PUA - SoftPerfect Netscan Execution

 1title: PUA - SoftPerfect Netscan Execution
 2id: ca387a8e-1c84-4da3-9993-028b45342d30
 3status: experimental
 4description: |
 5    Detects usage of SoftPerfect's "netscan.exe". An application for scanning networks.
 6    It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.    
 7references:
 8    - https://www.protect.airbus.com/blog/uncovering-cyber-intruders-netscan/
 9    - https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf
10    - https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
11    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue
12    - https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/
13    - https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/
14    - https://www.softperfect.com/products/networkscanner/
15author: '@d4ns4n_ (Wuerth-Phoenix)'
16date: 2024-04-25
17tags:
18    - attack.discovery
19    - attack.t1046
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection:
25        - Image|endswith: '\netscan.exe'
26        - Product: 'Network Scanner'
27        - Description: 'Application for scanning networks'
28    condition: selection
29falsepositives:
30    - Legitimate administrator activity
31level: medium

References

• Uncovering Cyber Intruders: A Forensic Deep Dive into NetScan, Angry IP Scanner, and Advanced Port Scanner

  

  Explore the role of GUI network scanners in cybersecurity. Discover how operators use these tools to map networks and minimize detection.

  
  Read More

• hQ{Ì"&ß°¿Ä–2ÑP,ºB+deêÂ:Â3Çz›kÌ%¶ñÉò3ö’`]ÏÊAVêÇ:CÈvr× � ?°-Ì æ#P׃[Ôű,á<*ž#÷ìY-Ê@–À}�åù{VŽÜåJ†éŒ\•+zr…s&e$Î 9-ä–'“•Üòd2Ü 2YÉ-O&+k(O&kÎÅä¯2^{Éå­Fþj¶3ù«ÙÎä/L [‘¿È1–©-¥%•=«2]³...

  
  Read More

• Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor

  

  Black Basta operational TTPs are described here in full detail, revealing previously unknown tools and techniques and a link to FIN7.

  
  Read More

• Yanluowang: Further Insights on New Ransomware Threat

  

  At least one attacker now using Yanluowang may have previously been linked to Thieflock ransomware operation.

  
  Read More

• This research was conducted by Michael Mullen and Nikolaos Pantazopoulos from NCC Group Cyber Incident Response Team. You can find more here Incident Response – NCC Group Summary tl;dr In the Threa...

  
  Read More

• Microsoft Exchange servers hacked to deploy Hive ransomware

  

  A Hive ransomware affiliate has been targeting Microsoft Exchange servers vulnerable to ProxyShell security issues to deploy various backdoors, including Cobalt Strike beacon.

  
  Read More

• SoftPerfect Network Scanner : fast, flexible, advanced

  

  Fast multi-threaded IPv4/IPv6 scanner with an extensive range of options and advanced features for system administrators and general users.

  
  Read More

Related rules

• Advanced IP Scanner - File Event
• Linux Network Service Scanning - Auditd
• MacOS Network Service Scanning
• PUA - Advanced IP Scanner Execution
• PUA - Advanced Port Scanner Execution