PUA - SoftPerfect Netscan Execution

 1title: PUA - SoftPerfect Netscan Execution
 2id: ca387a8e-1c84-4da3-9993-028b45342d30
 3status: experimental
 4description: |
 5    Detects usage of SoftPerfect's "netscan.exe". An application for scanning networks.
 6    It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.    
 7references:
 8    - https://www.protect.airbus.com/blog/uncovering-cyber-intruders-netscan/
 9    - https://secjoes-reports.s3.eu-central-1.amazonaws.com/Sockbot%2Bin%2BGoLand.pdf
10    - https://www.sentinelone.com/labs/black-basta-ransomware-attacks-deploy-custom-edr-evasion-tools-tied-to-fin7-threat-actor/
11    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/yanluowang-ransomware-attacks-continue
12    - https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/
13    - https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/
14    - https://www.softperfect.com/products/networkscanner/
15author: '@d4ns4n_ (Wuerth-Phoenix)'
16date: 2024/04/25
17tags:
18    - attack.discovery
19    - attack.t1046
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection:
25        - Image|endswith: '\netscan.exe'
26        - Product: 'Network Scanner'
27        - Description: 'Application for scanning networks'
28    condition: selection
29falsepositives:
30    - Legitimate administrator activity
31level: medium

References

• Uncovering Cyber Intruders: A Forensic Deep Dive into NetScan, Angry IP Scanner, and Advanced Port Scanner

  

  Explore the role of GUI network scanners in cybersecurity. Discover how operators use these tools to map networks and minimize detection.

  
  Read More

• hQ{Ì"&ß°¿Ä–2ÑP,ºB+deêÂ:Â3Çz›kÌ%¶ñÉò3ö’`]ÏÊAVêÇ:CÈvr× � ?°-Ì æ#P׃[Ôű,á<*ž#÷ìY-Ê@–À}�åù{VŽÜåJ†éŒ\•+zr…s&e$Î 9-ä–'“•Üòd2Ü 2YÉ-O&+k(O&kÎÅä¯2^{Éå­Fþj¶3ù«ÙÎä/L [‘¿È1–©-¥%•=«2]³...

  
  Read More

• Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor - SentinelOne

  

  Black Basta operational TTPs are described here in full detail, revealing previously unknown tools and techniques and a link to FIN7.

  
  Read More

• Yanluowang: Further Insights on New Ransomware Threat

  

  At least one attacker now using Yanluowang may have previously been linked to Thieflock ransomware operation.

  
  Read More

• Climbing Mount Everest: Black-Byte Bytes Back?

  

  In the Threat Pulse released in November 2021 we touched on Everest Ransomware group. This latest blog documents the TTPs employed by a group who were observed deploying Everest ransomware during a…

  
  Read More

• Microsoft Exchange servers hacked to deploy Hive ransomware

  

  A Hive ransomware affiliate has been targeting Microsoft Exchange servers vulnerable to ProxyShell security issues to deploy various backdoors, including Cobalt Strike beacon.

  
  Read More

• SoftPerfect Network Scanner : fast, flexible, advanced

  

  Fast multi-threaded IPv4/IPv6 scanner with an extensive range of options and advanced features for system administrators and general users.

  
  Read More

Related rules

• Pnscan Binary Data Transmission Activity
• Python Initiated Connection
• PUA - Advanced IP Scanner Execution
• PUA - Advanced Port Scanner Execution
• PUA - Nmap/Zenmap Execution