NetScan Share Enumeration Write Access Check

calendar Jan 29, 2024 · attack.discovery attack.t1135 dist.public  ·
Share on: linkedin copy

Detects the creation of unique artifacts created by SoftPerfect NetScan when performing write-access checking on enumerated network shares

Sigma rule (View on GitHub)

 1title: NetScan Share Enumeration Write Access Check
 2id: 8a0d153f-b4e4-4ea7-9335-892dfbe17221
 3status: Experimental
 4description: Detects the creation of unique artifacts created by SoftPerfect NetScan when performing write-access checking on enumerated network shares
 5author: "@pcscout, @TheDFIRReport"
 6date: 2024/01/27
 7references:
 8    - https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/
 9    - https://www.softperfect.com.cach3.com/board/read.php%3F12,10134,12202.html
10    - https://content.vectra.ai/hubfs/downloadable-assets/RansomOps-Post-Incident-Report.pdf
11tags:
12    - attack.discovery
13    - attack.t1135
14    - dist.public
15logsource:
16    product: windows
17    service: security
18detection:
19    selection:
20        EventID: 5145
21        RelativeTargetName: 'delete.me'
22        AccessMask: 
23            - '0x2'
24            - '0x130196'
25        ObjectType: File
26    condition: selection
27falsepositives:
28    - Unknown
29level: medium

References

  • Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours - The DFIR Report

    Key Takeaways In late December 2022, we observed threat actors exploiting a publicly exposed Remote Desktop Protocol (RDP) host, leading to data exfiltration and the deployment of Trigona ransomware. On … Read More


    Read More

  • File "delete.me" - Network Scanner Help

    SoftPerfect Network Scanner Support Forum : File "delete.me"


    Read More

  • jn¿ã÷aù›µ|Þ–=j-æ¥;SÎb Ë÷n¡ý.ô¾Ó½c õk9¯ùóÕÒôeY3B³'ºwù�14ºÐ“åéþèþË:ó^èÖ§{iÿÍöýÆYš�Y¨ºýѽ[oôB× ÿÉš ­ñ®Üÿ‚w½»Æú_YèYþ7{øïóG~d¤Š¿g šÒá*.E5—«1Ù<¹ÛÕp9šŽ!cëx}³yƒ¨^¡ZÂeÖp8ê*O‰µ$†°¸’B®...


    Read More

Related rules

to-top