sigmamediumHunting

PUA - Advanced Port Scanner Execution

Detects the use of Advanced Port Scanner.

MITRE ATT&CK

discovery

Detection Query

selection_img:
  - Image|contains: \advanced_port_scanner
  - OriginalFileName|contains: advanced_port_scanner
  - Description|contains: Advanced Port Scanner
selection_cli:
  CommandLine|contains|all:
    - /portable
    - /lng
condition: 1 of selection_*

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2021-12-18

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner

Tags

attack.discoveryattack.t1046attack.t1135

Raw Content

title: PUA - Advanced Port Scanner Execution
id: 54773c5f-f1cc-4703-9126-2f797d96a69d
status: test
description: Detects the use of Advanced Port Scanner.
references:
    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-18
modified: 2023-02-07
tags:
    - attack.discovery
    - attack.t1046
    - attack.t1135
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|contains: '\advanced_port_scanner'
        - OriginalFileName|contains: 'advanced_port_scanner' # Covers also advanced_port_scanner_console.exe
        - Description|contains: 'Advanced Port Scanner'
    selection_cli:
        CommandLine|contains|all:
            - '/portable'
            - '/lng'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administrative use
    - Tools with similar commandline (very rare)
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_pua_advanced_port_scanner/info.yml