PUA - Advanced IP Scanner Execution

Severity: medium
Author: Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy
Source: upstream

Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.

MITRE ATT&CK coverage

Tactic	Techniques
Discovery	`T1046` Network Service Discovery, `T1135` Network Share Discovery

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `1 of selection_img`

or:
Description|contains: 'Advanced IP Scanner'
Image|contains: '\advanced_ip_scanner'
OriginalFileName|contains: advanced_ip_scanner

Stage 2: `1 of selection_cli`

CommandLine|contains: '/lng'
CommandLine|contains: '/portable'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`/lng` corpus 2 (sigma 2) `/portable` corpus 2 (sigma 2)
`Description`	match	`Advanced IP Scanner`
`Image`	match	`\advanced_ip_scanner`
`OriginalFileName`	match	`advanced_ip_scanner`