Detection rules › Splunk
Advanced IP Scanner Execution (Sysmon)
Advanced IP Scanner is a legitimate utility that can perform network scanning. Several threat actors, including UNC2465, Conti, Pysa ransomware and FIN12, have been reported to use Advanced IP Scanner during reconnaissance activities
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1046 Network Service Discovery |
References
- https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox
- https://www.cybereason.com/blog/research/threat-analysis-report-inside-the-destructive-pysa-ransomware
- https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
- https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/
- https://www.mandiant.com/resources/blog/shining-a-light-on-darkside-ransomware-operations
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
Rule body yaml
id: '20033.35681'
title: Advanced IP Scanner Execution
description: 'Advanced IP Scanner is a legitimate utility that can perform network
scanning. Several threat actors, including UNC2465, Conti, Pysa ransomware and FIN12,
have been reported to use Advanced IP Scanner during reconnaissance activities.
-- Threat Actor Association: FIN12, UNC2465 - Software Association: Akira, AvosLocker,
Conti, Pysa'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=1) OR "<EventID>1<"
OR Type=Process) "advanced_ip_scanner" OR (TERM(/portable) TERM(/lng)) | where match(process_name,
"(?i)advanced_ip_scanner") OR match(process, "(?i)\sportable/s.+\slng") | table
_time, host, user, process, process_*, parent_process_* | bin span=1s | stats values(*)
as * by _time, host '
techniques:
- discovery:network service discovery
technique_id:
- T1046
data_category:
- Windows Sysmon
- Process command-line parameters
references:
- https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox
- https://www.cybereason.com/blog/research/threat-analysis-report-inside-the-destructive-pysa-ransomware
- https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
- https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/
- https://www.mandiant.com/resources/blog/shining-a-light-on-darkside-ransomware-operations
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=1) OR "<EventID>1<" OR Type=Process) "advanced_ip_scanner" OR (TERM(/portable) TERM(/lng))
Stage 2: where
| where match(process_name, "(?i)advanced_ip_scanner") OR match(process, "(?i)\sportable/s.+\slng")
Stage 3: table
| table _time, host, user, process, process_*, parent_process_*
Stage 4: bucket
| bin span=1s
Stage 5: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
process | match |
|
process_name | match |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>1<" |
| 1 | "advanced_ip_scanner" |
| 1 | "/portable" |
| 1 | "/lng" |