Detection rules › Splunk
SoftPerfect Network Scanner Execution (Sysmon)
SoftPerfect Network Scanner is a free port scanner that can be run without installation. Due to its portability, it is an attractive tool for threat actors during post-compromise discovery activities as reported by DFIR. This use case detects executions of netscan.exe, netscan32.exe, or netscan64.exe. While the tool itself is not considered malicious, unexpected use should be investigated as it may indicate unauthorized discovery activity
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1046 Network Service Discovery |
References
- https://www.softperfect.com/products/networkscanner/
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://thedfirreport.com/2020/07/13/ransomware-again-but-we-changed-the-rdp-port/
- https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
Rule body yaml
id: '24804.45867'
title: SoftPerfect Network Scanner Execution
description: 'SoftPerfect Network Scanner is a free port scanner that can be run without
installation. Due to its portability, it is an attractive tool for threat actors
during post-compromise discovery activities as reported by DFIR. This use case detects
executions of netscan.exe, netscan32.exe, or netscan64.exe. While the tool itself
is not considered malicious, unexpected use should be investigated as it may indicate
unauthorized discovery activity. -- Software Association: Akira'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=1) OR "<EventID>1<")
"netscan" | where match(process_name, "(?i)\x5cnetscan(32|64)?\.exe") or match(process_path,
"(?i)\x5cnetscan_portable") | table _time, host, user, process, process_*, parent_process,
parent_process_*, user | bin span=1s | stats values(*) as * by _time, host '
techniques:
- discovery:network service discovery
technique_id:
- T1046
data_category:
- Windows Sysmon
references:
- https://www.softperfect.com/products/networkscanner/
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://thedfirreport.com/2020/07/13/ransomware-again-but-we-changed-the-rdp-port/
- https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=1) OR "<EventID>1<") "netscan"
Stage 2: where
| where match(process_name, "(?i)\x5cnetscan(32|64)?\.exe") or match(process_path, "(?i)\x5cnetscan_portable")
Stage 3: table
| table _time, host, user, process, process_*, parent_process, parent_process_*, user
Stage 4: bucket
| bin span=1s
Stage 5: stats
| stats values(*) as * by _time, host
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
process_name | match |
|
process_path | match |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>1<" |
| 1 | "netscan" |