The hypothesis is that the use of Advanced IP Scanner indicates potential reconnaissance by adversaries leveraging T1046 to gather network information, which could precede a ransomware attack. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early signs of adversarial network mapping and mitigate potential ransomware threats.
Detection Rule
title: Advanced IP Scanner - File Event
id: fed85bf9-e075-4280-9159-fbe8a023d6fa
related:
- id: bef37fa2-f205-4a7b-b484-0759bfd5f86f
type: derived
status: test
description: Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
references:
- https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
- https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
- https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
- https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
- https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
author: '@ROxPinTeddy'
date: 2020-05-12
modified: 2022-11-29
tags:
- attack.discovery
- attack.t1046
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains: '\AppData\Local\Temp\Advanced IP Scanner 2'
condition: selection
falsepositives:
- Legitimate administrative use
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_advanced_ip_scanner/info.yml
imFileEvent
| where TargetFileName contains "\\AppData\\Local\\Temp\\Advanced IP Scanner 2"Scenario: System administrator uses Advanced IP Scanner to perform a network inventory during routine maintenance.
Filter/Exclusion: Check for the presence of a known admin task or scheduled job (e.g., AdvancedIPScanner.exe in a known admin tools directory or with a scheduled task named “Network Inventory”).
Scenario: A Windows Update or Group Policy deployment triggers a scan using Advanced IP Scanner as part of a compliance check.
Filter/Exclusion: Exclude events where the process is launched by a known system service or scheduled task related to updates (e.g., wuauclt.exe, gpupdate.exe).
Scenario: A third-party IT management tool (e.g., SolarWinds IP Address Manager) uses Advanced IP Scanner as a dependency for network discovery.
Filter/Exclusion: Exclude processes that are child processes of known IT management tools or have a parent process matching the IT tool’s executable.
Scenario: A scheduled backup job includes a script that runs Advanced IP Scanner to gather network information for documentation purposes.
Filter/Exclusion: Exclude events where the process is initiated by a backup-related service or scheduled task (e.g., BackupExec.exe, Veeam.exe).
Scenario: A network security audit tool (e.g., Nessus, OpenVAS) uses Advanced IP Scanner as part of its scanning capabilities.
Filter/Exclusion: Exclude processes that are child processes of known security audit tools or have a parent process matching the audit tool’s executable.