Adversaries may use Advanced IP/Port Scanner utilities to perform update checks that mask lateral movement or reconnaissance activities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential network scanning and compromise indicators early.
Detection Rule
title: PUA - Advanced IP/Port Scanner Update Check
id: 1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d
status: test
description: Detect the update check performed by Advanced IP/Port Scanner utilities.
references:
    - https://www.advanced-ip-scanner.com/
    - https://www.advanced-port-scanner.com/
author: Axel Olsson
date: 2022-08-14
modified: 2024-02-15
tags:
    - attack.discovery
    - attack.reconnaissance
    - attack.t1590
logsource:
    category: proxy
detection:
    selection:
        # Example request: http://www.advanced-port-scanner.com/checkupdate.php?lng=en&ver=2-5-3680&beta=n&type=upd&rmode=p&product=aps
        # Example request2: http://www.advanced-ip-scanner.com/checkupdate.php?lng=en&ver=2-5-3499&beta=n&type=upd&rmode=p&product=aips
        c-uri|contains: '/checkupdate.php'
        c-uri-query|contains|all:
            - 'lng='
            - 'ver='
            - 'beta='
            - 'type='
            - 'rmode='
            - 'product='
    condition: selection
falsepositives:
    - Expected if you legitimately use the Advanced IP or Port Scanner utilities in your environment.
level: medium
Sentinel Hunting Query
imWebSession
| where Url contains "/checkupdate.php"
| where Url contains "lng=" and Url contains "ver=" and Url contains "beta="
    and Url contains "type=" and Url contains "rmode=" and Url contains "product="
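The selection above is a path check plus an all-of substring check on the query string. The following Python is an added example, not part of the Sigma rule or of the Advanced IP/Port Scanner project: it models the proxy fields the rule uses (c-uri taken as the path, c-uri-query as the query, an assumption of this example), runs the selection over constructed sample proxy log lines, and pulls out the product parameter (aps / aips in the rule's example requests) for triage. It goes one step beyond the rule with a strict mode that requires the six parameter names as real query keys, which shows why the plain contains modifier also fires on a query such as server=1. The function names and log format are this example's own.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (not taken from any real environment).
# Format per line: timestamp client_ip method url
SAMPLE_PROXY_LOG = """\
2024-02-15T10:01:02Z 10.0.0.5 GET http://www.advanced-port-scanner.com/checkupdate.php?lng=en&ver=2-5-3680&beta=n&type=upd&rmode=p&product=aps
2024-02-15T10:02:10Z 10.0.0.7 GET http://www.advanced-ip-scanner.com/checkupdate.php?lng=en&ver=2-5-3499&beta=n&type=upd&rmode=p&product=aips
2024-02-15T10:03:30Z 10.0.0.9 GET http://example.test/checkupdate.php?ver=1
2024-02-15T10:04:00Z 10.0.0.9 GET http://example.test/index.php?lng=en&ver=1&beta=n&type=upd&rmode=p&product=x
2024-02-15T10:05:00Z 10.0.0.11 GET http://cdn.example.test/static/app.js
2024-02-15T10:06:00Z 10.0.0.13 GET http://example.test/checkupdate.php?lng=en&server=1&beta=n&type=upd&rmode=p&product=x
"""

# The tokens from the rule's c-uri-query|contains|all list, and the bare parameter names.
REQUIRED_TOKENS = ("lng=", "ver=", "beta=", "type=", "rmode=", "product=")
REQUIRED_PARAMS = tuple(t.rstrip("=") for t in REQUIRED_TOKENS)


def parse_proxy_line(line):
    """Split one constructed log line into the Sigma proxy fields the rule uses."""
    ts, client, method, url = line.split(maxsplit=3)
    parts = urlsplit(url)
    # Assumption of this example: c-uri is modelled as the path only,
    # and the query string is kept separately as c-uri-query.
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "cs-host": parts.hostname,
        "c-uri": parts.path,
        "c-uri-query": parts.query,
    }


def matches_rule(event, strict=False):
    """Apply the rule's selection to one parsed event.

    strict=False mirrors the Sigma modifiers literally: substring checks,
    so 'ver=' is also satisfied by 'server=' in the query.
    strict=True requires the six names to be present as actual query keys.
    """
    if "/checkupdate.php" not in event["c-uri"]:
        return False
    if not strict:
        return all(tok in event["c-uri-query"] for tok in REQUIRED_TOKENS)
    params = parse_qs(event["c-uri-query"], keep_blank_values=True)
    return all(name in params for name in REQUIRED_PARAMS)


def detect(log_text, strict=False):
    """Run the selection over every line; return matching events with the product value attached."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_proxy_line(line)
        if matches_rule(event, strict=strict):
            params = parse_qs(event["c-uri-query"], keep_blank_values=True)
            event["product"] = params.get("product", [""])[0]
            hits.append(event)
    return hits


if __name__ == "__main__":
    for strict in (False, True):
        print(f"strict={strict}:")
        for hit in detect(SAMPLE_PROXY_LOG, strict=strict):
            print(f"  {hit['ts']} {hit['client']} -> {hit['cs-host']} product={hit['product']}")
```

On the sample input the literal selection fires on the two genuine update checks and on the server=1 line, while the strict variant fires only on the two genuine checks. The Sentinel query above runs the same substring checks against the whole Url, so it inherits the same behaviour; if that noise matters in your environment, add a parsed-query key check or pin the host to the two vendor domains from the rule's references.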
False Positive Scenarios and Example Exclusions
Note that these exclusions are written against endpoint process fields (process.name, process.args), which a proxy log source does not carry; they apply where the same update request is observed in a log that records the requesting process. On the proxy side, tune on the source host or the product parameter instead.
Scenario: System update check via Windows Update or Microsoft Defender ATP
Filter/Exclusion: process.name != "wuauclt.exe" && process.name != "MsMpEng.exe"
Scenario: Scheduled job for IP/port scanning using Advanced IP Scanner (real tool)
Filter/Exclusion: process.name != "AdvancedIPScanner.exe"
Scenario: Admin task to verify scanner version using Advanced IP Scanner CLI
Filter/Exclusion: process.name != "AdvancedIPScanner.exe" || process.args !~ /--version/
Scenario: Network discovery tool (e.g., Nmap) performing a scan
Filter/Exclusion: process.name != "nmap.exe"
Scenario: Automated patching tool checking for scanner updates
Filter/Exclusion: process.name != "patching_tool.exe" || process.args !~ /check-update/