Advanced Port Scanner

level
status experimental

Detects the use of Advanced Port Scanner.

Known false-positives

  • Legitimate administrative use
  • Tools with similar commandline (very rare)

References

Raw rule (edit)

title: Advanced Port Scanner
id: 54773c5f-f1cc-4703-9126-2f797d96a69d
status: experimental
description: Detects the use of Advanced Port Scanner.
references:
    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner
author: Nasreddine Bencherchali @nas_bench
date: 2021/12/18
tags:
    - attack.discovery
    - attack.t1046
    - attack.t1135
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
       Image|contains: '\advanced_port_scanner'
    selection2:
       CommandLine|contains|all:
         - '/portable'
         - '/lng'
    condition: 1 of selection*
falsepositives:
    - Legitimate administrative use
    - Tools with similar commandline (very rare)
level: medium

Sponsored by

Phish Report logo
With Phish Report you can achieve streamlined phishing takedowns using your existing security team.