
PUA - Advanced IP/Port Scanner Update Check

Detect the update check performed by Advanced IP/Port Scanner utilities.

Author
Axel Olsson
Created
Sun Aug 14
Updated
Thu Feb 15
Rule ID
1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d
Category
web
Log Source
Proxy Log (Sigma logsource category: proxy)
Detection Logic
detection:
    selection:
        # Example request: http://www.advanced-port-scanner.com/checkupdate.php?lng=en&ver=2-5-3680&beta=n&type=upd&rmode=p&product=aps
        # Example request2: http://www.advanced-ip-scanner.com/checkupdate.php?lng=en&ver=2-5-3499&beta=n&type=upd&rmode=p&product=aips
        c-uri|contains: '/checkupdate.php'
        c-uri-query|contains|all:
            - 'lng='
            - 'ver='
            - 'beta='
            - 'type='
            - 'rmode='
            - 'product='
    condition: selection
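To show how the selection above behaves on real-looking traffic, here is an added example (not code from the Sigma project) that applies the same two conditions to constructed proxy records: the two example requests from the rule comments match, while a request to the same path with a different query shape, and unrelated traffic, do not. The field names c-uri and c-uri-query follow the Sigma proxy log source; the sample events are constructed for this example.

```python
# Added example (not part of the Sigma rule set): evaluates this rule's
# selection over constructed proxy log records.
from urllib.parse import urlsplit

# The rule's selection, expressed as data: a substring on the URI and all of
# the query parameter names that the update check carries.
URI_CONTAINS = "/checkupdate.php"
QUERY_CONTAINS_ALL = ("lng=", "ver=", "beta=", "type=", "rmode=", "product=")

# Constructed sample proxy events (one dict per event, only the fields the rule uses).
SAMPLE_EVENTS = [
    # the two example requests from the rule's comments
    {"c-uri": "/checkupdate.php",
     "c-uri-query": "lng=en&ver=2-5-3680&beta=n&type=upd&rmode=p&product=aps"},
    {"c-uri": "/checkupdate.php",
     "c-uri-query": "lng=en&ver=2-5-3499&beta=n&type=upd&rmode=p&product=aips"},
    # same path, different query shape: rmode= and product= are missing, so no match
    {"c-uri": "/checkupdate.php", "c-uri-query": "lng=en&ver=1&beta=n&type=upd"},
    # unrelated traffic
    {"c-uri": "/index.html", "c-uri-query": ""},
]


def split_request(url):
    """Split a full request URL into the two proxy fields the rule uses."""
    parts = urlsplit(url)
    return {"c-uri": parts.path, "c-uri-query": parts.query}


def selection_matches(event):
    """Sigma selection: c-uri|contains AND c-uri-query|contains|all.

    Sigma string matching is case-insensitive by default, so both sides are lower-cased.
    """
    uri = event.get("c-uri", "").lower()
    query = event.get("c-uri-query", "").lower()
    if URI_CONTAINS not in uri:
        return False
    return all(token in query for token in QUERY_CONTAINS_ALL)


def run_rule(events):
    """Return the indices of the events that satisfy the rule's condition (selection)."""
    return [i for i, ev in enumerate(events) if selection_matches(ev)]


if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))  # [0, 1]
```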
False Positives

Expected if you legitimately use the Advanced IP or Port Scanner utilities in your environment.

Rule Metadata
Rule ID
1a9bb21a-1bb5-42d7-aa05-3219c7c8f47d
Status
test
Level
medium
Type
Detection
Created
Sun Aug 14
Modified
Thu Feb 15
Path
rules/web/proxy_generic/proxy_pua_advanced_ip_scanner_update_check.yml
Raw Tags
attack.discovery, attack.reconnaissance, attack.t1590