Detectionmediumtest
PUA - SoftPerfect Netscan Execution
Detects usage of SoftPerfect's "netscan.exe". An application for scanning networks. It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Created Thu Apr 25ca387a8e-1c84-4da3-9993-028b45342d30windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic1 selector
detection:
selection:
- Image|endswith: '\netscan.exe'
- Product: 'Network Scanner'
- Description: 'Application for scanning networks'
condition: selectionFalse Positives
Legitimate administrator activity
References
MITRE ATT&CK
Tactics
Techniques
Rule Metadata
Rule ID
ca387a8e-1c84-4da3-9993-028b45342d30
Status
test
Level
medium
Type
Detection
Created
Thu Apr 25
Path
rules/windows/process_creation/proc_creation_win_pua_netscan.yml
Raw Tags
attack.discoveryattack.t1046