
Advanced IP Scanner - File Event

Detects files being written by Advanced IP Scanner into the user's Temp directory. The tool is popular with ransomware groups for network discovery (ATT&CK T1046).

Author: @roxpinteddy | Created: Tue May 12 | Updated: Tue Nov 29 | Rule ID: fed85bf9-e075-4280-9159-fbe8a023d6fa | Product: windows
Log Source
Product: Windows (raw: windows)
Category: File Event (raw: file_event)

Events for file system activity including creation, modification, and deletion. In the default Sigma backend mappings the file_event category corresponds to Sysmon Event ID 11 (FileCreate), which is where the TargetFilename field used by this rule comes from; the regression test below is likewise built on Microsoft-Windows-Sysmon data.

Detection Logic
detection:
    selection:
        TargetFilename|contains: '\AppData\Local\Temp\Advanced IP Scanner 2'
    condition: selection
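The selection above is a single `contains` match on TargetFilename. The following script, added here as an illustration and not part of the SigmaHQ rule or of any Sigma backend, applies that selection with Sigma's default string semantics (case-insensitive substring match, backslashes literal) to a few constructed Sysmon Event ID 11 records. The event records and the installer file name in them are constructed; the matcher is a deliberately small stand-in for a real backend and implements only the modifiers needed to show the rule's behaviour.

```python
"""Apply the rule's selection to constructed Sysmon Event ID 11 records.

Added example for this page; it is not part of the SigmaHQ rule or of any
Sigma backend. The event records are constructed, and the matcher implements
only the Sigma string semantics needed here: `contains`, `startswith`,
`endswith` and plain equality, all case-insensitive, with backslashes literal.
"""

# Mirrors the detection block of the rule: "field|modifier" -> pattern(s)
DETECTION = {
    "selection": {
        "TargetFilename|contains": r"\AppData\Local\Temp\Advanced IP Scanner 2",
    },
    "condition": "selection",
}


def field_matches(field_spec: str, pattern: str, event: dict) -> bool:
    """Evaluate one 'field|modifier: pattern' pair against an event."""
    field, _, modifier = field_spec.partition("|")
    value = event.get(field)
    if not isinstance(value, str):
        return False
    # Sigma string comparisons are case-insensitive by default
    v, p = value.lower(), pattern.lower()
    if modifier == "contains":
        return p in v
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "":
        return v == p
    raise ValueError(f"unsupported modifier: {modifier!r}")


def selection_matches(selection: dict, event: dict) -> bool:
    """Fields inside one selection are AND-ed; a list of patterns is OR-ed."""
    for spec, pattern in selection.items():
        patterns = pattern if isinstance(pattern, list) else [pattern]
        if not any(field_matches(spec, p, event) for p in patterns):
            return False
    return True


def rule_matches(event: dict) -> bool:
    """The rule's condition names a single selection, so evaluate just that."""
    return selection_matches(DETECTION[DETECTION["condition"]], event)


# Constructed Sysmon EID 11 (FileCreate) records, flattened to Sigma field names.
SAMPLE_EVENTS = [
    {   # installer self-extracting into the user's Temp directory: should fire
        "EventID": 11,
        "Image": r"C:\Users\jdoe\Downloads\ipscan25.exe",
        "TargetFilename": r"C:\Users\jdoe\AppData\Local\Temp\Advanced IP Scanner 2\advanced_ip_scanner.exe",
    },
    {   # same activity logged with a lower-cased path: still fires (case-insensitive)
        "EventID": 11,
        "Image": r"c:\users\jdoe\downloads\ipscan25.exe",
        "TargetFilename": r"c:\users\jdoe\appdata\local\temp\advanced ip scanner 2\libeay32.dll",
    },
    {   # unrelated archive extraction into Temp: must not fire
        "EventID": 11,
        "Image": r"C:\Program Files\7-Zip\7zFM.exe",
        "TargetFilename": r"C:\Users\jdoe\AppData\Local\Temp\7zO1A2B\readme.txt",
    },
    {   # copy staged outside Temp under another folder name: the rule does not cover this
        "EventID": 11,
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Tools\scan\advanced_ip_scanner.exe",
    },
]


def run(events: list[dict]) -> list[bool]:
    """Return the verdict for each event in order."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print("MATCH   " if hit else "no match", event["TargetFilename"])
```

The fourth record shows the rule's intended scope: it keys on the folder name the installer creates under Temp, so a copy of the scanner placed anywhere else, or an extraction folder with a different name, produces no match. Pair it with process-creation or hash-based coverage if that gap matters in your environment, and expect the "legitimate administrative use" false positive to present as the first two records with an administrator's account in the event.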
False Positives

Legitimate administrative use

Testing & Validation

Regression Tests (by SigmaHQ Team)

Positive Detection Test: 1 match (evtx sample), log source: Microsoft-Windows-Sysmon

Rule Metadata
Rule ID: fed85bf9-e075-4280-9159-fbe8a023d6fa
Status: test
Level: medium
Type: Detection
Created: Tue May 12
Modified: Tue Nov 29
Path: rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml
Raw Tags: attack.discovery, attack.t1046