Windows.Forensics.AdvancedPortScanner

This Velociraptor artifact is tailored for forensic analysis of Advanced Port Scanner usage on Windows. It helps identify how Advanced Port Scanner was configured and used, which aids DFIR investigations. It examines the registry keys HKEY_USERS\*\SOFTWARE\Famatech\advanced_port_scanner and HKEY_USERS\*\SOFTWARE\Famatech\advanced_port_scanner\State to retrieve the following values:

  • run: Displays the version of Advanced Port Scanner
  • locale_timestamp: Indicates when the application was first launched, in Unix epoch seconds (UTC)
  • locale: Displays the language chosen for the graphical interface; this may hint at a threat actor's native language, but it must be correlated with the modus operandi so as not to fall for a false flag
  • LastPortsUsed: Displays the ports used in the last scan
  • LastRangeUsed: Displays the IP range used in the last scan
  • IpRangesMruList: Displays all the IP ranges scanned by the tool; the first digit of each entry's prefix indicates how often that range was scanned
  • PortsMruList: Displays all the ports scanned by the tool; the first digit of each entry's prefix indicates how often that port was scanned
  • SearchMruList: Displays all the IP addresses or hostnames searched with the GUI's "search" feature

name: Windows.Forensics.AdvancedPortScanner

description: |
 This Velociraptor artifact is tailored for forensic analysis of Advanced Port Scanner usage on Windows. It helps identify how Advanced Port Scanner was configured and used, which aids DFIR investigations. It examines the registry keys HKEY_USERS\*\SOFTWARE\Famatech\advanced_port_scanner and HKEY_USERS\*\SOFTWARE\Famatech\advanced_port_scanner\State to retrieve the following values:

 - run: Displays the version of Advanced Port Scanner
 - locale_timestamp: Indicates when the application was first launched, in Unix epoch seconds (UTC)
 - locale: Displays the language chosen for the graphical interface; this may hint at a threat actor's native language, but it must be correlated with the modus operandi so as not to fall for a false flag
 - LastPortsUsed: Displays the ports used in the last scan
 - LastRangeUsed: Displays the IP range used in the last scan
 - IpRangesMruList: Displays all the IP ranges scanned by the tool; the first digit of each entry's prefix indicates how often that range was scanned
 - PortsMruList: Displays all the ports scanned by the tool; the first digit of each entry's prefix indicates how often that port was scanned
 - SearchMruList: Displays all the IP addresses or hostnames searched with the GUI's "search" feature

author: Julien Houry - @y0sh1mitsu (CSIRT Airbus Protect)

reference:
 
 - https://www.protect.airbus.com/blog/uncovering-cyber-intruders-a-forensic-deep-dive-into-netscan-angry-ip-scanner-and-advanced-port-scanner/
 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a
 - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/

type: CLIENT

parameters:
    - name: RegistryPath_APS
      default: HKEY_USERS\\*\\SOFTWARE\\Famatech\\advanced_port_scanner
      type: hidden
    - name: RegistryPath_State
      default: HKEY_USERS\\*\\SOFTWARE\\Famatech\\advanced_port_scanner\\State
      type: hidden
    - name: RegistryData
      type: regex
      default: .

sources:

- name: AdvancedPortScanner
  query: |
    SELECT Key.FileInfo.FullPath AS FullPath,
           Key.FileInfo.ModTime AS ModificationTime,
           run, locale, locale_timestamp
    FROM read_reg_key(globs=RegistryPath_APS, accessor="registry")
    WHERE Key.FileInfo.FullPath =~ RegistryData

- name: State
  query: |
    SELECT Key.FileInfo.FullPath AS FullPath,
           Key.FileInfo.ModTime AS ModificationTime,
           LastPortsUsed, LastRangeUsed, IpRangesMruList, PortsMruList, SearchMruList
    FROM read_reg_key(globs=RegistryPath_State, accessor="registry")
    WHERE Key.FileInfo.FullPath =~ RegistryData
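Because the `HKEY_USERS\*` glob yields one row per loaded user hive, an analyst usually wants the two sources joined per user SID and `locale_timestamp` rendered as a UTC date. The script below is an added post-processing example, not part of the artifact: it assumes both sources were exported as JSON lines with the column names the VQL selects, and the sample rows are constructed.

```python
"""Post-process Windows.Forensics.AdvancedPortScanner output per user SID.

Added example, not part of the artifact. Assumes JSON-lines exports of the
AdvancedPortScanner and State sources with the VQL's column names, and that
every FullPath begins with HKEY_USERS\\<SID>\\. Sample rows are constructed.
"""
import json
import re
from datetime import datetime, timezone

SID_RE = re.compile(r"^HKEY_USERS\\([^\\]+)\\", re.IGNORECASE)

# Constructed rows shaped like the artifact's two sources (one user hive).
APS_JSONL = (
    '{"FullPath": "HKEY_USERS\\\\S-1-5-21-1-2-3-1001\\\\SOFTWARE\\\\Famatech\\\\'
    'advanced_port_scanner", "ModificationTime": "2023-05-02T10:40:12Z", '
    '"run": "2.5.3869", "locale": "ru", "locale_timestamp": 1683022530}\n'
)
STATE_JSONL = (
    '{"FullPath": "HKEY_USERS\\\\S-1-5-21-1-2-3-1001\\\\SOFTWARE\\\\Famatech\\\\'
    'advanced_port_scanner\\\\State", "ModificationTime": "2023-05-02T10:40:12Z", '
    '"LastPortsUsed": "445,3389", "LastRangeUsed": "10.0.0.1-10.0.0.254"}\n'
)


def sid_from_path(full_path):
    """Return the SID segment of an HKEY_USERS path, or None if there is none."""
    m = SID_RE.match(full_path)
    return m.group(1) if m else None


def epoch_to_utc(ts):
    """locale_timestamp is seconds since the Unix epoch (UTC); render as ISO 8601."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).isoformat()


def merge_sources(aps_jsonl, state_jsonl):
    """Join both sources on the user SID into one first-launch / last-scan record."""
    users = {}
    for line in filter(str.strip, aps_jsonl.splitlines()):
        row = json.loads(line)
        rec = users.setdefault(sid_from_path(row["FullPath"]), {})
        rec.update(version=row.get("run"), locale=row.get("locale"))
        if row.get("locale_timestamp") is not None:
            rec["first_launch_utc"] = epoch_to_utc(row["locale_timestamp"])
    for line in filter(str.strip, state_jsonl.splitlines()):
        row = json.loads(line)
        rec = users.setdefault(sid_from_path(row["FullPath"]), {})
        rec.update(last_ports=row.get("LastPortsUsed"), last_range=row.get("LastRangeUsed"),
                   state_modified=row.get("ModificationTime"))
    return users


if __name__ == "__main__":
    print(json.dumps(merge_sources(APS_JSONL, STATE_JSONL), indent=2))
```

The MRU columns are carried through as raw strings by the State source; this script does not decode their per-entry frequency prefixes.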