This Velociraptor artifact is tailored for forensics analysis of Angry IP Scanner usage on Windows platforms. This facilitates the identification of how Angry IP Scanner was configured and used, aiding in DFIR investigations. It examines registry keys HKEY_USERS\\SOFTWARE\Famatech\advanced_port_scanner and HKEY_USERS\\SOFTWARE\Famatech\advanced_port_scanner\State for retrieve some informations about:
name: Windows.Forensics.AdvancedPortScanner
description: |
This Velociraptor artifact is tailored for forensics analysis of Angry IP Scanner usage on Windows platforms. This facilitates the identification of how Angry IP Scanner was configured and used, aiding in DFIR investigations. It examines registry keys HKEY_USERS\\*\\SOFTWARE\\Famatech\\advanced_port_scanner and HKEY_USERS\\*\\SOFTWARE\\Famatech\\advanced_port_scanner\\State for retrieve some informations about:
- run: Displays the version of Advanced Port Scanner
- locale_timestamp: Indicates the time in EPOCH (UTC +0) at which the application was first launched
- locale: Displays the language chosen for the graphical interface, may prove useful to have an idea of the native language of a threat actor (it is necessary to correlate with a modus operandi in order not to fall into the trap of a false flag)
- LastPortsUsed: Displays the last ports used in the last scan
- LastRangeUsed: Displays the last IP range used in the last scan
- IpRangesMruList: Displays all the IP ranges scanned by the tool, the first digit of each prefix in this list indicates the frequency of scans for each range
- PortsMruList: Displays all the ports that have been scanned by the tool, the first digit of each prefix in this list indicates the frequency of scans for each port
- SearchMruList: Displays all the IP addresses or hostnames that have been searched using the GUI's "search" feature
author: Julien Houry - @y0sh1mitsu (CSIRT Airbus Protect)
reference:
- https://www.protect.airbus.com/blog/uncovering-cyber-intruders-a-forensic-deep-dive-into-netscan-angry-ip-scanner-and-advanced-port-scanner/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a
- https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/
type: CLIENT
parameters:
- name: RegistryPath_APS
default: HKEY_USERS\\*\\SOFTWARE\\Famatech\\advanced_port_scanner
type: hidden
- name: RegistryPath_State
default: HKEY_USERS\\*\\SOFTWARE\\Famatech\\advanced_port_scanner\\State
type: hidden
- name: RegistryData
type: regex
default: .
sources:
- name: AdvancedPortScanner
query: |
SELECT Key.FileInfo.FullPath AS FullPath, Key.FileInfo.ModTime AS ModificationTime, run, locale, locale_timestamp
FROM read_reg_key(globs=RegistryPath_APS, accessor="registry") WHERE Key.FileInfo.FullPath =~ RegistryData
- name: State
query: |
SELECT Key.FileInfo.FullPath AS FullPath, Key.FileInfo.ModTime AS ModificationTime, LastPortsUsed, LastRangeUsed, IpRangesMruList, PortsMruList, SearchMruList
FROM read_reg_key(globs=RegistryPath_State, accessor="registry") WHERE Key.FileInfo.FullPath =~ RegistryData