Windows.Forensics.AngryIPScanner :: Velociraptor

Windows.Forensics.AngryIPScanner

This Velociraptor artifact is tailored for forensic analysis of Angry IP Scanner usage on Windows platforms. This facilitates the identification of how Angry IP Scanner was configured and used, aiding in DFIR investigations. It examines HKEY_USERS\*\SOFTWARE\JavaSoft\Prefs\ipscan from the registry for retrieve some informations about:

language: Displays the language used in the GUI, may prove useful to have an idea of the language used by a threat actor (it is necessary to correlate with a modus operandi in order not to fall into the trap of a false flag)
Version: Displays the version of Angry IP Scanner
LastVersionCheck: Captures the last time (EPOCH format in UTC +0) when the application checked for an update
PortScanConfiguration: Displays the selected ports for scanning


name: Windows.Forensics.AngryIPScanner

description: |
 This Velociraptor artifact is tailored for forensic analysis of Angry IP Scanner usage on Windows platforms. This facilitates the identification of how Angry IP Scanner was configured and used, aiding in DFIR investigations. It examines HKEY_USERS\\*\\SOFTWARE\\JavaSoft\\Prefs\\ipscan from the registry for retrieve some informations about:
   
   - language: Displays the language used in the GUI, may prove useful to have an idea of the language used by a threat actor (it is necessary to correlate with a modus operandi in order not to fall into the trap of a false flag)
   - Version: Displays the version of Angry IP Scanner
   - LastVersionCheck: Captures the last time (EPOCH format in UTC +0) when the application checked for an update
   - PortScanConfiguration: Displays the selected ports for scanning


author: Julien Houry - @y0sh1mitsu (CSIRT Airbus Protect)

reference:

 - https://www.protect.airbus.com/blog/uncovering-cyber-intruders-a-forensic-deep-dive-into-netscan-angry-ip-scanner-and-advanced-port-scanner/
 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-259a
 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a

type: CLIENT

precondition: SELECT OS FROM info() where OS = 'windows'

parameters:
    - name: RegistryPath
      type: hidden
      default: HKEY_USERS\\*\\SOFTWARE\\JavaSoft\\Prefs\\ipscan
    - name: RegistryData
      type: regex
      default: .

sources:
    - query: |
        SELECT Key.FileInfo.FullPath AS FullPath, Key.FileInfo.ModTime AS ModificationTime, language, get(field="last/Run/Version", default="Unknown") AS Version, get(field="port/String", default="Unknown") AS PortScanConfiguration, get(field="last/Version/Check", default="Unknown") AS LastVersionCheck FROM read_reg_key(globs=RegistryPath, accessor="registry") WHERE Key.FileInfo.FullPath =~ RegistryData