This Velociraptor artifact is tailored for forensic analysis of SoftPerfect Network Scanner (NetScan) usage on Windows platforms. This facilitates the identification of how SoftPerfect Network Scanner was configured and used, aiding in DFIR investigations. It parse the MFT to search and retrieve the content of two files:
name: Windows.Forensics.SoftPerfectNetworkScanner
description: |
This Velociraptor artifact is tailored for forensic analysis of SoftPerfect Network Scanner (NetScan) usage on Windows platforms. This facilitates the identification of how SoftPerfect Network Scanner was configured and used, aiding in DFIR investigations. It parse the MFT to search and retrieve the content of two files:
- netscan.lic: display information related to the program's graphical user interface language configuration and license details, including the license name for example
- netscan.xml: display information regarding the tool's configuration (selected scan ports, history of scanned IP ranges...)
author: Julien Houry - @y0sh1mitsu (CSIRT Airbus Protect), Matt Green - @mgreen27 (ntfs performance update)
parameters:
- name: AllDrives
type: bool
description: "Select MFT search on all attached ntfs drives."
reference:
- https://www.protect.airbus.com/blog/uncovering-cyber-intruders-a-forensic-deep-dive-into-netscan-angry-ip-scanner-and-advanced-port-scanner/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-259a
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a
type: CLIENT
precondition: SELECT OS From info() where OS = 'windows'
sources:
- query: |
SELECT
FileName,
OSPath,
Created0x10 as Btime,
LastModified0x10 as Mtime,
parse_xml(file=OSPath) AS ParsedXML
FROM Artifact.Windows.NTFS.MFT(FileRegex='^netscan\.(lic|xml)$',AllDrives=AllDrives)
WHERE NOT OSPath =~ '''\\<Err>\\'''