This scanner is trendy among ransomware groups and has been mentioned in reports by @TheDFIRReport, among others. [1] 🧵
2/ This HTTP request can now be used very well for an alert.
Or better, collect and monitor all your DNS logs, because a DNS request will still go out if the Advanced IP Scanner is run without an installation (portable version).
An excellent opportunity for detection.
3/ You can see the DNS request for the domain www.advanced-ip-scanner[.]com below.
4/ DFIR Tip:
Inside the registry (HKCU\Software\Famatech\advanced_ip_scanner\State) we can find interesting forensic artifacts like the last scanned range. 🕵️♀️
3/ On our specified endpoint on the Internet (with the
-Destination parameter), we can capture incoming SMB connections (again, if SMB is not blocked on the FW):
# tcpdump -i eth0 port 445 -nn
IP X.X.X.20.64516 > 142.93.X.X.445
2/ Hunting for credentials in the PowerShell history is quickly done with @Velocidex Velociraptor.
We can get the file's entire content from the hosts or search specifically for keywords within the file.
3/ The content of this file (the PowerShell history), is not only interesting for searching stored credentials in it but also an excellent forensic artifact.
In the case of a CA, we can specifically search for (older) traces of TAs (Invoke-commands, downloading of tools/code..)
If the Windows App sideloading feature is enabled, users can also install APPX packages not originating not from the Microsoft Store, ideal for distributing malware with these packages 🤯[1],[2]
#QuasarRAT is another RAT we see from time to time in our IR cases and was also used against NATO facilities in March. [1]
We can hunt for
1⃣ The default port within the FW logs
2⃣Mutexes
3⃣User-Agent
4⃣Persistence mechanisms
🧵
2/ @qualys has published an excellent paper ("Stealthy Quasar Evolving to Lead the RAT Race") about Quasar, where the whole builder and much more are described in detail. [2]
3/ In the client builder (which creates an executable which is used for the infection), the default port is pre-configured to 4782.
2/ For our tests, we use the hosted instance of MeshCentral.com, but the management software can also be run on a separate server, controlled by the TA.
After logging into the panel, we can download an agent for different operating systems (Windows, Mac, Linux).
3/ Before the installation or execution of the agent, the server URL is displayed under "Connection Details".
In our example, the agent connects to meshcentral.com, but another domain can be configured when the management server is self-hosted.