This section describes the traces that are created during usage of the AIS tool and more specifically, the Windows registry keys that are being created. Forensic tracesĪIS leaves traces on a host system when it is executed. The fact that there is a portable version of Advanced IP Scanner, that it has a GUI and that the tool supports a variety of ways to interact with identified systems probably contributes to it popularity. If enabled, this provides the user with functionality to remotely boot a system. (Re)boot/ Wake-On-Lan : the user can boot / reboot a system if the user is authorized to do so, or can send Wake-On-Lan (WOL) packages to a system.Remote connections : connect to the corresponding IP address via HTTP, HTTPS, FTP, RDP, or RADMIN (only works if RADMIN is installed).Tools : provide functionality to ping an IP, perform a Tracert, or connect with Telnet / SSH.IP scanning : scan the given range for systems that are alive, or dead.From a high-level perspective, AIS provides the user with the following functionality: ĪIS is a simple and user-friendly IP scanner, which provides the end user with a concise overview of the systems found in the network. After the installation / execution of AIS, the end user is presented with an overview as shown in Figure 1. Furthermore, this blogpost provides some pointers related to detecting Advanced IP Scanner.Īdvanced IP Scanner (AIS) is freely available online 1 and can be executed as an installer and as a portable version. The artefacts might be useful during an investigation, and can shine some (minor) light on threat actors’ activities. This small write-up focuses on some of the forensic traces left by AIS that Hunt & Hackett observed during Incident Response cases. Groups that have (had) used Advanced IP Scanner include: This has not only been observed by Hunt & Hackett, but also by other incident response parties. During these targeted ransomware cases, ‘Advanced IP Scanner’ (AIS) 1 was regularly used as reconnaissance tool for Active Scanning ( T1595) and Network Service Scanning ( T1046). Hunt & Hackett has been working on a wide variety of targeted ransomware cases.
0 kommentar(er)
