Request to add two plugins: advanced_ip_scanner.pl and advanced_ip_scanner_tln.pl#74
Open
dfir-scripts wants to merge 1 commit into
Summary
This pull request adds two new plugins for extracting artifacts left by Advanced IP Scanner, which is widely used by ransomware operators and other threat actors.
(Conti, DarkSide/UNC2465, REvil, Ryuk/UNC1878, Egregor, Hades/EvilCorp, Dharma)
AIS is used for internal reconnaissance (MITRE ATT&CK T1046 / T1595).
Reference: https://www.huntandhackett.com/blog/advanced-ip-scanner-the-preferred-scanner-in-the-apt-toolbox
Hive: NTUSER.DAT
What the plugins do:
advanced_ip_scanner.pl:
Full-detail plugin that extracts:
Locale (language)
First-execution timestamp
Scan result display filters (show_alive, show_dead, show_unknown)
Last IP range scanned (LastRangeUsed)
Full scan history with scan-frequency counts (IpRangesMruList)
IP address search history (SearchMruList)
Last active tab on close (LastActiveTab)
Last update-check timestamp (CheckUpdates\LastCheck, Qt @datetime format)
Registry key LastWrite timestamps for temporal analysis
Registry path:
HKCU\Software\Famatech\advanced_ip_scanner
advanced_ip_scanner_tln.pl:
Companion TLN plugin. Emits a single timeline line per hive in the standard epoch|REG|||description format, with artifacts separated by semicolons (;).
Tested on RegRipper 3.0 (Windows and Linux) and RegRipper 4.0 (Windows).
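As an added illustration, not code from this pull request or from RegRipper, the following Python builds the TLN line described above from already-decoded values: the key LastWrite FILETIME, the IpRangesMruList entries and the SearchMruList entries are constructed sample data, and decoding the raw registry value layouts is outside the example.

```python
from collections import Counter

# Offset between the Windows FILETIME epoch (1601-01-01) and the Unix epoch
# (1970-01-01), expressed in 100-nanosecond ticks.
_FILETIME_TO_UNIX = 116444736000000000


def filetime_to_epoch(filetime):
    """Convert a 64-bit Windows FILETIME (e.g. a key LastWrite) to Unix seconds."""
    return (filetime - _FILETIME_TO_UNIX) // 10_000_000


def scan_frequency(ip_ranges):
    """Count how many times each range appears in the decoded MRU list,
    most frequently scanned first."""
    return Counter(ip_ranges).most_common()


def describe_artifacts(last_range, ip_ranges, search_terms):
    """Join the Advanced IP Scanner artifacts into one ';'-separated description."""
    history = ", ".join(f"{r} (x{n})" for r, n in scan_frequency(ip_ranges)) or "none"
    searches = ", ".join(search_terms) or "none"
    return (f"Advanced IP Scanner LastRangeUsed: {last_range}; "
            f"IpRangesMruList: {history}; SearchMruList: {searches}")


def tln_line(lastwrite_filetime, last_range, ip_ranges, search_terms):
    """Emit one TLN record, epoch|REG|||description, keyed on the key LastWrite time.
    Host and user fields are left empty, matching the format quoted in the PR."""
    epoch = filetime_to_epoch(lastwrite_filetime)
    return f"{epoch}|REG|||{describe_artifacts(last_range, ip_ranges, search_terms)}"


# Constructed sample values (hypothetical, not taken from a real hive).
SAMPLE_LASTWRITE = 132657264000000000          # 2021-05-17 12:00:00 UTC as FILETIME
SAMPLE_LAST_RANGE = "10.0.0.1-10.0.0.254"
SAMPLE_RANGES = ["10.0.0.1-10.0.0.254",
                 "192.168.10.1-192.168.10.254",
                 "10.0.0.1-10.0.0.254"]
SAMPLE_SEARCHES = ["10.0.0.5"]

if __name__ == "__main__":
    print(tln_line(SAMPLE_LASTWRITE, SAMPLE_LAST_RANGE, SAMPLE_RANGES, SAMPLE_SEARCHES))
```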