From 92e7ff882f080e5b38c3cce26107cd33d72be07f Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sat, 18 Dec 2021 20:00:40 +0100
Subject: [PATCH] Create process_creation_advanced_port_scanner.yml

---
 ...process_creation_advanced_port_scanner.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/process_creation/process_creation_advanced_port_scanner.yml

diff --git a/rules/windows/process_creation/process_creation_advanced_port_scanner.yml b/rules/windows/process_creation/process_creation_advanced_port_scanner.yml
new file mode 100644
index 000000000..e15249766
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_advanced_port_scanner.yml
@@ -0,0 +1,27 @@
+title: Advanced Port Scanner
+id: 54773c5f-f1cc-4703-9126-2f797d96a69d
+status: experimental
+description: Detects the use of Advanced Port Scanner.
+references:
+ - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner
+author: Nasreddine Bencherchali @nas_bench
+date: 2021/12/18
+tags:
+ - attack.discovery
+ - attack.t1046
+ - attack.t1135
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|contains: '\advanced_port_scanner'
+ selection2:
+ CommandLine|contains|all:
+ - '/portable'
+ - '/lng'
+ condition: 1 of them
+falsepositives:
+ - Legitimate administrative use
+ - Tools with similar commandline (very rare)
+level: medium
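Review bot: With `condition: 1 of them`, `selection2` fires on any process whose command line contains both `/portable` and `/lng`, independent of `Image`, so that selection alone carries the rule for a renamed binary while resting on two generic-looking switches; the `description` should say so explicitly so analysts know why a hit without `advanced_port_scanner` in the image path is still expected, e.g. `description: Detects the use of Advanced Port Scanner, either by its default image name or by the "/portable" and "/lng" command line switches, which also cover a renamed binary.`. The `falsepositives` entry "Tools with similar commandline" already hints at this, but the tuning guidance belongs next to the detection logic. If the referenced descriptor documents a more specific form of those switches, tightening `selection2` to that form would reduce the chance of a collision with unrelated portable tools; I cannot confirm that from the hunk. The whole new file is visible in this hunk.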