
New Target - SoftPerfect Network Scanner 'Netscan' #998

Merged
merged 2 commits into from
Nov 29, 2024

Conversation

cert-cwatch
Contributor

Description

This target will fetch the default output of the network scanning tool "Netscan".
This tool is frequently observed in cases where threat actors neglect to delete its output.

Since this file contains valuable information, such as previously compromised hosts and the credentials used, it enables us to rapidly identify the compromised scope.

Checklist:

  • I have generated a unique GUID for my Target(s)/Module(s)
  • I have placed the Target(s)/Module(s) in an appropriate subfolder in Targets or Modules. If one doesn't exist, I have either added it to the Misc folder or created a relevant subfolder with justification
  • I have set or updated the version of my Target(s)/Module(s)
  • I have verified that KAPE parses the Target(s)/Module(s) successfully via kape.exe, using --tlist/--mlist and corrected any errors
  • I have validated my Target(s)/Module(s) against test data and verified they are working as intended
  • I have made an attempt to document the artifacts within the Target(s) or Module(s) I am submitting. If documentation doesn't exist, I have placed N/A underneath the Documentation header
  • For Targets, I have consulted either the Target Guide, Target Template, Compound Target Guide, or Compound Target Template to ensure my Target(s) follow the same format

@AndrewRathbun AndrewRathbun self-assigned this Nov 29, 2024
@AndrewRathbun
Collaborator

Thoughts on adding C:\Users\%user%\AppData\Roaming\SoftPerfect Network Scanner\netscan.xml to the Target? I use it legitimately and this is where netscan.xml resides @cert-cwatch

@cert-cwatch
Contributor Author

cert-cwatch commented Nov 29, 2024

We've come across numerous cases where threat actors simply drop a portable Netscan tool into any accessible folder, such as ProgramData, Perflogs, Music, Documents, Downloads, and so on.

I think it would be more efficient to search for this file recursively across the filesystem, considering its potential spread.


Another question:
Using a KAPE target, is there a way to search for files based on specific regex patterns within directories that also match specific regex criteria?

For example, an attacker might rename the netscan.xml file to something else. To mitigate this, it would be useful to locate any .xml files within folders whose names contain "Netscan" or "SoftPerfect."

Essentially, the search pattern would look something like this:
C:/.../*Netscan*/ *.xml applied recursively across the filesystem.

Let me know if this is feasible or if there’s a workaround!
@AndrewRathbun

@AndrewRathbun
Collaborator

Honestly, great question! I am unsure if regex can be leveraged within Path:, but I know it can for FileMask:. This would be a good question for @EricZimmerman

@EricZimmerman
Owner

no, not path, just the filename.

if you want recursive, it's gonna be a walk of everything

OR you pull the MFT via kape and then look thru the csv
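The MFT-CSV pivot suggested above, as an added example that is not part of the KAPE Targets repository, KAPE or MFTECmd: a Python hunt over an MFTECmd-style $MFT CSV export that applies both the exact-filename match a KAPE FileMask: can express and the "any .xml under a folder named Netscan/SoftPerfect" condition asked about earlier, which Path: cannot. The column names ParentPath, FileName and InUse are assumed to match MFTECmd's $MFT output (check your export's header); the sample rows are constructed for the example, not a real export. Because the MFT still carries records for deleted files, a deleted netscan.xml shows up with InUse False.

```python
"""Hunt an MFTECmd-style $MFT CSV export for SoftPerfect Network Scanner output.

Added example for this discussion; not code from the KAPE Targets repo or MFTECmd.
Column names are an assumption about MFTECmd's $MFT CSV: adjust if your export differs.
"""
import csv
import io
import re
from typing import Dict, List, Optional

# Assumed MFTECmd column names (verify against the header of your own export).
COL_PARENT = "ParentPath"
COL_NAME = "FileName"
COL_INUSE = "InUse"

# 1) Exact default output name: the case a KAPE Target FileMask: already covers.
DEFAULT_NAME_RE = re.compile(r"^netscan\.xml$", re.IGNORECASE)
# 2) Any .xml sitting under a directory whose name mentions Netscan or SoftPerfect:
#    the directory-name condition a KAPE Path: cannot express, so we do it on the MFT.
DIR_HINT_RE = re.compile(r"(netscan|softperfect)", re.IGNORECASE)
XML_RE = re.compile(r"\.xml$", re.IGNORECASE)


def classify(parent_path: str, file_name: str) -> Optional[str]:
    """Return why this MFT record is interesting, or None if it is not."""
    if DEFAULT_NAME_RE.match(file_name):
        return "default-name"
    # ParentPath looks like '.\Users\bob\AppData\Roaming\SoftPerfect Network Scanner'
    parts = parent_path.replace("/", "\\").split("\\")
    if XML_RE.search(file_name) and any(DIR_HINT_RE.search(p) for p in parts):
        return "xml-in-named-dir"
    return None


def hunt(csv_text: str) -> List[Dict[str, str]]:
    """Scan every row of the CSV export and collect matching records."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reason = classify(row.get(COL_PARENT, ""), row.get(COL_NAME, ""))
        if reason:
            hits.append({
                "path": row.get(COL_PARENT, "") + "\\" + row.get(COL_NAME, ""),
                "reason": reason,
                "in_use": row.get(COL_INUSE, ""),  # "False" = deleted, still in $MFT
            })
    return hits


# Constructed sample rows shaped like an MFTECmd $MFT export (not real data).
SAMPLE_CSV = r"""EntryNumber,InUse,ParentPath,FileName,Extension,IsDirectory
101,True,.\Users\bob\AppData\Roaming\SoftPerfect Network Scanner,netscan.xml,.xml,False
102,True,.\ProgramData\tools,netscan.exe,.exe,False
103,True,.\ProgramData\Netscan,results.xml,.xml,False
104,False,.\PerfLogs,netscan.xml,.xml,False
105,True,.\Users\bob\Music\NetScan_portable,ns.xml,.xml,False
106,True,.\Windows\System32,config.xml,.xml,False
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_CSV):
        print(f"{hit['reason']:18} in_use={hit['in_use']:5} {hit['path']}")
```

On real data, point hunt() at the $MFT CSV produced by the MFTECmd module after a KAPE MFT collection; the deleted record (InUse False) is the one a live filesystem walk would never see, and any hit outside the default Roaming path is a candidate for the "dropped anywhere" pattern described above.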

@EricZimmerman
Owner

another pivot is prefetch, and narrowing down the path from there

@cert-cwatch
Contributor Author

Thank you for your response.
I agree that searching for specific .xml files via the MFT / Prefetch is the better approach for our questions.

Can we at least merge to implement the search specifically for the netscan.xml file?

@EricZimmerman
Owner

yea @AndrewRathbun can verify that all looks good

@AndrewRathbun AndrewRathbun merged commit 069d57b into EricZimmerman:master Nov 29, 2024
2 checks passed