Tip
There are a number of network scanning and profiling tools available online that are designed to help administrators and IT professionals with tasks such as discovering and mapping network devices, performing detailed scans of IP addresses and open ports, and querying network services like Active Directory.
Important
Malicious adversaries leverage these network management tools to perform reconnaissance and gather detailed information about a target network. They can use these tools to identify active devices, open ports, and vulnerabilities, which could then be exploited to gain entry. Additionally, querying tools for active directory services could allow them to harvest sensitive information about users, groups, and permissions, facilitating targeted attacks or insider threats. Essentially, these tools, while valuable for legitimate network management, can be misused to map out and exploit network infrastructures for nefarious purposes.
| Tool Name | Threat Group Usage |
|---|---|
| ADExplorer | Lapsus$, Scattered Spider* |
| ADRecon | Scattered Spider*, DarkSide, PYSA, BlackCat, Cicada3301, Storm-0501 |
| AdFind | MAZE, BlackSuit, Royal, PLAY, LockBit, Conti, Dagon Locker, Nokoyawa, Quantum, Diavol, XingLocker, REvil, Ryuk, NetWalker, INC Ransom, Black Basta, Yanluowang, DarkSide, Lockean*, FiveHands |
| Advanced IP Scanner | MAZE, BlackSuit, Royal, Akira, LockBit, Diavol, GoGoogle, INC Ransom, Hive, Zola, DarkSide, PYSA, Vice Society, FiveHands |
| Advanced Port Scanner | LockBit, BianLian, PYSA, Trigona, EvilCorp*, Fog, Scattered Spider*, RagnarLocker, Vice Society |
| Angry IP Scanner | Phobos, RansomHub |
| AWS Systems Manager Inventory | Scattered Spider* |
| Bloodhound | MAZE, LockBit, Conti, XingLocker, REvil, Hive, Black Basta, Lockean*, FiveHands |
| Cent Browser | Yanluowang |
| Dsquery | RagnarLocker |
| Lansweeper | EvilCorp* |
| Nbtscan | Dagon Locker |
| NirSoft WinLister | AvosLocker |
| Nmap | Qilin, Cactus, AvosLocker, RansomHub |
| Nping | Qilin |
| ManageEngine LANDESK | Scattered Spider* |
| Masscan | Akira, BlackCat |
| ossec-win32 | Storm-0501 |
| OSQuery | Storm-0501 |
| PDQ Inventory | Scattered Spider* |
| PingCastle | MAZE, BianLian, Scattered Spider* |
| PowerView | MAZE, Conti, XingLocker, Rhysida, BlackByte, Black Basta, Cicada3301 |
| PsInfo | RagnarLocker |
| PSNmap | Black Basta |
| ReconFTW | Akira |
| RustScan | Scattered Spider* |
| RVTools | Scattered Spider* |
| S3 Browser | FiveHands, Yanluowang |
| Seatbelt | LockBit, Conti, Dagon Locker |
| SharpHound | Scattered Spider*, Akira, BlackSuit |
| ShareFinder | MAZE, Conti, Dagon Locker, Diavol, XingLocker |
| SharpShares | BlackSuit, Royal, BianLian, Fog |
| SharpView | Conti |
| SoftPerfect LanSearchPro | RagnarLocker |
| SoftPerfect NetScan | BlackSuit, Royal, Black Basta, Akira, LockBit, BianLian, Conti, BlackCat, Dagon Locker, Nokoyawa, Trigona, Hive, BlackByte, RansomHub, Cactus, Fog, Medusa, Avaddon, AvosLocker, FiveHands, Yanluowang, MONTI, DarkSide, Everest, Cicada3301 |
| TXPortMap | *Prophet Spider |
| VMware PowerCLI | Scattered Spider* |