```yaml
title: SoftPerfect Network Scanner Execution
id: edr-win-disc-netscan-deployment
status: stable
description: >
  Detects execution of SoftPerfect Network Scanner (netscan.exe) via process name,
  display name, or publisher. This commercial tool has extensive abuse history across
  Akira, Qilin, Chaos, TheGentlemen, and other ransomware operations for network host
  discovery and service enumeration.
references:
  - https://hunt.io/blog/thegentlemen-ransomware-toolkit-russian-proton66-server
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
author: ShroudCloud
date: 2026/04/14
modified: 2026/04/14
tags:
  - attack.discovery
  - attack.t1046
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    - Image|contains: 'netscan'
      Product|contains: 'softperfect'
    - Product|contains: 'SoftPerfect Network Scanner'
    - Product|contains: 'Application for scanning networks'
  condition: selection
falsepositives:
  - Authorized network scanning by IT/security teams
level: medium
```