Feature: SPARK Sample Quarantine via Bifrost

by Aug 20, 2018

The new SPARK v1.14.16 supports the sample quarantine protocol named Bifrost.

With Bifrost you’re able to send suspicious samples that THOR or SPARK  detect on endpoints directly to a central server for analysis.

A Bifrost server is shipped in form of a Python script with THOR and SPARK. (./tools sub folder)
You can also activate the Bifrost server on our ASGARD platform.

All samples that have a score higher than the given limit are dropped into a given directory and are available for further post-processing – e.g. drop them into a sandbox or static analysis.

About the author:

Florian Roth

Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.

Newsletter

New blog posts
(~1 email/month)

GDPR Cookie Consent with Real Cookie Banner