ASGARD 2.14 Release

by Nov 3, 2022

We’ve just released the new ASGARD Management Center version 2.14 with important new features. This blog post lists the most important changes in dedicated chapters. The whole change log can be found at the end of the article. 

Broker Network

The Broker Network allows you to proxy connections to an ASGARD through a so-called Broker.

The Broker is a hardened connection proxy that brokers connections to an ASGARD Management Center. Brokers can be exposed to the Internet and allow users to roam between the corporate network and their home network without the need for a permanent VPN connection. They can also load balance connections. 

Two more components are required to maintain a Broker Network: a Gatekeeper and a Lobby.

The Gatekeeper is an application layer firewall that filters malformed or unverifiable requests. The Lobby is a dedicated system to manage and accept new requests from as yet unverified agents.

The use of the new Broker Network and its components is optional and requires a so-called “Broker License”. Please contact us for more details.

ASGARD Query Language

The new ASGARD query language allows you to filter the list of assets based on complex conditions.

It can also be used to select targets for scans or other tasks. 

Advanced Target Selection

Currently, the target selection only allows the selection of target groups based on their label. All target groups are combined with a logical OR. 

The new target selection allows you to include and exclude groups of assets based on their tags. 

E.g., you can now create a job that runs on all systems with the tag “linux” and exclude all systems with the tag “munich”. You can also combine them with a logical AND and instruct ASGARD to run tasks only on systems that have e.g. the labels “windows” AND “berlin”.

The result of this change is that you no longer need to label everything you want to select as a target.

New Maintenance Tasks

New predefined tasks allow you to reconfigure or move an agent from one ASGARD Management Center to another one. 

 

Other Important Changes and Improvements

  • Repeated installation of ASGARD agents will not cause duplicate assets
  • Manual deletion of assets from Asset View
  • Multiple UI improvements
  • The new ASGARD agent will no longer send its agent log via syslog by default. This has to be enabled individually.

Full Change Log

  • Feature: Broker Network support
  • Feature: Search and select assets with queries, e.g. ‘hostname ends with “-dev” OR labels = “dev”’
  • Feature: Optionally create group tasks with an asset query instead of labels
  • Feature: The agent config can now be maintained from ASGARD, e.g. change proxy settings
  • Feature: Move agent to a different ASGARD
  • Feature: Automatically resume THOR scans that have been terminated due to shutdown signals (e.g. on reboot)
  • Feature: Added a lot of new ASGARD features to Master ASGARD, e.g. manage and download agent installers, manage Broker Network
  • Feature: Allow deletion of assets
  • Feature: Delete agent installers
  • Feature: Added diagnostic checks to diagnostic download packs
  • Feature: Support unix filepath format in playbooks for Windows targets
  • Feature: Detect assets that run with same key material, e.g. cloned assets
  • Feature: Forward THOR and Aurora events via rsyslog
  • Feature: Migrate key material from old agent config on agent re-installation
  • Feature: Added more columns in some tables, e.g. ‘creator’ in service configurations or ‘active since’ in services
  • Feature: Download ASGARD users as CSV
  • Feature: Set description for remote consoles
  • Feature: New default playbook “Collect Agent Log” (requires an agent update)
  • Feature: Bulk task / scan creation
  • Change: Require min. TLS 1.3 for all agent connections. To disable min. TLS 1.3, set “LegacyTLS=1” in the ASGARD config file.
  • Change: Disable “Add and activate” button for “Add group task”, if “Scheduled start” is set
  • Change: Allow “--nohtml” flag for THOR
  • Change: Set scan status to error if THOR scan result does not contain ‘THOR scan finished’ message
  • Change: Collect stdout/stderr at the end of each playbook step instead of streaming it directly to ASGARD
  • Change: Automatically set THOR’s max runtime to unlimited and removed THOR’s max runtime argument from THOR flag list
  • Change: Ignore deprecated sigma rules
  • Change: Improved compression level of some generated zip files
  • Change: Allow stopping group tasks without starting them
  • Change: Improved diagnostics for synchronization with Analysis Cockpit
  • Change: Disabled syslog debug log on agents by default, added option to agent installer to enable syslog
  • Change: Added key usage and SAN to self-signed TLS certificate for UI on installation
  • Bugfix: Security fixes
  • Bugfix: Fixed missing ‘Default response mode’ in Sigma ruleset details
  • Bugfix: Fixed some missing Aurora flags
  • Bugfix: Fixed non-working save button for global Sigma false positive filter list
  • Bugfix: Fixed NaN when removing the score of an IOC
  • Bugfix: Fixed a bug in event caching in offline mode of Aurora Agent and LogWatcher
  • Bugfix: Fixed ‘Windows 11’ detected as ‘Windows 10’
  • Bugfix: Fixed missing LastLogon date in local users table
  • Bugfix: Disable deletion of one’s own user
  • Bugfix: Added “x86_64” in addition to “amd64” for agent installer rpm packages to support older yum/rpm
  • Bugfix: Fixed wrong YARA rule count after uploading YARA rules
  • Bugfix: Fixed “in a few seconds” last seen timestamps caused by either a wrong server or browser clock
  • Bugfix: Removed some Aurora and Sigma error messages in ASGARD log after fresh installation
  • Bugfix: Removed a race condition between automatic and manual update checks that may cause corrupt product version numbers
  • Bugfix: Fixed missing “enabled/disabled service” history entries on ASGARDs that are connected to a Master ASGARD
  • Bugfix: Fixed corrupt network interfaces search in asset table for new assets that had no interrogate job yet
  • Bugfix: Fixed a bug in motd config that causes some error messages after a fresh installation
  • Bugfix: Removed c2 file name prefix from some compiled custom signatures
  • Bugfix: Fixed non-working obfuscated agent for AIX

About the author:

Florian Roth

Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.
