Upcoming Master ASGARD v2
In the first week of June, we plan to release Master ASGARD v2.
Master ASGARD is an ASGARD version that is able to connect to and control an unlimited number of ASGARD servers.
While each ASGARD supports 25,000 connected endpoints, a Master ASGARD server can control an theoretically unlimited amount of ASGARD servers and thus an unlimited amount of end systems. We plan to support installations with up to 500,000 end systems until we get confirming performance and system load statistics from our customers’ setups.
With Master ASGARD v2 we will also change the way in which you install Master ASGARD.
From now on the ASGARD platform can be upgraded to a Master ASGARD by the installation of special license. You simply upgrade an already installed ASGARD to a Master ASGARD.
Master ASGARD 2 features
- MISP integration and IOCs triage scans on all connected endpoints
- Remote Console on all connected endpoints
- Playbook runs on all connected endpoints
- Evidence collection from all connected endpoints
- License management for all connected ASGARDs
- Key material backup of all connected ASGARDs
- THOR version management of all connected ASGARDs
Master ASGARD 2 does not support
- direct upgrade from Master ASGARD version 1
- the control of ASGARDs running on version 1
Please contact sales@nextron-systems.com for more information on Master ASGARD v2.
Upcoming Changes in THOR v10.5
PE Sieve Integration
With the integration of @hasharezade‘s PE Sieve project THOR is able to detect and report a variety of process implants like replaced or injected portable executables (process hollowing), injected shellcodes, hooks and in-memory patches.
Naturally, since @hasharezade’s project is an open source project, this feature will also be available in THOR Lite, the free version of THOR.
Process Dumps
THOR v10.5 creates a process dump of any process that is considered suspicious or malicious.
This process dump can then be analyzed with standard tools later to examine the findings.
To prevent excessive disk space usage, new dumps overwrite old dumps of the same process. Also, THOR stores the dumps in a compressed form and will not generate dumps if less than 5 GB disk space is available.
Global Module Lookback
The current “–lookback” option allows you to restrict the Eventlog and log file scan to a given amount of days. E.g. by using “–lookback 3” you instruct THOR to check only the log entries that have been created in the last 3 days.
We’ve extended this feature to include all applicable modules, including “FileScan”, “Registry”, “Services”, “Registry Hives” and “EVTX Scan”. By setting the flags “–global-lookback –lookback 2” you instruct THOR to scan only elements that have been created or modified during the last 2 days. This reduces the scan duration significantly.
On our test systems, we were able to reduce the scan duration of a full filesystem scan and a lookback of three days to less than 4 minutes.
LNK File Parser
The link file parser module processes .lnk files, extracts relevant data and gathers more information on the linked contents. It also applies the anomaly detection methods to its contents to allow the detection of unknown threats.
More Changes
- Default output files include a timestamp and not just the date
- Outputs include non-ASCII characters in a hex encoded form (use –ascii to revert to ASCII only output)
- THOR DBs “–resume” feature is deactivated by default and has to be manually activated using “–resume” due to significant performance implications caused by updating resume states in THOR DB
- New –portal* flags allow the licenses generation at runtime using our Netxron portal API
- New –yara-max-strings-per-rule flag limits the output of matching strings
- New –nofserrors flag suppresses all error messages regarding access permissions
- New –scanid-prefix allows users to set a custom prefix to allow the identification of group of scans
- New –print-signatures flag lists names and meta data of all included YARA and Sigma rules
End-of-Life ASGARD v1 and Master ASGARD v1
Nextron announces the end-of-sale and end-of-life dates for the ASGARD version 1 and Master ASGARD version 1. The last day to order the affected product(s) is May 31, 2020. Customers with active service contracts will continue to receive support as shown until June 30, 2021.
| End of Life Announcement Date | The date the document that announces the end-of-sale and end-of-life of a product is distributed to the general public. | 22.05.2020 |
| End of Sale Date | The product is no longer for sale after this date. | 31.05.2020 |
| End of Software Maintenance | The last date that Nextron may release any final software maintenance releases or bug fixes. After this date, Nextron will no longer develop, repair, maintain, or test the product software. | 31.05.2021 |
| Last Date of Support | The last date to receive applicable service and support for the product as entitled by active service contracts or by warranty terms and conditions. After this date, all support services for the product are unavailable, and the product becomes obsolete. | 31.06.2021 |
New VALHALLA Features That You Might Have Missed
Rule Info Pages
The new rule info pages allow you to get more information on a certain rule. You can find all the meta data, as well as past rule matches and previous antivirus verdicts.
A second tab contains statistics.
You can also report false positives that you’ve encountered with that rule using the button in the tab bar.
Note that the rule info lookups in the web GUI are rate limited. If you query rule infos too often, you get blocked.
The rule info pages can be access using this URL scheme:
https://valhalla.nextron-systems.com/info/rule/RULE_NAME
For example:
https://valhalla.nextron-systems.com/info/rule/HKTL_Empire_ShellCodeRDI_Dec19_1
Automated Tagging
The automated tagging has been extended to included MITRE ATT&CK threat actor group IDs.
Status Includes Version
The status endpoint now includes a version number.
The version number is an integer value generated from the last update timestamp using a format string “%Y%m%d%H”. This way it is not just a version number that you can compare with you local last change (e.g. “>=”) but also an implicit timestamp.
You can access that endpoint via POST request (/api/v1/status) or Python API’s “get_status()” function.
You can find more information on Valhalla on our web page.