Visit the New Online Manuals

We’ve converted all our PDF based user manuals into shiny new online version.

The new online version are hosted on Github and converted into web pages with the help of ReadTheDocs. 

This way we can update them with new information much faster than before and allow anyone to share and access them. 

 

 

We’ve added links to the user manuals to every product page and the footer of this website. The links in the customer portal have also been updated.

You can find the new manuals here:

We’ll replace the PDF manuals in the installation packages as soon as possible. Please let us know if you can still find outdated manuals anywhere in new update or download packages.

Use YARA math Module Extension in THOR TechPreview and THOR Lite

Not long ago, we’ve created a pull request for the official YARA repository on Github, that would introduce new functions in the `math` module to improve the flexibility in cases in which a sample is heavily scrambled or obfuscated. These cases require further statistical evaluations that go beyond the currently available “entropy”, “mean” or “deviation” functions.

The example on the right shows a heavily obfuscated PHP web shell, as used by a Chinese actor. 

You immediately notice the high amount of “%” characters, but since each of them is preceded and followed by different characters, it’s difficult to find atoms that are long enough to maintain an acceptable performance / stability of that rule. 

 

If you could, you would formulate a rule like this: “Detect files smaller 400 bytes, that begin with ‘<?’ and consist of at least 25 percent ‘%’ characters”. 

Well, the new module extension allows you to do exactly that.

Read the documentation provided with the pull request for details on all three new functions:

  • count(byte/string, offset, size)
  • percentage(byte, offset, size)
  • mode(offset, size)

While the first two functions are self-explanatory, the “mode” function isn’t. It is is a term used in statistics for the most common value.

For your convenience, we’ve already patched our versions of THOR TechPreview and THOR Lite to support these extensions of the “math” module. You need at least v10.6.6 to use the new function in your rules. 

We wish you good hunting. 

THOR 10.6.8 TechPreview with ETW Watcher to Detect CobaltStrike Beacons

THOR TechPreview version 10.6.8 will introduce a completely new module named ETW Watcher, which runs in a separate thread and monitors the systems during a scan run. As its name indicates, the ETW Watcher module makes use of Event Tracing for Windows (ETW). 

So, whenever you start a scan run on an end system, one thread performs all the usual checks while another thread analyses certain event channels and correlates events to detect malicious activity.

Consider it an agent-less, portable, short term EDR. 

The first task of this new module is the detection of C2 beaconing activity as e.g. used in attacks that utilize Cobalt Strike.

The following screenshots show messages created by the ETW Watcher module. Since all of our modules apply a so called message enrichment, you’ll also notice further messages before and after the highlighted events. These additional messages are generated during the enrichment of the original event.

“Enrichment” means that we add additional information to the original event – e.g. if a file path is given in the original message, THOR tries to find that file, scans it using the “FileScan” module and adds information to the original event. The same is true for process ID values. This adds as much meta data as possible and helps analysts to assess the event as quickly and easily as possible.  

The example above shows a beacon detection that mentions a process named “fnord.exe” frequently calling out to 10.0.2.15 via HTTP and TCP. Message enrichment shows the result of a file scan above (red alert message; appears before the actual event because the enrichment happens before the message composition). 

The next example shows the result of a “hashdump” command sent to the beacon. It causes the beacon to open a handle to the LSASS process memory, which THOR detects and reports as a Warning level message.

The next example shows a privilege escalation attempt performed by that same beacon. 

The ETW Watcher module will be integrated in THOR TechPreview version 10.6.8 and only is available on Windows. It will not be available in THOR Lite and THOR 10.5. 

Analyze VMware ESX Systems with THOR Thunderstorm

Since the release of THOR Thunderstorm in the summer of 2020, our customers used it to analyse a variety of systems that are usually considered as “out of scope”. In some cases the EULA prevents the installation of Antivirus scanners or EDR agents. In other cases the used platforms are simply outdated, customised or unsupported. 

A use case that we would like to highlight in this blog post is the analysis of VMWare ESXi systems.

In the past, our customers frequently asked if the Linux version of THOR would run on Photon OS used by ESX/ESXi. The need to analyse these systems is well justified. ESX/ESXi systems and the services running on these systems have vulnerabilities and are definitely in scope of an attack. Therefore they should also be in the scope of a compromise assessment.    

 However, VMware writes on its website:

With THOR Thunderstorm, we can simply copy the thunderstorm-collector.sh bash script to an ESXi appliance and start the collection to a THOR Thunderstorm service running in a local network.

Using a blank Debian system and the installer script, this only takes a few minutes.

In our case, we simply watched the log file written by THOR Thunderstorm with “tail -f” for incoming alert messages to showcase the use case for our customer. By default, the collector submits all files created or modified during the last 14 days and smaller 2 MB.

In our demo, we’ve detected a webshell named “shell.jsp” in the “/tmp” folder and a command that indicates a back connect shell using Linux sockets in the “.bash_history” of the root account. 

You can add the collector script run to the local crontab or execute it using Ansible to perform frequent collection runs once a day. 

If you’re interested in a test setup, please contact us using the “Get Started” button. 

End-of-Life ASGARD Analysis Cockpit Version 2

Nextron announces the end-of-sale and end-of-life dates for the ASGARD Analysis Cockpit version 2. Customers with active service contracts will continue to receive support until June 30, 2022, as shown in the table below.

End of Life Announcement Date The date the document that announces the end-of-sale and end-of-life of a product is distributed to the general public. 06.05.2021
End of Sale Date The product is no longer for sale after this date. 30.04.2021
End of Software Maintenance The last date that Nextron may release any final software maintenance releases or bug fixes. After this date, Nextron will no longer develop, repair, maintain, or test the product software. 31.05.2022
Last Date of Support The last date to receive applicable service and support for the product as entitled by active service contracts or by warranty terms and conditions. After this date, all support services for the product are unavailable, and the product becomes obsolete. 30.06.2022