Upcoming Master ASGARD v2

In the first week of June, we plan to release Master ASGARD v2.

Master ASGARD is an ASGARD variant that connects to and controls an unlimited number of ASGARD servers.

While each ASGARD supports 25,000 connected endpoints, a Master ASGARD server can control a theoretically unlimited number of ASGARD servers and thus an unlimited number of end systems. Until we have confirming performance and system load statistics from our customers' setups, we plan to support installations with up to 500,000 end systems.

With Master ASGARD v2 we will also change the way in which you install Master ASGARD.

From now on an ASGARD platform can be upgraded to a Master ASGARD by installing a special license. You simply upgrade an already installed ASGARD to a Master ASGARD.

Master ASGARD 2 features

  • MISP integration and IOCs triage scans on all connected endpoints
  • Remote Console on all connected endpoints
  • Playbook runs on all connected endpoints
  • Evidence collection from all connected endpoints
  • License management for all connected ASGARDs
  • Key material backup of all connected ASGARDs
  • THOR version management of all connected ASGARDs

Master ASGARD 2 does not support

  • direct upgrade from Master ASGARD version 1
  • the control of ASGARDs running on version 1

Please contact sales@nextron-systems.com for more information on Master ASGARD v2.


Upcoming Changes in THOR v10.5

PE Sieve Integration

With the integration of @hasharezade's PE-sieve project, THOR is able to detect and report a variety of process implants such as replaced or injected portable executables (process hollowing), injected shellcode, hooks and in-memory patches.

Naturally, since @hasharezade's project is open source, this feature will also be available in THOR Lite, the free version of THOR.

Process Dumps

THOR v10.5 creates a process dump of any process that is considered suspicious or malicious.

This process dump can then be analyzed later with standard tools to examine the findings.

To prevent excessive disk space usage, new dumps overwrite old dumps of the same process. THOR also stores the dumps in compressed form and will not generate dumps if less than 5 GB of free disk space is available.

Global Module Lookback

The current "--lookback" option allows you to restrict the Eventlog and log file scan to a given number of days. For example, "--lookback 3" instructs THOR to check only the log entries that have been created in the last 3 days.

We've extended this feature to include all applicable modules, including "FileScan", "Registry", "Services", "Registry Hives" and "EVTX Scan". By setting the flags "--global-lookback --lookback 2" you instruct THOR to scan only elements that have been created or modified during the last 2 days. This reduces the scan duration significantly.

On our test systems, we were able to reduce the scan duration of a full filesystem scan and a lookback of three days to less than 4 minutes.

More Changes

  • Default output files include a timestamp and not just the date
  • Outputs include non-ASCII characters in hex-encoded form (use --ascii to revert to ASCII-only output)
  • The THOR DB "--resume" feature is deactivated by default and has to be activated manually using "--resume", due to the significant performance cost of updating resume states in the THOR DB
  • New --portal* flags allow license generation at runtime using our Nextron portal API
  • New --yara-max-strings-per-rule flag limits the number of matching strings in the output
  • New --nofserrors flag suppresses all error messages regarding access permissions
  • New --scanid-prefix flag allows users to set a custom prefix to identify a group of scans
  • New --print-signatures flag lists the names and metadata of all included YARA and Sigma rules

End-of-Life ASGARD v1 and Master ASGARD v1

Nextron announces the end-of-sale and end-of-life dates for ASGARD version 1 and Master ASGARD version 1. The last day to order the affected product(s) is May 31, 2020. Customers with active service contracts will continue to receive support, as shown below, until June 30, 2021.

End of Life Announcement Date (22.05.2020): The date the document that announces the end-of-sale and end-of-life of a product is distributed to the general public.
End of Sale Date (31.05.2020): The product is no longer for sale after this date.
End of Software Maintenance (31.05.2021): The last date that Nextron may release any final software maintenance releases or bug fixes. After this date, Nextron will no longer develop, repair, maintain, or test the product software.
Last Date of Support (30.06.2021): The last date to receive applicable service and support for the product as entitled by active service contracts or by warranty terms and conditions. After this date, all support services for the product are unavailable, and the product becomes obsolete.

New VALHALLA Features That You Might Have Missed

Rule Info Pages

The new rule info pages allow you to get more information on a certain rule. You can find all the metadata, as well as past rule matches and previous antivirus verdicts.

A second tab contains statistics.

You can also report false positives that you've encountered with that rule using the button in the tab bar.

Note that the rule info lookups in the web GUI are rate limited. If you query rule infos too often, you get blocked.

The rule info pages can be accessed using this URL scheme:

https://valhalla.nextron-systems.com/info/rule/RULE_NAME

For example:

https://valhalla.nextron-systems.com/info/rule/HKTL_Empire_ShellCodeRDI_Dec19_1


Rule Info & Hash Info

The rule info and hash info API endpoints are available only for customers with a valid API key.

The API is not rate limited.

Customers can find information on how to use these end points here.


Automated Tagging

The automated tagging has been extended to include MITRE ATT&CK threat actor group IDs.

Status Includes Version

The status endpoint now includes a version number.

The version number is an integer value generated from the last update timestamp using the format string "%Y%m%d%H". This way it is not just a version number that you can compare with your local last change (e.g. ">="), but also an implicit timestamp with hour granularity.

You can access that endpoint via a POST request (/api/v1/status) or the Python API's "get_status()" function.
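The following Python snippet is an added example, not code from the original post or from Nextron's valhallaAPI package. It shows how a client can work with the version number described above: build it from a timestamp, turn it back into a timestamp, and decide whether a locally cached rule set is stale. The status response is constructed inline (only the "version" field is documented; the "status" field is an assumption), and the timestamp is assumed to be UTC.

```python
"""Working with the VALHALLA status version number.

Added example, not part of the original post or of the valhallaAPI package.
The version is an integer built from the last-update timestamp with the
format string "%Y%m%d%H", so integer comparison orders it like a timestamp
and the timestamp can be recovered from it (to the hour).
"""
from datetime import datetime, timedelta, timezone

VERSION_FORMAT = "%Y%m%d%H"  # format documented for the status endpoint


def version_from_timestamp(ts: datetime) -> int:
    """Build the integer version from a last-update timestamp (minutes dropped)."""
    return int(ts.strftime(VERSION_FORMAT))


def timestamp_from_version(version: int) -> datetime:
    """Recover the hour-granular timestamp behind a version; UTC is an assumption."""
    text = str(version)
    if len(text) != 10 or not text.isdigit():
        raise ValueError(f"not a %Y%m%d%H version: {version!r}")
    return datetime.strptime(text, VERSION_FORMAT).replace(tzinfo=timezone.utc)


def needs_update(local_version: int, status: dict) -> bool:
    """True when the feed version is newer than the locally cached rule set.

    Plain integer comparison is safe because every field is zero-padded to a
    fixed width, so a later timestamp always yields a larger integer.
    """
    return int(status["version"]) > local_version


def age_of_local_rules(local_version: int, now: datetime) -> timedelta:
    """How far the local rule set lags behind 'now' (now must be tz-aware)."""
    return now - timestamp_from_version(local_version)


# Constructed sample response, standing in for POST /api/v1/status or get_status().
SAMPLE_STATUS = {"status": "ok", "version": 2020052214}

if __name__ == "__main__":
    local = 2020052113  # version stored with the last rule download (constructed)
    remote = SAMPLE_STATUS["version"]
    print("feed updated at", timestamp_from_version(remote))
    print("update needed:", needs_update(local, SAMPLE_STATUS))
    print("local rules are", age_of_local_rules(local, timestamp_from_version(remote)), "old")
```

Because the version only has hour resolution, two updates within the same hour produce the same integer; a client that polls more often than hourly should treat "equal" as "possibly changed" rather than "unchanged".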


You can find more information on Valhalla on our web page.

THOR 8 and SPARK End-of-Support

With this blog post we would like to inform you that our End-of-Life (EOL) products THOR 8 and SPARK will reach their End-of-Service-Life (EoSL) on the 31st of October 2020.

From this day onwards, product and signature updates will not be available anymore.

Please consider upgrading to THOR 10, which is available for all relevant platforms and architectures.