Mjolnir Security: Blue Team Incident Response Training

Our partner Mjolnir Security offers a training named “Blue Team Incident Response Training” from the 19th to the 23rd of September.

It’s 3.5 hours a day, starting at 4:00 pm and finishing at 7:30 pm Eastern time. Each session will be recorded, so you’ll also be able to catch up on anything you’ve missed.

On day 4 you’ll learn how to write YARA rules and use the full potential of the THOR scanner together with ASGARD Management Center, our centralized management platform for easy scan management, incident response features and much more.

An analysis of the findings with our Analysis Cockpit is demonstrated as well as part of the training.

It’s a great opportunity to see a combination of our enterprise-grade tools working seamlessly together, allowing you to get hands-on experience and a clear picture of what a full deployment looks like.

As a THOR Lite subscriber you can get a 30% discount on the training. In order to benefit from this discount, use the following discount code on checkout: NextronThorLite

Or use the direct link: https://www.eventbrite.ca/e/393153361287/?discount=NextronThorLite

Existing Nextron customers can even get a 50% discount. Please contact us for details.
The training is free for law enforcement and government agencies. We provide a contact method for these agencies so they can benefit from this offer.

Registration URL: https://www.eventbrite.ca/e/blue-team-incident-response-training-tickets-393153361287

Training Organizer: training@mjolnirsecurity.com

Antivirus Event Analysis Cheat Sheet v1.10.0

We’ve updated our Antivirus Event Analysis Cheat Sheet to version 1.10.0.

  • Updates in several sections
  • New special identifiers for Sliver and Brute Ratel C4 framework implants
  • Many new tags for VirusTotal assessments

You can download the new version here.

Tip: to always find the newest version of the cheat sheet, use this search query.

Changes:

THOR TechPreview 10.7.3 Features

THOR TechPreview version 10.7.3 has been released.

  • Parsing of email formats .eml / .msg to scan the attachments (RFC 6532)
  • Archive scan improved to include .cab, .7z and .gzip
  • Archive scan improved to scan nested archives recursively
  • Bulk scanning improvements to further improve the scan speed
  • HTML report generation refactoring – much lower memory usage, lower CPU load during generation
  • Internal YARA rule set refactoring (using one big set and different name spaces to improve performance)
  • Internal refactoring to make use of a unified memory mapping of files to improve performance

The TechPreview version 10.7 can be downloaded from our customer portal or by using thor-util.

New Analysis Cockpit 3.5

New Baselining Views

Over the course of the last 18 months we reviewed most of our detections regarding their success in real-world scenarios. In this context “success” means that the detection uncovered malicious activity in the wild and at the same time had a low anomaly and false positive rate. Additionally, we also consider a detection successful if it caused little or no false positives or anomalies.

All this led to two new views within the Cockpit’s Baselining section: “Compromise Assessment Mode” and “Deep Inspection Mode”.

“Compromise Assessment Mode” includes only matches of the highly successful rules. The second mode is the “Deep Inspection Mode”. This view is basically the old default view: it shows all Alerts and Warnings unless they are already part of an existing case.

This new “Compromise Assessment Mode” dramatically reduces our customers’ baselining effort.

In our tests we noticed a decrease of events in the Baselining section of more than 90%. We believe that especially entities that follow our “Continuous Compromise Assessment” approach should switch to this new mode. We’ve also challenged the new mode with the post-exploitation tools and techniques found in the context of the HAFNIUM / Exchange exploitations in March 2021, and the new view covered almost every aspect of the attacks.

Asset Labels

Another exciting new feature that comes with Analysis Cockpit version 3.5 is an event filter based on asset labels. This was requested by many of our customers and partners, but until now we never found a way to deliver this feature without negatively affecting the Cockpit’s performance. We solved this by accepting two limitations. First, the filter doesn’t work for events that existed prior to the update. Second, an event always remains linked to the asset label it had at the time the event occurred: changing an asset’s label only affects events from scans that take place after the label change.

Other Changes

  • Hidden static filters in certain views
  • Minor bugfixes and stability improvements

Release

The new Analysis Cockpit will be released in the 2nd half of August. Interested customers can request a guide to using the “preprod” version of Analysis Cockpit 3.5.

Follina CVE-2022-30190 Detection with THOR and Aurora

The Follina 0day vulnerability (CVE-2022-30190) in Microsoft Windows is actively exploited in the wild and highly critical. This blog post lists some important web resources and the signatures that detect exploitation attempts.

Kevin Beaumont's Blog Post

Kevin’s post contains links to tweets of the researchers that discovered the 0day exploit, information on the timeline, and mitigations.

Huntress Labs Blog Post

Explains the exploit in more detail.

Counter Measures

Recommended counter measures by Benjamin Delpy.

Signatures Detecting Follina / CVE-2022-30190 Attacks

Check for matches with the following rules:

YARA

Rules shared in the public signature-base and used in THOR and THOR Lite

Private YARA rules only available in THOR

Sigma

Public Sigma rules used in Aurora, THOR and Aurora Lite

Private Sigma rules only available in Aurora

  • Sdiagnhost Loading System.Management.Automation.dll – 1a4a0e9c-e47d-492c-800f-545f83fac88a
  • Sdiagnhost Calling Suspicious Descendant Process – 8655fa4b-e956-4ed4-b20d-151dfd8c802d
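To show what the two private Sigma rule titles above describe, here is an added example (not Nextron’s rules and not code from this post) that emulates their logic in Python over constructed Sysmon-style events. The match conditions are my assumptions derived only from the rule titles; the real rules may differ.

```python
"""Emulation of two detection ideas named in the post, run over constructed events:
 - sdiagnhost.exe spawning a suspicious child process
 - sdiagnhost.exe loading System.Management.Automation.dll
The event shapes and match logic are assumptions, not the actual Sigma rules."""

# Assumed set of child images worth flagging under sdiagnhost.exe (defender's choice).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample events, loosely modelled on Sysmon EventID 1 (ProcessCreate)
# and EventID 7 (ImageLoad). Not real telemetry.
EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\sdiagnhost.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c calc.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\sdiagnhost.exe",
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": "conhost.exe 0xffffffff"},
    {"EventID": 7, "Image": r"C:\Windows\System32\sdiagnhost.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation.dll"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles missing fields as '')."""
    return path.rsplit("\\", 1)[-1].lower()


def sdiagnhost_suspicious_child(ev: dict) -> bool:
    """Process creation where the parent is sdiagnhost.exe and the child is on the list."""
    return (ev.get("EventID") == 1
            and basename(ev.get("ParentImage", "")) == "sdiagnhost.exe"
            and basename(ev.get("Image", "")) in SUSPICIOUS_CHILDREN)


def sdiagnhost_loads_automation(ev: dict) -> bool:
    """Image load of System.Management.Automation.dll into sdiagnhost.exe."""
    return (ev.get("EventID") == 7
            and basename(ev.get("Image", "")) == "sdiagnhost.exe"
            and basename(ev.get("ImageLoaded", "")) == "system.management.automation.dll")


RULES = {  # titles as listed in the post; logic is this example's approximation
    "Sdiagnhost Calling Suspicious Descendant Process": sdiagnhost_suspicious_child,
    "Sdiagnhost Loading System.Management.Automation.dll": sdiagnhost_loads_automation,
}


def run_rules(events: list) -> list:
    """Return (rule title, event index) for every event that matches a rule."""
    return [(title, i) for i, ev in enumerate(events)
            for title, fn in RULES.items() if fn(ev)]
```

sdiagnhost.exe hosts the built-in Windows troubleshooting packs, so baseline matches of the image-load check in your environment before alerting on them.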