As we have announced in May, the old “thor-upgrade.exe” is already out-of-support and the old update servers accessed by “thor-upgrade.exe” will be decommissioned at the end of October.
The new all-round utility “thor-util.exe” now supports all of the features provided by the old “thor-upgrade.exe” including NTLM Authentication with corporate proxy servers.
You can use “thor-util.exe upgrade –help” to see all options of the “upgrade” feature.
Also note that “thor-util” has an “encrypt” feature that allows you to encrypt custom signature files and the “report” feature that creates HTML reports from plain text log files.
The only valid update servers that should be accessible to get updates from November onward are:
update1.nextron-systems.com
update2.nextron-systems.com
The “thor-util” utility is part of the THOR and SPARK packages and can also be downloaded from the Customer Portal in the “Downloads” section.
If you are a customer and don’t have access to the Customer Portal yet, please contact us or the respective partner.
Download the newest version of our Antivirus Event Analysis Cheat Sheet here.
— Update 09.09.18 10:30am CET
Thanks to Markus Neis, I’ve updated version 1.4 and created a version 1.5 just a few hours after my tweet. You can download version 1.5 here.
The new SPARK v1.14.16 supports the sample quarantine protocol named Bifrost.
With Bifrost you’re able to send suspicious samples that THOR or SPARK detect on endpoints directly to a central server for analysis.
A Bifrost server is shipped in form of a Python script with THOR and SPARK. (./tools sub folder) You can also activate the Bifrost server on our ASGARD platform.
All samples that have a score higher than the given limit are dropped into a given directory and are available for further post-processing – e.g. drop them into a sandbox or static analysis.
The new THOR-util version 1.2.4 supports the encryption of your custom signatures so that you can deploy your own IOC files and YARA rules in an encrypted form.
We use a public key in the utilities to encrypt the files for our scanners so that admins, Antivirus engines and attackers won’t be able to read the contents of the files.
The feature is also available in SPARK Core, our free scanner.
After encryption, place the encrypted IOC files in the “./custom-signatures” directory and the encrypted YARA rules in the “./custom-signatures/yara” directory.
The use of the function is simple. Just point it to a file, a list of files or use wildcards to select a set of files for encryption. The extension of the output file depends on the extension of the input file.
The upcoming ASGARD version 1.5 comes with a IOC management section in which you can manage your own set of IOCs in text files, YARA and Sigma rules.
You can then select each of the folders when creating a new scan run with THOR or SPARK. Selecting one of these folders will not include the sub folders.
You can schedule and run scans with different IOC, Sigma and YARA rule sets. You can review the included custom signatures in the scan details.
The following features are not yet implemented in v1.5 but on the roadmap for ASGARD v1.6:
Signature verification
Exclude the standard rule set (shipped with THOR and SPARK)
There are a few relevant changes in the upcoming THOR version 8.49.0 that we would like to announce.
Interpreter and Module Upgrades
The integrated Python interpreter will be upgraded to Version 2.7.15. We have also upgraded several modules. All our tests showed no signs of problems even with the oldest Windows version like Windows 2003 Server. (officially unsupported)
If you encounter any issues, please let us know.
4th Generation License Format Support
THOR 8.49.0 supports the newest license format which allows us to:
set a start date for the period of validity
enable or disable certain modules and features in THOR and SPARK
(e.g. we could license a SPARK version that only scans endpoint logs with Sigma rules)
THOR-util Report Generation
The new included THOR-util version 1.2 allows to generate HTML reports from scan log files. It can also generate reports for a directory that contains THOR or SPARK scan logs (up to 50 per HTML report). We’ve discussed this feature in detail in a previous blog post.
Noresume Becomes the New Default
The Scan Resume feature has caused many problems during incident response engagements in the past. The feature activates a journal in THOR DB that tracks the state of the scan and resumes the scan automatically if it was interrupted by a user or terminated due to a system shutdown. This feature seemed to be helpful but actually caused some problems.
THOR logs are created in “write” (w) mode, not in “append” (a) mode. When an administrator started THOR on a system, terminated the scan and then restarted it shortly after, the first part of the local log file was overwritten by the second scan. Sometimes a scan was interrupted on a system due to different reasons. When an administrator received the order to start a new scan on that system, the scan resumed the last scan and the log file and report contained only info of the resumed part of the scan.
We therefore decided to not resume scans by default. If you still want to maintain the old behaviour, please use the new “–resume” parameter. The old “–noresume” parameter is still valid but has no effect and is marked “obsolete” in the help.
Analysis Cockpit Web Session
We’ve just recently published a web session that gives an overview on our whole product portfolio and describes the features of our Analysis Cockpit in detail. (18 minutes, English language)
The main features of the Analysis Cockpit are:
THOR / SPARK Log Baselining
Automatic case creation based on similarities of the events
Sigma is a rule format for threat detection in log files. It is for log data what “Snort rules” are for network traffic or “YARA signatures” are for file data. It is easy to write and read. Writing a Sigma rule is a matter of minutes.
On the right you can see a simple Sigma rule that checks the “System” eventlog for traces of password dumper activity. The detection section contains 1+ identifiers (selection, keywords, quarkspwdump) that can be defined freely by the rule author. These selectors are used in the condition to build the rule.
It also contains a description, references, possible false positives and a level.
Analysts use Sigma to generate search queries for their SIEM or log management solution. The Sigma repo contains a converter that allows to convert the generic rules to ElasticSearch, Splunk, QRadar, Logpoint, Windows Defender ATP (WDATP) and ArcSight.
Wouldn’t it be great if you could apply Sigma rules on the endpoint?
Well, the upcoming version 1.14 of SPARK, which will be released at the end of July, does that. It applies Sigma rules to the local Eventlog. This way you’re able to apply searches that you have once defined for your SIEM to the local Eventlogs.
This way you are able “query” the standalone systems that are not connected to your SIEM and uncover otherwise common blind spots in your environment.
We ship the current rule set, which is part of the public Sigma repository and contains more than 200 rules with our SPARK program package in an encrypted form. (*.yms)
You can add your own Sigma rules to the “./custom-signatures/sigma/” folder in the SPARK program directory.
To activate Sigma scanning, use the new “–sigma” parameter.
Currently only SPARK supports this feature and there are no plans to implement this in THOR as well.
The feature is currently free for all customers but may become a premium feature that has to be licensed separately by the end of the year depending on the customer’s plan.
See the comparison table for a complete overview on all features.
The new version of “thor-util” (used with THOR/SPARK) / “spark-core-util” (used with SPARK Core) support a feature that allows a user to convert any scanner log file into a convenient report.
Convert THOR / SPARK / SPARK Core scan logs into HTML reports
Convert a single text log file into an HTML report
Convert multiple log files (50 max.) in a directory into a single HTML report
Provide a file with filters to suppress false positives in the reports
Even LOKI logs can be converted (no support)
Hash values linked to Virustotal searches
IP values linked to VirusTotal searches
Header sections linked to elements via ankers
You can access this feature in the upcoming enterprise products (THOR 8.47.2 and SPARK 1.13) and the free product SPARK Core (SPARK Core 1.13).
The following screenshot shows a typical text log file. It can be processed in log analysis solutions but it is difficult to read for an analyst. Most analysts search these log files for “(Alert|Warning):” or use grep to get the most relevant messages.
Our tools “thor-util” and “spark-core-util” will help you with this task.
I’ve collected some interesting samples for an internal YARA rule creation training session with our interns. With this blog post, I’ll also share 3 new premium feed YARA rules by pushing them to the Open Source signature-base repo.
What are the the preliminary conditions for the rule creation?
We don’t want to to spend more than 20 minutes for a single rule.
It is done! Our new free scanner SPARK Core has been released.
After weeks of planning, development and testing, we’re proud to provide the community with a new and powerful multi-platform scanner.
SPARK Core is a reduced version of our successful scanner SPARK.
The main differences are the Open Source signature base and the reduced set of modules. It uses LOKI’s open source “signature-base” instead of the big signature set that is used in THOR and SPARK. It also lacks some of the modules, like the SHIM cache, Registry, Eventlog and DeepDive modules.
This overview explains how SPARK Core fits in our current scanner portfolio:
Some key points:
Free scanner for Windows, Linux and macOS
Precompiled and encrypted open source signature set
Update utility (spark-core-util) to download tested versions with signature updates
Documentation
Custom IOCs and signatures (just add them to the ./custom-signatures/ folder)
Different output formats: text log, SYSLOG (udp/tcp/tcp+tls), JSON to file, JSON via Syslog
Scan throttling to limit the CPU usage
All we ask for is a SPARK Core Newsletter subscription, which is a requirement for the automatic license renewal. Each subscriber receives a personal licenses file that is valid for 1 year and allows to run SPARK Core on as many systems as he wishes.
Support is not guaranteed but we provide the possibility to submit issues via our github page.
More information and download can be found on the product page.
We hope that you can use SPARK Core to catch some bad guys.
