ASGARD: Check your Signature Versions

It came to our attention that under certain circumstances, after the upgrade to ASGARD 2.11, some ASGARD instances lost their scheduled task to automatically assign the newest signatures to scan jobs . We advice customers to review their update configuration if they are affected. Go to Updates > Scanners and Signatures. If you are affected the column ‘Automatically use newest version’ shows ‘not configured’.

In order to resolve this issue, you need to schedule a time for signature updates. Use the action button with the clock icon. We recommend an interval of 1 day (see the screenshot).

After you have entered the new schedule, you should see the configured date and interval in the “Automatically use newest revision” column.

The same mechanism is used to configure when new THOR versions should be used for scans. We recommend to use the default, which is also a daily update interval.

Log4j Evaluations with ASGARD

We’ve created two ASGARD playbooks that can help you find Log4j libraries affected by CVE-2021-44228 (log4shell) and CVE-2021-45046 in your environment. 

Both playbooks can be found in our public Github repository

We’ve created a playbook named “log4j-analysis” that helps you find instances that use versions of “log4j”. An additional evaluation script can be used to process the ASGARD playbook results and distinguish between affected and unaffected versions. 

Another playbook named “log4shell-detector” allows you to run a script provided by our head of research on all Linux systems to detect exploitation attempts in log files.

The results of the evaluation script that processes the results of the “log4j-analysis” playbook look like this. 

Nextron Products Unaffected by Log4j Vulnerability CVE-2021-44228

We have reviewed our products in order to identify services that use the vulnerable log4j library. Only Elastic Search in ASGARD Analysis Cockpit uses log4j but is NOT vulnerable. 

“Elasticsearch is not susceptible to remote code execution with this vulnerability due to our use of the Java Security Manager. Elasticsearch on JDK8 or below is susceptible to an information leak via DNS which is fixed by a simple JVM property change.”

Source: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476

Even older and EOL products like ASGARD v1 are not affected.

Other products don’t use JAVA or log4j.

Log4Shell Detection with Nextron Rules

The Log4Shell vulnerability (CVE-2021-44228) in log4j is actively exploited in-the-wild and highly critical. This blog posts lists some important web resources and the signatures that detect exploitation attempts.

Explanation of the Vulnerability

LunaSec reported first on the vulnerability.

Canary-based Vulnerability Detection

Use this method to detect vulnerable applications and services in your organisation.

Grep / ZGrep Detection Ideas

Different detection patterns and idea to detect exploitation attempts in log files using grep and zgrep.

Log4Shell Detector Python Script

A python script that can be used to detect even the most obfuscated versions of the malicious payload. 

List of Advisories by Vendors

Big collection of advisories and statements by different vendors that use JAVA and log4j. 

List of Vulnerable Software with PoCs

Incomplete list of software products that have proven to be vulnerable.

Log4Shell Vulnerability Scanner (Local Files)

Scans the file system of application servers for vulnerable versions of the log4j module.

Fenrir Log4Shell Release

A bash based IOC scanner that can be used on any Linux/Unix system to detect traces of the attack and vulnerable log4j versions.

Signatures Detecting Log4Shell Attacks

Check for matches with the following rules:

Exploitation

YARA

Sigma

Post-Exploitation

Look for matches with the following rules that trigger on activity observer in-the-wild.

YARA

Sigma

ASGARD Users

It takes us few days to release new rules. The rules that we wrote over the weekend may not be available on Monday 13th of December. ASGARD users that want to use the signatures that are still in our QS, can activate the option for these signatures in “Settings > Advanced > Show Signature SigDev Option”. 

After changing the setting, new scans show an additional option in the dropdown menu. 

Please contact our support in case of any questions. 

THOR Users

Users of our scanner THOR also need to use the signature version that’s in development to get the newest signatures that detect log4j exploitation. 

Retrieve that signature pack with:

thor-util.exe update –sigdev

Reasons Why to Use THOR instead of THOR Lite

We have received reports from customers that were approached by service providers that offered compromise assessments with our scanner THOR. Subsequently, it appeared, however, that these providers used THOR Lite in their engagements and, when asked about this, argued that THOR Lite would be “just as good as the full version”.

In this article we would like to explain why this is not the case.  

1. The Small Rule Set

The rule set of THOR Lite is much smaller. While THOR uses more than 16,000 YARA rules, THOR Lite only uses the open source signature base, which has ~4000 rules. Of these 4000 rules, 800 are old webshell rules, 300 are written for old Equation Group implants that should be long gone, many others were written for past threat group activity.

Don’t get us wrong – these rules were good at their time and the set contains solid generic rules for some kinds of threats but the effectiveness of the older rules decreases and it is less and less likely that they catch something significant.

The number 4000 compared to 16,000 doesn’t mean that you would still see 1/4 of what THOR is able to detect – honestly, it’s rather 1/30. 

2. The Limited Modules

It is correct that the filesystem often contains evidence, but not traces of adversary activity are not always visible on the filesystem. It’s not unusual that adversaries remove their tools when they’ve finished their job.

Therefore the full version of THOR runs more than 25 modules that look for the IOCs and apply YARA rules in many different locations like the Eventlog, SHIM Cache, Registry and performs checks for hidden implants that can only be identified with their mutex or a handshake on a certain named pipe.

The screenshot on the right shows all disabled modules and features in the Lite version. 

Findings in these other modules aren’t just evidence of a compromise but often point to other techniques used by the attackers or other systems that are also affected.

THOR Lite lacks not only depth of visibility with a much smaller rule set but also breadth due to the limited set of modules and features.

All modules and features disabled in the Lite version

The Few Exceptions

There are a few exceptions to the rule of very limited visibility in THOR Lite.

  • To showcase what the full version is able to detect, we’ve included all available signatures for the various campaigns against Microsoft Exchange, namely ProxyShell and ProxyLogon. Scanning Exchange servers for this kind of threat is almost as good as using the full version of THOR.
  • The few generic detection rules provide a good coverage of common threats, like webshells and crypto miners. Arnim Rupp provided a great set of generic webshell detection rules that are able to highlight new, yet unknown web shells of all kinds (ASP, JSP, PHP etc.).
  • The coverage of some well-known hack tools like Mimikatz is also pretty good. 

For whom is THOR Lite intended?

THOR Lite is meant as a free community edition to showcase the functionality.

It is meant to be used by private individuals or small organisations without a budget that face common threats like crypto miners and crime groups. 

From time to time, we add sets of rules and IOCs to detect dangerous threats with high importance and / or a wide spread – e.g. Exchange vulnerability exploiting, crypto coin miners, Ransomware worms like WannaCry.  

Test Drive the Full Version

We recommend a test drive of the full version on compromised or possibly compromised systems to see the big difference in detection capabilities. We also offer affordable license packs for small organisations and give attractive discounts on license packs that are used by IR teams all over the world.

Just use the “get started” contact form and state that you’d like to test the full version of THOR.

WordPress Cookie Plugin by Real Cookie Banner