Antivirus Event Analysis Cheat Sheet v1.8.2

The analysis of Antivirus events can be a tedious task in big organizations with hundreds of events per day. Usually security teams fall back to a mode of operation in which they only analyze events in which a cleanup process has failed or something else went wrong.

This is definitely the wrong approach for a security team. You should instead focus on highly relevant events. 

This cheat sheet helps you select these highly relevant Antivirus alerts.  

Download the Antivirus Event Analysis Cheat Sheet version 1.8.2 here.

Visit the New Online Manuals

We’ve converted all our PDF based user manuals into shiny new online versions.

The new online versions are hosted on Github and converted into web pages with the help of ReadTheDocs. 

This way we can update them with new information much faster than before and allow anyone to share and access them. 


We’ve added links to the user manuals to every product page and the footer of this website. The links in the customer portal have also been updated.

You can find the new manuals here:

We’ll replace the PDF manuals in the installation packages as soon as possible. Please let us know if you can still find outdated manuals anywhere in new update or download packages.

Use YARA math Module Extension in THOR TechPreview and THOR Lite

Not long ago, we created a pull request for the official YARA repository on Github that introduces new functions in the `math` module to improve flexibility in cases in which a sample is heavily scrambled or obfuscated. These cases require further statistical evaluations that go beyond the currently available “entropy”, “mean” or “deviation” functions.

The example on the right shows a heavily obfuscated PHP web shell, as used by a Chinese actor. 

You immediately notice the high number of “%” characters, but since each of them is preceded and followed by different characters, it’s difficult to find atoms that are long enough to maintain acceptable performance and stability for such a rule.

If you could, you would formulate a rule like this: “Detect files smaller than 400 bytes that begin with ‘<?’ and consist of at least 25 percent ‘%’ characters”.

Well, the new module extension allows you to do exactly that.

Read the documentation provided with the pull request for details on all three new functions:

  • count(byte/string, offset, size)
  • percentage(byte, offset, size)
  • mode(offset, size)

While the first two functions are self-explanatory, the “mode” function isn’t. It is a term used in statistics for the most common value.
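As an added example (not taken from the pull request or the THOR documentation), the rule described above expressed with the proposed functions; it assumes the signatures listed above and that percentage() returns a fraction between 0.0 and 1.0:

```yara
import "math"

// Assumption: the math functions behave as described in the pull request,
// with percentage() returning a fraction of all bytes in the given range.
rule PHP_Webshell_Percent_Obfuscated
{
    meta:
        description = "Small PHP file starting with '<?' in which at least 25 percent of all bytes are '%' (added example)"
    condition:
        filesize < 400 and
        uint16(0) == 0x3F3C and                     // bytes 0x3C 0x3F = '<?' read as little-endian uint16
        math.percentage(0x25, 0, filesize) >= 0.25  // 0x25 is the '%' character
}

// Same idea using the other two functions: '%' must be the single most common
// byte in the file (mode) and occur at least 100 times (count).
rule PHP_Webshell_Percent_Is_Most_Common_Byte
{
    meta:
        description = "Small PHP file whose most frequent byte is '%' (added example)"
    condition:
        filesize < 400 and
        uint16(0) == 0x3F3C and
        math.mode(0, filesize) == 0x25 and
        math.count(0x25, 0, filesize) >= 100
}
```

The byte-level checks avoid the short, unstable atoms that a string-based rule for this sample would need.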

For your convenience, we’ve already patched our versions of THOR TechPreview and THOR Lite to support these extensions of the “math” module. You need at least v10.6.6 to use the new function in your rules. 

We wish you good hunting. 

THOR 10.6.8 TechPreview with ETW Watcher to Detect CobaltStrike Beacons

THOR TechPreview version 10.6.8 will introduce a completely new module named ETW Watcher, which runs in a separate thread and monitors the system during a scan run. As its name indicates, the ETW Watcher module makes use of Event Tracing for Windows (ETW).

So, whenever you start a scan run on an end system, one thread performs all the usual checks while another thread analyses certain event channels and correlates events to detect malicious activity.

Consider it an agent-less, portable, short term EDR. 

The first task of this new module is the detection of C2 beaconing activity as e.g. used in attacks that utilize Cobalt Strike.

The following screenshots show messages created by the ETW Watcher module. Since all of our modules apply a so-called message enrichment, you’ll also notice further messages before and after the highlighted events. These additional messages are generated during the enrichment of the original event.

“Enrichment” means that we add information to the original event – e.g. if a file path is given in the original message, THOR tries to find that file, scans it using the “FileScan” module and adds the result to the original event. The same is true for process ID values. This adds as much metadata as possible and helps analysts assess the event as quickly and easily as possible.

The example above shows a beacon detection that mentions a process named “fnord.exe” frequently calling out to 10.0.2.15 via HTTP and TCP. Message enrichment shows the result of a file scan above (red alert message; appears before the actual event because the enrichment happens before the message composition). 

The next example shows the result of a “hashdump” command sent to the beacon. It causes the beacon to open a handle to the LSASS process memory, which THOR detects and reports as a Warning level message.

The next example shows a privilege escalation attempt performed by that same beacon. 

The ETW Watcher module will be integrated in THOR TechPreview version 10.6.8 and is only available on Windows. It will not be available in THOR Lite and THOR 10.5.

Analyze VMware ESX Systems with THOR Thunderstorm

Since the release of THOR Thunderstorm in the summer of 2020, our customers have used it to analyse a variety of systems that are usually considered “out of scope”. In some cases the EULA prevents the installation of Antivirus scanners or EDR agents. In other cases the platforms used are simply outdated, customised or unsupported.

A use case that we would like to highlight in this blog post is the analysis of VMware ESXi systems.

In the past, our customers frequently asked if the Linux version of THOR would run on the Photon OS used by ESX/ESXi. The need to analyse these systems is well justified. ESX/ESXi systems and the services running on them have vulnerabilities and are definitely in scope for an attacker. Therefore they should also be in the scope of a compromise assessment.

However, VMware writes on its website:

With THOR Thunderstorm, we can simply copy the thunderstorm-collector.sh bash script to an ESXi appliance and start the collection to a THOR Thunderstorm service running in a local network.

Using a blank Debian system and the installer script, this only takes a few minutes.

In our case, we simply watched the log file written by THOR Thunderstorm with “tail -f” for incoming alert messages to showcase the use case for our customer. By default, the collector submits all files created or modified during the last 14 days and smaller than 2 MB.

In our demo, we’ve detected a webshell named “shell.jsp” in the “/tmp” folder and a command that indicates a back connect shell using Linux sockets in the “.bash_history” of the root account. 

You can add the collector script run to the local crontab or execute it using Ansible to perform frequent collection runs once a day. 

If you’re interested in a test setup, please contact us using the “Get Started” button. 
