Detection Coverage of HAFNIUM Activity Reported by Microsoft and Volexity

Microsoft as well as Volexity pubslihed reports on activity of an actor named HAFNIUM by Microsoft exploiting at least four zero-day vulnerabilities in Microsoft Exchange services. 

In this blog post we would like to outline the coverage provided by THOR regarding this threat. 

Exploitation

All four vulnerabilities and related exploitation techniques have been unknown to the public and were used by the attackers at least since the beginning of January this year. We wrote YARA signatures to detect the exploitation attempts in Exchange web service logs and published Sigma rule that looks for more indicators in Exchange server logs. 

The new rules will be available on 4th of March.

We recommend scanning with the “–sigma” command line flag to apply Sigma rules during Logscan and Eventlog scanning. 

Web Shells

The mentioned web shells are already covered by existing rules.

Look for the following keywords in THOR log data

  • Webshell_ASP_cmd_3
  • Webshell_lowcov_Nov17_2
  • WEBSHELL_SharPyShell_ASPX
  • Chopper
  • reGeorg
  • Webshell + Tiny

The web shells samples mentioned by Microsoft as a hash cannot be found in public databases (e.g. Virustotal). We can only guess the current coverage and add a new rule to the rule set of tomorrow: 

WEBSHELL_TINY_ASP_Chopper_Mar21_1

Detection rate of some of the web shells on Virustotal:

LSASS Process Memory Dumping

Attackers used procdump and the MiniDump method in comsvcs.dll to dump the process memory of lsass.exe. THOR detects process memory dumps on disk as well as the process dumping attempts in the local Eventlog, if “–sigma” has been used to apply Sigma rules during scanning.

Looks for the following keywords in your THOR Logs:

  • SUSP_LSASS_Dump
  • HKTL_PUA_Procdump
  • HKTL_MiniDump_WriteDump
  • HKTL_AQUARMOURY_Brownie_Jan21_1
  • ‘Suspicious Use of Procdump’ (Sigma)
  • ‘Process Dump via Rundll32 and Comsvcs.dll’ (Sigma)
  • ‘LSASS process memory dump’ (Filename IOC)

PowerShell Tools

The PowerShell tools by Nishang and PowerCat are partly covered by our signatures.

Look for the following keywords:

  • p0wnedPowerCat
  • Nishang
  • ‘Malicious Nishang PowerShell Commandlets’ (Sigma)

We wrote a new rule for PowerCat and Nishangs PowerShell tool to achieve a better coverage:

  • HKTL_PS1_PowerCat_Mar21
  • HKTL_Nishang_PS1_Invoke_PowerShellTcpOneLine

Both new rules will be available on 4th of March.

Remember that you can check THOR’s signature set for certain keywords yourself using the ‘–print-signatures’ command line flag.

ASGARD Analysis Cockpit Version 3

ASGARD Analysis Cockpit is our on-premise soft-appliance that helps you analyze large amounts of THOR log data. The new version 3, which we are going to release this month, adds many new usability features and views. This blog post lists some of the changes. 

Analysis Cockpit 3 has a new look with many features that improve usability.

Filtering the log data to select a group of events to include into a case has never been easier. The search bar has been modified to support the most common use cases with feedback from numerous analysts. 

The idea is to allow a user reach a certain intended view with as few clicks and interactions as possible. 

New case creation forms, which are much more compact and add a new event selection type named “condition”. 

It adds many views focussed on assets like scans of each asset or findings per asset.

Extensive reporting section and for HTML and PDF reports

Two-Factor-Authentication (2FA, OTP) and improved LDAP support

A new “Notifications” sections allows you to review all triggered notifications that have been sent via SYSLOG, E-mail oder Webhook to a remote system.

These notifications are configured by the user and may include e.g.

  • New event added to incident case
  • Case type changed from “open” to “request evidence”

Other improvements:

  • Massive performance improvements
  • Sidebar with context information
  • CSV exports from almost any view
  • Direct Virustotal & Valhalla lookups from the event details

ASGARD Analysis Cockpit version 3 will be released this month. Customers with signed BETA software agreement can already test it since the beginning of this year. An upgrade from Analysis Cockpit version 2 is possible and includes an export of the case data and re-import of all previously indexed log data with the help of a guide that is part of the new manual.  

THOR Seed v0.18 Improves Integration with Microsoft Defender ATP

A new version of THOR Seed improves the integration with Microsoft Defender ATP by handling the script termination caused by exceeded timeouts. Due to a runtime limit for all scripts in the Live Response library we had to configure previous versions of THOR Seed to perform a reduced scan that tried to finish within that runtime limit.

This lead to two major issues:

  • Only a reduced set of modules could be activate and a limited set of elements could be scanned
  • Some script runs were terminated before completion

THOR Seed version 0.18 is now able to handle this situation and provides guidance on how to proceed. 

While resolving this issue we noticed that only the script run gets terminated but not the sub process, which is the actual THOR scan. So, the execution of “thor-seed.ps” gets interrupted but the sub process “thor64.exe” keeps on running in the background. 

After a terminated script run, you can now simply “run thor-seed.ps1” a second time and get the info that the THOR process in the background is still running. 

It includes the location of the log file and shows the last 3 lines of that file so that you can review the scan progress. 

After the scan has been completed, THOR Seed shows a message that it cannot start a new scan until the log files and HTML reports have been reviewed and removed from the system. 

It includes all necessary commands for you to just copy, paste and execute them.

A new guide explains all the steps and describes the integration in more detail. 

The release version can be found here.

Please contact us for a current version of that document in case you encounter any issues due to outdated information. 

THOR Process Memory Matches with Surrounding Strings

Following THOR’s approach of showing suspicious elements, it is not feasible to completely avoid false positives. Therefore we always try to provide as much information as possible for an analyst to assess such a suspicious element as quickly as possible.

Users liked the DeeDive feature in which a string match on a chunk of data does not only include the matching string but also the surrounding strings, which help enormously to evaluate the criticality of a matching YARA signature. 

The TechPreview version of THOR 10.6 now introduces this extra information in many other modules. 

The following example shows a false positive in which the string ‘ -p 0x53A4C60B’ matched on the process memory of the ‘svchost.exe’ process with the full command line as ‘svchost.exe -k ClipboardSvcGroup -p’.   

In previous versions THOR you would only see the matching string, but the new versions will also show the 40 bytes before and after the string match. (in the example it has been set to 100 bytes by using `–string-context 100`)

This helps analysts to assess the match more easily without having a process memory dump. In the example above, analyst can review that data block in which the string match occurred and see that it has been within HTML text that has been copied to memory. It could be an analyst system on which someone handling forensic reports copied sections from one document to another, but it’s certainly not the threat, which the YARA rule tried to detect. 

This feature will be available in the upcoming THOR TechPreview 10.6.4. 

VALHALLA API 1.1 Changes

We’ve made some changes to VALHALLA and released version 1.1 and valhallAPI version 0.5 to reflect these changes.

The new modified date shows when this rule has last been modified. 

See this example.

The modified date will also appear in the JSON feed and metadata of the text feed.

Rules now contain a “hash1” value, which is one of the samples from which it has been derived.

The API offers two new endpoints named “keyword” and “keyword-matches”, which allow two new lookups. (customers only)

The “keyword” lookup is not very spectacular and simply returns a list of rule meta data based on a certain keyword. 

However, the “keyword-matches” endpoint adds a new vector. It combines a keyword lookup on the rules with a lookup on matches created by these rules. 

E.g. by providing the keyword “Turla”, you get a list of sample hashes on which Turla related rules matched in the past.

The new valhallaAPI client and Python module in version 0.5 allow to use these features.

You can upgrade your current version with

pip3 install valhallaAPI --upgrade