THOR Version 8.49.0 Changes

There are a few relevant changes in the upcoming THOR version 8.49.0 that we would like to announce.

Interpreter and Module Upgrades

The integrated Python interpreter will be upgraded to version 2.7.15, and several modules have been upgraded as well. All our tests showed no problems, even on the oldest Windows versions such as Windows Server 2003 (officially unsupported).

If you encounter any issues, please let us know.

4th Generation License Format Support

THOR 8.49.0 supports the newest license format which allows us to:

  • set a start date for the period of validity
  • enable or disable certain modules and features in THOR and SPARK
    (e.g. we could license a SPARK version that only scans endpoint logs with Sigma rules)

THOR-util Report Generation

The newly included THOR-util version 1.2 allows you to generate HTML reports from scan log files. It can also generate a report for a directory that contains THOR or SPARK scan logs (up to 50 per HTML report). We’ve discussed this feature in detail in a previous blog post.

Noresume Becomes the New Default

The Scan Resume feature has caused many problems during incident response engagements in the past. It activates a journal in THOR DB that tracks the state of the scan and resumes the scan automatically if it was interrupted by a user or terminated by a system shutdown. The feature seemed helpful but actually caused several problems.

THOR logs are created in “write” (w) mode, not in “append” (a) mode. When an administrator started THOR on a system, terminated the scan and restarted it shortly after, the first part of the local log file was overwritten by the second scan. Likewise, when a scan had been interrupted for whatever reason and an administrator later received the order to start a new scan on that system, the new run resumed the old scan, and the log file and report contained only the information of the resumed part of the scan.

We therefore decided not to resume scans by default. If you want to keep the old behaviour, use the new “--resume” parameter. The old “--noresume” parameter is still accepted but has no effect and is marked “obsolete” in the help.

Analysis Cockpit Web Session

We’ve recently published a web session that gives an overview of our whole product portfolio and describes the features of our Analysis Cockpit in detail (18 minutes, English).

The main features of the Analysis Cockpit are:

  • THOR / SPARK Log Baselining
  • Automatic case creation based on similarities of the events
  • Filtered Forwarding of Logs to a SIEM system

SPARK uses Sigma Rules in Eventlog Scan

Sigma is a rule format for threat detection in log files. It is for log data what “Snort rules” are for network traffic or “YARA signatures” are for file data. It is easy to write and read. Writing a Sigma rule is a matter of minutes.

The simple Sigma rule shown in the original post checks the “System” eventlog for traces of password dumper activity. The detection section contains one or more identifiers (selection, keywords, quarkspwdump) that can be named freely by the rule author. These identifiers are referenced in the condition to build the rule logic.

It also contains a description, references, possible false positives and a level.

Analysts use Sigma to generate search queries for their SIEM or log management solution. The Sigma repo contains a converter that translates the generic rules into queries for Elasticsearch, Splunk, QRadar, Logpoint, Windows Defender ATP (WDATP) and ArcSight.

Wouldn’t it be great if you could apply Sigma rules on the endpoint?

Well, the upcoming version 1.14 of SPARK, which will be released at the end of July, does exactly that: it applies Sigma rules to the local Eventlog. This way you can apply searches that you once defined for your SIEM to the local Eventlogs.

It also lets you “query” standalone systems that are not connected to your SIEM and uncover otherwise common blind spots in your environment.
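To make the matching concrete, here is an added example (not SPARK’s code) of a minimal Sigma-style matcher run over a few constructed “System” log records. The rule keeps the identifier names from the post (selection, keywords, quarkspwdump), but its field names and values are assumptions, and the condition evaluator only handles and/or/not without parentheses.

```python
"""Minimal Sigma-style matcher over constructed "System" eventlog records (added example)."""
# Constructed rule; identifier names mirror the post, field names and values are assumptions.
RULE = {
    "detection": {
        "selection": {"EventID": 7045, "ServiceName|contains": "pwdump"},
        "keywords": ["gsecdump", "fgdump"],
        "quarkspwdump": {"EventID": 16, "HiveName|contains": "\\AppData\\Local\\Temp\\SAM"},
        "condition": "selection or keywords or quarkspwdump",
    },
}

EVENTS = [  # constructed System-log records, not real scan data
    {"RecordID": 1, "EventID": 7045, "ServiceName": "Spooler", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},
    {"RecordID": 2, "EventID": 7045, "ServiceName": "pwdumpsvc", "ImagePath": "C:\\Temp\\svc.exe"},
    {"RecordID": 3, "EventID": 7036, "Message": "The gsecdump service entered the running state."},
    {"RecordID": 4, "EventID": 16, "HiveName": "\\??\\C:\\Users\\bob\\AppData\\Local\\Temp\\SAM-2018-07-12"},
]

def _match_field(event, key, expected):
    """'Field' (exact) or 'Field|contains'; list values are OR'd; matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()  # a missing field never matches a non-empty value
    wanted = [str(w).lower() for w in (expected if isinstance(expected, list) else [expected])]
    return any((w in actual) if modifier == "contains" else (w == actual) for w in wanted)

def _match_identifier(event, spec):
    if isinstance(spec, dict):  # field map: every field must match (AND)
        return all(_match_field(event, k, v) for k, v in spec.items())
    blob = " ".join(str(v) for v in event.values()).lower()
    return any(str(k).lower() in blob for k in spec)  # keyword list: any keyword anywhere (OR)

def eval_condition(condition, results):
    """Evaluate e.g. 'a and not b or c' with precedence not > and > or (no parentheses: assumption)."""
    for group in condition.split(" or "):
        ok = True
        for term in (t.strip() for t in group.split(" and ")):
            neg = term.startswith("not ")
            ok = ok and results[term[4:].strip() if neg else term] != neg
        if ok:
            return True
    return False

def sigma_match(rule, event):
    det = rule["detection"]
    results = {n: _match_identifier(event, s) for n, s in det.items() if n != "condition"}
    return eval_condition(det["condition"], results)

def scan(rule, events):  # RecordIDs of the events the rule fires on
    return [e["RecordID"] for e in events if sigma_match(rule, e)]
```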


We ship the current rule set, which is part of the public Sigma repository and contains more than 200 rules, with our SPARK program package in encrypted form (*.yms).

You can add your own Sigma rules to the “./custom-signatures/sigma/” folder in the SPARK program directory.

To activate Sigma scanning, use the new “--sigma” parameter.

Currently only SPARK supports this feature and there are no plans to implement this in THOR as well.

The feature is currently free for all customers but may become a premium feature, licensed separately, by the end of the year depending on the customer’s plan.

See the comparison table for a complete overview on all features.

THOR-Util with HTML Report Generation

The new versions of “thor-util” (used with THOR/SPARK) and “spark-core-util” (used with SPARK Core) support a feature that converts any scanner log file into a convenient report.

  • Convert THOR / SPARK / SPARK Core scan logs into HTML reports
  • Convert a single text log file into an HTML report
  • Convert multiple log files (50 max.) in a directory into a single HTML report
  • Provide a file with filters to suppress false positives in the reports
  • Even LOKI logs can be converted (unsupported)
  • Hash values linked to VirusTotal searches
  • IP values linked to VirusTotal searches
  • Header sections linked to elements via anchors

You can access this feature in the upcoming enterprise products (THOR 8.47.2 and SPARK 1.13) and the free product SPARK Core (SPARK Core 1.13).

A typical text log file (shown as a screenshot in the original post) can be processed by log analysis solutions but is difficult to read for an analyst. Most analysts search these log files for “(Alert|Warning):” or use grep to extract the most relevant messages.

Our tools “thor-util” and “spark-core-util” will help you with this task.

Generate an HTML report for a single log file

thor-util report --logfile PROMETHEUS_thor.log

Generate an HTML report for multiple log files

thor-util report --logdir ./logs

You can also provide a file with regular expressions that are applied as filters during log parsing to suppress false positives in the reports.

The new tools will be in all productive packages at the end of this week.
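The following added example (not thor-util’s own code) shows the core of such a conversion: it keeps the Alert/Warning lines of a text log, drops lines matched by regexes from a filter file, and wraps hash values in VirusTotal search links in the generated HTML. The log lines, the filter file and the VirusTotal search URL format are assumptions constructed for the example, not real scan output.

```python
"""Turn THOR/SPARK text log lines into a small HTML report with regex-based
false-positive suppression and VirusTotal links on hashes (added example)."""
import html
import re

# Constructed log lines imitating THOR's text log layout; host, paths and
# hashes are made up (assumption, not real scan output).
LOG_LINES = [
    "Jul 12 09:14:01 HOST01/THOR: Info: MODULE: Startup MESSAGE: Scan started",
    "Jul 12 09:15:22 HOST01/THOR: Warning: MODULE: Filescan MESSAGE: Suspicious file "
    "FILE: C:\\Users\\Public\\tool.exe SHA256: " + "a" * 64,
    "Jul 12 09:16:05 HOST01/THOR: Alert: MODULE: Filescan MESSAGE: YARA match "
    "FILE: C:\\Temp\\dropper.exe MD5: " + "b" * 32,
    "Jul 12 09:17:40 HOST01/THOR: Warning: MODULE: ProcessCheck MESSAGE: Known admin tool "
    "FILE: C:\\Program Files\\Backup\\agent.exe SHA1: " + "c" * 40,
]
# Constructed filter file: one regex per line, '#' starts a comment.
FILTERS_TEXT = "# suppress the known backup agent\nProgram Files\\\\Backup\\\\agent\\.exe\n"

LEVEL_RE = re.compile(r"^\S+ \d+ [\d:]+ \S+: (Alert|Warning): (.*)$")
HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")
VT_SEARCH = "https://www.virustotal.com/gui/search/"

def load_filters(text):
    """Compile the non-empty, non-comment lines of a filter file."""
    return [re.compile(line.strip()) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def select_findings(lines, filters):
    """Keep Alert/Warning lines as (level, message), dropping filtered ones."""
    findings = []
    for line in lines:
        match = LEVEL_RE.match(line)
        if match and not any(f.search(line) for f in filters):
            findings.append((match.group(1), match.group(2)))
    return findings

def link_hashes(message):
    """HTML-escape a message, then wrap MD5/SHA1/SHA256 values in VT search links."""
    escaped = html.escape(message)
    return HASH_RE.sub(lambda m: f'<a href="{VT_SEARCH}{m.group(0)}">{m.group(0)}</a>', escaped)

def build_report(lines, filters_text):
    """Return (findings, html_report) for the given log lines and filter file text."""
    findings = select_findings(lines, load_filters(filters_text))
    rows = "\n".join(f'<tr class="{lvl.lower()}"><td>{lvl}</td><td>{link_hashes(msg)}</td></tr>'
                     for lvl, msg in findings)
    return findings, f"<html><body><table>\n{rows}\n</table></body></html>"
```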

YARA Rule Creation Crackme

I’ve collected some interesting samples for an internal YARA rule creation training session with our interns. With this blog post, I’ll also share 3 new premium feed YARA rules by pushing them to the Open Source signature-base repo.

What are the preliminary conditions for the rule creation?

  • We don’t want to spend more than 20 minutes on a single rule.
  • We use string extraction, hex editors and yarGen.
  • We also use public resources like Google (yes) and malware.one.

Requirements:

  • You need a Virusbay account to download the samples

So, get ready. We process the following 3 cases.

Turla Agent-BTZ

  • Great for yarGen string extraction
  • Especially check for variations of strings (in PE header) that are highly specific
  • Use Google to check strings

Sample

PLEAD Downloader

  • yarGen will not produce good results in this case
  • Try to compare the samples in order to find specific strings that appear in all of them

Sample 1

Sample 2

Sample 3

Sample 4

TYPEFRAME (Hidden Cobra)

  • Authors missed some specific strings

Sample

Solution

Don’t check the solution before you’ve created your own rules.

Agent.BTZ YARA rule

PLEAD YARA rule

TYPEFRAME YARA rule

Remember, there is no single correct solution to this task. Your rules may be better than mine. If that’s the case, please share them with me 😄.

SPARK Core – Free IOC and YARA Scanning

It is done! Our new free scanner SPARK Core has been released.

After weeks of planning, development and testing, we’re proud to provide the community with a new and powerful multi-platform scanner.

SPARK Core is a reduced version of our successful scanner SPARK.

The main differences are the Open Source signature base and the reduced set of modules. It uses LOKI’s open source “signature-base” instead of the big signature set used in THOR and SPARK. It also lacks some of the modules, such as the SHIM cache, Registry, Eventlog and DeepDive modules.

This overview explains how SPARK Core fits in our current scanner portfolio:

Some key points:

  • Free scanner for Windows, Linux and macOS
  • Precompiled and encrypted open source signature set
  • Update utility (spark-core-util) to download tested versions with signature updates
  • Documentation
  • Custom IOCs and signatures (just add them to the ./custom-signatures/ folder)
  • Different output formats: text log, SYSLOG (udp/tcp/tcp+tls), JSON to file, JSON via Syslog
  • Scan throttling to limit the CPU usage

All we ask for is a SPARK Core Newsletter subscription, which is a requirement for the automatic license renewal. Each subscriber receives a personal license file that is valid for 1 year and allows them to run SPARK Core on as many systems as they wish.

Support is not guaranteed, but we provide the possibility to submit issues via our GitHub page.

More information and download can be found on the product page.

We hope that you can use SPARK Core to catch some bad guys.

THOR Util Replaces THOR-Upgrade

We are currently upgrading our update infrastructure in many different ways.

We have added 2 new dedicated update servers – update1 (Karlsruhe, Germany) and update2 (Lenexa, USA). The old update locations will still be supported for a few months but should be regarded as obsolete.

As a customer, please make sure to allow the following update servers in your proxy / firewall:

  • update1.nextron-systems.com (443/tcp)
  • update2.nextron-systems.com (443/tcp)

In this regard, our old utility called “thor-upgrade.exe” will be out of support by the end of July 2018. Please make sure to use “THOR util” for all update tasks.

Major changes:

  • Supports all download types (THOR, SPARK for Windows, Linux, macOS)
  • Verifies downloads via RSA signature
  • Runs on all platforms (Windows, Linux, macOS)
  • Allows updates and the download of full program packages with config files
  • No support for proxy NTLM authentication

It is already part of all download packs.

Since THOR v8.46.9 and SPARK v1.11 all binaries are signed with a 2048-bit RSA key. The signatures are included in the download packs as separate “*.sig” files.

The new version 1.1.6 of THOR util checks the signatures during the upgrade / download and interrupts the process if an invalid signature is found.

You can verify the signatures yourself using the new “verify” function.

These changes make our updates more reliable and secure.

If you have any questions, don’t hesitate to contact us via support@nextron-systems.com

ASGARD Management Center version 1.4

Release notification of the ASGARD Management Center version 1.4

We have released version 1.4 of ASGARD.

This version has major improvements in usability, flexibility, stability and performance.

  • Plan and run THOR and SPARK scans on up to 10,000 endpoints – with a single 1RU appliance
  • Plan and run THOR and SPARK scans on up to 5,000 endpoints – with a virtual appliance
  • Improved the user interface with more information from a single pane
  • Schedule start date/time for single and group scans
  • Define the frequency of scheduled scans (hourly, daily, weekly, etc.)
  • We added our own MySQL database to better track asset data
  • Improved ASGARD logging
  • Improved the ASGARD extension for GRR (added log status and scan duration to ASGARD)
  • You can now download the Scan Log from Scan Control
  • Import / export function to and from your CMDB system
  • Added full macOS support (Darwin) for SPARK scans

If you would like to see the core functions in action, check out our demo video:

https://youtu.be/G1VX9AloJNA

Screenshots in the original post: Plan and run THOR and SPARK scans; Set the frequency of your planned scans; Monitor your progress; Scan information.

New Antivirus Event Analysis Cheat Sheet Version 1.2

Today we release a new version of our “Antivirus Event Analysis” Cheat Sheet that helps you with the analysis of Antivirus events by providing a clear decision matrix.

We’ve updated many of the sections, added new VirusTotal online analysis checks and brought it in a new format.

You can download the PDF version here.

THOR 8.44 features TLS Syslog Transmission & ZIP YARA Scanning

The new THOR version 8.44 comes with some interesting new features.

TLS/SSL Syslog Transmission

THOR version 8.44.0 supports Syslog log transmission in SSL/TLS-encrypted form. Just set the value “TCPTLS” as the protocol in the 4th position of the target definition:

thor.exe -s mysyslogserver:6514:SYSLOG:TCPTLS

The documentation has been updated accordingly.

Screenshot in the original post: TLS Syslog Log Transmission.

ZIP YARA Scanning

Until now, the ZIP file checks were limited to file name IOC or anomaly checks. The new version 8.44.2 supports scanning ZIP file contents with the YARA rule base. For the time being, however, ZIP YARA scanning has some limitations:

  1. The feature is limited to files whose decompressed size does not exceed the defined maximum file size (default 4.5 Megabytes)
  2. The feature is limited to certain scan modes: --intense, --fsonly, --dropzone

If the feature proves to be stable, we will activate it in the default scan mode in a future minor release.

Screenshot in the original post: ZIP YARA Scanning.