End-of-Life ASGARD v1 and Master ASGARD v1

May 22, 2020 | ASGARD Management Center, Newsletter

Nextron announces the end-of-sale and end-of-life dates for the ASGARD version 1 and Master ASGARD version 1. The last day to order the affected product(s) is May 31, 2020. Customers with active service contracts will continue to receive support as shown until June 30, 2021.

End of Life Announcement Date	The date the document that announces the end-of-sale and end-of-life of a product is distributed to the general public.	22.05.2020
End of Sale Date	The product is no longer for sale after this date.	31.05.2020
End of Software Maintenance	The last date that Nextron may release any final software maintenance releases or bug fixes. After this date, Nextron will no longer develop, repair, maintain, or test the product software.	31.05.2021
Last Date of Support	The last date to receive applicable service and support for the product as entitled by active service contracts or by warranty terms and conditions. After this date, all support services for the product are unavailable, and the product becomes obsolete.	31.06.2021

Upcoming ASGARD Version 2

Mar 2, 2020 | ASGARD Management Center, Newsletter

The last five months we’ve been working on a shiny new version of our ASGARD platform that overcomes previous limitations and includes exciting new features.

ASGARD 2 is a completely rewritten management platform, featuring a new interface, load balancing options, a new lightweight agent, custom response playbooks and greatly improved IOC management.

Fundamental Changes

Easy to use GUI and API for response functions (replaces GRR as underlying framework)
Rewritten agents consume much less memory
New dynamic agent load control allows to connect up to 25,000 endpoints
Predefined and custom playbooks
IOC management support for MISP
Remote consoles

IOC Management

The new IOC management allows to interface with a MISP instance and create rule sets based on filters.

For example, you can search for and select all MISP events containing the keyword “Emotet”, create a new rule set from them and then select this rule set to be used in a new THOR scan.

Playbooks

The so-called playbooks allow you to define a set of steps that the agent executes on an end system.

Each playbook can have up to 16 independant steps of the types “Run Command Line”, “Download File” or “Upload File”.

It is easy to set up new playbooks that e.g. download a certain tool to the endpoints, run it and collect the generated output.

Each or all results of playbook executions can be collected via GUI or API. Playbooks can be triggered via API to allow the integration into security orchestration, automation and response (SOAR) solutions.

ASGARD v2 ships with a set of predefined playbooks including:

Collect system memory
Collect file or folders
Quarantine endpoint
Collect triage package
Collect process tree

Remote Console

The remote console allows you to open up a web based command line window on any attached end system. This greatly facilitates the analysis of suspicious events. Analysts can browse the remote system, review or change settings and issue commands.

During the session, you can select files for collection or define certain playbooks to be executed after disconnecting the command line session.

Every session gets recorded for complete traceability.

Time Schedule

Beta customers will test drive ASGARD v2 in March and April. We expect a first release in June.

An upgrade guide for ASGARD v1 customers will be provided.

THOR Integration into Microsoft Defender ATP

Jan 7, 2020 | ASGARD Analysis Cockpit, ASGARD Management Center, Newsletter, Partners, THOR

Why Integrate THOR into Microsoft Defender ATP

While Microsoft Defender ATP fully plays off its strength in detecting live attacks, suspicious process starts and network connections, THOR shines as a live forensic scanner that scans the local filesystem, registry, logs and other elements for traces of hacking activity.

While Microsoft Defender ATP features a forensic package collection that retrieves elements from a remote system, THOR scans these elements on the remote system, applying more than 10,000 hand-written YARA rules and thousands of filename, C2, hash, mutex and named pipe IOCs to them. This live forensic scan reduces the work of your forensic analysts to a minimum and generates results as fast as possible for you to react in a timely manner.

THOR extends Microsoft Defender ATP’s real-time monitoring by intense local scans to allow a full on-demand compromise assessment.

Deployment Options

Due to the fact that both Microsoft Defender ATP and THOR are very flexible and open products, the integration is no one-lane road with a single possible solution. Depending on the network size, segmentation and available 3rd party solutions like a SIEM the integration allows and requires different setups.

This blog post starts with an example use case and then outlines many of these setup options.

Live Response Scripts

The Microsoft Defender Security Center allows us to upload PowerShell scripts into a so called “live response library”, which is available on the endpoint during “live response” sessions.

These scripts allow us to facilitate the download and execution of THOR on the endpoint.

There are two ways to implement different scan modes and parameters. THOR has numerous command line options, which can be passed either as parameters of the PowerShell scripts or predefined in YAML config files.

Example: Turla Malware

We’ll use a simple demo script that contains a path to a file share providing the THOR package.

It uses a config file named “rootkit-check.yml”, which is located in the program folder on the file share. It activates 3 rootkit related modules, sets the path for all output files as rebase-dir and deactivates some features.

We upload that script into a live response session to investigate suspicious behaviour of a workstation that showed several alerts regarding a malware and the use of a “living-off-the-land” binary to run malicious code.

The details reveal that the use of certutil.exe triggered the alert.

We can see other commands like tasklist, net and netstat, which are often used in reconnaissance scripts, executed in the context of a user named “admin”.

We start a “Live Response Session” for further live forensic investigations with the help of THOR.

Since this is our first investigation with that specific script, we have to upload it to the live response library.

We can then verify the upload using the “library” command and run the script from the command line.

It takes about a minute to complete the Rootkit check.

THOR recognized a malicious mutex used by Turla malware and gives further information on the related process and process binary, which can be used for additional verification of the threat.

The HTML report and text log file have been saved back to the file share.

Other Setup Options

Scanner Provisioning

In this chapter we describe different methods to provide a THOR package to an end system during live response investigations.

Option A: File Share

The complete THOR package including binaries and signatures can be provided on a network share. This network share should be read-only to avoid that attackers notice the activity and manipulate the program or signatures on the file share.

Advantages:

Quick setup
Only a file server is needed

Disadvantages:

Requires SMB/CIFS connection from end system to file share
Scanner / signature updates must be scripted (thor-util.exe)
Manual license generation (in Nextron’s customer portal) or expensive IR license (not host-based)

Option B: ASGARD Management Center

The central management platform ASGARD Management Center is hardened Debian-based soft appliance that serves as software repository and licensing server in our use case.

The PowerShell scripts in the script library can retrieve THOR packages via HTTPS from the ASGARD Management Center.

Advantages:

HTTPS download of THOR packages
Integrated licensing
Automatic scanner and signature updates

Disadvantages:

Additional server system (VM; maintenance)

Option C: THOR via Script Library as SFX

The complete THOR program folder can be packaged into a self-extracting & executing archive (SFX), which could then be uploaded into the “live response library”. It could then be executed right from the script library (run) or uploaded to the end system (put).

Advantages:

No servers needed
Microsoft Defender ATP native solution

Disadvantages:

Scanner / signature updates and SFX creation must be scripted on an analyst system (thor-util.exe)
Manual license generation (in Nextron’s customer portal) or expensive IR license (not host-based)

Output Options

The results of the scans can be stored and transmitted to different locations.

Option A: Log and Report on File Share

THOR writes a log file in real-time during the scan and renders an HTML report at the end of the scan. Users can set an output directory other than the working directory for all output files with the “–rebase-dir” parameter.

This output folder can be a file share, e.g. “\\server\share”.

Analysts can check the log file during the scan, which takes between minutes and hours to complete.

Advantages:

Only a file server required

Disadvantages:

Requires access to file share from the end system (SMB/CIFS)
File share must be writable (possible manipulation by the attackers)

Option B: SYSLOG, JSON or CEF to SIEM

THOR can send the logs via SYSLOG (UDP, TCP, TCP+SSL, CEF) or in JSON (UDP, TCP, TCP+SSL) to a remote SIEM or log management system.

Advantages:

Integrates into existing solution and processes

Disadvantages:

Requires SIEM system and some base-lining
Requires connection to port 514 from end system to SIEM system

Option C: SYSLOG, JSON or CEF to ASGARD Analysis Cockpit

ASGARD Analysis Cockpit is the optimized log analysis platform (soft appliance) to process, baseline and forward THOR logs.

It most relevant features in this use case are:

Base-lining and central false positive filtering
Event forwarding of filtered events

ASGARD Analysis Cockpit already has several options to create alerts for incoming logs.

Similar to the current “Webhook” output, Analysis Cockpit could add a feature to connect with Microsoft Defender Security Center and create Alerts as described in the official API documentation.

Advantages:

Optimal THOR log base-lining and forwarding of relevant events only

Disadvantages:

Additional server system (VM; maintenance)
Requires connection to port 514 from end system to Analysis Cockpit

Option D: Local Eventlog

THOR can be instructed to log to the local Windows Eventlog with the “—eventlog” command line parameter. Customers that already forward their Windows Application Eventlog to a central SIEM could then use the existing integration and analyze the THOR events in their SIEM.

Advantages:

Integrates into existing security monitoring
No additional open port needed

Disadvantages:

Requires SIEM system and some base-lining

Option E: Live Response – “getfile”

Local log files that were written to the working directory can be retrieved with the “getfile” command.

Advantages:

Integrates into analyst workflow
No additional open port needed

Disadvantages:

Files could be left on the end system
(causing false positives in other products; in plain sight for attackers)

Future Integrations

This chapter contains an outlook on expected future integrations based on upcoming features and APIs.

Sample Collection

The Microsoft Defender ATP API allows to fetch a certain file from a remote system. Similar to the alerting mechanisms via Webhooks in ASGARD Analysis Cockpit, users will be able to fetch any suspicious or malicious file reported by THOR with a given minimum threat score using the Microsoft Defender ATP API.

THOR Cloud

The upcoming cloud based version of our licensing and download server, which is currently integrated into our customer portal, will be able to serve THOR packages that contain an integrated license for the host which is supposed to be scanned.

This way, you will we be able to run a PowerShell script from the live response library that downloads an up-to-date THOR package with a valid license file right from the new online service and don’t need a local ASGARD server that provides the THOR packages and licenses.

MASTER ASGARD – One ASGARD to Rule Them All

Feb 11, 2019 | ASGARD Management Center, Newsletter, Nextron

We are glad to announce our new product MASTER ASGARD, a central control for a set of ASGARD systems.

MASTER ASGARD is designed to control multiple instances of ASGARD, which itself supports up to 10,000 endpoint agents. Using MASTER ASGARD you are able to control more than 100,000 end points from a single central location.

This control includes:

Run distributed THOR and SPARK scans
Schedule distributed THOR and SPARK scans
Manage and distribute IOCs
Collect files and memory from Windows and Linux end systems

Here are some screenshots:

Management of multiple ASGARDs

Evidence Collection

Distributed Scans

MASTER ASGARD will be available for BETA program customers at the end of February and to the full customer base in May 2019.

ASGARD v1.7.2 with File and Memory Collection

Jan 15, 2019 | ASGARD Management Center, Newsletter

Our brand new ASGARD 1.7 comes with a shiny new feature: Evidence Collection

The evidence collection feature allows you to collect files or main memory from connected end systems.

The memory and file collection tasks provide a throttling option to reduce the upload speed of the dump files in order to save bandwidth and avoid higher response times of servers or workstations.

The file collection feature allows you to get a single file, the contents of a folder with or without its sub directories. You can set size limits for each file and the whole archive.

The “Evidence Collection” tab lists all active and completed tasks.

A log shows you the details of all the collection tasks.

ASGARD version 1.7.2 has been released today and can be upgraded via the “Updates” section.

Please note that the memory collection on Linux endpoints is integrated but not fully supported.

ASGARD Management Center Feature: Scanner Package Download Links

Dec 5, 2018 | ASGARD Management Center, Newsletter

ASGARD features a new section since the last upgrade that you may have missed. It’s called “Downloads” and contains a section in which you can configure a download link for scanner packages.

In previous versions, the scanners have been accessible right from the login screen without any authentication, just like the GRR agents, which are still accessible in that way.

We’ve removed these unauthenticated scanner downloads and created that new “Downloads” section, which can be used by authenticated users in different ways.

While selecting different options in the form, the download link changes.

After you have selected the correct scanner, operating system and target hostname (not FQDN), you can copy the download link and use it to retrieve a full scanner package with included license file for that host. These download links can be send to administrators or team members that don’t have access to ASGARD management center. Remember that the recipients of that link still need to be able to reach ASGARD’s web server port 443/tcp.

If you don’t set a hostname in the “Target Hostname” field, the scanner package will not contain a license file. If you have an unlimited “Enterprise” license, you’ll have to provide it separately.

Use Case 1 – Provide Download Links

You can generate download links for the different scanner packages without included license for yourself or the administration team. A valid license (e.g. “Enterprise” or “Incident Response”) has to be provided and placed in the program folder. You can also use “thor-util” to retrieve licenses for specific hostnames from an ASGARD server (see the “THOR_Util_Manual.pdf” in each scanners “./docs” folder for details)

Use Case 2 – Administrator Asked to Run a Scan

You can copy the final download link and send it to an administrator, which can use this link on one of the servers to retrieve a full scanner package with license and run a scan.

Use Case 3 – Use the URL in Script

You can use the URL in Bash or PowerShell scripts to automate scan runs on systems without installed ASGARD agent. Replace the hostname value with the value of the current host on which the script runs to get a URL for scanner download package with a host-specific license.

Feature: SPARK Sample Quarantine via Bifrost

Aug 20, 2018 | ASGARD Management Center, SPARK

The new SPARK v1.14.16 supports the sample quarantine protocol named Bifrost.

With Bifrost you’re able to send suspicious samples that THOR or SPARK detect on endpoints directly to a central server for analysis.

A Bifrost server is shipped in form of a Python script with THOR and SPARK. (./tools sub folder)
You can also activate the Bifrost server on our ASGARD platform.

All samples that have a score higher than the given limit are dropped into a given directory and are available for further post-processing – e.g. drop them into a sandbox or static analysis.

ASGARD IOC Management

Aug 14, 2018 | ASGARD Management Center, Newsletter, SPARK, THOR

The upcoming ASGARD version 1.5 comes with a IOC management section in which you can manage your own set of IOCs in text files, YARA and Sigma rules.

You can then select each of the folders when creating a new scan run with THOR or SPARK. Selecting one of these folders will not include the sub folders.

You can schedule and run scans with different IOC, Sigma and YARA rule sets. You can review the included custom signatures in the scan details.

The following features are not yet implemented in v1.5 but on the roadmap for ASGARD v1.6:

Signature verification
Exclude the standard rule set (shipped with THOR and SPARK)

ASGARD Management Center version 1.4

May 18, 2018 | ASGARD Management Center, Newsletter

Release notification of the ASGARD Management Center version 1.4

We have release version 1.4 for ASGARD.

This version has major improvements in usability, flexibility, stability and performance.

Plan and run THOR and SPARK scans on up to 10.000 endpoints – with a single 1RU appliance
Plan and run THOR and SPARK scans on up to 5.000 endpoints – with a virtual appliance
Improved the user interface with more information from a single pane
Schedule start date/time for single and group scans
Define frequency rhythm of scheduled scans (hourly, daily, weekly, etc.)
We added our own MySQL database to better track asset data

Improved ASGARD logging
Improved the ASGARD extension for GRR (added log status and scan duration to ASGARD)
You can now download the Scan Log from Scan Control
Import / export function to and from your CMDB system
Added full macOS support (Darwin) for SPARK scans

If you would like to see the core functions in action, check out our demo video:

https://youtu.be/G1VX9AloJNA