End-of-Life ASGARD v1 and Master ASGARD v1
Nextron announces the end-of-sale and end-of-life dates for the ASGARD version 1 and Master ASGARD version 1. The last day to order the affected product(s) is May 31, 2020. Customers with active service contracts will continue to receive support as shown until June 30, 2021.
| End of Life Announcement Date | The date the document that announces the end-of-sale and end-of-life of a product is distributed to the general public. | 22.05.2020 |
| End of Sale Date | The product is no longer for sale after this date. | 31.05.2020 |
| End of Software Maintenance | The last date that Nextron may release any final software maintenance releases or bug fixes. After this date, Nextron will no longer develop, repair, maintain, or test the product software. | 31.05.2021 |
| Last Date of Support | The last date to receive applicable service and support for the product as entitled by active service contracts or by warranty terms and conditions. After this date, all support services for the product are unavailable, and the product becomes obsolete. | 31.06.2021 |
New VALHALLA Features That You Might Have Missed
Rule Info Pages
The new rule info pages allow you to get more information on a certain rule. You can find all the meta data, as well as past rule matches and previous antivirus verdicts.
A second tab contains statistics.
You can also report false positives that you’ve encountered with that rule using the button in the tab bar.
Note that the rule info lookups in the web GUI are rate limited. If you query rule infos too often, you get blocked.
The rule info pages can be access using this URL scheme:
https://valhalla.nextron-systems.com/info/rule/RULE_NAME
For example:
https://valhalla.nextron-systems.com/info/rule/HKTL_Empire_ShellCodeRDI_Dec19_1
Automated Tagging
The automated tagging has been extended to included MITRE ATT&CK threat actor group IDs.
Status Includes Version
The status endpoint now includes a version number.
The version number is an integer value generated from the last update timestamp using a format string “%Y%m%d%H”. This way it is not just a version number that you can compare with you local last change (e.g. “>=”) but also an implicit timestamp.
You can access that endpoint via POST request (/api/v1/status) or Python API’s “get_status()” function.
You can find more information on Valhalla on our web page.
THOR 8 and SPARK End-of-Support
With this blog post we would like to inform you that our End-of-Life (EOL) products THOR 8 and SPARK will reach their End-if-Service-Life (EoSL) on 31th of October 2020.
From this day onwards, product and signature updates will not be available anymore.
Please consider upgrading to THOR 10, which is available for all relevant platforms and architectures.
Upcoming ASGARD Version 2
The last five months we’ve been working on a shiny new version of our ASGARD platform that overcomes previous limitations and includes exciting new features.
ASGARD 2 is a completely rewritten management platform, featuring a new interface, load balancing options, a new lightweight agent, custom response playbooks and greatly improved IOC management.
Fundamental Changes
- Easy to use GUI and API for response functions (replaces GRR as underlying framework)
- Rewritten agents consume much less memory
- New dynamic agent load control allows to connect up to 25,000 endpoints
- Predefined and custom playbooks
- IOC management support for MISP
- Remote consoles
IOC Management
The new IOC management allows to interface with a MISP instance and create rule sets based on filters.
For example, you can search for and select all MISP events containing the keyword “Emotet”, create a new rule set from them and then select this rule set to be used in a new THOR scan.
Playbooks
The so-called playbooks allow you to define a set of steps that the agent executes on an end system.
Each playbook can have up to 16 independant steps of the types “Run Command Line”, “Download File” or “Upload File”.
It is easy to set up new playbooks that e.g. download a certain tool to the endpoints, run it and collect the generated output.
Each or all results of playbook executions can be collected via GUI or API. Playbooks can be triggered via API to allow the integration into security orchestration, automation and response (SOAR) solutions.
ASGARD v2 ships with a set of predefined playbooks including:
- Collect system memory
- Collect file or folders
- Quarantine endpoint
- Collect triage package
- Collect process tree
Remote Console
The remote console allows you to open up a web based command line window on any attached end system. This greatly facilitates the analysis of suspicious events. Analysts can browse the remote system, review or change settings and issue commands.
During the session, you can select files for collection or define certain playbooks to be executed after disconnecting the command line session.
Every session gets recorded for complete traceability.
Time Schedule
Beta customers will test drive ASGARD v2 in March and April. We expect a first release in June.
An upgrade guide for ASGARD v1 customers will be provided.
Automated Citrix Netscaler Forensic Analysis with THOR
In this blog post I’d like to outline an idea on how to perform an automated compromise assessment on Citrix Netscaler / Citrix ADC appliances.
I you haven’t heard about that vulnerability yet, you should read my tweets over the past weekend or try to get a full picture with the help of this Reddit.
This blog post is about a subsequent forensic analysis, not detection, not protection and contains no marketing blah-blah.
The described solution should work with the free / open scanners as well. They just don’t have that huge signature set as it is included in THOR.
The reason for this is that although you’ve implemented the workaround on Monday 13th of January, you can’t trust your gateway anymore.
The vulnerability is known since December 17th and the public exploit code available since Friday the 10th of January. Nation state actors have most likely used Christmas holiday season to analyze Netscaler systems in their lab and produce an exploit, just like many offensive researchers did. Since Friday the 10th, even script kiddies can exploit this vulnerbility.
Strictly speaking, you can’t trust these gateways anymore.
But how can we regain trust?
A. Wait for a patched version and reinstall the gateways from the scratch
B. Perform a manual forensic analysis
C. Perform an automated forensic analysis
Automated Analysis with THOR
We don’t have and plan a THOR (SPARK Core or LOKI) version for FreeBSD 8.4, but we could try to mount the remote filesystem of the Netscaler gateway with SSHFS.
DigitalOcean has a good tutorial on how to enable it on your workstation.
mkdir ~/netscaler-mount
sudo sshfs -o allow_other,defer_permissions nsroot@citrix-gateway.nextron:/netscaler ~/netscaler-mount/
sudo sshfs -o allow_other,defer_permissions nsroot@citrix-gateway.nextron:/netscaler ~/netscaler-mount/
We can then use one of our scanners on that mounted volume using the `–fsonly` parameter (which activates forensic lab mode and scans directories regardless of their type).
./thor64 --fsonly -p ~/netscaler-mount
With this method, we can detect dropped malicious templates.
You can use the public YARA rule, that I’Ve published in LOKI’s and SPARK Core’s signature base. (note that a SPARK Core version that includes that rule hasn’t been released yet)
Important note: this only works for templates that have been dropped since the last reboot. Users reported that dropped malicious templates get removed during a reboot. As the workaround described by Citrix requires a reboot, scanning with this single YARA rule alone won’t be a reliable method.
I recommend scanning with the full signatures set in all scanners, as they also include rules for web shells and other suspicious content in files. I’ll also extend the YARA rules on github and add further indicators.
Additional Indicators
We can use the following YARA rule to check for suspicious strings in log files. But we don’t want to use that rule on any Linux/FreeBSD system. Therefore I won’t integrate that YARA rule in the public signature base. You can just copy it from this blog post and place it in the ‘custom-signatures/yara’ sub folder (‘/signatures’ for LOKI).
This rule for the forensic artefacts is based on remarks made in this article by TrustedSec and shared as gist.
First, we mount the ‘/var/log’ directory from our remote Netscaler system.
mkdir ~/netscaler-logs
sudo sshfs -o allow_other,defer_permissions nsroot@citrix-gateway.nextron:/var/log ~/netscaler-logs/
sudo sshfs -o allow_other,defer_permissions nsroot@citrix-gateway.nextron:/var/log ~/netscaler-logs/
We then start a scan on the mounted log directory.
As you can see, the scanner noticed a an issued ‘whoami’ command in the ‘bash.log’ and ‘notice.log’ files, which is a good starting point for further investigations.
Final Thoughts
I think we’ll develop more rules for post-exploitation payloads over the coming days. Stay tuned and follow my twitter account for updates.
THOR Integration into Microsoft Defender ATP
Why Integrate THOR into Microsoft Defender ATP
While Microsoft Defender ATP fully plays off its strength in detecting live attacks, suspicious process starts and network connections, THOR shines as a live forensic scanner that scans the local filesystem, registry, logs and other elements for traces of hacking activity.
While Microsoft Defender ATP features a forensic package collection that retrieves elements from a remote system, THOR scans these elements on the remote system, applying more than 10,000 hand-written YARA rules and thousands of filename, C2, hash, mutex and named pipe IOCs to them. This live forensic scan reduces the work of your forensic analysts to a minimum and generates results as fast as possible for you to react in a timely manner.
THOR extends Microsoft Defender ATP’s real-time monitoring by intense local scans to allow a full on-demand compromise assessment.
Deployment Options
Due to the fact that both Microsoft Defender ATP and THOR are very flexible and open products, the integration is no one-lane road with a single possible solution. Depending on the network size, segmentation and available 3rd party solutions like a SIEM the integration allows and requires different setups.
This blog post starts with an example use case and then outlines many of these setup options.
Live Response Scripts
The Microsoft Defender Security Center allows us to upload PowerShell scripts into a so called “live response library”, which is available on the endpoint during “live response” sessions.
These scripts allow us to facilitate the download and execution of THOR on the endpoint.
There are two ways to implement different scan modes and parameters. THOR has numerous command line options, which can be passed either as parameters of the PowerShell scripts or predefined in YAML config files.
Example: Turla Malware
We’ll use a simple demo script that contains a path to a file share providing the THOR package.
It uses a config file named “rootkit-check.yml”, which is located in the program folder on the file share. It activates 3 rootkit related modules, sets the path for all output files as rebase-dir and deactivates some features.
We upload that script into a live response session to investigate suspicious behaviour of a workstation that showed several alerts regarding a malware and the use of a “living-off-the-land” binary to run malicious code.
The details reveal that the use of certutil.exe triggered the alert.
We can see other commands like tasklist, net and netstat, which are often used in reconnaissance scripts, executed in the context of a user named “admin”.
We start a “Live Response Session” for further live forensic investigations with the help of THOR.
Since this is our first investigation with that specific script, we have to upload it to the live response library.
We can then verify the upload using the “library” command and run the script from the command line.
It takes about a minute to complete the Rootkit check.
THOR recognized a malicious mutex used by Turla malware and gives further information on the related process and process binary, which can be used for additional verification of the threat.
The HTML report and text log file have been saved back to the file share.
Other Setup Options
Scanner Provisioning
In this chapter we describe different methods to provide a THOR package to an end system during live response investigations.
Option A: File Share
The complete THOR package including binaries and signatures can be provided on a network share. This network share should be read-only to avoid that attackers notice the activity and manipulate the program or signatures on the file share.
Advantages:
- Quick setup
- Only a file server is needed
Disadvantages:
- Requires SMB/CIFS connection from end system to file share
- Scanner / signature updates must be scripted (thor-util.exe)
- Manual license generation (in Nextron’s customer portal) or expensive IR license (not host-based)
Option B: ASGARD Management Center
The central management platform ASGARD Management Center is hardened Debian-based soft appliance that serves as software repository and licensing server in our use case.
The PowerShell scripts in the script library can retrieve THOR packages via HTTPS from the ASGARD Management Center.
Advantages:
- HTTPS download of THOR packages
- Integrated licensing
- Automatic scanner and signature updates
Disadvantages:
- Additional server system (VM; maintenance)
Option C: THOR via Script Library as SFX
The complete THOR program folder can be packaged into a self-extracting & executing archive (SFX), which could then be uploaded into the “live response library”. It could then be executed right from the script library (run) or uploaded to the end system (put).
Advantages:
- No servers needed
- Microsoft Defender ATP native solution
Disadvantages:
- Scanner / signature updates and SFX creation must be scripted on an analyst system (thor-util.exe)
- Manual license generation (in Nextron’s customer portal) or expensive IR license (not host-based)
Output Options
The results of the scans can be stored and transmitted to different locations.
Option A: Log and Report on File Share
THOR writes a log file in real-time during the scan and renders an HTML report at the end of the scan. Users can set an output directory other than the working directory for all output files with the “–rebase-dir” parameter.
This output folder can be a file share, e.g. “\\server\share”.
Analysts can check the log file during the scan, which takes between minutes and hours to complete.
Advantages:
- Only a file server required
Disadvantages:
- Requires access to file share from the end system (SMB/CIFS)
- File share must be writable (possible manipulation by the attackers)
Option B: SYSLOG, JSON or CEF to SIEM
THOR can send the logs via SYSLOG (UDP, TCP, TCP+SSL, CEF) or in JSON (UDP, TCP, TCP+SSL) to a remote SIEM or log management system.
Advantages:
- Integrates into existing solution and processes
Disadvantages:
- Requires SIEM system and some base-lining
- Requires connection to port 514 from end system to SIEM system
Option C: SYSLOG, JSON or CEF to ASGARD Analysis Cockpit
ASGARD Analysis Cockpit is the optimized log analysis platform (soft appliance) to process, baseline and forward THOR logs.
It most relevant features in this use case are:
- Base-lining and central false positive filtering
- Event forwarding of filtered events
ASGARD Analysis Cockpit already has several options to create alerts for incoming logs.
Similar to the current “Webhook” output, Analysis Cockpit could add a feature to connect with Microsoft Defender Security Center and create Alerts as described in the official API documentation.
Advantages:
- Optimal THOR log base-lining and forwarding of relevant events only
Disadvantages:
- Additional server system (VM; maintenance)
- Requires connection to port 514 from end system to Analysis Cockpit
Option D: Local Eventlog
THOR can be instructed to log to the local Windows Eventlog with the “—eventlog” command line parameter. Customers that already forward their Windows Application Eventlog to a central SIEM could then use the existing integration and analyze the THOR events in their SIEM.
Advantages:
- Integrates into existing security monitoring
- No additional open port needed
Disadvantages:
- Requires SIEM system and some base-lining
Option E: Live Response – “getfile”
Local log files that were written to the working directory can be retrieved with the “getfile” command.
Advantages:
- Integrates into analyst workflow
- No additional open port needed
Disadvantages:
- Files could be left on the end system
(causing false positives in other products; in plain sight for attackers)
Future Integrations
This chapter contains an outlook on expected future integrations based on upcoming features and APIs.
Sample Collection
The Microsoft Defender ATP API allows to fetch a certain file from a remote system. Similar to the alerting mechanisms via Webhooks in ASGARD Analysis Cockpit, users will be able to fetch any suspicious or malicious file reported by THOR with a given minimum threat score using the Microsoft Defender ATP API.
THOR Cloud
The upcoming cloud based version of our licensing and download server, which is currently integrated into our customer portal, will be able to serve THOR packages that contain an integrated license for the host which is supposed to be scanned.
This way, you will we be able to run a PowerShell script from the live response library that downloads an up-to-date THOR package with a valid license file right from the new online service and don’t need a local ASGARD server that provides the THOR packages and licenses.
ASGARD Analysis Cockpit v2.8 with Sandbox Integration
ASGARD Analysis Cockpit’s new version 2.8.2 features an open API to interface with all major sandbox vendors.
It ships with presets for Cuckoo Sandbox and even allows to connect multiple different sandboxes at the same time.
Today users can configure THOR scans in the ASGARD Management Center that collect suspicious files with a given minimum score.
(side note: a clever mechanism in Bifrost protocol v2 collects only files that have not been collected before)
The new version of Analysis Cockpit will automatically receive these samples once it gets connected to an ASGARD Management Center.
With a connected Sandbox, you can decide to send <all> incoming samples to Sandbox or drop only selected samples manually.
Analysis Cockpit’s “Sandbox” section shows all collected samples, the affected hosts, hashes, filenames and other data in the “Files” tab.
The “Reports” tab contains results from each sandbox run.
Each event in “Baselining” section shows an available sandbox report if a hash in the event matches with one of a sample that has been analyzed by the sandbox.
The Analysis Cockpit API allows the retrieval of collected sample files and the upload of any type of report.
Changes in Upcoming THOR Version 10.3
Refactored Handle Detection
We have completely refactored THOR’s malicious Handle detection.
We now allow the use of regular expressions and combined all types in a single signature file named “malicious-handles.dat”.
Users can provide custom indicators by placing a file with the keyword ‘handles’ in name into the folder ./custom-signatures/iocs
Process Handle Match Enrichment
Mutex, Named Pipe or Event matches will now trigger message enrichment in which the alert message is “enriched” with plenty of helpful information on the underlying process, including image file path, parent process and image file hashes.
This helps analysts to evaluate and classify the event.
More Eventlog Sources
We’ve integrated more Windows logs in the default Eventlog scanning to detect keyword and filename IOCs in even more data sources.
This could increase scan duration significantly in cases in which you have defined custom unusually large maximum log sizes.
Custom Eventlog and Registry Exclusions
Users can now exclude certain Registry paths or Eventlogs from scanning.
We’ve added two new and empty exclude files in the ./config sub folder for your convenience.
Support for new Sigma Modifiers
THOR now supports the newest value modifiers used in the most recent version of the Sigma standard.
- endswith
- startswith
Case ID (CID) get renamed
Previous versions of THOR offered a parameter -i / –case-id to set a unique identifier that appears as “CID: identifier” in all log lines of this specific scan.
With version 10.3 this CID gets renamed to SCANID and will be generated by default.
Every log line will contain a SCANID that makes it easier to associate a single line with the complete scan in reporting platforms like SIEM systems or ASGARD Analysis Cockpit.
You can still overwrite that value manually for legacy reasons or in order to group multiple scan runs into a single logical report.
Other Changes
- Feature: Log to local syslog with `–local-syslog` (Linux and macOS only)
- Improvement: Filename IOC “slash to backslash” transformation now works platform independent
- Improvement: SHIMCache Analysis in Registry Hives (not just live Registry)
- Improvement: Support for new license type “silent” (allows silent scans used in deployment tests)
- Improvement: YARA rule date in output messages
- Change: -j hostname will also adjust hostname in output file names
- Change: Don’t skip certain Registry paths with `–fullregistry` or in `–intense` mode
- Change: New value “max_file_size_intense” to be able to set a dedicated value for “intense” or “lab” scans
- Bugfix: missing start and end date in HTML report
- Bugfix: Message enrichment module processed duplicate values (e.g. Eventlog contained the filepath C:\w1.exe three times, the message enrichment included the additional attributes like EXISTS, MD5, SHA1, FIRSTBYTES three times, which is unnecessary)
THOR Remote Demo: Agentless Remote Compromise Assessment
We’ve made a short video demo to showcase the new THOR 10 feature called “THOR Remote”, which allows you to perform compromise assessment scans on multiple remote systems – no agent or scripting required.