ASGARD v2.13 Release

Over the last 4 months, we’ve worked on many new UX improvements and the integration of our endpoint agent Aurora. Today, we are glad to announce the release of ASGARD version 2.13. 

UX Improvements

We’ve reworked many sections and dialogues with user experience (UX) in mind. 

Overall, we’ve made more than 260 changes, reworked complete sections and dialogues and added completely new functions like the new “diagnostics”. 

Some of highlights:

  • Each THOR scan now shows a progress bar that doesn’t only show the state of completion but also the current module and element, the module progress and the amount of time spent on this module. This can help you to identify bottlenecks, issues or elements that should better be excluded from the scan.
  • All tables now have an option for an auto-refresh, which can be set per user and table (persistent setting by user)
  • The new diagnostics section helps you to quickly identify connectivity or configuration issues
  • Export and Import of Scan Templates
  • Reworked THOR download section, which allows to generate links for the “latest available version” and shows an information on the API endpoint usage
  • Improved agent installer repackaging options (e.g. repack all outdated installers)
  • Many dialogues with additional error handling of common user errors

Some of the planned UX improvements are still on the roadmap and will be part of the next update. These include: 

  • More flexible group scan target selection (combine labels with AND instead of OR, filter selection for labels to exclude)
  • Maintenance section in which users can define clean-up rules for old data (remove old assets, automatically remove old log data etc.)

 

 

Scan Progress Bar (Single Scan)

Scan Progress Bar (Group Scan; Collapsed Info)

Auto Refresh Options

System Diagnostics

Background Load Indicators (green line)

Export & Import of Scan Templates

Reworked THOR Download Section (generate link for the latest version, information about the use of the tokens)

Improved Agent Installer Repackaging Options

Aurora Agent Support

This version allows the deployment and management of our Sigma-based endpoint agent.

You can find information about Aurora here.

ASGARD Management Center allows you to:

  • Manage rules that you want to use
  • Add false positive filters to rules
  • Define response actions for certain rules
  • Manage updates on these rules
  • Group rules into rule sets
  • Use rule sets in an Aurora configurations
  • Assign configurations to groups of end systems
  • Put all response actions in a configuration into simulation mode
  • Put single response actions in simulation mode
  • Manage rules that have been in simulation mode for a certain time
  • Apply so-called response sets (groups of response actions provided by Nextron) to your rule set
  • Apply your IOCs or IOCs retrieved from a MISP instance with Aurora

Aurora Agents (Deployed)

Sigma Rule Set Management

Aurora Agent Configurations

More changes in this release

  • AIX support (beta users only)
  • Collect THOR log as JSON (optional)
  • New section “Playbook Files” to manage all files and tools used in playbooks
  • License expiration warning messages
  • many more – see the changelog for all details

Upgrade

ASGARD Management Center customers upgrade their instances in “Updates > Management Center”. 
Important: Make sure to upgrade Master ASGARD instances before upgrading the connected ASGARDs. 

Aurora Lite Agent v1.0 Release

After almost half a year of development, we are pleased to announce the release of our free version of the Aurora Agent named Aurora Lite.

The Aurora agent is a Sigma-based endpoint agent that offers maximum transparency, flexibility, and confidentiality. It doesn’t require an additional kernel driver but uses the native Event Tracing for Windows (ETW). Other detection modules like the “Cobalt Strike Beaconing Detector” or the “LSASS Dump Detector” provide detection capabilities that exceed the scope of pure Sigma matching. 

Aurora Lite is a limited but free version of the endpoint agent. It lacks some features, has no additional detection modules, and cannot be used with the comfortable ruleset and configuration management in ASGARD Management Center. The complete list of limitations can be found here.

Regardless of these limitations, we believe that even the free version can compete with other commercial endpoint agents and provides similar detection coverage. 

Captured Pre-Release Web Session

Slide Deck

The slide deck shown in the recorded web session can be found here.

Slides 8 to 18 contain a quick start guide.

Online Manual

The Aurora Agent online manual can be found under this link.

Product Page and Download

You can find the Aurora Agent product page and the download links here.

ASGARD v2.12 Released

The new ASGARD Management Center version 2.12 adds new features and fixes several issues that were introduced with the version 2.11 in December last year.

Better Sigma Rule Management

We’ve added new features and improved the usability of the sigma rule management section, which is relevant for the released LogWatcher agent and beta customers testing our new Aurora agent.

 The most important new features are the false positive and response editor, which allows Aurora customers to configure response actions for a triggering rule. 

The false positive filter enables users to add filters that, instead of changing the  original rule, extend it during deployment. This makes it easy to use updated rules with the same custom filter values that are only relevant in the user’s environment. 

Revised Updates Section

The update section for the scanners and signatures has been revised. Each action has been reworked. Users can now trigger and update manually and check the log of the update process in a separate tab. 

Full change log:

– Feature: Support Aurora Agent (Beta Only)
– Feature: Manage Sigma Responses and False Positives (Aurora Only)
– Feature: Enable / Disable Sigma Rules
– Feature: Manually check for THOR and Signature Updates
– Feature: Show log of previous update process
– Feature: Auto Config for Sigma Rulesets (Automatically add new Sigma Rules based on level)
– Feature: The UI now has a lot more indicators for e.g. ‘Asset Requests’, ‘Uncompiled Rulesets’ and more
– Feature: Added more graphs to overview page, e.g. incoming Aurora and Log Watcher events
– Feature: Added bulk update for available Sigma rule updates
– Feature: Added default Sigma Rulesets (if no ruleset has been created yet)
– Feature: Added background routine that removes older and unused THOR / Signature versions
– Feature: Edit Scan Templates
– Feature: Search THOR Flags / Aurora Options
– Feature: Download THOR Zip with target hostname as filename
– Change: Improved Server Status indicators
– Change: Improved licensing
– Change: LDAP users require at least one LDAP role, otherwise they are not authenticated anymore
– Change: Updated Sigma rules
– Change: Cosmetics and UX improvements
– Change: Updated default THOR and Signature auto-update config
– Change: Added more links and password reset help to login page
– Change: Improved usability and feedback in IOC Management section
– Change: Require current password for password change
– Bugfix: Re-added and improved “no labels” filter in assets table
– Bugfix: Re-added resize buttons for Remote Console
– Bugfix: Fixed an issue that causes some API keys to be corrupt
– Bugfix: Fixed non-working ‘Install Service Controller’ playbook on Master ASGARD
– Bugfix: Updated interrogate job to detect ‘Windows 11’ correctly
– Bugfix: Fixed corrupt ‘Is Domain Controller: No’ filter
– Bugfix: Fixed missing default value when editing Sigma or YARA rules in IOC Management
– Bugfix: Fixed non-working “use newer Sigma rule” button
– Bugfix: Fixed CRLF issues in IOC Management for some IOC types
– Bugfix: Fixed some missing MISP iocs in THOR download package
– Bugfix: Fixed permissions on some files that caused backup process of ASGARD config files on Master ASGARD to not work properly
– Bugfix: Fixed encryption issues with custom signatures for THOR Lite
– Bugfix: Fixed missing import in ntp config that causes ntp to not work properly on some ASGARDs
– Bugfix: Fixed tasks that are pending forever due to unknown task module
– Bugfix: Fixed non-working rsyslog reload after monthly logrotation
– Bugfix: Fixed wrong file extension of stdout and stderr file in group task result package

To install the update, visit the “Updates > Management Center” section. 

Product Surveys – Tell us what you think

We’d like to know your opinion on our products and therefore ask you to participate in our product surveys. Each of them takes between 2 and 5 minutes of your time, depending on how much you’d like to tell us.

THOR Customer Satisfaction Survey

You find the survey here.

ASGARD Customer Satisfaction Survey

You find the survey here.

Analysis Cockpit Customer Satisfaction Survey

You find the survey here.

Public Feature Collection

We also plan to publicly collect feature requests and allow you to up- or downvote requests of other users, comment on them and get informed when a feature has been implemented.

 

ASGARD: Check your Signature Versions

It came to our attention that under certain circumstances, after the upgrade to ASGARD 2.11, some ASGARD instances lost their scheduled task to automatically assign the newest signatures to scan jobs . We advice customers to review their update configuration if they are affected. Go to Updates > Scanners and Signatures. If you are affected the column ‘Automatically use newest version’ shows ‘not configured’.

In order to resolve this issue, you need to schedule a time for signature updates. Use the action button with the clock icon. We recommend an interval of 1 day (see the screenshot).

After you have entered the new schedule, you should see the configured date and interval in the “Automatically use newest revision” column.

The same mechanism is used to configure when new THOR versions should be used for scans. We recommend to use the default, which is also a daily update interval.

Log4j Evaluations with ASGARD

We’ve created two ASGARD playbooks that can help you find Log4j libraries affected by CVE-2021-44228 (log4shell) and CVE-2021-45046 in your environment. 

Both playbooks can be found in our public Github repository

We’ve created a playbook named “log4j-analysis” that helps you find instances that use versions of “log4j”. An additional evaluation script can be used to process the ASGARD playbook results and distinguish between affected and unaffected versions. 

Another playbook named “log4shell-detector” allows you to run a script provided by our head of research on all Linux systems to detect exploitation attempts in log files.

The results of the evaluation script that processes the results of the “log4j-analysis” playbook look like this. 

Log4Shell Detection with Nextron Rules

The Log4Shell vulnerability (CVE-2021-44228) in log4j is actively exploited in-the-wild and highly critical. This blog posts lists some important web resources and the signatures that detect exploitation attempts.

Explanation of the Vulnerability

LunaSec reported first on the vulnerability.

Canary-based Vulnerability Detection

Use this method to detect vulnerable applications and services in your organisation.

Grep / ZGrep Detection Ideas

Different detection patterns and idea to detect exploitation attempts in log files using grep and zgrep.

Log4Shell Detector Python Script

A python script that can be used to detect even the most obfuscated versions of the malicious payload. 

List of Advisories by Vendors

Big collection of advisories and statements by different vendors that use JAVA and log4j. 

List of Vulnerable Software with PoCs

Incomplete list of software products that have proven to be vulnerable.

Log4Shell Vulnerability Scanner (Local Files)

Scans the file system of application servers for vulnerable versions of the log4j module.

Fenrir Log4Shell Release

A bash based IOC scanner that can be used on any Linux/Unix system to detect traces of the attack and vulnerable log4j versions.

Signatures Detecting Log4Shell Attacks

Check for matches with the following rules:

Exploitation

YARA

Sigma

Post-Exploitation

Look for matches with the following rules that trigger on activity observer in-the-wild.

YARA

Sigma

ASGARD Users

It takes us few days to release new rules. The rules that we wrote over the weekend may not be available on Monday 13th of December. ASGARD users that want to use the signatures that are still in our QS, can activate the option for these signatures in “Settings > Advanced > Show Signature SigDev Option”. 

After changing the setting, new scans show an additional option in the dropdown menu. 

Please contact our support in case of any questions. 

THOR Users

Users of our scanner THOR also need to use the signature version that’s in development to get the newest signatures that detect log4j exploitation. 

Retrieve that signature pack with:

thor-util.exe update –sigdev

Aurora – Sigma-Based EDR Agent – Preview

The following recorded video session includes information about our new Sigma-based EDR agent called “Aurora” and the free “Aurora Lite”. It’s a preview of the agent with information on its features, limits, advantages and a live demo.

The release is scheduled for December 2021. Follow us on Twitter or subscribe to the newsletter to get updates about the development of Aurora.

The slides with the pre-release information shared in the talk, can be downloaded here.

ASGARD 2.11 Release

We are glad to announce a new ASGARD Management Center (AMC) release with exciting new features and improvements.

Sigma LogWatcher

LogWatcher is a new service that applies Sigma rules to Windows Eventlog entries. It uses the big public Sigma rule base and has access to the upcoming private Sigma rule feed maintained by Nextron Systems. It’s the first additional service that can be managed and configured in the new “Service Control” section. (add the “Service Control” right to roles to enable the section for these roles)

Improved LDAP Support

The new LDAP configuration now supports all kinds of different selection options to authenticate against Microsoft Active Directory.

Improved IOC Management

The IOC Management moved into the Scan Control section and now allows you to import single or groups of IOCs in a special interface that abstracts from the underlying format required by THOR.

A ruleset contains IOC groups which contain IOCs. Integrated checks verify the provided expressions and give you direct feedback. 

Persistent Column Settings per User

Each user can now configure the table views in each section according to their needs, which persist across sessions.

Performance Improvements

The new version improves the performance of large installations (>10,000 endpoints) significantly. 

THOR and THOR TechPreview Support

It’s now possible to scan with all kinds of THOR version, the current stable version Tech Preview versions and even THOR Lite. 

 

Before you update:

  • the upgrade can take up to one hour in large installations, so please wait and do not reboot during the installation
  • the API has been completely revised so that old API endpoints that you currently use may not work anymore
  • to prevent an inconsistent state, you have to upgrade the Master ASGARD before upgrading the connected ASGARDs

More changes:

  • improved stability and error handling of THOR scans
  • extended CSV output and availability in many more sections
  • requirements for password complexity has been increased

TryHackMe Training Room for THOR Lite

Since THOR and THOR Lite are tools written for digital forensic experts, they can be difficult to use. There is often a steep learning curve in the beginning.

We’d like to help new users pass these first steps in a playful way by providing a TryHackMe challenge in which you analyse a compromised system using THOR Lite.

You’ll learn how to download and run it, interpret the results, write your own signatures and include your own IOCs for a custom threat. 

The room is meant for first time THOR or THOR Lite users.

Target Audience: DFIR professionals, administrators, security analysts
Duration: ~3 hours (without the download of the VM)

You’ll work with a prepared virtual machine that you’re required to download during the training.

Requirements:

  • VMWare or VirtualBox
  • 13 GB download and 23 GB of disk space
To access the TryHackMe room

  1. visit https://tryhackme.com
  2. create an account
  3. access the page “My Rooms”
  4. enter the room code “thorlite”, then “Enter room”

and start with the training lab.

Please help us and send your feedback to feedback@nextron-systems.com

WordPress Cookie Plugin by Real Cookie Banner