Aurora Lite Agent v1.0 Release

After almost half a year of development, we are pleased to announce the release of our free version of the Aurora Agent named Aurora Lite.

The Aurora agent is a Sigma-based endpoint agent that offers maximum transparency, flexibility, and confidentiality. It doesn’t require an additional kernel driver but uses the native Event Tracing for Windows (ETW). Other detection modules like the “Cobalt Strike Beaconing Detector” or the “LSASS Dump Detector” provide detection capabilities that exceed the scope of pure Sigma matching. 

Aurora Lite is a limited but free version of the endpoint agent. It lacks some features, has no additional detection modules, and cannot be used with the comfortable ruleset and configuration management in ASGARD Management Center. The complete list of limitations can be found here.

Regardless of these limitations, we believe that even the free version can compete with other commercial endpoint agents and provides similar detection coverage. 

Captured Pre-Release Web Session

Slide Deck

The slide deck shown in the recorded web session can be found here.

Slides 8 to 18 contain a quick start guide.

Online Manual

The Aurora Agent online manual can be found under this link.

Product Page and Download

You can find the Aurora Agent product page and the download links here.

Antivirus Event Analysis Cheat Sheet v1.9.0

We’ve updated our Antivirus Event Analysis Cheat Sheet to version 1.9.0. 

  • It includes updates in almost all sections
  • add special indicators for all kinds of Microsoft Exchange exploitation activity (ProxyLogon, ProxyShell etc.)
  • moves Ransomware indicators to highly relevant column

You can download the new version here.

Tip: to always find the newest version of the cheat sheet, use this search query.

Aurora – Sigma-Based EDR Agent – Preview

The following recorded video session includes information about our new Sigma-based EDR agent called “Aurora” and the free “Aurora Lite”. It’s a preview of the agent with information on its features, limits, advantages and a live demo.

The release is scheduled for December 2021. Follow us on Twitter or subscribe to the newsletter to get updates about the development of Aurora.

The slides with the pre-release information shared in the talk, can be downloaded here.

Monero Mining Pool FQDNs

Malware that deploys crypto mining software has become more and more popular and annoying. It’s not always possible to scan every device in your network with our free or commercial compromise assessment scanners.

The good news is that the mining pools for the most popular crypto currency Monero (Symbol: XMR) are limited.

Therefore we’ve decided to compile a list of these mining pools that you can use to monitor your firewall or DNS servers.

For a very generic approach, your could try using the following patterns:

*xmr.*
*pool.com
*pool.org
pool.*

Our customers can use THOR to scan for scripts, executables, DNS cache, process connections, log entries and other elements for traces of crypto mining activity.

Monero Mining Pool Addresses

pool.minexmr.com
fr.minexmr.com
de.minexmr.com
sg.minexmr.com
ca.minexmr.com
us-west.minexmr.com
pool.supportxmr.com
mine.c3pool.com
xmr-eu1.nanopool.org
xmr-eu2.nanopool.org
xmr-us-east1.nanopool.org
xmr-us-west1.nanopool.org
xmr-asia1.nanopool.org
xmr-jp1.nanopool.org
xmr-au1.nanopool.org
xmr.2miners.com
xmr.hashcity.org
xmr.f2pool.com
xmrpool.eu
pool.hashvault.pro
moneroocean.stream
monerocean.stream

Antivirus Event Analysis Cheat Sheet v1.8.2

The analysis of Antivirus events can be a tedious task in big organizations with hundreds of events per day. Usually security teams fall back to a mode of operation in which they only analyze events in which a cleanup process has failed or something went wrong. 

This is definitely the wrong approach for a security team. You should instead focus on highly relevant events. 

This cheat sheet helps you select these highly relevant Antivirus alerts.  

Download the Antivirus Event Analysis Cheat Sheet version 1.8.2 here.

Web Proxy Event Analysis Cheat Sheet

The “Web Proxy Event Analysis Cheat Sheet” can help SOCs and security analysts classify proxy events (blocks, alerts) and is based on my ideas and many ideas from experts that helped me collect detection ideas for this document.

You can download version 1.0 here.

We also recommend checking Sigma’s “proxy” section for detection rules that can be used to detect threats in web proxy or similar logs as long as they contain web connection information (EDR, HIDS etc.).

 

Web Proxy Event Analysis Cheat Sheet

Antivirus Event Analysis Cheat Sheet v1.7

We’ve just released an updated version of our Antivirus Event Analysis cheat sheet. You can download version 1.7 here.

The major changes are:

  • Updated AV signature lists
  • Split AV signature cells into two columns to save space
  • Fixed and added some directory names
  • Extended file extension list
  • Google filename search
  • More Virustotal checks

SPARK uses Sigma Rules in Eventlog Scan

Sigma is a rule format for threat detection in log files. It is for log data what “Snort rules” are for network traffic or “YARA signatures” are for file data. It is easy to write and read. Writing a Sigma rule is a matter of minutes.

On the right you can see a simple Sigma rule that checks the “System” eventlog for traces of password dumper activity. The detection section contains 1+ identifiers (selection, keywords, quarkspwdump) that can be defined freely by the rule author. These selectors are used in the condition to build the rule.

It also contains a description, references, possible false positives and a level.

Analysts use Sigma to generate search queries for their SIEM or log management solution. The Sigma repo contains a converter that allows to convert the generic rules to ElasticSearch, Splunk, QRadar, Logpoint, Windows Defender ATP (WDATP) and ArcSight.

Wouldn’t it be great if you could apply Sigma rules on the endpoint?

Well, the upcoming version 1.14 of SPARK, which will be released at the end of July,  does that. It applies Sigma rules to the local Eventlog. This way you’re able to apply searches that you have once defined for your SIEM to the local Eventlogs.

This way you are able “query” the standalone systems that are not connected to your SIEM and uncover otherwise common blind spots in your environment.

 

We ship the current rule set, which is part of the public Sigma repository and contains more than 200 rules with our SPARK program package in an encrypted form. (*.yms)

You can add your own Sigma rules to the “./custom-signatures/sigma/” folder in the SPARK program directory.

To activate Sigma scanning, use the new “–sigma” parameter.

Currently only SPARK supports this feature and there are no plans to implement this in THOR as well.

The feature is currently free for all customers but may become a premium feature that has to be licensed separately by the end of the year depending on the customer’s plan. 

See the comparison table for a complete overview on all features.

WordPress Cookie Plugin by Real Cookie Banner