Antivirus Event Analysis Cheat Sheet v1.10.0

We’ve updated our Antivirus Event Analysis Cheat Sheet to version 1.10.0.

  • Updates in several sections
  • Special identifiers for Sliver and Brute Ratel C4 framework implants
  • Many new tags for Virustotal assessments

You can download the new version here.

Tip: to always find the newest version of the cheat sheet, use this search query.

Changes:

Aurora Lite Agent v1.0 Release

After almost half a year of development, we are pleased to announce the release of our free version of the Aurora Agent named Aurora Lite.

The Aurora agent is a Sigma-based endpoint agent that offers maximum transparency, flexibility, and confidentiality. It doesn’t require an additional kernel driver but uses the native Event Tracing for Windows (ETW). Other detection modules like the “Cobalt Strike Beaconing Detector” or the “LSASS Dump Detector” provide detection capabilities that exceed the scope of pure Sigma matching. 

Aurora Lite is a limited but free version of the endpoint agent. It lacks some features, has no additional detection modules, and cannot be used with the comfortable ruleset and configuration management in ASGARD Management Center. The complete list of limitations can be found here.

Regardless of these limitations, we believe that even the free version can compete with other commercial endpoint agents and provides similar detection coverage. 

Captured Pre-Release Web Session

Slide Deck

The slide deck shown in the recorded web session can be found here.

Slides 8 to 18 contain a quick start guide.

Online Manual

The Aurora Agent online manual can be found under this link.

Product Page and Download

You can find the Aurora Agent product page and the download links here.

Antivirus Event Analysis Cheat Sheet v1.9.0

We’ve updated our Antivirus Event Analysis Cheat Sheet to version 1.9.0. 

  • Updates in almost all sections
  • Special indicators for all kinds of Microsoft Exchange exploitation activity (ProxyLogon, ProxyShell etc.)
  • Ransomware indicators moved to the highly relevant column

You can download the new version here.

Tip: to always find the newest version of the cheat sheet, use this search query.

Aurora – Sigma-Based EDR Agent – Preview

The following recorded video session includes information about our new Sigma-based EDR agent called “Aurora” and the free “Aurora Lite”. It’s a preview of the agent with information on its features, limits, advantages and a live demo.

The release is scheduled for December 2021. Follow us on Twitter or subscribe to the newsletter to get updates about the development of Aurora.

The slides with the pre-release information shared in the talk can be downloaded here.

Monero Mining Pool FQDNs

Malware that deploys crypto mining software has become increasingly common and annoying. It’s not always possible to scan every device in your network with our free or commercial compromise assessment scanners.

The good news is that the mining pools for the most popular cryptocurrency, Monero (symbol: XMR), are limited in number.

Therefore, we’ve decided to compile a list of these mining pools that you can use to monitor your firewall or DNS server logs.

For a very generic approach, you could try using the following patterns:

*xmr.*
*pool.com
*pool.org
pool.*

Our customers can use THOR to scan for scripts, executables, DNS cache, process connections, log entries and other elements for traces of crypto mining activity.

Monero Mining Pool Addresses

pool.minexmr.com
fr.minexmr.com
de.minexmr.com
sg.minexmr.com
ca.minexmr.com
us-west.minexmr.com
pool.supportxmr.com
mine.c3pool.com
xmr-eu1.nanopool.org
xmr-eu2.nanopool.org
xmr-us-east1.nanopool.org
xmr-us-west1.nanopool.org
xmr-asia1.nanopool.org
xmr-jp1.nanopool.org
xmr-au1.nanopool.org
xmr.2miners.com
xmr.hashcity.org
xmr.f2pool.com
xmrpool.eu
pool.hashvault.pro
moneroocean.stream
monerocean.stream
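The following is an added example (not code from the original post) that shows how the explicit FQDN list above and the generic wildcard patterns can be applied together to DNS query logs. It assumes a constructed log line format of the form `timestamp client=IP query=NAME type=RRTYPE`; real DNS server or firewall logs will need their own parser. Note that the explicit list catches pools such as moneroocean.stream that none of the generic patterns match, while the generic patterns also flag unrelated names like carpool.com, so hits from patterns deserve a second look before alerting.

```python
import fnmatch
import re

# Explicit Monero mining pool FQDNs from the blog post.
MINING_POOL_FQDNS = {
    "pool.minexmr.com", "fr.minexmr.com", "de.minexmr.com", "sg.minexmr.com",
    "ca.minexmr.com", "us-west.minexmr.com", "pool.supportxmr.com",
    "mine.c3pool.com", "xmr-eu1.nanopool.org", "xmr-eu2.nanopool.org",
    "xmr-us-east1.nanopool.org", "xmr-us-west1.nanopool.org",
    "xmr-asia1.nanopool.org", "xmr-jp1.nanopool.org", "xmr-au1.nanopool.org",
    "xmr.2miners.com", "xmr.hashcity.org", "xmr.f2pool.com", "xmrpool.eu",
    "pool.hashvault.pro", "moneroocean.stream", "monerocean.stream",
}

# Generic patterns from the blog post, in shell-style wildcard syntax.
GENERIC_PATTERNS = ["*xmr.*", "*pool.com", "*pool.org", "pool.*"]

# Constructed log line format (assumption, not a real product's format):
#   2021-10-01T10:00:01Z client=10.0.0.5 query=www.example.com type=A
LOG_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def classify_domain(name):
    """Return why a queried name is interesting, or None if it is not.

    Precedence: exact match on the known pool list, then a subdomain of a
    listed pool, then one of the generic wildcard patterns.
    """
    name = name.lower().rstrip(".")  # normalise case and trailing root dot
    if name in MINING_POOL_FQDNS:
        return "exact"
    for fqdn in MINING_POOL_FQDNS:
        if name.endswith("." + fqdn):
            return "subdomain:" + fqdn
    for pattern in GENERIC_PATTERNS:
        if fnmatch.fnmatchcase(name, pattern):
            return "pattern:" + pattern
    return None


def scan_dns_log(lines):
    """Yield one hit dict per log line whose queried name is flagged."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue  # not a query line in the assumed format
        reason = classify_domain(m.group("query"))
        if reason:
            hits.append({
                "client": m.group("client"),
                "query": m.group("query").lower().rstrip("."),
                "reason": reason,
            })
    return hits


# Constructed sample log for demonstration; the addresses and names are made up
# except where they repeat the pool FQDNs listed above.
SAMPLE_LOG = """\
2021-10-01T10:00:01Z client=10.0.0.5 query=www.example.com type=A
2021-10-01T10:00:02Z client=10.0.0.5 query=pool.minexmr.com type=A
2021-10-01T10:00:03Z client=10.0.0.9 query=moneroocean.stream type=A
2021-10-01T10:00:04Z client=10.0.0.12 query=carpool.com type=A
2021-10-01T10:00:05Z client=10.0.0.7 query=xmr.unlisted-example.net. type=AAAA
""".splitlines()


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['query']} ({hit['reason']})")
```

Exact and subdomain hits on the curated list are high-confidence and can be alerted on directly; pattern hits are a hunting lead and are best reviewed against the client's process list or, for THOR users, a scan of that host.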

Antivirus Event Analysis Cheat Sheet v1.8.2

The analysis of Antivirus events can be a tedious task in big organizations with hundreds of events per day. Usually security teams fall back to a mode of operation in which they only analyze events in which a cleanup process has failed or something went wrong. 

This is definitely the wrong approach for a security team. You should instead focus on highly relevant events. 

This cheat sheet helps you select these highly relevant Antivirus alerts.  

Download the Antivirus Event Analysis Cheat Sheet version 1.8.2 here.

Web Proxy Event Analysis Cheat Sheet

The “Web Proxy Event Analysis Cheat Sheet” can help SOCs and security analysts classify proxy events (blocks, alerts). It is based on my own ideas and on many contributed by experts who helped me collect detection ideas for this document.

You can download version 1.0 here.

We also recommend checking Sigma’s “proxy” section for detection rules that can be used to detect threats in web proxy or similar logs as long as they contain web connection information (EDR, HIDS etc.).


Antivirus Event Analysis Cheat Sheet v1.7

We’ve just released an updated version of our Antivirus Event Analysis cheat sheet. You can download version 1.7 here.

The major changes are:

  • Updated AV signature lists
  • Split AV signature cells into two columns to save space
  • Fixed and added some directory names
  • Extended file extension list
  • Google filename search
  • More Virustotal checks