STIXv2 Support in SPARK

SPARK Version 1.17.0 adds extensive STIXv2 support.

This allows you to easily extend SPARK's signature base with IOCs from any sandbox, analysis or threat intel platform that supports STIXv2 export: place the exported *.json files in the ./custom-signatures folder.

For now, the supported observable object types are:

  • file:name with =, !=, LIKE and MATCHES
  • file:parent_directory_ref.path with =, !=, LIKE and MATCHES
  • file:hashes.sha-256 / file:hashes.sha256 with = and !=
  • file:hashes.sha-1 / file:hashes.sha1 with = and !=
  • file:hashes.md-5 / file:hashes.md5 with = and !=
  • file:size with <, <=, >, >=, = and !=
  • file:created with <, <=, >, >=, = and !=
  • file:modified with <, <=, >, >=, = and !=
  • file:accessed with <, <=, >, >=, = and !=
  • win-registry-key:key with =, !=, LIKE and MATCHES
  • win-registry-key:values.name with =, !=, LIKE and MATCHES
  • win-registry-key:values.data with =, !=, LIKE and MATCHES
  • win-registry-key:values.modified_time with <, <=, >, >=, = and !=

These types are applied in different modules:

  • FileScan: file:*
  • Registry: win-registry-key:* and file:name (applied to data field)

You can find a list of products that support the STIX data exchange format here.
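As an added example (written for this page, not SPARK's own code), the Python script below shows how the observable types and operators listed above can be evaluated against the metadata a file scanner collects. It parses a constructed STIX 2 bundle using a small pattern subset (one bracketed observation expression, comparisons joined by AND), folds the hash key spellings mentioned above into one form, and matches every indicator against a flattened file observation. The bundle contents, the observation keys and the pattern subset are assumptions made for the example.

```python
"""Minimal STIX 2 pattern matcher (constructed example, not SPARK's code): one bracketed
observation expression, comparisons joined by AND, operators =, !=, <, <=, >, >=, LIKE, MATCHES.
"""
import operator
import re
from datetime import datetime

# Constructed STIX 2.1 bundle with sample indicators (not real IOCs); the SHA-256 is
# the well-known digest of empty input, used as a stand-in value.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "indicator", "name": "dumper-like file name",
         "pattern": "[file:name MATCHES '(?i)^(mimi|pwdump)[^/]*[.]exe$' AND file:size < 4000000]"},
        {"type": "indicator", "name": "known hash",
         "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
        {"type": "indicator", "name": "recent file in drop directory",
         "pattern": "[file:parent_directory_ref.path LIKE '/tmp/%' AND file:created > t'2024-01-01T00:00:00Z']"},
    ],
}

COMPARISON = re.compile(
    r"\s*(?P<key>[a-z\-]+:[\w.'\-]+)\s*(?P<op>!=|<=|>=|=|<|>|LIKE|MATCHES)\s*"
    r"(?P<val>t'[^']*'|'(?:[^'\\]|\\.)*'|\d+)"
)
AND_SEP = re.compile(r"\s*AND\s+")

def normalize_key(key):
    """Fold export spellings (file:hashes.'SHA-256', file:hashes.sha256) into one form."""
    typ, _, prop = key.lower().replace("'", "").partition(":")
    if prop.startswith("hashes."):
        prop = "hashes." + prop[len("hashes."):].replace("-", "")
    return f"{typ}:{prop}"

def parse_literal(raw):
    """Timestamp literal t'...', quoted string with backslash escapes, or integer."""
    if raw.startswith("t'"):
        return datetime.fromisoformat(raw[2:-1].replace("Z", "+00:00"))
    if raw.startswith("'"):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return int(raw)

def parse_pattern(pattern):
    """Turn "[a = 'x' AND b > 1]" into a list of (key, operator, value) terms."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("only a single bracketed observation expression is supported")
    body, pos, terms = body[1:-1], 0, []
    while True:
        m = COMPARISON.match(body, pos)
        if not m:
            raise ValueError(f"unsupported pattern syntax near {body[pos:]!r}")
        terms.append((normalize_key(m["key"]), m["op"], parse_literal(m["val"])))
        pos = m.end()
        sep = AND_SEP.match(body, pos)
        if sep:
            pos = sep.end()
        elif body[pos:].strip() == "":
            return terms
        else:
            raise ValueError(f"only AND is supported, got {body[pos:]!r}")

def like_to_regex(like):
    """SQL-style LIKE: % is any run of characters, _ a single character, the rest literal."""
    return "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in like)

OPERATORS = {
    "=": operator.eq, "!=": operator.ne, "<": operator.lt,
    "<=": operator.le, ">": operator.gt, ">=": operator.ge,
    "LIKE": lambda a, e: re.fullmatch(like_to_regex(e), a) is not None,
    "MATCHES": lambda a, e: re.search(e, a) is not None,
}

def term_matches(observation, key, op, expected):
    """One comparison; a missing property or a type mismatch never matches."""
    if key not in observation:
        return False
    actual = observation[key]
    if key.startswith("file:hashes.") and isinstance(actual, str):
        actual, expected = actual.lower(), str(expected).lower()  # digests compare case-insensitively
    try:
        return bool(OPERATORS[op](actual, expected))
    except TypeError:  # e.g. file:size compared with a string literal
        return False

def match_bundle(bundle, observation):
    """Names of the indicators whose whole pattern is satisfied by one observation."""
    hits = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        terms = parse_pattern(obj["pattern"])
        if all(term_matches(observation, key, op, value) for key, op, value in terms):
            hits.append(obj.get("name", obj.get("id", "<unnamed>")))
    return hits

def file_observation(name, parent, size, sha256, created_iso):
    """Flatten the metadata a file scanner collects into STIX property keys (assumed layout)."""
    return {"file:name": name, "file:parent_directory_ref.path": parent, "file:size": size,
            "file:hashes.sha256": sha256,
            "file:created": datetime.fromisoformat(created_iso.replace("Z", "+00:00"))}
```

Calling match_bundle(SAMPLE_BUNDLE, file_observation("MimiKatz.exe", "/tmp/drop", 1200000, "<sha256>", "2024-03-01T00:00:00Z")) returns the names of all three indicators for the sample data. A property absent from the observation, or a type mismatch such as file:size compared with a string literal, never matches; that conservative default keeps a malformed indicator from matching every file.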

New Feature: THOR-util and SPARK-Core-util Signature Encryption

The new THOR-util version 1.2.4 supports the encryption of your custom signatures so that you can deploy your own IOC files and YARA rules in an encrypted form.

We use a public key in the utilities to encrypt the files for our scanners, so that admins, antivirus engines and attackers are not able to read the contents of the files.


The feature is also available in SPARK Core, our free scanner.

After encryption, place the encrypted IOC files in the “./custom-signatures” directory and the encrypted YARA rules in the “./custom-signatures/yara” directory.

The use of the function is simple. Just point it to a file, a list of files or use wildcards to select a set of files for encryption. The extension of the output file depends on the extension of the input file.

  • IOC Files: .txt > .dat
  • YARA Rules: .yar > .yas
  • Sigma Rules: .yml > .yms

Examples:

thor-util.exe encrypt case44.yar
thor-util.exe encrypt case44-hashes.txt
thor-util.exe encrypt case44-hashes.txt case44.yar
thor-util.exe encrypt case44.*

You can use the “upgrade” feature in both tools to get the newest version of the utility.

thor-util upgrade

SPARK uses Sigma Rules in Eventlog Scan

Sigma is a rule format for threat detection in log files. It is to log data what "Snort rules" are to network traffic and "YARA signatures" are to file data. It is easy to write and read; writing a Sigma rule is a matter of minutes.

On the right you can see a simple Sigma rule that checks the "System" eventlog for traces of password dumper activity. The detection section contains one or more identifiers (selection, keywords, quarkspwdump) that the rule author can name freely. The condition then combines these identifiers to form the rule.

It also contains a description, references, possible false positives and a level.

Analysts use Sigma to generate search queries for their SIEM or log management solution. The Sigma repo contains a converter that translates the generic rules into queries for ElasticSearch, Splunk, QRadar, Logpoint, Windows Defender ATP (WDATP) and ArcSight.

Wouldn’t it be great if you could apply Sigma rules on the endpoint?

Well, the upcoming version 1.14 of SPARK, which will be released at the end of July, does exactly that. It applies Sigma rules to the local Eventlog, so the searches you originally defined for your SIEM can be run against the local Eventlogs as well.

This way you are able to "query" standalone systems that are not connected to your SIEM and uncover otherwise common blind spots in your environment.
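To make the mechanism concrete, here is an added Python example (constructed for this page, not SPARK's Sigma engine) that applies a Sigma-shaped rule with the identifiers named above (selection, keywords, quarkspwdump) to a handful of constructed System eventlog records. The rule is constructed and not taken from the public Sigma repository; it is written as a Python dict that mirrors the YAML layout so no YAML library is needed. Only a subset of Sigma is implemented: map selections with the contains, startswith and endswith modifiers, keyword lists, and conditions made of identifiers combined with and, or, not and parentheses ("1 of them" style aggregations are not supported). The field names in the sample records are assumptions.

```python
"""Apply a Sigma rule to Windows eventlog records on the host itself (constructed example,
not SPARK's engine). Subset: map selections (fields AND-ed, listed values OR-ed, |contains,
|startswith, |endswith), keyword lists, conditions with and/or/not and parentheses.
"""
import re

# Constructed rule in Sigma's shape (not a rule from the public Sigma repository).
RULE = {
    "title": "Password dumper activity in System log (constructed example)",
    "logsource": {"product": "windows", "service": "system"},
    "detection": {
        "selection": {"EventID": 16, "HiveName|contains": ["\\AppData\\Local\\Temp\\SAM", "\\Temp\\SYSTEM"]},
        "keywords": ["pwdump", "quarkspwdump"],
        "quarkspwdump": {"ServiceName|startswith": "Quarks"},
        "condition": "selection or keywords or quarkspwdump",
    },
    "falsepositives": ["Administrators backing up registry hives to a temp folder"],
    "level": "high",
}

MATCHERS = {  # Sigma value modifiers; string comparison is case-insensitive
    "": lambda actual, wanted: actual == wanted,
    "contains": lambda actual, wanted: wanted in actual,
    "startswith": lambda actual, wanted: actual.startswith(wanted),
    "endswith": lambda actual, wanted: actual.endswith(wanted),
}

def identifier_matches(event, definition):
    """A list is a keyword search over all fields; a map AND-s its fields and OR-s listed values."""
    if isinstance(definition, list):
        blob = " ".join(str(v) for v in event.values()).lower()
        return any(str(word).lower() in blob for word in definition)
    for spec, wanted in definition.items():
        field, _, modifier = spec.partition("|")
        candidates = wanted if isinstance(wanted, list) else [wanted]
        if field not in event or not any(MATCHERS[modifier](str(event[field]).lower(), str(w).lower())
                                         for w in candidates):
            return False
    return True

def evaluate_condition(condition, results):
    """Recursive-descent evaluation of e.g. 'a and (b or not c)' over identifier results."""
    tokens, pos = re.findall(r"\(|\)|\w+", condition), 0
    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of condition")
        pos += 1
        return tokens[pos - 1]
    def chain(operand, keyword, combine):  # left-associative: operand (keyword operand)*
        value = operand()
        while pos < len(tokens) and tokens[pos] == keyword:
            take()
            value = combine(value, operand())
        return value
    def factor():  # 'not' factor | '(' expr ')' | identifier
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            value, closing = expr(), take()
            if closing != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if tok not in results:
            raise ValueError(f"unknown identifier {tok!r}")
        return results[tok]
    def term():
        return chain(factor, "and", lambda a, b: a and b)
    def expr():
        return chain(term, "or", lambda a, b: a or b)
    value = expr()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in condition: {tokens[pos:]}")
    return value

def rule_matches(rule, event):
    """Require the logsource service to match the record's channel, then evaluate the condition."""
    service = rule["logsource"].get("service", "")
    if service and str(event.get("Channel", "")).lower() != service:
        return False
    detection = rule["detection"]
    results = {k: identifier_matches(event, v) for k, v in detection.items() if k != "condition"}
    return evaluate_condition(detection["condition"], results)

def scan_events(rule, events):
    """Return the EventRecordIDs of the records the rule fires on."""
    return [event["EventRecordID"] for event in events if rule_matches(rule, event)]

# Constructed eventlog records, flattened to field: value as an eventlog export would be.
SAMPLE_EVENTS = [
    {"EventRecordID": 1, "Channel": "System", "EventID": 16, "Message": "A registry hive was backed up",
     "HiveName": "C:\\Users\\bob\\AppData\\Local\\Temp\\SAM-2024.hiv"},
    {"EventRecordID": 2, "Channel": "System", "EventID": 7045, "ServiceName": "updater",
     "ImagePath": "C:\\Users\\Public\\quarkspwdump.exe", "Message": "A service was installed"},
    {"EventRecordID": 3, "Channel": "System", "EventID": 16, "Message": "A registry hive was backed up",
     "HiveName": "C:\\Windows\\System32\\config\\SAM"},
    {"EventRecordID": 4, "Channel": "Security", "EventID": 16, "Message": "wrong channel for this rule",
     "HiveName": "C:\\Users\\bob\\AppData\\Local\\Temp\\SAM.hiv"},
]

if __name__ == "__main__":
    print(scan_events(RULE, SAMPLE_EVENTS))
```

Running the script lists the record IDs that fire: the hive backup into a Temp folder (selection) and the service whose image path contains a keyword. The record in the Security channel is rejected by the logsource check even though its fields would match, for the same reason a SIEM query generated from this rule would only run against the System log.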


We ship the current rule set, which is part of the public Sigma repository and contains more than 200 rules, with our SPARK program package in encrypted form (*.yms).

You can add your own Sigma rules to the “./custom-signatures/sigma/” folder in the SPARK program directory.

To activate Sigma scanning, use the new "--sigma" parameter.

Currently only SPARK supports this feature and there are no plans to implement this in THOR as well.

The feature is currently free for all customers but may become a premium feature that has to be licensed separately by the end of the year depending on the customer’s plan. 

See the comparison table for a complete overview on all features.

THOR-Util with HTML Report Generation

The new versions of "thor-util" (used with THOR/SPARK) and "spark-core-util" (used with SPARK Core) support converting any scanner log file into a convenient report.

  • Convert THOR / SPARK / SPARK Core scan logs into HTML reports
  • Convert a single text log file into an HTML report
  • Convert multiple log files (50 max.) in a directory into a single HTML report
  • Provide a file with filters to suppress false positives in the reports
  • Even LOKI logs can be converted (unsupported)
  • Hash values linked to VirusTotal searches
  • IP values linked to VirusTotal searches
  • Header sections linked to elements via anchors

You can access this feature in the upcoming enterprise products (THOR 8.47.2 and SPARK 1.13) and the free product SPARK Core (SPARK Core 1.13). 

The following screenshot shows a typical text log file. It can be processed by log analysis solutions, but it is hard for an analyst to read. Most analysts search these log files for "(Alert|Warning):" or use grep to get the most relevant messages.

Our tools “thor-util” and “spark-core-util” will help you with this task. 

Generate an HTML report for a single log file

thor-util report --logfile PROMETHEUS_thor.log

Generate an HTML report for multiple log files

thor-util report --logdir ./logs

You can also provide a file with regular expressions that are applied during log parsing as filters to suppress false positives in the reports. 
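As an added illustration of that workflow (example code written for this page, not thor-util's implementation), the Python script below parses constructed log lines in a loosely similar layout, drops the ones matched by a constructed filter file of regular expressions, links hash values and IP addresses to VirusTotal searches, and groups the remaining findings under anchored per-module headers. The line layout, the filter file format and the VirusTotal search URL form are assumptions for the example.

```python
"""Convert a scanner text log into an HTML report with false-positive filters and IOC links.

Constructed example, not thor-util's code. The log lines and the filter file are made up and
only loosely follow a "<Level>: MODULE: ... MESSAGE: ..." layout; log content is treated as
untrusted and HTML-escaped before any markup is added.
"""
import html
import re

# Constructed sample log (not real scanner output). The SHA-256 is the digest of empty input
# and the IP address comes from the documentation range.
SAMPLE_LOG = """\
Jul 10 12:00:01 WS01 SCANNER: Info: MODULE: Startup MESSAGE: Scan started
Jul 10 12:00:05 WS01 SCANNER: Alert: MODULE: Filescan MESSAGE: Suspicious file FILE: C:\\Temp\\drop.exe SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Jul 10 12:00:09 WS01 SCANNER: Warning: MODULE: ProcessCheck MESSAGE: Connection to IP: 203.0.113.10 PROCESS: <script>alert(1)</script>.exe
Jul 10 12:00:12 WS01 SCANNER: Warning: MODULE: Filescan MESSAGE: Admin tool FILE: C:\\Tools\\psexec.exe SHA256: 0000000000000000000000000000000000000000000000000000000000000000
Jul 10 12:00:20 WS01 SCANNER: Info: MODULE: Summary MESSAGE: Scan finished
"""

# Constructed filter file: one regular expression per line, '#' starts a comment line.
SAMPLE_FILTERS = """\
# our own deployment tooling
FILE: C:\\\\Tools\\\\psexec\\.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \S+: "
    r"(?P<level>Alert|Warning|Notice|Info|Error): MODULE: (?P<module>\S+) MESSAGE: (?P<msg>.*)$"
)
HASH_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
VT_SEARCH = "https://www.virustotal.com/gui/search/"

def parse_line(line):
    """Split one log line into its fields, or None for lines in another layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def load_filters(text):
    """Compile the non-empty, non-comment lines of a filter file as regular expressions."""
    return [re.compile(l.strip()) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def link_iocs(message):
    """Escape first, then wrap hash values and IPv4 addresses in VirusTotal search links."""
    safe = html.escape(message, quote=True)
    safe = HASH_RE.sub(lambda m: f'<a href="{VT_SEARCH}{m.group(0).lower()}">{m.group(0)}</a>', safe)
    return IPV4_RE.sub(lambda m: f'<a href="{VT_SEARCH}{m.group(0)}">{m.group(0)}</a>', safe)

def build_report(log_text, filter_text="", levels=("Alert", "Warning")):
    """Return (html_page, counts): kept findings per level plus the number of suppressed lines."""
    filters = load_filters(filter_text)
    counts = {level: 0 for level in levels}
    counts["suppressed"] = 0
    sections = {}  # module name -> rendered table rows, in log order
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry or entry["level"] not in levels:
            continue
        if any(f.search(line) for f in filters):  # filters run on the raw line, before escaping
            counts["suppressed"] += 1
            continue
        counts[entry["level"]] += 1
        row = (f'<tr class="{entry["level"].lower()}"><td>{entry["ts"]}</td>'
               f'<td>{entry["level"]}</td><td>{link_iocs(entry["msg"])}</td></tr>')
        sections.setdefault(entry["module"], []).append(row)
    nav = "".join(f'<li><a href="#mod-{html.escape(m)}">{html.escape(m)}</a></li>' for m in sections)
    body = "".join(f'<h2 id="mod-{html.escape(m)}">{html.escape(m)}</h2><table>{"".join(rows)}</table>'
                   for m, rows in sections.items())
    summary = ", ".join(f"{k}: {v}" for k, v in counts.items())
    page = f"<!DOCTYPE html><html><body><h1>Scan report</h1><p>{summary}</p><ul>{nav}</ul>{body}</body></html>"
    return page, counts

if __name__ == "__main__":
    report, stats = build_report(SAMPLE_LOG, SAMPLE_FILTERS)
    print(stats)
```

Two details matter in practice: the filters are applied to the raw line before anything is escaped, so a filter written against the text log keeps working in the report, and every message is HTML-escaped before links are inserted, because a file name or process name chosen by an attacker would otherwise land verbatim in the report an analyst opens in a browser.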

The new tools will be in all productive packages at the end of this week.