Scanning for Indications of MOVEit Transfer Exploitation with THOR Lite

On June 1st, the vendor of MOVEit Transfer, previously known as Ipswitch but now called Progress, announced the discovery of a critical security vulnerability that has been exploited. MOVEit is an enterprise software utilized by numerous organizations globally for secure managed file transfer. According to Shodan, an internet search engine, there are currently over 2,500 servers publicly accessible on the open Internet running MOVEit.

You can find more information on the threat in the vendor’s advisory and the following articles by TrustedSec, Huntress Labs and Mandiant:

Vendor Advisory

The advisory by the vendor Progress was published on 01.06. and is updated continuously.

TrustedSec Article

This article by TrustedSec lists a lot of indicators and contains information on the dropped web shell

Huntress Labs Article

Huntress Labs reports on the activity including log file entries, IOCs and a YARA rule

Mandiant Report

Mandiant’s report attributes the activity to UNC4857

Upon initial awareness of the compromise, we initiated our own investigation and promptly released a series of detection rules to our public repositories. These Indicators of Compromise (IOCs) and YARA rules were immediately accessible to users of THOR Lite.

While having detection mechanisms in place is a positive step, assessing the situation and ensuring that no system in the network has been impacted by the threat is often a challenging task.

To facilitate this process and perform a rapid scan of your own environment at no cost, one option is to utilize the THOR Lite scanner. By employing this tool, you can leverage the rules mentioned earlier and swiftly evaluate your network for potential threats.

Enter THOR Lite

THOR Lite is the streamlined version of our compromise assessment scanner, THOR. It utilizes YARA rules and Indicators of Compromise (IOCs), such as hash values and file names, to effectively identify malicious activity.

In this technical blog article, we will delve into the utilization of THOR Lite for scanning end systems to detect any signs of malicious activity associated with the MOVEit exploitation.

Furthermore, we will explore the diverse range of indicators that THOR Lite can detect, guide you through the process of tool setup and configuration, and offer tips for comprehending the scan results.

By the end of this article, you will have a comprehensive understanding of how to utilize THOR Lite to conduct compromise assessments within your network.

Download THOR Lite

Visit the product page, subscribe to the newsletter to get the program package and a license file.

Getting Started

Once you have downloaded the program package in the form of a ZIP archive, extract its contents and locate the license file (.lic). Move the license file to the program folder.

To initiate the program, simply double-click on the “thor64-lite.exe” file without any additional flags. Alternatively, you can open a Windows command line with administrator privileges and navigate to the directory where you extracted the program package.

Upon running the program, a scan window will appear, automatically closing upon completion of the scan. Typically, scans require approximately 1-4 hours to complete, although there are techniques to expedite the scanning process.

Flags to Consider

--nosoft --nolowprio

If you are scanning virtual machines or systems that experience constant high load from other processes, it can be beneficial to utilize the "--nosoft" and "--nolowprio" flags. These flags allow THOR to run with the same process priority as any regular process, helping to ensure that the scan operates smoothly alongside other ongoing processes.

--lookback 150 --global-lookback

If you are interested in scanning recently created files and log entries, these flags direct THOR to exclusively scan elements that have been created or modified within the past 150 days. Any file or event log entry older than that timeframe will be ignored, resulting in a significantly smaller set of elements being scanned.

--cpulimit 30

To minimize the impact on end users working on a system during the scanning process, you have the option to reduce the CPU usage of the scanner to, for example, 30%. By doing so, you can prevent them from noticing the scan by decreasing the overall system load and fan noise.

Recommended Command Line Flags for this Use Case

If a regular scan takes an excessive amount of time, we recommend utilizing the following command line flags to expedite the scan process by limiting it to the changes that have occurred within the last 150 days:

thor64-lite.exe --nolowprio --lookback 150 --global-lookback

To minimize CPU usage and make it as inconspicuous as possible for end users working on the scanned systems, employ the following command:

thor64-lite.exe --lookback 150 --global-lookback --cpulimit 35

Update the Signatures

To ensure that THOR always operates with the latest set of signatures related to the MOVEit exploitation, we are continuously working on enhancing and updating them. To incorporate the newest signatures, utilize the following command:

thor-lite-util.exe upgrade

Interpreting the Scan Results

During the scan you’ll see several messages in green and blue colours. Warning and alert messages use a yellow or red color. But don’t worry when you notice a message of that color. Remember that THOR is a scanner that highlights malicious and suspicious elements for review by an administrator or forensic analyst. Not everything shown as a “warning” message has to be a real threat.

After the scan finishes, users can find an HTML report in the program folder that lists all findings. 

We recommend searching the HTML report for the "MOVEit" keyword and reviewing only the matches with the specific IOCs and YARA rules related to this activity.

THOR Lite is able to detect various forensic artefacts:

  • The dropped ASPX web shell
  • The compiled ASPX web shell in caches (even if attackers removed the .aspx file)
  • Exploitation in the web server log files
  • Access to the web shell in web server log files
  • Suspicious file types or extensions in the reported staging directories

Signatures 

The subsequent listings display all the publicly available signatures that we have created and implemented in THOR Lite to identify malicious activity.

YARA (public)

WEBSHELL_ASPX_MOVEit_Jun23_1
WEBSHELL_ASPX_DLL_MOVEit_Jun23_1
LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_1
LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_2

SIGMA (public)

Emerging Threat Folder: CVE-2023-34362-MOVEit-Transfer-Exploit

Rule Title: Potential MOVEit Transfer CVE-2023-34362 Exploitation
UUID: c3b2a774-3152-4989-83c1-7afc48fd1599

Rule Title: MOVEit CVE-2023-34362 Exploitation Attempt – Potential Web Shell Request
UUID: 435e41f2-48eb-4c95-8a2b-ed24b50ec30b

IOCs

Filename IOCs
filename-iocs.txt @ signature-base

Hash IOCs
hash-iocs.txt @ signature-base

C2 IOCs
c2-iocs.txt @ signature-base

Full THOR Version

Please bear in mind that THOR Lite is solely a demo version of our complete scanner, which encompasses over 27 detection modules and more than 20,000 YARA rules. In contrast, THOR Lite employs only 5 modules and 2,500 rules.

For a comprehensive comparison of features, you can refer to the full feature comparison available here. Additionally, there is a detailed blog post that delves into the dissimilarities between the two versions, which you can find here.

How to scan Docker containers using THOR – Part 2

The first part of this blog series covers how THOR can be used to scan a Docker image. In the second part of this series, we will talk about how you can use THOR to scan running Docker containers. Now, consider this new use case: You want to check if your running Docker container was attacked by some Log4Shell exploit. To do this, we will show you how you can start THOR inside a running container!

Prerequisites

  • Running Docker container with a shell installed (e.g. sh, bash, …)
  • THOR 🙂
    • In this example we will use Thor-Lite. However, for a real-world use case you should consider using the full Thor version (Thor vs Thor-lite).

Running THOR in a Docker container

First, we have to find the Docker ID of the container we want to check using: docker ps.
This will list all Docker containers running on the current host.

Sidenote: The following should also work with all the other containerization platforms (e.g. podman, Kubernetes, OpenShift, etc.).

In our example, the ID is 84d1624f0083. Now we copy the THOR files to the container:

docker cp thor/. 84d1624f0083:/thor

Next, to run THOR, we need to get an interactive shell inside the container:

docker exec -it 84d1624f0083 /bin/sh

Inside the Docker container you can cd thor and start THOR: ./thor-lite-linux.

After THOR is finished you will find the following files in the Docker container:

  • {docker-id}_files_md5s.csv
  • {docker-id}_thor_{date}.html
  • {docker-id}_thor_{date}.txt

These files contain all findings of the THOR scan.

You can copy the reports back to your host by running the following on your host:

  • docker cp 84d1624f0083:/thor/dffcea1e1fe9_files_md5s.csv .
  • docker cp 84d1624f0083:/thor/dffcea1e1fe9_thor_2023-04-26_0728.html .
  • docker cp 84d1624f0083:/thor/dffcea1e1fe9_thor_2023-04-26_0728.txt .

Note: You have to replace 84d1624f0083 with your Docker ID.

Lastly, to clean up your container run the following: docker exec -it 84d1624f0083 rm -rf thor.
This will delete all files that were created in the earlier steps.

How to scan Docker images using THOR – Part 1

In this blog article, we will talk about how you can use THOR to scan Docker images. Consider the following use case:  Before using an upstream Docker image, you want to precheck it for known IOCs and backdoors. THOR can help you with this!

Prerequisites

  • Docker image with a shell installed (e.g. sh, bash, etc.)
  • THOR 🙂
    • In this example we will use Thor-Lite. However, for a real-world use case you should consider using the full Thor version (Thor vs Thor-lite).

Running THOR in a Docker container

In your THOR folder run: docker run --rm -it -v ${PWD}:/thor alpine /bin/sh. This will create a Docker container based on Alpine Linux, mount your working directory (where THOR is stored) to /thor in the container, and will drop you into the sh shell. Inside the Docker container you can cd /thor and start THOR: ./thor-lite-linux. You can exchange alpine with any Docker image, as long as it includes a shell.

After the THOR scan is finished you can exit the shell (the Docker container) and you will find the following files:

  • {docker-id}_files_md5s.csv
  • {docker-id}_thor_{date}.html
  • {docker-id}_thor_{date}.txt

These files contain all findings of the THOR scan.

By using THOR to scan Docker images, you do not have to blindly trust the author of an upstream Docker image – you can see for yourself!

In part 2 of this series we explain how to scan Docker containers using THOR. 
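Both Docker procedures (the running-container workflow of Part 2 above and the image scan of Part 1) as one added shell script; this is example code, not Nextron's or THOR's own. It assumes you run it from the unpacked THOR Lite folder with a Linux binary named thor-lite-linux, that Docker is installed, and that the report files follow the {hostname}_thor_{date}.* and {hostname}_files_md5s.csv naming shown above; DRY_RUN=1 only prints the docker commands.

```shell
#!/bin/sh
# Added example, not Nextron's code: automates the two Docker procedures on
# this page (Part 1: scan an image; Part 2: scan a running container).
# Assumptions: run from the unpacked THOR Lite folder (override with THOR_DIR),
# the Linux binary is thor-lite-linux (override with THOR_BIN), and reports
# are named {hostname}_thor_{date}.* and {hostname}_files_md5s.csv.
# DRY_RUN=1 prints the docker commands instead of executing them.
set -u

THOR_DIR="${THOR_DIR:-.}"
THOR_BIN="${THOR_BIN:-thor-lite-linux}"

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Part 1: scan an image before you use it. The THOR folder is bind-mounted
# into a throw-away container of that image, so the reports are written
# straight into $THOR_DIR on the host. No -it: the scan runs unattended.
scan_image() {
    image="$1"
    run docker run --rm -v "$(cd "$THOR_DIR" && pwd):/thor" "$image" \
        /bin/sh -c "cd /thor && ./$THOR_BIN"
}

# Part 2: scan a running container. Copy THOR in, run it, move the reports
# into one folder, copy that folder back and remove THOR from the container.
# The report names use the container's host name, which need not equal the
# ID you pass to docker (the page's own example shows two different values),
# so the reports are collected with a glob instead of a hard-coded name.
scan_running_container() {
    cid="$1"
    out="${2:-./reports-$cid}"
    run docker cp "$THOR_DIR/." "$cid:/thor"
    run docker exec "$cid" /bin/sh -c "cd /thor && ./$THOR_BIN"
    run docker exec "$cid" /bin/sh -c 'mkdir -p /thor/reports; for f in /thor/*_thor_* /thor/*_files_md5s.csv; do if [ -e "$f" ]; then mv "$f" /thor/reports/; fi; done'
    run docker cp "$cid:/thor/reports" "$out"
    run docker exec "$cid" rm -rf /thor
}

# Usage (with neither variable set the script only defines the functions):
#   THOR_CONTAINER=84d1624f0083 sh thor-docker.sh
#   THOR_IMAGE=alpine sh thor-docker.sh
if [ -n "${THOR_CONTAINER:-}" ]; then
    scan_running_container "$THOR_CONTAINER"
elif [ -n "${THOR_IMAGE:-}" ]; then
    scan_image "$THOR_IMAGE"
fi
```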

Using THOR Lite to scan for indicators of Lazarus activity related to the 3CX compromise

On March 29, 2023 CrowdStrike detected malicious activity, originating from a legitimate, signed binary called 3CXDesktopApp. The binary is part of a softphone system developed by 3CX.
The observed malicious activity consisted of beaconing to infrastructure controlled by the actors, leading to the deployment of second-stage payloads and in a few cases direct on-keyboard activity from the attackers.

You can find more information on the threat in the following articles by CrowdStrike, Volexity and Huntress Labs:

CrowdStrike Report

The first report on the activity linking it to LABYRINTH CHOLLIMA aka Lazarus group.

Volexity Article

This article by Volexity lists a lot of indicators and reports on the final stage in the form of the ICONIC stealer.

Huntress Labs Article

Huntress Labs' report on the activity, including process patterns, rules and IOCs.

After the compromise became first known, we began our own investigation and in the following few hours released a number of detection rules to our public repositories.

While having the detection in place is a great start, it is often not an easy task to assess the situation and make sure that no system in the network is affected by the threat.

One way to leverage these rules and quickly scan your own environment for free is to use the THOR Lite scanner.

Enter THOR Lite

THOR Lite is the reduced version of our compromise assessment scanner THOR. It uses YARA rules and Indicators of Compromise (IOC) like hash values and file names to detect malicious activity. 

In this technical blog article, we’ll explore how to leverage THOR Lite to scan end systems for signs of malicious activity related to the 3CX compromise.

We’ll also discuss the various types of indicators that THOR Lite can detect, walk through the process of setting up and configuring the tool, and provide tips for interpreting the scan results.

By the end of this article, you should have a solid understanding of how to use THOR Lite to run a compromise assessment within your network.

Download THOR Lite

Visit the product page, subscribe to the newsletter to get the program package and the license file.

(note: we offer a special license file to 3CX customers that enables an additional module from the full version to extend the detection coverage even more)

You can download this special license here: (expires 30.04.2023) 

Getting Started

After you’ve downloaded the program package as a ZIP archive, extract it and place the license file (.lic) in the program folder.

Double click on the “thor64-lite.exe” to run it without any flags or open a Windows command line as an administrator and navigate to the folder where you’ve extracted the program package.

You should then see the scan window that closes automatically when the scan is complete. Usually scans take between 1-4 hours, but there are some ways to speed up the scan.

Flags to Consider

--nosoft --nolowprio

If you’re scanning virtual machines or systems that are under a constant high load by other processes, it could be helpful to use the "--nosoft" and "--nolowprio" flags to let THOR run with the same process priority as any other regular process.

--lookback 150 --global-lookback

If you’re interested in scanning recently created files and log entries, these flags instruct THOR to only scan elements created or changed within the last 150 days (why 150?). It would ignore any file or event log entry older than that and thus scan a much smaller set of elements.

--cpulimit 30

To minimize the impact for the end user working on a system while it is getting scanned, you can reduce the CPU usage of the scanner to e.g. 30% to avoid them taking notice of the scan by reducing the overall load and fan noise.

Recommended Command Line Flags For The 3CX Use Case

If a normal scan takes too long, we recommend the following command line flags in order to reduce the scan duration by restricting the scan to the changes of the last 150 days:

thor64-lite.exe --nolowprio --lookback 150 --global-lookback

In order to reduce the CPU usage and make it as imperceptible as possible to the end user working on the scanned systems use the following command:

thor64-lite.exe --lookback 150 --global-lookback --cpulimit 35

Update the Signatures

We’re constantly working on enhancing and updating the signatures related to the 3CX compromise. Updates are to be expected over the weekend and next week. To make sure THOR always works with the newest set of signatures use the following command:

thor-lite-util.exe upgrade

Interpreting the Scan Results

During the scan you’ll see several messages in green and blue colours. Warning and alert messages use a yellow or red color. But don’t worry when you notice a message of that color. Remember that THOR is a scanner that highlights malicious and suspicious elements for review by an administrator or forensic analyst. Not everything shown as a “warning” message has to be a real threat.

After the scan finishes, users can find an HTML report in the program folder that lists all findings. 

We recommend searching the HTML report for the "3CX" keyword and reviewing only the matches with the specific IOCs and YARA rules related to this activity.

THOR Lite is able to detect various forensic artefacts:

  • The installer files
  • The malicious binaries
  • The loaded malware in-memory
  • Process connections to known C2 addresses
  • Traces of activity in local log files

We’re also offering a special license (3cx.lic) to 3CX and their customers that will activate a special feature called “Sigma Scanning” in THOR Lite instances. This allows them to apply the Sigma rules mentioned below (and 1600+ more) on the event logs of a scanned end system.

A match with one of these Sigma rules would look like this: 

You can download this special license here: (expires 30.04.2023) 

Continuous Compromise Assessment: Enhancing Detection Capabilities to Mitigate High-Profile Cyber Attacks

One more time, we are all taken aback by yet another sudden high-profile compromise. Just like the Sunburst or HAFNIUM Attack, the 3CX compromise arose out of nowhere, putting companies of all kinds across the globe at risk. We may later discover that some organizations were exploited for months before the 3CX compromise was ultimately made public.

But does it truly have to come as such a surprise to everyone? Looking back at the Hafnium attack, Nextron discovered that many organizations had been breached by various attack groups, all of whom appeared to have used the ProxyShell/ProxyLogon weakness. All attackers who expanded their breach brought their own toolset for persistence and post-exploitation. Nothing new so far.

However, what if we could automatically detect an attacker’s toolkit after it has been deployed? In this case, we could efficiently detect these breaches long before day zero simply by identifying secondary tools that appear magically on a system. Let’s assume we scan our systems weekly, searching for all kinds of Indicators of Compromise, known attacker tools, or traces of their methods. Then, even without knowing that the 3CX compromise exists, we would most likely be able to detect attacks that make use of it within a week. This would give us a heads up before bad things even begin to happen, shocking everyone.

This is precisely Nextron’s “Continuous Compromise Assessment” approach. With our orchestration platform ASGARD, we can conduct recurrent and automated compromise assessments using our full-featured scanner THOR. Our first scan represents what we call the baseline. We would analyze all events from the first scan and, starting with the next week, focus on any deviations from this baseline. In such a scenario, we would detect breaches based on secondary toolsets from one week to another. While we still would not detect the 0-day itself, the secondary toolset would show up very prominently as a deviation from the baseline.

There is not much effort required to gain a considerable amount of additional detection capabilities.

Signatures 

The following listings show all the signatures we’ve made public and used in THOR Lite to detect malicious activity.

YARA (public)

SIGMA (public)

Potential Compromised 3CXDesktopApp Beaconing Activity – Proxy
UUID: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26

Potential Compromised 3CXDesktopApp ICO C2 File Download
UUID: 76bc1601-9546-4b75-9419-06e0e8d10651

Potential Compromised 3CXDesktopApp Beaconing Activity – DNS
UUID: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8

Potential Compromised 3CXDesktopApp Beaconing Activity – Netcon
UUID: 51eecf75-d069-43c7-9ea2-63f75499edd4

Potential Suspicious Child Process Of 3CXDesktopApp
UUID: 63f3605b-979f-48c2-b7cc-7f90523fed88

Malicious DLL Load By Compromised 3CXDesktopApp
UUID: d0b65ad3-e945-435e-a7a9-438e62dd48e9

Potential Compromised 3CXDesktopApp Execution
UUID: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c

Potential Compromised 3CXDesktopApp Update Activity
UUID: e7581747-1e44-4d4b-85a6-0db0b4a00f2a

IOCs

C2 IOCs
c2-iocs.txt @ signature-base

Filename IOCs
filename-iocs.txt @ signature-base

Hash IOCs
hash-iocs.txt @ signature-base

Full THOR Version

Keep in mind that THOR Lite is only a demo version of our full scanner with more than 27 detection modules and more than 20,000 YARA rules compared to the 5 modules and 2,500 rules used in THOR Lite.

You can find a full feature comparison here and a blog post that explains the differences in more detail here.

THOR Log Conversion to CSV

We are excited to announce that the upcoming version 1.11 of our tool THOR Util has the capability to convert log output files from both the default and the JSON format into CSV files. This new feature will make it easier for users to analyze their log data and extract the information they need.

With the ability to convert log files into CSV, users can now import their log data into their favorite spreadsheet software and manipulate it to create custom reports and visualizations.

This will save time and increase productivity, as users will no longer need to manually parse and extract data from their log files.

We recommend taking a look at Modern CSV as an alternative to Microsoft Excel for this kind of task.

THOR Util has many more functions to post-process THOR logs, and this new feature further expands its capabilities.

For example, did you know that you can use the “report” function to generate a single combined HTML report for a set of log files from different end systems?

You can find more information on THOR Util and its features here.

Users registered as beta testers can already test the functionality available in the nightly unstable builds of THOR 10.7 TechPreview and THOR Lite.

The release is planned for calendar week 11, 2023.

How to scan ESXi systems using THOR

More and more often, adversaries target and exploit Internet-facing appliances or devices with exotic or restricted operating systems. Users ask if there is a way to run a compromise assessment scan on these systems with the YARA rules used in THOR.

Following up on the exploitation of Internet-facing ESXi servers, this blog post describes ways to remotely scan systems like an ESXi host using THOR or the free THOR Lite YARA and IOC scanner. This method can also be used to scan other devices usually unsupported by real-time Antivirus engines or EDRs, e.g. Citrix Netscaler gateways.

The approach is to mount the remote file system using SSH (SSHFS) and then instruct THOR to scan the mounted remote file system.

Prerequisites

  • We need to reach port 22/tcp on the target system
  • A source system with support for sshfs (on Debian use: sudo apt install sshfs to install it)
  • A version of THOR Lite or the full THOR with a lab license

Mounting the Remote File System via SSH

First we create a new folder and mount the remote file system to that local folder:

sudo mkdir -p /mnt/esx
sudo sshfs -o reconnect root@esx1.company:/ /mnt/esx

The -o reconnect option makes sure to reconnect the

Scanning the Mount Point with THOR Lite

With THOR Lite we can now run a so-called “Filescan” on the mounted drive.

sudo ./thor-lite-linux-64 -a FileScan --alldrives -p /mnt/esx

The following scan is much more intense, as it scans every single file regardless of its extension or type. Scanning every file usually leads to much longer scan times and higher network load, so use the --intense flag with care.

sudo ./thor-lite-linux-64 -a FileScan --alldrives -p /mnt/esx --intense

Scanning the Mount Point with THOR

With a full-featured THOR and a so-called Lab license we can use the --virtual-map flag to virtually map the folder /mnt/esx to / internally. This means that signatures and filename patterns are matched against the virtual path and not the actual one. We can also define a hostname that will appear in the log file using the -j flag. Otherwise the log would always contain the hostname of the scanning workstation.

sudo ./thor-linux-64 -a FileScan --alldrives -p /mnt/esx --virtual-map /mnt/esx:/ -j esx1

Using the full version, we would use a different flag combination for a more intense scan of the remote system. The full version with a lab license allows us to use the --lab flag.

sudo ./thor-linux-64 --lab -p /mnt/esx --virtual-map /mnt/esx:/ -j esx1

The --lab flag automatically activates the intense scan mode that checks every file, enables multi-threaded scanning, deactivates resource control and sets some other flags that can be useful in a lab scanning scenario.

Example Match

The following screenshot shows an example match on a malware found on systems affected by the ESXiArgs attacks. The rules and IOCs for this attack are available in THOR and the free THOR Lite version.

Other Notes

  • Test scans on our internal ESX/ESXi systems took between 8 and 30 minutes. (scans via VPN)
  • A network disconnect only pauses the scan; a forced umount crashes the scanner.
  • We tested network disconnects of 1 and 5 minutes. After a reconnect THOR just resumes the scan where it left off. 
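The mount, scan and unmount cycle from this post as an added shell script (not Nextron's code). It covers both the THOR Lite and the full-version command lines shown above and honours the note that the mount must not be forced away while THOR is running. It assumes sshfs and fusermount on the source system, root SSH access on 22/tcp, binaries named ./thor-lite-linux-64 and ./thor-linux-64 in the current folder, and host names and paths without whitespace.

```shell
#!/bin/sh
# Added example, not Nextron's code: mounts a remote ESXi root file system
# via SSHFS, runs the FileScan from this page and unmounts only after the
# scanner has exited, since a forced umount while THOR runs crashes it (a
# plain network disconnect merely pauses the scan thanks to -o reconnect).
# Assumptions: sshfs/fusermount are installed, SSH as root on 22/tcp works,
# the binaries are ./thor-lite-linux-64 (Lite) and ./thor-linux-64 (full
# version with a lab license), and names and paths contain no whitespace.
set -u

MOUNT_BASE="${MOUNT_BASE:-/mnt}"

# Build the THOR command line for a mounted target.
#   edition: lite | full      intense: 0 | 1
# Lite: FileScan on the mount point, optionally with --intense.
# Full: adds --virtual-map <mp>:/ so rules see the target's real paths and
#       -j <name> so the log carries the target's host name; the intense
#       variant uses --lab, which also enables multi-threading and switches
#       resource control off.
thor_cmd() {
    edition="$1"; name="$2"; mp="$3"; intense="${4:-0}"
    case "$edition" in
        lite)
            cmd="./thor-lite-linux-64 -a FileScan --alldrives -p $mp"
            if [ "$intense" = "1" ]; then
                cmd="$cmd --intense"
            fi
            ;;
        full)
            if [ "$intense" = "1" ]; then
                cmd="./thor-linux-64 --lab -p $mp --virtual-map $mp:/ -j $name"
            else
                cmd="./thor-linux-64 -a FileScan --alldrives -p $mp --virtual-map $mp:/ -j $name"
            fi
            ;;
        *)
            echo "unknown edition: $edition" >&2
            return 1
            ;;
    esac
    printf '%s\n' "$cmd"
}

# Mount root@host:/ below $MOUNT_BASE/<name> with the reconnect option.
mount_remote() {
    name="$1"; host="$2"
    mp="$MOUNT_BASE/$name"
    sudo mkdir -p "$mp"
    sudo sshfs -o reconnect "root@$host:/" "$mp"
}

# Never force the unmount: wait until the mount is free and retry instead.
unmount_remote() {
    mp="$1"; tries=0
    until sudo fusermount -u "$mp" 2>/dev/null; do
        tries=$((tries + 1))
        if [ "$tries" -ge 20 ]; then
            echo "$mp is still busy, leaving it mounted" >&2
            return 1
        fi
        sleep 3
    done
}

# Mount, scan, unmount. THOR's own exit status is preserved.
scan_esxi() {
    edition="$1"; name="$2"; host="$3"; intense="${4:-0}"
    mp="$MOUNT_BASE/$name"
    mount_remote "$name" "$host" || return 1
    cmd=$(thor_cmd "$edition" "$name" "$mp" "$intense") || { unmount_remote "$mp"; return 1; }
    sudo $cmd          # deliberate word splitting of the command built above
    rc=$?
    unmount_remote "$mp"
    return "$rc"
}

# Usage: sh thor-esxi.sh scan lite esx1 esx1.company 0
if [ "${1:-}" = "scan" ]; then
    shift
    scan_esxi "$@"
fi
```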

Advantages of the full THOR version

Apart from the usual advantages of the full THOR version over THOR Lite, there are a few more reasons to use the full version in this scenario:

  • Use multiple instances on a single source system to scan many different remote systems at the same time
  • Use virtual drive mapping to allow for additional detection opportunities
  • Set a custom host name that appears in the log files (helpful when you scan many different targets)

If you’re interested in the full version, contact us using the “Get Started” button in the upper right corner. 

Virustotal Lookups in THOR v10.7

We’re glad to announce a new feature that allows users to enrich events generated by THOR with information from Virustotal.

The feature is available in the full THOR v10.7 TechPreview and THOR Lite.

It can be used in any scan mode: live endpoint scanning, lab scanning, dropzone mode, or even with THOR Thunderstorm. 

Virustotal Account

You can use it with a Virustotal Enterprise account or even a free account that requires registration. 

The free account limits the number of requests per minute, but since THOR only checks findings with a particular score, only a few files are checked. 

By default THOR skips the enrichment when the quota is exhausted. The flag "--vtwaitforquota" can be used to make it wait for more quota.

Command Line Flags

The following command line flags are available:

Two lookup modes are available:

  1. Limited = hash lookups only (default)
  2. Full = hash lookup or sample upload (if hash is unknown)

A typical command line using the new feature would look like this:

thor64.exe --vtaccepteula --vtkey fb2c3babb1796f97dcd0a877e05207294110bea8a9b93a933b...

Example Match with Virustotal Information

Use API key in Scan Templates

Remember that you can make use of scan templates to avoid exposing your secret API key in command line flags.

Extending Coverage

You may already know that THOR focuses on different types of threats and handles findings differently than Antivirus software. 

The additional Virustotal lookups allow us to:

  1. increase the level of a finding that THOR would otherwise have mentioned only as ‘noteworthy’ or not at all
  2. enrich the existing alert message with information found on Virustotal to confirm the finding

Inspiration

The new lookup feature allows for some exciting detection ideas, which combine YARA rule matching and Virustotal lookups. 

YARA as Preselector for Uploads

This idea could be helpful in the case in which you know that an actor makes use of compiled Go (Golang) binaries. You could write a YARA rule that detects all compiled Go binaries for the Windows platform, set a score of 40 (noteworthy) to let the new feature pick them up, and submit them to Virustotal for analysis. (remember that you can use the --customonly flag to only apply your custom YARA rules if needed)

Check New Files with Virustotal

Imagine that you want to check all new .aspx files dropped on an MS Exchange server. You could write a YARA rule that looks for certain contents or the file extension .aspx and give that rule a score of 40. You could then run a THOR scan on the MS Exchange server, setting the --lookback flag with the number of days you want to include and instructing it to scan only the C:\inetpub folder. If you schedule this scan to run daily, you will let THOR find all .aspx files changed during the last 24 hours, scan them with its own rules and check them on Virustotal for a verdict of 60+ scan engines. It’s hard to imagine better coverage for web shells than this.

The full command line would look like this:

thor64.exe --vtaccepteula --vtkey fb2c3babb1796f97dcd0a877e05207294110bea8a9b93a933b... --lookback 1 -p C:\inetpub
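The daily web-root check described above, as an added example (not Nextron's code) generalised to a Linux web server: a custom YARA preselector with score 40 plus the --lookback scan. It assumes THOR Lite reads custom rules from ./custom-signatures/yara/, that the binary is ./thor-lite-linux-64 in the current folder, and that the API key sits in a file (path assumed) rather than in the script.

```shell
#!/bin/sh
# Added example, not Nextron's code: the "check new files with Virustotal"
# idea from this page as a daily job on a Linux web server. It installs a
# custom YARA preselector with score 40 (noteworthy, the level at which the
# lookup feature picks a file up) and scans only files changed within the
# last day under the web root.
# Assumptions: THOR Lite loads custom rules from ./custom-signatures/yara/,
# the binary is ./thor-lite-linux-64, and the API key is read from
# $VT_KEY_FILE. That keeps it out of shell history and cron entries, though
# it is still visible in the process list for the scan's duration, which is
# why the page recommends scan templates.
set -u

WEBROOT="${WEBROOT:-/var/www}"
VT_KEY_FILE="${VT_KEY_FILE:-/etc/thor/vt.key}"
RULE_DIR="${RULE_DIR:-./custom-signatures/yara}"

# Write the preselector rule and print its path. The rule is deliberately
# broad: it only recognises server-side ASP.NET markers that any .aspx page,
# benign or dropped by an attacker, has to contain. The verdict itself comes
# from the Virustotal engines, not from this rule.
write_preselector_rule() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/custom_vt_preselect_aspx.yar" <<'EOF'
rule Custom_VT_Preselect_ASPX_Page
{
    meta:
        description = "Preselector: recently changed ASP.NET pages are handed to the Virustotal lookup"
        author = "added example"
        score = 40
    strings:
        $page   = "<%@ Page" ascii nocase
        $script = "runat=\"server\"" ascii nocase
    condition:
        filesize < 2MB and 1 of them
}
EOF
    printf '%s\n' "$dir/custom_vt_preselect_aspx.yar"
}

# Daily scan: only files changed within the last $1 days under the web root.
# --customonly is left out on purpose so THOR's own web shell rules run too.
daily_vt_scan() {
    days="${1:-1}"
    key=$(cat "$VT_KEY_FILE") || { echo "cannot read $VT_KEY_FILE" >&2; return 1; }
    sudo ./thor-lite-linux-64 --vtaccepteula --vtkey "$key" --lookback "$days" -p "$WEBROOT"
}

# Usage from cron, e.g. daily: sh thor-vt-webroot.sh run 1
if [ "${1:-}" = "run" ]; then
    write_preselector_rule "$RULE_DIR" >/dev/null
    daily_vt_scan "${2:-1}"
fi
```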

FAQs

Does a low Antivirus detection rate reduce the score of the THOR matches?

No, that wouldn’t be smart, as THOR focuses on other types of threats that Antivirus software often is unable to detect. However, positive Antivirus matches increase the score for a scanned file depending on the number of Antivirus engines with matches.

THOR adds the following sub-scores based on the lookup result:

  • more than 5 engines with matches: sub-score 40
  • more than 10 engines with matches: sub-score 60
  • more than 20 engines with matches: sub-score 75

What happens when the quota for lookups per minute is exceeded?

THOR will not add additional information to the printed event. By default, the lookups will not slow down the scan significantly. If you see too many notice or warning level messages in your environment, adjust the --vtscore value or filter out some known false positives using the false_positive_filters.cfg file.

Can I use this feature with the free THOR Lite version and a free Virustotal account?

Yes.

Which THOR modules trigger a Virustotal lookup?

Basically, only the ‘FileScan’ module uses the lookups. But since THOR also triggers a file scan on the image file during ‘ProcessCheck’, other modules also benefit. 

Where can I register a Virustotal account?

Visit this link to register a free account. 

How can I get THOR Lite?

You can download THOR Lite here.

Get the full THOR version

Apart from the usual advantages of the full THOR version over THOR Lite, there are a few more reasons to use the full version in this scenario:

  • Much bigger number of so-called “threat hunting” rules with low scores that would trigger a Virustotal Lookup
  • Multi-threaded scanning significantly reduces the scan duration

If you’re interested in the full version, contact us using the “Get Started” button in the upper right corner. 

Extended ProxyNotShell Detection Covering OWASSRF

In a report published on the 20th of December, CrowdStrike described a new technique exploiting the Microsoft Exchange vulnerability called ProxyNotShell. They called the new technique OWASSRF, as it uses Outlook Web Access, CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE).
Palo Alto Networks’ Unit42 released their report one day later.

Dray Agha's Tweet

The security researcher Dray Agha noticed the proof-of-concept (POC) in an unprotected open directory used by an unknown threat actor.

CrowdStrike's Report on OWASSRF

The report contains information on the exploitation, log patterns and a script to detect possible exploitation attempts.

Unit42's report on OWASSRF

Palo Alto Networks’ Unit42 also published a report, which contains information on observed TTPs and on a PowerShell backdoor called SilverArrow.

Signatures That Detect This Attack

Exploitation

YARA (public)

SIGMA (public)

Potential OWASSRF Exploitation Attempt – Proxy
UUID: 1ddf4596-1908-43c9-add2-1d2c2fcc4797

Potential OWASSRF Exploitation Attempt – Webserver
UUID: 181f49fa-0b21-4665-a98c-a57025ebb8c7

Post-Exploitation

SIGMA (Private)

Microsoft Exchange ProxyNotShell Exploit
UUID: df23d4fb-b12b-4425-a340-8d59e2460c43

Webshell Detection Suspicious Children
UUID: 9a8e8057-32a7-432d-bf80-197dacf1a77f

Shells Spawned by Web Servers in Process Tree
UUID: 6dc0f4e1-7a11-429f-b240-d9f852cea8b3

SIGMA (Public)

Suspicious File Drop by Exchange
UUID: 6b269392-9eba-40b5-acb6-55c882b20ba6

Shells Spawned by Web Servers
UUID: 8202070f-edeb-4d31-a010-a26c72ac5600
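To make concrete what the two groups of rules above look for, here is an added illustration in Python. It is not one of the Sigma rules, not THOR code and not CrowdStrike's script: a small parser for IIS W3C access logs that flags the OWASSRF-style request pattern, plus a check over process-creation events for shells spawned by a web server worker process. The request shape assumed here (a POST to a path under /owa/ that ends in /powershell) is taken from the public reporting rather than from this page, and the exact field logic of the listed Sigma rules may differ. Every log line and event in the block is constructed.

```python
"""OWASSRF-style detection logic over constructed logs.

Added illustration only: NOT the Sigma rules listed above, not THOR code and
not CrowdStrike's script. Assumptions (not from this page): the exploitation
request is a POST to a path under /owa/ ending in /powershell, and a web server
worker process spawning a shell is the post-exploitation signal. All log lines
and process events below are constructed.
"""
from ntpath import basename
from urllib.parse import unquote

# --- 1. Exploitation: IIS W3C access log (constructed) ---------------------

SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2022-12-20 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.com/owa/ 443 - 203.0.113.7 Mozilla/5.0 200 0 0 120
2022-12-20 10:15:03 10.0.0.5 POST /owa/user%40example.com/powershell - 443 - 203.0.113.7 Python-urllib/3.10 200 0 0 455
2022-12-20 10:15:04 10.0.0.5 POST /powershell - 443 - 10.0.0.9 Microsoft+WinRM+Client 200 0 0 30
2022-12-20 10:15:05 10.0.0.5 POST /owa/user%40example.com/PowerShell - 443 - 203.0.113.7 curl/7.86.0 401 0 0 12
"""


def parse_iis_w3c(text):
    """Yield one dict per record, using the #Fields directive as the schema.
    IIS separates fields by spaces and logs a space inside a value as '+',
    so splitting on whitespace is safe."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # unknown schema or malformed line; a real pipeline should count these
        yield dict(zip(fields, values))


def is_owassrf_request(rec):
    """POST whose decoded, lower-cased path lies under /owa/ and ends in /powershell.
    Decoding first so percent-encoded separators cannot sidestep the match.
    The response code is deliberately not required: a 401 is still an attempt."""
    stem = unquote(rec.get("cs-uri-stem", "")).lower()
    return (rec.get("cs-method", "").upper() == "POST"
            and "/owa/" in stem
            and stem.rstrip("/").endswith("/powershell"))


def find_owassrf(text):
    return [r for r in parse_iis_w3c(text) if is_owassrf_request(r)]


# --- 2. Post-exploitation: shells spawned by a web server worker -----------

WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh.exe", "bash.exe",
          "wscript.exe", "cscript.exe"}

SAMPLE_PROC_EVENTS = [  # constructed, Sysmon Event ID 1 style
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0xffffffff"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]


def is_shell_spawned_by_webserver(ev):
    """Match on image file names only; full paths vary between installations."""
    parent = basename(ev.get("ParentImage", "")).lower()
    child = basename(ev.get("Image", "")).lower()
    return parent in WEB_WORKERS and child in SHELLS


def find_webserver_shells(events):
    return [e for e in events if is_shell_spawned_by_webserver(e)]


if __name__ == "__main__":
    for r in find_owassrf(SAMPLE_IIS_LOG):
        print("OWASSRF-like request:", r["c-ip"], r["cs-method"],
              r["cs-uri-stem"], "status", r["sc-status"])
    for e in find_webserver_shells(SAMPLE_PROC_EVENTS):
        print("shell spawned by web server:", e["ParentImage"], "->", e["CommandLine"])
```

Run as-is to see the two request hits and the one process hit in the constructed data; to apply the first check to a real server, feed parse_iis_w3c the contents of the u_ex*.log files under C:\inetpub\logs\LogFiles\. The negative case in the sample, a POST to /powershell without the /owa/ prefix, is ordinary remote PowerShell traffic and must not be flagged, while the decoded, case-insensitive match still catches the mixed-case variant that only received a 401.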


Mjolnir Security: Blue Team Incident Response Training

Our partner Mjolnir Security offers a training named “Blue Team Incident Response Training” from 19th of September to 23rd of September.

It’s 3.5 hours a day, from 4:00 pm to 7:30 pm Eastern time. Each session will be recorded, so you’ll also be able to catch up on anything you’ve missed.

On day 4 you’ll learn how to write YARA rules and use the full potential of the THOR scanner together with ASGARD Management Center, our centralized management platform for easy scan management, incident response features and much more.

An analysis of the findings with our Analysis Cockpit is demonstrated as well as part of the training.

It’s a great opportunity to see a combination of our enterprise-grade tools working seamlessly together, giving you hands-on experience and a clear picture of what a full deployment looks like.

As a THOR Lite subscriber you can get a 30% discount on the training. In order to benefit from this discount, use the following discount code on checkout: NextronThorLite

Or use the direct link: https://www.eventbrite.ca/e/393153361287/?discount=NextronThorLite

Existing Nextron customers can even get a 50% discount. Please contact us for details.
The training is free for law enforcement and government agencies. We provide a contact method for said agencies to benefit from this discount.

Registration URL: https://www.eventbrite.ca/e/blue-team-incident-response-training-tickets-393153361287

Training Organizer: training@mjolnirsecurity.com

Reasons Why to Use THOR instead of THOR Lite

We have received reports from customers who were approached by service providers offering compromise assessments with our scanner THOR. It later turned out, however, that these providers used THOR Lite in their engagements and, when asked about it, argued that THOR Lite is “just as good as the full version”.

In this article we would like to explain why this is not the case.  

1. The Small Rule Set

The rule set of THOR Lite is much smaller. While THOR uses more than 16,000 YARA rules, THOR Lite only uses the open source signature base, which has ~4000 rules. Of these 4000 rules, 800 are old webshell rules, 300 are written for old Equation Group implants that should be long gone, many others were written for past threat group activity.

Don’t get us wrong – these rules were good at their time and the set contains solid generic rules for some kinds of threats but the effectiveness of the older rules decreases and it is less and less likely that they catch something significant.

The number 4000 compared to 16,000 doesn’t mean that you would still see 1/4 of what THOR is able to detect – honestly, it’s rather 1/30. 

2. The Limited Modules

It is true that the filesystem often contains evidence, but traces of adversary activity are not always visible there. It is not unusual for adversaries to remove their tools once they have finished their job.

Therefore the full version of THOR runs more than 25 modules that look for IOCs and apply YARA rules in many different locations, such as the Eventlog, SHIM Cache and Registry, and performs checks for hidden implants that can only be identified by their mutex or by a handshake on a specific named pipe.

The screenshot below lists all modules and features that are disabled in the Lite version.

Findings in these other modules aren’t just evidence of a compromise but often point to other techniques used by the attackers or other systems that are also affected.

THOR Lite lacks not only depth of visibility with a much smaller rule set but also breadth due to the limited set of modules and features.

All modules and features disabled in the Lite version

The Few Exceptions

There are a few exceptions to the rule of very limited visibility in THOR Lite.

  • To showcase what the full version is able to detect, we’ve included all available signatures for the various campaigns against Microsoft Exchange, namely ProxyShell and ProxyLogon. Scanning Exchange servers for this kind of threat is almost as good as using the full version of THOR.
  • The few generic detection rules provide a good coverage of common threats, like webshells and crypto miners. Arnim Rupp provided a great set of generic webshell detection rules that are able to highlight new, yet unknown web shells of all kinds (ASP, JSP, PHP etc.).
  • The coverage of some well-known hack tools like Mimikatz is also pretty good. 

For whom is THOR Lite intended?

THOR Lite is meant as a free community edition to showcase the functionality.

It is meant to be used by private individuals or small organisations without a budget that face common threats like crypto miners and crime groups. 

From time to time, we add sets of rules and IOCs to detect dangerous threats of high importance and / or wide spread, e.g. exploitation of Exchange vulnerabilities, crypto coin miners and ransomware worms like WannaCry.

Test Drive the Full Version

We recommend a test drive of the full version on compromised or possibly compromised systems to see the big difference in detection capabilities. We also offer affordable license packs for small organisations and give attractive discounts on license packs that are used by IR teams all over the world.

Just use the “get started” contact form and state that you’d like to test the full version of THOR.
