THOR Log Conversion to CSV

THOR Log Conversion to CSV

We are excited to announce that the upcoming version 1.11 our tool, THOR Util, now has the capability to convert log output files from both the default and JSON format into CSV files. This new feature will make it easier for users to analyze their log data and extract the information they need.

With the ability to convert log files into CSV, users can now import their log data into their favorite spreadsheet software and manipulate it to create custom reports and visualizations.

This will save time and increase productivity, as users will no longer need to manually parse and extract data from their log files.

We recommend taking a look at Modern CSV as alternative to Microsoft Excel for this kind of task.

 

THOR Util has many more functions to post-process THOR logs, and this new feature further expands its capabilities.

E.g. Did you know that you can use the “report” function to generate a single combined HTML report for a set of log files from different end systems?

You can find more information on THOR Util and its features here.

Users registered as beta testers can already test the functionality available in the nightly unstable builds of THOR 10.7 TechPreview and THOR Lite.

The release is planned for calendar week 11, 2023.

How to scan ESXi systems using THOR

How to scan ESXi systems using THOR

More and more often, adversaries target and exploit Internet-facing appliances or devices with exotic or restricted operating systems. Users ask if there is a way to run a compromise assessment scan on these systems with the YARA rules used in THOR.

Following up on the exploitation of Internet-facing ESXi servers, this blog post describes ways to remotely scan remote systems like an ESXi using THOR or the free THOR Lite YARA and IOC scanners. This method can also be be used to scan other devices usually unsupported by real-time Antivirus engines or EDRs, e.g. Citrix Netscaler gateways. 

So, we plan to mount the remote file system using SSH (SSHFS) and then we instruct THOR to scan the mounted remote filesystem. 

Prerequisites

  • We need to reach port 22/tcp on the target system
  • A source system with support for sshfs (on Debian use: sudo apt install sshfs to install it)
  • A version of THOR Lite or the full THOR with a lab license

Mounting the Remote File System via SSH

First we create a new folder and mount the remote file system to that local folder:

sudo mkdir -p /mnt/esx
sudo sshfs -o reconnect root@esx1.company:/ /mnt/esx

The -o reconnect option makes sure to reconnect the

Scanning the Mount Point with THOR Lite

With THOR Lite we can now run a so-called “Filescan” on the mounted drive.

sudo ./thor-lite-linux-64 -a FileScan --alldrives -p /mnt/esx

The following scan is much more intense as it scans every single file regardless of its extension or type. Scanning every file usually leads to much longer scan times and higher network load. (be careful when using the --intense flag)

sudo ./thor-lite-linux-64 -a FileScan --alldrives -p /mnt/esx --intense

Scanning the Mount Point with THOR

With a full featured THOR and a so-called Lab license we can use the –virtual-map flag to virtually map the folder /mnt/esx to / internally. This means that signatures and filename patterns that make use of the virtual and not the actual path. We can also define a hostname that will appear in the log file using the -j flag. Otherwise the log would always contain the hostname of the scanning workstation.

sudo ./thor-linux-64 -a FileScan --alldrives -p /mnt/esx --virtual-map /mnt/esx:/ -j esx1

Using the full version, we would use a different flag combination for a more intense scan of the remote system. The full version with a lab license allows us to use the --lab flag.

sudo ./thor-linux-64 --lab -p /mnt/esx --virtual-map /mnt/esx:/ -j esx1

The --lab flag automatically activates the intense scan mode that checks every file, multi-threaded scanning, deactivates resource control and some other flags that can be useful in a lab scanning scenario.

Example Match

The following screenshot shows an example match on a malware found on systems affected by the ESXiArgs attacks. The rules and IOCs for this attack are available in THOR and the free THOR Lite version.

Other Notes

  • Test scans on our internal ESX/ESXi systems took between 8 and 30 minutes. (scans via VPN)
  • A network disconnect only pauses the scan, a forced umount crashes the scanner.
  • We tested network disconnects of 1 and 5 minutes. After a reconnect THOR just resumes the scan where it left off. 

Advantages of the full THOR version

Apart from the usual advantages of the full THOR version over THOR Lite, there are a few more reasons to use the full version in this scenario:

  • Use multiple instances on a single source system to scan many different remote systems at the same time
  • Use virtual drive mapping to allow for additional detection opportunities
  • Set a custom host name that appears in the log files (helpful when you scan many different targets)

If you’re interested in the full version, contact us using the “Get Started” button in the upper right corner. 

Virustotal Lookups in THOR v10.7

We’re glad to announce a new feature that allows users to enrich events generated by THOR with information from Virustotal

The feature is available in the full THOR v10.7 TechPreview and THOR Lite.

It can be used in any scan mode: live endpoint scanning, lab scanning, dropzone mode, or even with THOR Thunderstorm. 

Virustotal Account

You can use it with a Virustotal Enterprise account or even a free account that requires registration. 

The free account limits the number of requests per minute, but since THOR only checks findings with a particular score, only a few files are checked. 

By default THOR skips the enrichment when the quota is exhausted. The flag “–vtwaitforquota” can be used to make him wait for more quota.

Command Line Flags

The following command line flags are available:

Two lookup modes are available:

  1. Limited = hash lookups only (default)
  2. Full = hash lookup or sample upload (if hash is unknown)

A typical command line using the new feature would look like this:

thor64.exe --vtaccepteula --vtkey fb2c3babb1796f97dcd0a877e05207294110bea8a9b93a933b...

Example Match with Virustotal Information

Use API key in Scan Templates

Remember that you can make use of scan templates to avoid exposing your secret API key in command line flags.

Extending Coverage

You may already know that THOR focuses on different types of threats and handles findings differently than Antivirus software. 

The additional Virustotal lookups allow us to:

  1. increase the level of a finding that THOR would otherwise have mentioned only as ‘noteworthy’ or not at all
  2. enrich the existing alert message with information found on Virustotal to confirm the finding

Inspiration

The new lookup feature allows for some exciting detection ideas, which combine YARA rule matching and Virustotal lookups. 

YARA as Preselector for Uploads

This idea could be helpful in the case in which you know that an actor makes use of compiled Go (Golang) binaries. You could write a YARA rule that detects all compiled Go binaries for the Windows platform, set a score of 40 (noteworthy) to let the new feature pick them up, and submit them to Virustotal for analysis. (remember that you can use the –customonly flag to only apply your custom YARA rules if needed)

Check New Files with Virustotal

Imagine that you want to check all new .aspx files dropped on an MS Exchange server. You could write a YARA rule that looks for certain contents or the file extensions .aspx and give that rule a score of 40. You could then run a THOR scan on MS Exchange server setting the –lookback flag with the number of days you want to include and instructing it to scan only the C:\inetpub folder. If you schedule this scan to run daily, you will let THOR find all .aspx files changed during the last 24 hours, scan them with its own rules and check them on Virustotal for a verdict of 60+ scan engines. It’s hard to imagine better coverage for web shells than this. 

The full command line would look like this:

thor64.exe --vtaccepteula --vtkey fb2c3babb1796f97dcd0a877e05207294110bea8a9b93a933b... --lookback 1 -p C:\inetpub

FAQs

Does a low Antivirus detection rate reduce the score of the THOR matches?

No, that wouldn’t be smart, as THOR focuses on other types of threats that Antivirus software often is unable to detect. However, positive Antivirus matches increase the score for a scanned file depending on the number of Antivirus engines with matches.

THOR adds the following sub-scores based on the lookup result:

  • more than 5 engines with matches > score 40
  • more than 10 engines with matches > score 60
  • more than 20 engines with matches > score 75

What happens when the quota for lookups per minute exceeds?

THOR will not add additional information to the printed event. By default, the lookups will not slow down the scan significantly. If you see too many notice or warning level messages in your environment, adjust the --vtscore value or filter out some known false positives using the false_positive_filters.cfg file.

Can I use this feature with the free THOR Lite version and a free Virustotal account?

Yes.

Which THOR modules trigger a Virustotal lookup?

Basically, only the ‘FileScan’ module uses the lookups. But since THOR also triggers a file scan on the image file during ‘ProcessCheck’, other modules also benefit. 

Where can I register a Virustotal account?

Visit this link to register a free account. 

How can I get THOR Lite?

You can download THOR Lite here

 

 

Get the full THOR version

Apart from the usual advantages of the full THOR version over THOR Lite, there are a few more reasons to use the full version in this scenario:

  • Much bigger number of so-called “threat hunting” rules with low scores that would trigger a Virustotal Lookup
  • Multi-threaded scanning significantly reduces the scan duration

If you’re interested in the full version, contact us using the “Get Started” button in the upper right corner. 

Extended ProxyNotShell Detection Covering OWASSRF

In a report published on the 20th of December CrowdStrike published a report of a new technique exploiting the Microsoft Exchange vulnerability called ProxyNotShell. The called the new technique OWASSRF as it uses Outlook Web Access, CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE). 
PaolAlto Networks’ Unit42 released their report one day later. 

Dray Agha's Tweet

The security researcher Dray Agha noticed the proof-of-concept (POC) in an unprotected open directory used by an unknown threat actor

CrowdStrike's Report on OWASSRF

The report contains information on the exploitation, log patterns and a script to detects possible exploitation attempts

Unit42's report on OWASSRF

PaloAlto Networks Unit42 also published a report that also contains information on observed TTPs and information on a PowerShell backdoor called SilverArrow

Signatures That Detect This Attack

Exploitation

YARA (public)

SIGMA (public)

Potential OWASSRF Exploitation Attempt – Proxy
UUID: 1ddf4596-1908-43c9-add2-1d2c2fcc4797

Potential OWASSRF Exploitation Attempt – Webserver
UUID: 181f49fa-0b21-4665-a98c-a57025ebb8c7

Post-Exploitation

SIGMA (Private)

Microsoft Exchange ProxyNotShell Exploit
UUID: df23d4fb-b12b-4425-a340-8d59e2460c43

Webshell Detection Suspicious Children
UUID: 9a8e8057-32a7-432d-bf80-197dacf1a77f

Shells Spawned by Web Servers in Process Tree
UUID: 6dc0f4e1-7a11-429f-b240-d9f852cea8b3

SIGMA (Public)

Suspicious File Drop by Exchange
UUID: 6b269392-9eba-40b5-acb6-55c882b20ba6

Shells Spawned by Web Servers
UUID: 8202070f-edeb-4d31-a010-a26c72ac5600

 

 

Follina CVE-2022-30190 Detection with THOR and Aurora

The Follina 0day vulnerability (CVE-2022-30190) in Microsoft Windows is actively exploited in-the-wild and highly critical. This blog posts lists some important web resources and the signatures that detect exploitation attempts.

Kevin Beaumont's Blog Post

Kevin’s post contains links to tweets of researchers that discovered the 0day exploit, information on the timeline, and mitigations

Huntress Labs Blog Post

Explains the exploit in more detail

Counter Measures

Recommended counter measures by Benjamin Deplhy

Signatures Detecting Follina / CVE-2022-30190 Attacks

Check for matches with the following rules:

YARA

Rules shared in the public signature-base and used in THOR and THOR Lite

Only available in THOR

Sigma

Public Sigma rules used in Aurora, THOR and Aurora Lite

Private Sigma rules only available in Aurora

  • Sdiagnhost Loading System.Management.Automation.dll – 1a4a0e9c-e47d-492c-800f-545f83fac88a
  • Sdiagnhost Calling Suspicious Descendant Process – 8655fa4b-e956-4ed4-b20d-151dfd8c802d

Product Surveys – Tell us what you think

We’d like to know your opinion on our products and therefore ask you to participate in our product surveys. Each of them takes between 2 and 5 minutes of your time, depending on how much you’d like to tell us.

THOR Customer Satisfaction Survey

You find the survey here.

ASGARD Customer Satisfaction Survey

You find the survey here.

Analysis Cockpit Customer Satisfaction Survey

You find the survey here.

Public Feature Collection

We also plan to publicly collect feature requests and allow you to up- or downvote requests of other users, comment on them and get informed when a feature has been implemented.

 

Log4Shell Detection with Nextron Rules

The Log4Shell vulnerability (CVE-2021-44228) in log4j is actively exploited in-the-wild and highly critical. This blog posts lists some important web resources and the signatures that detect exploitation attempts.

Explanation of the Vulnerability

LunaSec reported first on the vulnerability.

Canary-based Vulnerability Detection

Use this method to detect vulnerable applications and services in your organisation.

Grep / ZGrep Detection Ideas

Different detection patterns and idea to detect exploitation attempts in log files using grep and zgrep.

Log4Shell Detector Python Script

A python script that can be used to detect even the most obfuscated versions of the malicious payload. 

List of Advisories by Vendors

Big collection of advisories and statements by different vendors that use JAVA and log4j. 

List of Vulnerable Software with PoCs

Incomplete list of software products that have proven to be vulnerable.

Log4Shell Vulnerability Scanner (Local Files)

Scans the file system of application servers for vulnerable versions of the log4j module.

Fenrir Log4Shell Release

A bash based IOC scanner that can be used on any Linux/Unix system to detect traces of the attack and vulnerable log4j versions.

Signatures Detecting Log4Shell Attacks

Check for matches with the following rules:

Exploitation

YARA

Sigma

Post-Exploitation

Look for matches with the following rules that trigger on activity observer in-the-wild.

YARA

Sigma

ASGARD Users

It takes us few days to release new rules. The rules that we wrote over the weekend may not be available on Monday 13th of December. ASGARD users that want to use the signatures that are still in our QS, can activate the option for these signatures in “Settings > Advanced > Show Signature SigDev Option”. 

After changing the setting, new scans show an additional option in the dropdown menu. 

Please contact our support in case of any questions. 

THOR Users

Users of our scanner THOR also need to use the signature version that’s in development to get the newest signatures that detect log4j exploitation. 

Retrieve that signature pack with:

thor-util.exe update –sigdev

Reasons Why to Use THOR instead of THOR Lite

We have received reports from customers that were approached by service providers that offered compromise assessments with our scanner THOR. Subsequently, it appeared, however, that these providers used THOR Lite in their engagements and, when asked about this, argued that THOR Lite would be “just as good as the full version”.

In this article we would like to explain why this is not the case.  

1. The Small Rule Set

The rule set of THOR Lite is much smaller. While THOR uses more than 16,000 YARA rules, THOR Lite only uses the open source signature base, which has ~4000 rules. Of these 4000 rules, 800 are old webshell rules, 300 are written for old Equation Group implants that should be long gone, many others were written for past threat group activity.

Don’t get us wrong – these rules were good at their time and the set contains solid generic rules for some kinds of threats but the effectiveness of the older rules decreases and it is less and less likely that they catch something significant.

The number 4000 compared to 16,000 doesn’t mean that you would still see 1/4 of what THOR is able to detect – honestly, it’s rather 1/30. 

2. The Limited Modules

It is correct that the filesystem often contains evidence, but not traces of adversary activity are not always visible on the filesystem. It’s not unusual that adversaries remove their tools when they’ve finished their job.

Therefore the full version of THOR runs more than 25 modules that look for the IOCs and apply YARA rules in many different locations like the Eventlog, SHIM Cache, Registry and performs checks for hidden implants that can only be identified with their mutex or a handshake on a certain named pipe.

The screenshot on the right shows all disabled modules and features in the Lite version. 

Findings in these other modules aren’t just evidence of a compromise but often point to other techniques used by the attackers or other systems that are also affected.

THOR Lite lacks not only depth of visibility with a much smaller rule set but also breadth due to the limited set of modules and features.

All modules and features disabled in the Lite version

The Few Exceptions

There are a few exceptions to the rule of very limited visibility in THOR Lite.

  • To showcase what the full version is able to detect, we’ve included all available signatures for the various campaigns against Microsoft Exchange, namely ProxyShell and ProxyLogon. Scanning Exchange servers for this kind of threat is almost as good as using the full version of THOR.
  • The few generic detection rules provide a good coverage of common threats, like webshells and crypto miners. Arnim Rupp provided a great set of generic webshell detection rules that are able to highlight new, yet unknown web shells of all kinds (ASP, JSP, PHP etc.).
  • The coverage of some well-known hack tools like Mimikatz is also pretty good. 

For whom is THOR Lite intended?

THOR Lite is meant as a free community edition to showcase the functionality.

It is meant to be used by private individuals or small organisations without a budget that face common threats like crypto miners and crime groups. 

From time to time, we add sets of rules and IOCs to detect dangerous threats with high importance and / or a wide spread – e.g. Exchange vulnerability exploiting, crypto coin miners, Ransomware worms like WannaCry.  

Test Drive the Full Version

We recommend a test drive of the full version on compromised or possibly compromised systems to see the big difference in detection capabilities. We also offer affordable license packs for small organisations and give attractive discounts on license packs that are used by IR teams all over the world.

Just use the “get started” contact form and state that you’d like to test the full version of THOR.

TryHackMe Training Room for THOR Lite

Since THOR and THOR Lite are tools written for digital forensic experts, they can be difficult to use. There is often a steep learning curve in the beginning.

We’d like to help new users pass these first steps in a playful way by providing a TryHackMe challenge in which you analyse a compromised system using THOR Lite.

You’ll learn how to download and run it, interpret the results, write your own signatures and include your own IOCs for a custom threat. 

The room is meant for first time THOR or THOR Lite users.

Target Audience: DFIR professionals, administrators, security analysts
Duration: ~3 hours (without the download of the VM)

You’ll work with a prepared virtual machine that you’re required to download during the training.

Requirements:

  • VMWare or VirtualBox
  • 13 GB download and 23 GB of disk space
To access the TryHackMe room

  1. visit https://tryhackme.com
  2. create an account
  3. access the page “My Rooms”
  4. enter the room code “thorlite”, then “Enter room”

and start with the training lab.

Please help us and send your feedback to feedback@nextron-systems.com

THOR 10.6.11 with Support for Apple M1 Architecture

The newest version 10.6.11 of THOR for macOS now has support for Apple’s M1 platform. 

The THOR scanner binary is now a “universal” binary that runs on both supported platforms. 

You can find a list of supported architectures and operating systems in the respective chapter of the online documentation.

GDPR Cookie Consent with Real Cookie Banner