{"id":4917,"date":"2019-10-22T13:16:38","date_gmt":"2019-10-22T11:16:38","guid":{"rendered":"http:\/\/nextron.bsk-consulting.de\/?p=4917"},"modified":"2022-03-25T14:15:00","modified_gmt":"2022-03-25T13:15:00","slug":"thor-v10-2-changes","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2019\/10\/22\/thor-v10-2-changes\/","title":{"rendered":"THOR v10.2 Changes"},"content":{"rendered":"<h3>New Module &#8220;Events&#8221;<\/h3>\n<p>This module checks the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/sync\/using-event-objects\" target=\"_blank\" rel=\"noopener noreferrer\">Events<\/a> registered in the system environment, since advanced malware and rootkits make use of them.<\/p>\n<p>We have checked for malicious Events before, in the Rootkit module, but those checks were hardcoded. 
We&#8217;ve spun that section out and can now provide regular updates in a separate signature file.<\/p>\n<p>The &#8220;Events&#8221; module extends our set of rootkit-related modules, which already includes the &#8220;Mutex&#8221; and &#8220;Named Pipe&#8221; modules.<\/p>\n<p><img src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2019\/10\/Screenshot-2019-10-22-at-15.59.10.png\" alt=\"Screenshot\" \/><\/p>\n<p><img src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2019\/10\/Screenshot-2019-10-22-at-16.01.07.png\" alt=\"Screenshot\" \/><\/p>\n<h3>THOR DB with Timing Statistics<\/h3>\n<p>THOR v10.2 features an unencrypted table in THOR DB that shows timing information for the scanned elements. 
This can help you identify elements that lengthen scans significantly and determine the time range in which certain elements were scanned.<\/p>\n<p><img src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2019\/10\/Screenshot-2019-10-21-at-14.36.11.png\" alt=\"Screenshot\" \/><\/p>\n<h3>Reduced Output<\/h3>\n<p>A new switch &#8220;--reduced&#8221; limits the output to events of the &#8220;Warning&#8221; and &#8220;Alert&#8221; types only.<\/p>\n<p><img src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2019\/10\/Screenshot-2019-10-21-at-11.03.16.png\" alt=\"Screenshot\" \/><\/p>\n<h3>Other Changes<\/h3>\n<ul>\n<li>Upgrade to YARA 3.11<\/li>\n<li>Improved module messages (better descriptions)<\/li>\n<li>Bugfix: the Golden Ticket detection module reported far too many Kerberos tickets with an overly long lifetime, using the message &#8220;Kerberos ticket with very long life time detected &#8211; likely a Golden Ticket&#8221;. The issue has been fixed. 
Please make sure that you haven&#8217;t filtered \/ base-lined that event type.<\/li>\n<li>Added ExecFlag to SHIMCache output<\/li>\n<li>Apply YARA rules on WMI Event Filters<\/li>\n<li>Passing new external YARA variables &#8216;timezone&#8217; and &#8216;language&#8217; to registry rule set<\/li>\n<li>More robust custom YARA signature initialisation (syntax check and tests before compilation)<\/li>\n<\/ul>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[46,32],"tags":[213,215,211,212,214,216],"class_list":["post-4917","post","type-post","status-publish","format-standard","hentry","category-newsletter","category-thor","tag-basenamedobject","tag-kerberos","tag-malicious-events","tag-malicious-mutex","tag-rootkit-detection","tag-yara-3-11"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>THOR v10.2 Changes - Nextron Systems<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2019\/10\/22\/thor-v10-2-changes\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2019\/10\/22\/thor-v10-2-changes\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2019\/10\/22\/thor-v10-2-changes\/\"},\"author\":{\"name\":\"Florian Roth\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\"},\"headline\":\"THOR v10.2 
Changes\",\"datePublished\":\"2019-10-22T11:16:38+00:00\",\"dateModified\":\"2022-03-25T13:15:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2019\/10\/22\/thor-v10-2-changes\/\"},\"wordCount\":459,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"keywords\":[\"BaseNamedObject\",\"Kerberos\",\"Malicious Events\",\"Malicious Mutex\",\"Rootkit Detection\",\"YARA 3.11\"],\"articleSection\":[\"Newsletter\",\"THOR\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2019\/10\/22\/thor-v10-2-changes\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2019\/10\/22\/thor-v10-2-changes\/\",\"name\":\"THOR v10.2 Changes - Nextron Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"datePublished\":\"2019-10-22T11:16:38+00:00\",\"dateModified\":\"2022-03-25T13:15:00+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2019\/10\/22\/thor-v10-2-changes\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems 
GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\",\"name\":\"Florian Roth\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"caption\":\"Florian Roth\"},\"description\":\"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.\",\"url\":\"https:\/\/www.nextron-systems.com\/author\/florian\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}