[et_pb_section fb_built=”1″ _builder_version=”4.0.2″][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.0.6″][et_pb_column type=”2_5″ _builder_version=”4.0.6″][et_pb_text _builder_version=”4.0.6″]<\/p>\n
We have completely refactored THOR’s malicious Handle detection.<\/p>\n
We now allow the use of regular expressions and combined all types in a single signature file named “malicious-handles.dat”.\u00a0<\/p>\n
Users can provide custom indicators by placing a file with the keyword ‘handles’ in name into the folder .\/custom-signatures\/iocs<\/p>\n
<\/p>\n
[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.0.6″][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2019\/12\/Screenshot-2019-12-04-at-11.10.30.png” _builder_version=”4.4.2″ hover_enabled=”0″][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.0.6″][et_pb_column type=”2_5″ _builder_version=”4.0.6″][et_pb_text _builder_version=”4.0.6″]<\/p>\n
Mutex, Named Pipe or Event matches will now trigger message enrichment in which the alert message is “enriched” with plenty of helpful information on the underlying process, including image file path, parent process and image file hashes.\u00a0<\/p>\n
This helps analysts to evaluate and classify the event.\u00a0<\/p>\n
[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.0.6″][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2019\/12\/Screenshot-2019-12-04-at-12.44.20.png” _builder_version=”4.4.2″ hover_enabled=”0″][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.0.6″][et_pb_column type=”2_5″ _builder_version=”4.0.6″][et_pb_text _builder_version=”4.0.6″]<\/p>\n
We’ve integrated more Windows logs in the default Eventlog scanning to detect keyword and filename IOCs in even more data sources.\u00a0<\/p>\n
This could increase scan duration significantly in cases in which you have defined custom unusually large maximum log sizes.\u00a0<\/p>\n
[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.0.6″][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2019\/12\/Screenshot-2019-12-04-at-12.36.58.png” _builder_version=”4.4.2″ hover_enabled=”0″][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.0.6″][et_pb_column type=”2_5″ _builder_version=”4.0.6″][et_pb_text _builder_version=”4.0.6″]<\/p>\n
Users can now exclude certain Registry paths or Eventlogs from scanning.\u00a0<\/p>\n
We’ve added two new and empty exclude files in the .\/config sub folder for your convenience.\u00a0\u00a0<\/p>\n
<\/p>\n
[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.0.6″][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2019\/12\/Screenshot-2019-12-04-at-12.53.14.png” _builder_version=”4.4.2″ hover_enabled=”0″][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.0.2″][et_pb_column type=”2_5″ _builder_version=”4.0.2″][et_pb_text _builder_version=”4.0.4″]<\/p>\n
THOR now supports the newest value modifiers used in the most recent version of the Sigma standard.<\/p>\n
[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.0.2″][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2019\/11\/Screenshot-2019-11-22-at-17.14.16.png” _builder_version=”4.4.2″ hover_enabled=”0″][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.0.2″][et_pb_column type=”2_5″ _builder_version=”4.0.2″][et_pb_text _builder_version=”4.0.2″]<\/p>\n
Previous versions of THOR offered a parameter -i \/ –case-id to set a unique identifier that appears as “CID: identifier” in all log lines of this specific scan.\u00a0<\/p>\n
With version 10.3 this CID gets renamed to SCANID and will be generated by default.<\/p>\n
Every log line will contain a SCANID that makes it easier to associate a single\u00a0 line with the complete scan in reporting platforms like SIEM systems or ASGARD Analysis Cockpit.<\/p>\n
You can still overwrite that value manually for legacy reasons or in order to group multiple scan runs into a single logical report.<\/p>\n
[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.0.2″][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2019\/11\/Screenshot-2019-11-22-at-17.22.46.png” _builder_version=”4.4.2″ hover_enabled=”0″][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.0.2″][et_pb_column type=”4_4″ _builder_version=”4.0.2″][et_pb_text _builder_version=”4.0.2″]<\/p>\n
Other Changes<\/p>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"
Refactored Handle Detection We have completely refactored THOR’s malicious Handle detection. We now allow the use of regular expressions and combined all types in a single signature file named “malicious-handles.dat”.\u00a0 Users can provide custom indicators by placing a file with the keyword ‘handles’ in name into the folder .\/custom-signatures\/iocs Process Handle Match Enrichment Mutex, Named Pipe or Event matches will now trigger message enrichment in which the alert message is “enriched” with plenty of helpful information on the underlying process, including image file path, parent process and image file hashes.\u00a0 This helps analysts to evaluate and classify the event.\u00a0More Eventlog Sources We’ve integrated more Windows logs in the default Eventlog scanning to detect keyword and filename IOCs in even more data sources.\u00a0 This could increase scan duration significantly in cases in which you have defined custom unusually large maximum log sizes.\u00a0Custom Eventlog and Registry Exclusions Users can now exclude certain Registry paths or Eventlogs from scanning.\u00a0 We’ve added two new and empty exclude files in the .\/config sub folder for your convenience.\u00a0\u00a0 Support for new Sigma Modifiers THOR now supports the newest value modifiers used in the most recent version of the Sigma standard. endswith startswith Case ID (CID) get […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[46,32],"tags":[6,82,7,78,101,5,48],"class_list":["post-5020","post","type-post","status-publish","format-standard","hentry","category-newsletter","category-thor","tag-apt","tag-ioc","tag-scanner","tag-scanning","tag-signatures","tag-thor","tag-yara"],"yoast_head":"\n