LOKI/Spark Core


spamtrash

Actually, this isn't where I wanted to post this, but I have no idea where else it would fit, so if @OXYGEN THIEF or @Grandalf decide otherwise I won't object.
Ghostwriter, i.e. the malware used to support the Russians in the cyber sphere. I'm posting it here because at the end of the article there are ready-made YARA rules that can be used as custom signatures.

 

spamtrash

THOR Version 10.7.1
=====================
- Feature: Sigma rules are now applied to running processes on the system
- Feature: New command line option '-follow-symlinks' that causes the FileScan module to follow symlinks.
- Feature: Checking e.g. log lines from a file with YARA will now set the THOR external variables like 'filepath' appropriately
- Feature: THOR now shows modules names where string matches were found if a YARA rule matches on process memory
- Feature: THOR now shows a warning if low rlimits are detected
- Change: THOR will now scan processes even in soft mode, with a maximum process size of 250MB.
- Change: '--max_file_size_intense' is now deprecated. Instead, '--max_file_size' should be used.
- Change: '--virtual-map' now supports mounts in subpaths on Windows, e.g. as '--virtual-map G:\mount:C'
- Change: Upgrade PE-Sieve to v0.3.3
- Change: Filescan progress report for folders without subfolders was improved
 

spamtrash

THOR Version 10.7.5
=====================
- Feature: Add new ETL feature for parsing ETL files
- Feature: Add '--vtkey', '--vtmode', and '--vtaccepteula' flag for integration of VirusTotal in THOR
- Feature: Improve progress reports when scanning complex files
- Feature: Support Sigma scans with THOR Lite for specific licenses
- Change: Unify logging fields for many filename IOC, keyword IOC and YARA matches
- Change: Unify logging fields for many messages in the NetworkShares module
- Change: Update to Golang v1.19.5
- Change: Upgrade PE-Sieve to v0.3.5
- Change: '--print-signatures' now silences the normal initialization output
- Change: Use mimalloc for YARA allocations on Linux and MacOS
- Change: Scanning network paths now requires a Lab license
- Bugfix: Reduce log level for corrupt /etc/passwd entries from Notice to Info
- Bugfix: Identify packed samples correctly with --customonly set

THOR Version 10.7.4
=====================
- Feature: New OLE feature for extraction of Office macros
- Feature: ExeDecompress feature is now also supported on Linux
- Feature: Added '--lowioprio' flag for lowered IO priority
- Change: Update to Golang v1.19.2
- Change: CPU limit now applies only to THOR's CPU usage, not the complete system
- Change: Windows Access Groups (e.g. in file permissions) are now always displayed in English
- Change: Modified the scoring formula to further reduce the impact of multiple subscores on the full score. As compensation, the default threshold for alerts has been reduced.
- Bugfix: .lnk file processing with '--virtual-map' no longer causes link targets to be scanned without applying the virtual mapping
- Bugfix: Access faults while reading memory mapped files no longer cause THOR to crash
- Bugfix: Panics on opening an archive are now handled properly
 

spamtrash

THOR/THOR Lite, version whatever-whatever 13. Changes:
- Feature: New '--max-hits' flag to limit the number of hits per IOC or YARA rule
- Feature: '--eventlog-target' now supports '*' as a target
- Change: Memory dump files are now scanned with process memory YARA rules rather than the default YARA rules
- Change: Update to Golang v1.20.13
- Bugfix: '--lab --collector' now activates the artifact collector, as intended
- Bugfix: Fix an issue where THOR could crash during initialization
- Bugfix: Dataless files on MacOS are now ignored
- Bugfix: Fix an issue where some network drives on Linux were scanned even if '--alldrives' was not activated
- Bugfix: Fix an issue where THOR for Linux could crash in the 'Crontab' module
- Bugfix: Fix an issue where some eventlogs could cause a crash in the 'Eventlog' module
- Bugfix: Fix an issue where, if an error occurred when reading a file, incorrect file hashes were displayed
 

spamtrash

Version whatever-whatever 15: a few changes, ONE of them very important for scanning speed:
THOR Version 10.7.15
=====================
- Feature: Shell completions can now be generated for bash, zsh, fish and powershell with '--completions'
- Feature: Multithreading is now available for all license types (use '--threads' to set the number of threads)
- Bugfix: Fix an issue where usage of '--syslog' with CEF output caused a crash
 