AC-Hunter v5.0.0 Is in the Wild!
Intro
There’s nothing quite as peaceful as a light snowfall outside, a lovely fire to keep us warm, and software release notes to kindle the true spirit of the new year. 🙂
Our developers have been working tirelessly to bring you AC-Hunter* 5.0.0. Here are the highlights from this release…
Spotlight Feature
Espy
One of our most-requested features comes from the shift to working from home. An office network can be watched by a single Zeek sensor at the edge; a workforce spread across hundreds of single-employee homes has no such choke point, and placing a Zeek sensor in every home is impractical.
We’d like to introduce Espy. Espy is an agent that runs on the employees’ Windows machines. In a manner similar to how BeaKer collects forensic information on network connections, Espy provides the information AC-Hunter needs to perform threat hunting with no network sensor. This means we can hunt for threats on individual workstations without having to provide the hardware to run Zeek at every home.
Espy is open-source so you can use it with or without AC-Hunter. It’s also considered to be beta-level; it’s likely we’ll have improvements to it over the next few months.
Upgrading to 5.0 will automatically upgrade recent databases to support the Espy database requirements.
Improvements and bug fixes
To save memory, Zeek stops tracking a connection that sits idle for longer than its inactivity timeout, which was 5 minutes; when traffic resumed on the same connection, Zeek logged it as a new one. The side effect was that a single long-lived connection could appear as tens of connections, cluttering the display. We’ve changed the default timeout to 60 minutes, which cleans up the display and reduces the number of connections AC-Hunter has to consider.
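As an added illustration (not code from AC-Hunter, RITA or Zeek), the Python below simulates how a sensor's inactivity timeout splits one long-lived connection into many logged records. The packet timestamps are constructed: a single session that sends a packet every 10 minutes for 8 hours. With the old 5-minute timeout every check-in becomes its own record; with 60 minutes the whole session collapses to one. In Zeek the corresponding settings are tcp_inactivity_timeout and its udp_/icmp_ equivalents, which default to 5 min; the release note does not say which settings were changed, so that mapping is my reading rather than the page's.

```python
"""Simulate inactivity-timeout connection splitting.

Added illustration, not code from AC-Hunter, RITA or Zeek.  The packet
timestamps are constructed; the two timeouts mirror the release note
(5 minutes before, 60 minutes after).
"""
from typing import List, Tuple


def split_by_inactivity(timestamps: List[float],
                        timeout_s: float) -> List[Tuple[float, float]]:
    """Group sorted packet timestamps (seconds) into logged connection records.

    A new record starts whenever the gap since the previous packet exceeds
    timeout_s.  Each record is (first_packet_ts, last_packet_ts).  A gap of
    exactly timeout_s does not split, matching "idle for more than" the timeout.
    """
    records: List[Tuple[float, float]] = []
    if not timestamps:
        return records
    start = prev = timestamps[0]
    for ts in timestamps[1:]:
        if ts - prev > timeout_s:
            records.append((start, prev))
            start = ts
        prev = ts
    records.append((start, prev))
    return records


def beacon_packets(interval_s: float, duration_s: float) -> List[float]:
    """Constructed traffic: one session emitting a packet every interval_s
    seconds from t=0 up to and including duration_s."""
    out: List[float] = []
    ts = 0.0
    while ts <= duration_s:
        out.append(ts)
        ts += interval_s
    return out


def count_records(interval_s: float, duration_s: float,
                  timeout_s: float) -> int:
    """How many conn records a sensor with timeout_s logs for that session."""
    return len(split_by_inactivity(beacon_packets(interval_s, duration_s),
                                   timeout_s))


if __name__ == "__main__":
    # One session checking in every 10 minutes for 8 hours (49 packets).
    pkts = beacon_packets(interval_s=600, duration_s=8 * 3600)
    for timeout in (5 * 60, 60 * 60):
        recs = split_by_inactivity(pkts, timeout)
        print(f"timeout={timeout // 60:3d} min -> {len(recs):2d} connection record(s)")
```

The same arithmetic explains why the change matters for beacon detection: any check-in interval longer than the sensor's timeout turns one session into one record per check-in, so the beacon score is driven by the timeout rather than by the traffic.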
We had a bug that showed up if one attempted to import a range of IP addresses from a json whitelist file. This only showed up if one attempted to manually edit the whitelist file. It has now been fixed.
AC-Hunter includes the new release of RITA, 4.0. It supports faster data import, adds new Threat Intel feeds to reduce false positives, and supports Espy by allowing logs to combine multiple Sysmon feeds. It also removes two lower-quality Threat Intel feeds, so you should see less noise in your Threat Intel screen.
The timeline connection chart at the bottom of the beacons and threat intel page now shows times in the browser’s local timezone rather than UTC.
Upgrade Notes
Databases created under earlier versions will need to be converted during the AC-Hunter upgrade. The installer will offer to upgrade the most recent 7 days of databases automatically.
The whitelist format has been updated. During the install, the currently active whitelist will be automatically updated. You’ll want to export the whitelist after the upgrade. If you have any saved whitelist files you wish to later import these will need to be manually converted. We’ll have a FAQ entry for how to do this at https://portal.activecountermeasures.com/support/faq/.
Errata:
The Active-Flow, Zeek, and Espy packages need to run on separate machines if you’re using more than one of them. The install script does not currently block you from installing them on the same machine, though this check will be added in the next release.
As always, the new release includes additional behind-the-scenes improvements to make it more stable.
We hope you enjoy it and had a good holiday break!
– The ACM Elves
*Our commercial tool AI-Hunter has been renamed to AC-Hunter. More info here.
1/15/2020 Update:
AC-Hunter version 5.0.1 is provided to address an issue in 5.0.0 related to upgrading the whitelist. This issue only shows up on upgrades (not on fresh installs) and only on some systems that have whitelist entries. We encourage you to upgrade to 5.0.1 if you have entries in or plan to add entries to your AC-Hunter whitelist.
You should be aware that every upgrade path to the 5.0 series (both 5.0.0 and 5.0.1) runs some risk of losing misformatted whitelist entries. For that reason, we encourage you to back up your whitelist before attempting any upgrade. If entries are lost during the upgrade and you have to re-enter them, you’ll have the old whitelist file for reference.
Bill has authored numerous articles and tools for client use. He also serves as a content author and faculty member at the SANS Institute, teaching the Linux System Administration, Perimeter Protection, Securing Linux and Unix, and Intrusion Detection tracks. Bill’s background is in network and operating system security; he was the chief architect of one commercial and two open source firewalls and is an active contributor to multiple projects in the Linux development effort. Bill’s articles and tools can be found in online journals and at http://github.com/activecm/ and http://www.stearns.org.