4. Administration¶
4.1. License Management¶
Log in to ASGARD, navigate to Licensing and upload a valid license.
After uploading, the license details are displayed.
4.2. System Status¶
The initial system status page provides a summary of the most important system components.
It also includes the current resource consumption (disk, CPU and memory) and lists the currently installed ASGARD software version along with available versions of THOR. Additionally, the connection status to the update servers, Master ASGARD and Cockpit are shown with a graph that shows asset connections and asset streams.
Note: The THOR version numbers may be missing in a new installation. THOR is not included in the installed packages. THOR is downloaded automatically after the installation and should show up no later than one hour after installation.
The logs section shows the latest and most relevant logs. Complete logs can be found at /var/lib/nextron/asgard2/log
4.3. ASGARD Agent Deployment¶
In order to register a new endpoint to the ASGARD Management Center, download and install the ASGARD agent on the system you want to register.
The ASGARD agent can be downloaded from ASGARD directly through the button Download ASGARD Agent. A list of available agents for various operating systems appears.
After installation, the endpoints will connect to ASGARD, register automatically and appear in the Asset Management section in the tab Requests. Please allow two or three minutes for systems to show up. The agents use the hostname to connect to ASGARD, so make sure that your endpoints can resolve and reach the ASGARD hostname.
In the Requests tab, select the agents you want ASGARD to manage and click Accept. After that, the endpoint shows up in the Assets tab and is ready to be managed or scanned.
A registered agent will poll the ASGARD Management Center at a given interval between 10 seconds and 600 seconds – depending on the number of connected endpoints (see chapter 7.1 Performance Tuning for details). If ASGARD has scheduled a task for the endpoint (for example: run THOR scan), it will be executed directly after the poll.
4.4. Asset Management¶
4.4.1. Overview¶
Management of all endpoints registered with ASGARD can be performed in Asset Management. The assets will be presented as a table with an individual ASGARD ID, their IP addresses and host names.
By clicking the control buttons in the Actions column, you can start a new scan, run a response playbook, open a command line or switch the endpoint's ping rate to a few seconds instead of a maximum of 10 minutes.

Available Actions (left to right): Run Scan, Run Playbook, Start Remote Console, Decrease/Increase Endpoint Ping Rate
Please note:
- The internal ping between the ASGARD agent and ASGARD is based on HTTPS not ICMP
- Depending on the user’s role some of the control buttons may be disabled
4.4.2. Column Visibility¶
Users can select various columns and adjust their view according to their needs.
4.4.3. Asset Labels¶
Labels are used to group assets. These groups can then be used in scans or tasks.
You can add multiple labels to an asset or a group of assets. This is done by selecting the particular assets in the left column, typing the label name (e.g. New_Label) and clicking the red (+) button in the upper right corner.
Note: Don’t use labels with white space characters as it could cause issues in syncs with Analysis Cockpit, exports / imports or other underlying legacy functions.
In order to remove labels, select your assets, type the name of the label you want to remove for these assets and click the (-) button.
The asset management section has extensive filtering capabilities, e.g. it is easy to select only Linux endpoints that have been online today and have a particular label assigned.
4.4.3.1. Export Asset List¶
The Import/Export Section allows you to export your assets to a .csv file.
4.4.3.2. Import Labels¶
The import function allows you to add or remove labels on assets based on columns in that CSV file.
The import function processes the values in the columns Add Labels ... and Remove Labels ... only. In order to change labels, use the already exported list, add values in these columns and re-import it. Separate multiple labels with a comma. Leading or trailing white space characters will be stripped from the labels.
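To make the import rules concrete, here is an added Python example that is not part of the ASGARD manual or product. It models the label columns of an exported asset list and applies them the way the import is described above: comma-separated values, leading and trailing white space stripped, and, following the note on labels, any label containing white space rejected before it reaches ASGARD. The column headers `ID`, `Add Labels` and `Remove Labels` are assumptions standing in for the truncated headers shown on this page, so check them against your own export first; the asset table and CSV rows are constructed sample data.

```python
"""Added example: model the ASGARD label import rules on an exported asset CSV.
Not part of the ASGARD manual or product. The column headers below are
assumptions; the manual only shows them truncated as "Add Labels ..." and
"Remove Labels ...".
"""
import csv
import io
import re

ID_COL = "ID"                 # assumed header for the ASGARD ID column
ADD_COL = "Add Labels"        # assumed header (page shows "Add Labels ...")
REMOVE_COL = "Remove Labels"  # assumed header (page shows "Remove Labels ...")


def parse_label_cell(cell):
    """Split a comma-separated label cell; strip leading/trailing white space
    from every label and drop empty entries, as the import does."""
    return [label.strip() for label in (cell or "").split(",") if label.strip()]


def labels_with_whitespace(labels):
    """Labels that still contain inner white space. The manual warns that such
    labels break Cockpit syncs and exports, so reject them before importing."""
    return [label for label in labels if re.search(r"\s", label)]


def apply_label_import(assets, csv_text):
    """assets: {asgard_id: set(labels)}. Returns a new mapping with the
    Add/Remove columns of each CSV row applied to the matching asset."""
    updated = {aid: set(labels) for aid, labels in assets.items()}
    for row in csv.DictReader(io.StringIO(csv_text)):
        aid = row[ID_COL]
        if aid not in updated:
            continue  # row for an asset ASGARD does not know: ignore it
        to_add = parse_label_cell(row.get(ADD_COL))
        to_remove = parse_label_cell(row.get(REMOVE_COL))
        bad = labels_with_whitespace(to_add)
        if bad:
            raise ValueError(f"asset {aid}: labels with white space not allowed: {bad}")
        updated[aid] -= set(to_remove)
        updated[aid] |= set(to_add)
    return updated


# Constructed sample data: two known assets and a CSV edited after export
# (row 999 is an asset ASGARD does not know and must be ignored).
SAMPLE_ASSETS = {"101": {"Linux"}, "102": {"Windows", "Old_Label"}}
SAMPLE_CSV = (
    "ID,Hostname,Add Labels,Remove Labels\n"
    '101,srv01," New_Label , DC ",\n'
    "102,ws02,,Old_Label\n"
    "999,ghost,Whatever,\n"
)


def run_sample():
    return apply_label_import(SAMPLE_ASSETS, SAMPLE_CSV)


if __name__ == "__main__":
    for aid, labels in sorted(run_sample().items()):
        print(aid, sorted(labels))
```

Running the sample adds New_Label and DC to asset 101, removes Old_Label from asset 102 and leaves the unknown row untouched; a cell such as `New Label` raises before anything is imported.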
4.5. Scan Control¶
4.5.1. Managing Scan Templates¶
Scan templates are the most convenient way to make use of THOR’s rich set of scan options. Starting with ASGARD 1.10, it is possible to define scan parameters for THOR 10 and store them in different templates for later use in single scans and grouped scans.
Imagine you want to use dedicated scan options for different system groups (e.g. Linux Servers, Domain Controllers, Workstations, etc.) and make sure to use exactly the same set of scan options every time you scan a particular group of systems. With ASGARD you can now add a scan template for every group.
A popular use case for scan templates is providing additional resource control – for example telling THOR to set the lowest process priority for itself and never use more than 50% of a single CPU.
Please keep in mind that we have already optimized THOR to use the most relevant scan options for a particular system (based on type, number of CPUs and system resources) and a comprehensive resource control is enabled by default.
For more details please refer to the THOR manual. Only use the scan templates if you want to deviate from the default for a reason.
Scan templates are protected from modification by ASGARD users without the “Manage Scan Templates” permission, and they can also be withheld from ASGARD users that have the “ForceStandardArgs” restriction set (see the User Management section for details).
In order to create a scan template, navigate to “Scan Control” > “Scan Templates” and click the “Add” button. The “Add Scan Template” dialogue appears. You will find the most frequently used options on the top of this page. You can view all THOR options by clicking on the “Collapse / Expand” button.
By checking the “Default” box, you can make this scan template the default template for every new scan. Checking the “Restricted” box restricts this scan template from being used by any ASGARD user with the “ForceStandardArgs” restriction set. After clicking the “Add” button on the bottom of the template page, an overview of all existing scan templates is shown.
4.5.2. Scan a Single System¶
4.5.2.1. Create a Single Scan¶
The creation of a scan is performed within the Asset Management. There is a button for each asset to create a new scan and to show all past scans.
Just click on the “crosshair” button in the Action column in the Asset Management view. It takes you to the scan control section.
Within this form, you can choose the scan flags and select custom signatures.
After the desired parameters have been set, the scan can be started by clicking the Submit button.
4.5.2.2. Stopping a Single Scan¶
To stop a single scan, navigate to the “Single Scans” tab in Scan Control section and click the “stop” (square) button for the scan you want to stop.
4.5.2.3. Download Scan Results¶
After the scan completion, you can download the scan results via the download button in the actions column.
The download button has the following options:
- Download THOR Log (the text log file)
- Download HTML Report (as *.gz compressed file; available for successful scans only)
- Show HTML Report (opens another tab with the HTML report)
4.5.3. Scan Groups of Systems¶
4.5.3.1. Create Grouped Scans¶
A scan for a group of systems can be created in the Scan Control section.
As with the single scans, various parameters can be set. Aside from the already mentioned parameters, the following parameters can be set:
Description
Freely selectable name for the group scan.
Limit
ASGARD will not send additional scans to the agents when the client limit is reached.
Rate
The number of scans per minute that a scan should run. This is where the network load can be controlled. Additionally, it is recommended to use this parameter in virtualized and oversubscribed environments in order to limit the number of parallel scans on your endpoints.
Expires
After this time frame, no scan orders will be issued to the connected agents.
Labels
Here you can define which assets will be affected by the group scan. In case more than one label is chosen: An asset must have at least one chosen label attached to it to be affected by the scan. If no label is selected, all known assets will be scanned.
Custom IOCs
If you have provided custom IOCs in the IOC Management section, they can be selected here.
After the group scan has been saved or saved and started, you will automatically be forwarded to the list of grouped scans.
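As an added illustration that is not from the ASGARD manual or product, the following Python example models how the Labels, Rate, Limit and Expires parameters described above select targets and pace the scan orders. The asset inventory and scan definition are constructed, and two points are assumptions rather than documented behaviour: Limit is treated as the maximum number of assets scanning at the same time, and a fixed scan duration is supplied so that finished scans free their slot.

```python
"""Added example: target selection and dispatch pacing for a grouped scan.
Not part of the ASGARD manual or product; treating "Limit" as a concurrency cap
and using a fixed scan duration are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    asgard_id: int
    hostname: str
    labels: set = field(default_factory=set)


@dataclass
class GroupScan:
    description: str
    labels: set = field(default_factory=set)  # empty set -> every known asset
    limit: int = 10        # assumed: max assets scanning at the same time
    rate: int = 5          # scan orders issued per minute
    expires_min: int = 60  # no orders are issued once this many minutes have passed


def select_targets(assets, scan):
    """An asset is affected if it carries at least one of the chosen labels;
    with no label chosen, all known assets are scanned."""
    if not scan.labels:
        return list(assets)
    return [a for a in assets if a.labels & scan.labels]


def simulate_dispatch(assets, scan, scan_duration_min):
    """Walk minute by minute and return {asgard_id: start_minute} for every
    asset that received a scan order before the group scan expired."""
    pending = select_targets(assets, scan)
    started = {}
    running = []  # (minute the scan finishes, asgard_id)
    for minute in range(scan.expires_min):
        running = [(end, aid) for end, aid in running if end > minute]
        issued_this_minute = 0
        while pending and issued_this_minute < scan.rate and len(running) < scan.limit:
            asset = pending.pop(0)
            started[asset.asgard_id] = minute
            running.append((minute + scan_duration_min, asset.asgard_id))
            issued_this_minute += 1
        if not pending:
            break  # every target has its order; the group scan can complete
    return started


# Constructed inventory and scan definition
SAMPLE_ASSETS = [
    Asset(1, "lx01", {"Linux"}),
    Asset(2, "dc01", {"Windows", "DC"}),
    Asset(3, "ws01", {"Windows", "Workstation"}),
    Asset(4, "lx02", {"Linux", "DC"}),
]
SAMPLE_SCAN = GroupScan("Servers", labels={"Linux", "DC"}, limit=2, rate=2, expires_min=10)

if __name__ == "__main__":
    print(simulate_dispatch(SAMPLE_ASSETS, SAMPLE_SCAN, scan_duration_min=3))
```

With the sample data the workstation is never selected, the first two servers get their orders in minute 0, and the third waits until a slot is free in minute 3; shortening Expires to two minutes leaves it without an order, which is the "stopped issuing" behaviour the Expires parameter describes.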
4.5.3.2. List of all Group Scans¶
The list of all group scans contains, among other items, the unique Scan-ID and the name.
In addition, information can be found about the chosen scanner, the chosen parameters, the start and completion times and the affected assets (defined by labels). Additional columns can be added by clicking on “Column Visibility”.
The Status field can have the following values:
Started: Scan is started, ASGARD will issue scans with the given parameters
Stopped: No additional scan jobs are being issued. All single scans that are currently running will continue to do so.
Completed: The group scan is completed. No further scan jobs will be issued.
4.5.3.3. Starting a Group Scan¶
A group scan can be started by clicking on the “play” button in the “Actions” column of a group scan.
Subsequently, the scan will be listed as “Started”.
4.5.3.4. Starting a Scheduled Group Scan¶
Scans that are to run on a frequent basis can be created in the “New Scheduled Grouped Scan” tab.
The Scheduled Group Scan section shows all schedules along with their periodicity. All group scans that have been started through the scheduler will show up on top of the Group Scan section the moment they are started.
4.5.3.5. Details of a Group Scan¶
Further information about a group scan can be observed from the detail page of the group scan. Click the scan you are interested in and the details section will appear.
Aside from information about the group scan, there is a graph that shows the number of assets started and how many assets have already completed the scan.
4.6. Response Control¶
4.6.1. Opening a Remote Shell on an endpoint¶
In order to open a remote shell on an endpoint, open the Asset Management section and click the “command line” button in the Actions column.
Depending on your configuration it may take between 10 seconds and 10 minutes for the remote shell to open. Please note that all actions within the remote shell are recorded and can be audited. All shells open with root privileges or system privileges.
In order to replay a remote console session, navigate to Response Control, select the task that represents your session and click the play button.
ASGARD users can only see their own remote shell session. Only users with the RemoteConsoleProtocol permission are able to replay all sessions from all users.
4.6.2. Response Control with pre-defined playbooks¶
In addition to controlling THOR scans, ASGARD Management Center contains extensive response functions. Through ASGARD, you can start or stop processes, modify and delete files or registry entries, quarantine endpoints, collect triage packages and execute literally any command on connected systems. All with one click and executed on one endpoint or groups of endpoints.
It is also possible to download specific suspicious files. You can transfer a suspicious file to the ASGARD Management Center and analyze it in a Sandbox.
To execute a predefined response action on a single endpoint, navigate to the Asset Management view and click the “play” button in the Actions Column. This will lead you to a dialogue where you can select the desired action.
In this example, we collect a full triage package.
ASGARD ships with pre-defined playbooks for the following tasks:
- Collect full triage pack (Windows only)
- Isolate endpoint (Windows only)
- Collect system memory
- Collect file
- Collect directory
- Execute command and collect stdout and stderr
Nextron provides additional playbooks via ASGARD updates.
Caution!
The collection of memory can put the systems under high load and impacts the systems' response times during the transmission of collected files. Consider all settings carefully! Also be aware that memory dumps may fail due to kernel incompatibilities or conflicting security mechanisms. Memory dumps have been successfully tested on all supported Windows operating systems with various patch levels. The memory collection on Linux systems depends on kernel settings and loaded modules, so we cannot guarantee a successful collection. Additionally, memory dumps require temporary free disk space on the system drive and consume a significant amount of disk space on ASGARD as well. The ASGARD agent checks whether the system drive has enough free space for the dump and adds a 50% safety buffer. If there is not enough free disk space, the memory dump will fail.
4.6.3. Response Control for Groups of Systems¶
Response functions for groups of systems can be defined in the New Group Tasks tab or the New Scheduled Group Task tab.
4.6.4. Response Control with custom playbooks¶
You can add your own custom playbook by clicking the Add Playbook button in the Response Control section.
This lets you define a name and a description for your playbook. After clicking the Add Playbook button, click on your new playbook and start adding entries.
You can have up to 16 entries in each playbook that are executed in a row. Every entry can be either “download something from ASGARD to the endpoint”, “execute a command line” or “Upload something from the endpoint to ASGARD”. If you run a command line the stdout and stderr are reported back to ASGARD.
4.7. Evidence Collection¶
ASGARD provides two forms of collected evidence:
- Playbook output (file or memory collection, command output)
- Sample quarantine (sent by THOR via Bifrost protocol during the scan)
All collected evidence can be downloaded in the “Collected Evidence” section.
4.8. IOC Management¶
4.8.1. Integrating Custom IOCs¶
The section IOC management gives you the opportunity to easily integrate custom signatures into your scans.
You may upload your own signatures in any of THOR’s IOC formats (e.g. files for keyword IOCs, YARA Files and SIGMA files). Refer to the THOR manual for a complete list and file formats.
In order to create your own custom ruleset, navigate to IOC Management and click Upload IOC in the IOCs tab.
Browse to the file you want to add and click upload. This adds your IOC file to the default ruleset. The default ruleset is executed with every scan job, unless you remove the default ruleset within your scan templates or at every scan start. No further configuration is required.
Even existing scheduled scans that are executed on a frequent basis will start using the default ruleset once it is created. Simply modify the default ruleset; the modified rules will come into effect immediately after you hit the “Upload” button.
Note: In case you don’t want the default IOC ruleset to be included in every scan, remove it from your scan templates and/or from the New Group Scan dialogue in the Custom IOCs field. See picture below.
In the event you don’t want to add specific IOCs to the default ruleset, just remove “default” in the “Upload IOC File(s)” dialogue and select the name of the ruleset you want to add the IOC files to. If the ruleset doesn’t exist, it will be created. These rulesets must be selected manually for every scan job – otherwise they will not be used in the scan.
Please note that ASGARD does not provide a syntax check for your IOC files. Should THOR be unable to parse an IOC file for the scan, THOR will skip the particular file with syntax issues and send an error message in the scan log. All other files with correct syntax will be used for scanning. THOR will report files that can be parsed and are used for scanning in the scan log.
4.8.2. Integrating IOCs through MISP¶
ASGARD provides an easy to use interface for integrating IOCs from a connected MISP into THOR scans. In order to add rules from a MISP, navigate to IOC Management, select the IOCs in the MISP events tab and add them to the desired ruleset by using the button in the upper right corner.
Contrary to the custom IOC handling, there is no default ruleset for MISP. You must create at least one ruleset (see tab “MISP Rulesets”) before you can add MISP rules.
The figure below illustrates how to use filters and select all known rules for Emotet. These could then be added to your specific Emotet ruleset if you wish.
Of course, your Emotet ruleset would have to be created in advance. In order to do that, click Add Ruleset in the MISP Rulesets tab. Select a name and the type of IOCs you want to use in this ruleset. By default, all types are selected, but there may be reasons for deselecting certain categories. For example, filename IOCs tend to cause false positives and may be deselected for that reason. The picture below shows the dialogue for adding a MISP ruleset.
In order to use a MISP ruleset in a scan, add the ruleset in the MISP Rulesets field when creating your scan.
4.9. Collected Files¶
If Bifrost is used with your THOR scans, all collected samples show up here. You will need the “ResponseControl” permission in order to view or download the samples. See section User Roles within the User Management section for details.
4.10. Generate Download Links¶
The Downloads section lets you create and download a full THOR package including scanner, custom IOCs and MISP rulesets along with a valid license for a specific host. This package can then be used for systems that cannot be equipped with an ASGARD agent for some reason. For example, this can be used on air-gapped networks. Copy the package to a USB stick or a CD-ROM and use it where needed.
While selecting different options in the form, the download link changes.
After you have selected the correct scanner, operating system and target hostname (not FQDN), you can copy the download link and use it to retrieve a full scanner package including a license file for that host. These download links can be sent to administrators or team members that don’t have access to ASGARD management center. Remember that the recipients of that link still need to be able to reach ASGARD’s web server port (443/tcp).
Note: The scanner package will not contain a license file if you don’t set a hostname in the Target Hostname field. If you have an Incident Response license, you must provide it separately.
4.10.3. Use Case 3 - Use the URL in Scripts¶
By default, the generated download link is protected with a token that makes it impossible to download a package or generate a license without knowing that token. This token is specific to every ASGARD instance.
You can use that URL in Bash or PowerShell scripts to automate scans on systems without an installed ASGARD agent.
# Short hostname of the system to scan; the link expects the hostname, not the FQDN.
# Using the local computer name here is an assumption for a self-contained script.
$Hostname = $env:COMPUTERNAME
$Type = "server"
$Download_Url = "https://asgard2.nextron:8443/api/v0/downloads/thor/thor10-win?hostname=$($Hostname)&type=$($Type)&iocs=%5B%22default%22%5D&misps=%5B%222%22%5D&token=fQku7OKvDal2SMub4pv2QJOCCDL9P7dh5h"
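The following Python example is added here and is not part of the ASGARD manual or product. It assembles a link of the same shape from its parts and decodes a link back, which makes visible what the opaque `iocs` and `misps` parameters are: URL-encoded JSON arrays of ruleset names and MISP ruleset IDs. Only the base `https://asgard2.nextron:8443`, the path, the parameter names, `thor10-win` and the type `server` come from the snippet above; `workstation` as the second type value is inferred from the licensing section, other scanner path components are left as a parameter, and the token is a placeholder to be replaced with the one shown by your own instance.

```python
"""Added example: build and inspect ASGARD THOR package download links.
Not part of the ASGARD manual or product. Path, parameter names and the
"server" type come from the manual's own snippet; "workstation" as the other
type value is inferred from the licensing section; the token is a placeholder."""
import json
from urllib.parse import parse_qs, urlencode, urlsplit

ASGARD_BASE = "https://asgard2.nextron:8443"                # as in the manual's snippet
DOWNLOAD_TOKEN = "REPLACE_WITH_YOUR_ASGARD_DOWNLOAD_TOKEN"  # placeholder, instance-specific
SYSTEM_TYPES = ("server", "workstation")                    # "workstation" is assumed


def build_download_url(hostname, system_type, iocs=("default",), misps=(),
                       token=DOWNLOAD_TOKEN, base=ASGARD_BASE, scanner="thor10-win"):
    """Return the download link for a licensed THOR package for one host."""
    if not hostname or "." in hostname:
        raise ValueError("use the short target hostname, not the FQDN")
    if system_type not in SYSTEM_TYPES:
        raise ValueError(f"type must be one of {SYSTEM_TYPES}")
    params = {
        "hostname": hostname,
        "type": system_type,
        # iocs/misps are JSON arrays; urlencode turns ["default"] into %5B%22default%22%5D
        "iocs": json.dumps(list(iocs), separators=(",", ":")),
        "misps": json.dumps([str(m) for m in misps], separators=(",", ":")),
    }
    if token:
        params["token"] = token
    return f"{base}/api/v0/downloads/thor/{scanner}?{urlencode(params)}"


def parse_download_url(url):
    """Decode a link back into its parts, e.g. to check a link you received
    before using it in a script. has_token=False marks a link that works on an
    instance with the download token protection switched off."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)

    def one(key):
        return query.get(key, [None])[0]

    return {
        "scanner": parts.path.rsplit("/", 1)[-1],
        "hostname": one("hostname"),
        "type": one("type"),
        "iocs": json.loads(one("iocs") or "[]"),
        "misps": json.loads(one("misps") or "[]"),
        "has_token": bool(one("token")),
    }


if __name__ == "__main__":
    link = build_download_url("srv01", "server", misps=["2"])
    print(link)
    print(parse_download_url(link))
```

Because the token is passed as a query parameter, treat links like the one above as credentials: they end up in shell history, proxy logs and web server logs of anyone relaying them, and each request draws a license from the pool.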
4.11. Licensing¶
ASGARD requires an Issuer-License in order to scan systems. The Issuer-License contains the number of server and workstation systems that can be scanned with ASGARD Management Center.
ASGARD will automatically issue a valid single-license for a particular system during its initial THOR scan.
In addition, ASGARD can create single-licenses that can be used for agentless scanning. In this case the license is generated and downloaded through the Web frontend.
The screenshot below shows the licensing section of an ASGARD with the ability to issue five server licenses and five workstation licenses. One of the workstation licenses has already been issued.
The following systems require a workstation license in order to be scanned:
- Windows 7 / 8 / 10
- Mac OS
The following systems require a server license in order to be scanned:
- All Microsoft Windows server systems
- All Linux systems
4.11.1. Provide a THOR Incident Response License (optional)¶
In case you have a THOR Incident Response license and want to use it with ASGARD, just upload it through the web-based UI. This will remove all endpoint count restrictions from ASGARD. You can scan as many endpoints as you like – regardless of the type (workstation / server).
4.12. Updates¶
4.12.1. ASGARD Updates¶
ASGARD will search for ASGARD updates on a daily basis. Available updates will automatically be shown in the section “Updates”.
As soon as an ASGARD update is available, a button Install Update appears. Clicking this button will start the update process. The ASGARD service will be restarted and the user will be forced to re-login.
4.12.2. Updates of THOR and THOR Signatures¶
By default, ASGARD will search for signature updates and THOR updates on an hourly basis. These updates will be set to active automatically. Therefore, a triggered scan will always employ the current THOR version and current signature version.
You may disable or modify the automatic THOR and Signature updates by deleting or modifying the entries in this section.
It is possible to intentionally scan with an old scanner version by clicking on the pencil icon and selecting the respective version from the drop-down menu.
Please be aware that this is a global setting and will affect all scans!
4.13. User Management¶
Access user management via Settings > Users. This section allows administrators to add or edit user accounts.
Editing a user account does not require a password although the fields are shown in the dialogue.
Access the user roles in Settings > Roles.
4.13.1. Roles¶
By default, ASGARD ships with the following pre-configured user roles. The pre-configured roles can be modified or deleted. The ASGARD role model is fully configurable.
Note that all users except users with the restriction ReadOnly have the right to run scans on endpoints.
The following section describes these predefined rights and restrictions that each role can have.
4.13.2. Rights¶
Right | Description |
---|---|
Admin | Unrestricted |
ManageScanTemplates | Allows scan template management |
ResponseControl | Run playbooks, including playbooks for evidence collection, to kill processes or isolate an endpoint |
RemoteConsole | Connect to end systems via remote console |
RemoteConsoleProtocol | Review the recordings of all remote console sessions |
4.13.3. Restrictions¶
Restriction | Description |
---|---|
ForceStandardArgs | Create and start scans with predefined arguments or scan templates that are not restricted |
NoInactiveAssets | Cannot view inactive assets in asset management |
NoTaskStart | Cannot start scans or tasks (playbooks) |
ReadOnly | Can’t change anything, can’t run scans or response tasks. Used to generate read-only API keys |
4.13.4. LDAP Configuration¶
In order to configure LDAP, navigate to Settings > LDAP. Then provide the role mapping after clicking Add LDAP Role.
All local users get disabled except for the built-in admin user when LDAP is configured.
4.14. Other Settings¶
4.14.1. Syslog Forwarding¶
Syslog forwarding can be configured in Settings > RSYSLOG. To add forwarding for a local log source, click Add RSYSLOG Forwarding.
The following log sources can be forwarded individually:
Log | Description |
---|---|
ASGARD Log | Everything related to the ASGARD service, processes, tasks and scan jobs |
ASGARD Audit Log | Detailed audit log of all user activity within the system |
Agent Log | All ASGARD agent activities |
THOR Log | THOR scan results (available if scan config has Syslog to ASGARD enabled) |
4.14.2. TLS Certificate Installation¶
Instead of using the pre-installed self-signed TLS Certificate, users can upload their own TLS Certificate for ASGARD.
In order to achieve the best possible compatibility with the most common browsers, we recommend using the system’s FQDN in both fields Common Name AND Hostnames.
Please note that generating a CSR on the command line is not supported.
This CSR can be used to generate a TLS Certificate. Subsequently, this TLS Certificate can be uploaded in the Settings > TLS section.
4.14.3. Manage Services¶
The individual ASGARD services can be managed in Settings > Services. The services can be stopped or restarted with the respective buttons in the Actions column.
4.14.4. NTP Configuration¶
The current NTP configuration can be found in the NTP sub-section.
A Source Pool or Source Server can be removed by clicking the X button. To create a new Source Pool or Source Server, click Add NTP Source in the upper right corner.
4.14.5. Settings for Bifrost¶
Bifrost allows you to automatically upload suspicious files to your ASGARD during a THOR scan. If an Analysis Cockpit is connected, these files get automatically forwarded to the Analysis Cockpit in order to drop them into a connected Sandbox system. However, the collected files will stay on ASGARD for the amount of time specified in Retention time (0 days represents an indefinite amount of time).
The collected files can be downloaded in the Evidence Collection section. All files are zip archived and password protected with the password specified in the setting Download Password.
If no password is set, ASGARD will use the default password infected.
In order to automatically collect suspicious files, you have to create a scan with Bifrost enabled. Check the Send Bifrost2 to ASGARD option to send samples to the system set as bifrost2Server. Use the placeholder %asgard-host% to use the hostname of your ASGARD instance as the Bifrost server.
This will collect all files with a score of 60 or higher and make them available for download in ASGARD's Collected Files section.
For Details on how to automatically forward to a sandbox system please refer to the Analysis Cockpit manual.
4.14.6. Link Analysis Cockpit¶
In order to connect to an Analysis Cockpit, enter the respective hostname or IP in the field Analysis Cockpit, enter the Cockpit’s API key and click Connect.
The Cockpit’s API key can be found on the right side of the Analysis Cockpit’s Overview page.
ASGARD must be able to connect to the Analysis Cockpit on port 443/TCP for a successful integration. Once connected, the Cockpit will show up in ASGARD's overview section along with the “last synced date” (lower left corner).
Please wait up to five minutes for the status to change on ASGARD’s system status page. It will change from Not linked to Online.
4.14.7. Link MISP¶
In order to connect to a MISP, navigate to Settings > Connections > Link MISP.
Insert the MISP’s address along with the API Key and click Connect.
The MISP connectivity status is shown in the Overview section. Please allow five minutes for the connection status to show green and MISP rules to show up in the IOC Management section.
4.14.8. Change Proxy Settings¶
In this dialogue, you can add or modify ASGARD's proxy configuration. Please note that you need to restart the ASGARD service (tab Services) afterwards.
4.14.9. Link Master ASGARD¶
In order to control your ASGARD with a Master ASGARD, you must generate a One-Time Code and use it in the “Add ASGARD” dialogue within the Master ASGARD frontend.
4.14.10. Advanced¶
The Advanced tab lets you specify additional global settings. The session timeout for the web-based UI can be configured; the default is 24 hours. If Show Advanced Tasks is set, ASGARD will show system maintenance jobs (e.g. update ASGARD Agent on endpoints) within the response control section.
Inactive assets can be hidden in the Asset Management section by setting a suitable threshold for Hide inactive Assets.
Finally, the download for THOR packages can be protected with a token. If unprotected, anybody can request a THOR package with a valid license for a particular host just by sending an HTTPS request with the hostname included (for details see chapter “4.9 Downloads”). This may lead to unwanted exhaustion of the ASGARD license pool.
4.15. User Settings¶
4.15.1. Changing your password¶
To change your password, navigate to the User Settings section.
4.15.2. API Key¶
This section also allows you to set and modify an API key.
Note that currently an API key always has the access rights of the user context in which it has been generated. If you want to create a restricted API key, add a new restricted user and generate an API key in the new user’s context.
4.16. Uninstall ASGARD Agents¶
The following listings contain commands to uninstall ASGARD Agents on endpoints.
Note: The commands contain names used by the default installer packages. In cases in which you’ve generated custom installer packages with a custom service and binary name, adjust the commands accordingly.
4.16.1. Uninstall ASGARD Agents on Windows¶
sc stop asgard2-agent
sc delete asgard2-agent
del /F /Q C:\Windows\System32\asgard2-agent
4.16.2. Uninstall ASGARD Agents on Linux¶
RPMs via yum
yum remove 'asgard2-agent*'
DPKGs via apt-get
apt-get remove 'asgard2-agent*'
Manual uninstall
/usr/sbin/asgard2-agent-amd64 stop
/usr/sbin/asgard2-agent-amd64 uninstall
rm -rf /usr/sbin/asgard2-agent-amd64
rm -rf /var/tmp/nextron/asgard2-agent
rm -rf /var/lib/nextron/asgard2-agent
4.16.3. Uninstall ASGARD Agents on macOS¶
sudo /var/lib/asgard2-agent/asgard2-agent --uninstall
sudo rm -rf /var/lib/asgard2-agent/asgard2-agent