Use THOR in CrowdStrike Falcon Real Time Response

by Florian Roth, Aug 24, 2020

One of our customers has successfully deployed THOR using CrowdStrike’s Falcon Real Time Response.

Falcon’s Real Time Response provides a remote shell that is very similar to Microsoft Defender ATP’s Live Response, which we have already combined with THOR Cloud (see this page).

The most important feature that allows us to integrate THOR is the ability to upload binaries to a remote system and execute them.

The Real Time Response shell offers a set of commands to interact with the remote system.

We used “put” and “run” to upload and run THOR and “get” to download the scan results.

Since the “run” command doesn’t accept any command line flags, it comes in handy that THOR accepts all of its command line flags from config files in YAML format as well.

You can simply put all command line flags that you’d like to use into `thor.yml`, the default config file that THOR loads automatically at startup.

You can find more information on the YAML config files in chapter 10 of THOR’s manual. 


We recommend editing `thor.yml` before uploading the THOR package to the remote system with the “put” command.

Set a specific output path for the log file, or use the “rebase-dir” flag to write all output files into one folder so that a single “get” collects them later. Many users also lower THOR’s CPU limit so that the scan affects the remote system as little as possible.

...
rebase-dir: C:\Temp
cpulimit: 70

You can then expand the archive on the remote system using “Expand-Archive thor.zip” (PowerShell 5.0 or later), or upload a “7z.exe” for very old systems whose PowerShell version doesn’t support the “Expand-Archive” cmdlet.

You have to configure a “Sensor Visibility Exclusion” for THOR for the complete host group before running it. Exclusions are relative to the file system’s root (no drive letter), so with THOR expanded into C:\Temp\thor the pattern should look like:

\temp\thor\**\*.exe

After a successful scan run, download the results using the “get” command and remove the exclusion again, so that it is only in place for the duration of the scan.
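As an added example (not code from the original post and not part of THOR or Falcon), here is a small Python helper for the analyst workstation that prepares the `thor.yml` options discussed above, derives the root-relative Sensor Visibility Exclusion pattern from the “rebase-dir” value, and checks which paths that pattern covers before the scan is started. The sample `thor.yml` contents are constructed, the function names are hypothetical, and the glob semantics assumed for the exclusion (“**” spanning any number of directory levels, “*” matching within one path segment) should be verified against the Falcon documentation for your sensor version.

```python
import fnmatch
import re
from pathlib import PureWindowsPath

# Constructed sample of a thor.yml as it might look before editing; this is
# not the template shipped with THOR.
SAMPLE_THOR_YML = """\
# cpulimit: 100
rebase-dir: C:\\ProgramData\\thor
nocsv: true
"""


def set_yaml_options(yaml_text: str, options: dict) -> str:
    """Set flat 'key: value' options in thor.yml text (hypothetical helper).

    Uncommented keys already present are replaced in place, missing keys are
    appended at the end. Only flat scalar keys are handled, which is all the
    flags used here need; nested YAML would require a real YAML library.
    """
    remaining = dict(options)
    out = []
    for line in yaml_text.splitlines():
        m = re.match(r"^([A-Za-z0-9_-]+)\s*:", line)
        if m and m.group(1) in remaining:
            key = m.group(1)
            out.append(f"{key}: {remaining.pop(key)}")
        else:
            out.append(line)  # comments and untouched keys pass through
    for key, value in remaining.items():
        out.append(f"{key}: {value}")
    return "\n".join(out) + "\n"


def exclusion_pattern(rebase_dir: str, subfolder: str = "thor") -> str:
    """Derive the Sensor Visibility Exclusion for the folder THOR runs from.

    Falcon exclusions are relative to the file system root, so the drive
    anchor is dropped. Lower-casing mirrors the pattern shown in the post;
    NTFS path matching is case-insensitive anyway.
    """
    folder = PureWindowsPath(rebase_dir) / subfolder
    rel = "\\".join(folder.parts[1:])  # parts[0] is the 'C:\\' anchor
    return "\\" + rel.lower() + "\\**\\*.exe"


def exclusion_covers(pattern: str, full_path: str) -> bool:
    """Check whether a root-relative exclusion pattern matches a full path.

    Assumed glob semantics: '**' spans zero or more directory levels and '*'
    matches within a single path segment. Verify this against the Falcon
    documentation for your sensor version before relying on it.
    """
    pat = [seg for seg in pattern.lower().split("\\") if seg]
    segs = [seg.lower() for seg in PureWindowsPath(full_path).parts[1:]]

    def match(pi: int, si: int) -> bool:
        if pi == len(pat):
            return si == len(segs)
        if pat[pi] == "**":
            # try consuming 0..n remaining directory levels
            return any(match(pi + 1, k) for k in range(si, len(segs) + 1))
        if si < len(segs) and fnmatch.fnmatchcase(segs[si], pat[pi]):
            return match(pi + 1, si + 1)
        return False

    return match(0, 0)


if __name__ == "__main__":
    options = {"rebase-dir": "C:\\Temp", "cpulimit": 70}
    print(set_yaml_options(SAMPLE_THOR_YML, options))
    pattern = exclusion_pattern(options["rebase-dir"])
    print("exclusion:", pattern)
    for p in (r"C:\Temp\thor\thor64.exe", r"C:\Temp\thor\thor.yml",
              r"C:\Windows\Temp\thor\thor64.exe"):
        state = "covered" if exclusion_covers(pattern, p) else "NOT covered"
        print(f"{p}: {state}")
```

The last check is the one worth keeping: because the exclusion is root-relative, expanding the archive into a different folder than the one the pattern was written for (for example C:\Windows\Temp\thor instead of C:\Temp\thor) leaves the THOR binaries outside the exclusion, so the pattern has to be regenerated whenever “rebase-dir” or the upload location changes.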

It is possible to integrate THOR into many endpoint solutions. If you’d like to check the integration into your solution, please contact us to get a trial version of THOR. We offer special discounts for customers that help us showcase interesting integrations. 

About the author:

Florian Roth

Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.
