THOR Version 8.49.0 Changes

by Jul 27, 2018

There are a few relevant changes in the upcoming THOR version 8.49.0 that we would like to announce.

Interpreter and Module Upgrades

The integrated Python interpreter will be upgraded to Version 2.7.15. We have also upgraded several modules. All our tests showed no signs of problems even with the oldest Windows version like Windows 2003 Server. (officially unsupported)

If you encounter any issues, please let us know.

4th Generation License Format Support

THOR 8.49.0 supports the newest license format which allows us to:

  • set a start date for the period of validity
  • enable or disable certain modules and features in THOR and SPARK
    (e.g. we could license a SPARK version that only scans endpoint logs with Sigma rules)

THOR-util Report Generation

The new included THOR-util version 1.2 allows to generate HTML reports from scan log files. It can also generate reports for a directory that contains THOR or SPARK scan logs (up to 50 per HTML report). We’ve discussed this feature in detail in a previous blog post.

Noresume Becomes the New Default

The Scan Resume feature has caused many problems during incident response engagements in the past. The feature activates a journal in THOR DB that tracks the state of the scan and resumes the scan automatically if it was interrupted by a user or terminated due to a system shutdown. This feature seemed to be helpful but actually caused some problems.

THOR logs are created in “write” (w) mode, not in “append” (a) mode. When an administrator started THOR on a system, terminated the scan and then restarted it shortly after, the first part of the local log file was overwritten by the second scan. Sometimes a scan was interrupted on a system due to different reasons. When an administrator received the order to start a new scan on that system, the scan resumed the last scan and the log file and report contained only info of the resumed part of the scan.

We therefore decided to not resume scans by default. If you still want to maintain the old behaviour, please use the new “–resume” parameter. The old “–noresume” parameter is still valid but has no effect and is marked “obsolete” in the help.

Analysis Cockpit Web Session

We’ve just recently published a web session that gives an overview on our whole product portfolio and describes the features of our Analysis Cockpit in detail. (18 minutes, English language)

The main features of the Analysis Cockpit are:

  • THOR / SPARK Log Baselining
  • Automatic case creation based on similarities of the events
  • Filtered Forwarding of Logs to a SIEM system

About the author:

Florian Roth

Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.

Newsletter

New blog posts
(~1 email/month)

GDPR Cookie Consent with Real Cookie Banner