Introduction THOR TechPreview

Since its early days, THOR has always been focused on stability and detection rate. With the early module and feature set, we never had to make a compromise. 

However, during the last 1-2 years, we had to make some decisions on the integration of new features and their default state in favor of stability. These decisions include e.g. the process dump feature, the PE-Sieve integration and Sigma scanning. 

Detection and stability have become two competing goals. We do not want to make these hard decisions anymore and leave them to you. You decide, based on your use case, if you want to use the version with newest features and detection capabilities or the one with a maximum of stability. 

With THOR version 10.6 we introduce a version named THOR TechPreview, which includes the newest features, refactored modules and new modes of operation. 

THOR TechPreview is a special THOR version that contains the newest modules and great detection features, which have not yet been tested on thousands of systems.

Florian Roth

Head of Research

The first release of THOR TechPreview will be version 10.6.
The standard version of THOR remains version 10.5 until the refactored and new features of the TechPreview have been proved to be stable. The expected release cycles of new version of THOR Tech Preview will be once a month, while new minor versions of THOR will be released only twice a year. Both versions receive bugfix updates and use the same signature set. 

ASGARD and THOR TechPreview

The current ASGARD Management Centers continue to use the standard THOR versions. The next minor release ASGARD 2.6, which is planned for October 2020, includes the option to use the TechPreview variant.  

Recommended Use Cases

The TechPreview version is recommended for all use cases in which detection capabilities have higher priority than stability. We would e.g. always recommend the TechPreview for image scans in a forensics labs.

Internal Testing

THOR TechPreview is not an untested version. It still goes through our internal testing on almost a hundred different test systems in 4 different test configurations.

Getting Started

Customers can download the new THOR TechPreview version from the download section in the customer portal once it gets released. Thor-Util version 1.11+ also supports the TechPreview download. We’ve planned the release for September 8.

Use THOR in CrowdStrike Falcon Real Time Response

One of our customers has successfully deployed THOR using CrowdStrike’s Falcon Real Time Response.

Falcon’s Real Time Response provides a remote shell that is very similar to Microsoft Defenders ATP’s Live Response, which we’ve already combined with THOR Cloud (see this page). 

The most important feature that allows us to integrate THOR is the ability to upload binaries to a remote system and execute them.

The Real Time Response shell offers a set of commands to interact with the remote system.

We used “put” and “run” to upload and run THOR and “get” to download the scan results.

Since the “run” command doesn’t accept any command line flags, it comes in handy that THOR accepts all his command line flags with config files in YAML format.

You can simply put all command line flags that you’d like to use into `thor.yml`, which is the default config file that gets initialized automatically during startup.

You can find more information on the YAML config files in chapter 10 of THOR’s manual. 

 

We recommend editing the “thor.yml” before uploading the THOR package to the remote system using the “put” command. 

It is advisable to set a specific output path for the log file or use the “rebase-dir” flag to create all output files in a certain folder. Many users reduce THOR’s CPU load to a lower value to influence the remote system as little as possible.

...
rebase-dir: C:\Temp
cpulimit: 70

You can then expand the archive using “Expand-Archive thor.zip” (PowerShell) or upload a “7z.exe” on very old systems with old PowerShell versions that don’t support the “Expand-Archive” command. 

You have to configure a “Sensor Visibility Exclusion” for THOR for the complete host group. Exclusions are relative to the file system’s root, so the pattern should look like: 

\temp\thor\**\*.exe

After a successful scan run, you can download the results using the “get” command and remove the exclusion.

It is possible to integrate THOR into many endpoint solutions. If you’d like to check the integration into your solution, please contact us to get a trial version of THOR. We offer special discounts for customers that help us showcase interesting integrations. 

Sigma Scanning with THOR

Our compromise assessment scanner THOR is able to apply Sigma rules during the local Eventlog analysis. This can help any customer that has no central SIEM system or performs a live forensic analysis on a system group that does not report to central monitoring. 

By running THOR on these systems with activated Sigma feature, THOR becomes a kind of a distributed and portable SIEM.

Since the Sigma scan module isn’t active by default, we thought it a good idea to explain how to activate an use it in the best possible way. 

Open Source Rule Set

By default THOR uses the open-source Sigma rule set with more than 500+ rules provided by the Sigma project on their Github page

Since our head of research is also one of the project maintainers, it was reasonable to combine the detection capabilities of Sigma with THOR’s scanning functionality on the endpoint. 

We comply with Sigma’s DRL (Detection Rule License) by including the rule authors in the event data produced by these rules.  

Custom Sigma Rules

You can easily add you own Sigma rules by placing them in the “./custom-signatures/sigma” sub folder.

THOR’s Sigma Config

The THOR default configuration for Sigma can be found in the Sigma repository. 

This configuration shows you, which Windows Eventlogs and Linux/Unix log files get analyzed by the Sigma module in THOR.

 

Sigma Scanning

To activate the Sigma module simply use the “–sigma” flag (or “sigma: True” in a YML config file).

You can start a THOR scan that analyzes the local Eventlog and activates the Sigma feature with:

thor64.exe -a Eventlog --sigma

To run a Sigma scan on a single Eventlog e.g. Sysmon’s log, use the “-n” flag.

thor64.exe -a Eventlog --sigma -n "Microsoft-Windows-Sysmon/Operational"

To include the Sigma feature in a standard THOR scan and check only the last 3 days of the Windows Eventlogs to reduce the scan duration, use:

thor64.exe --sigma -lookback 3

Sigma Matches

Once a Sigma rule matches on a log entry, you’ll see it listed in one of the REASON’s that lead to the classification of an event. 

The following example shows the detection of a China Chopper (Caidao) ASP web shell. That web shell has been detected by multiple Sigma rules. 

  1. Webshell Detection With Command Line Keywords 
  2. Shells Spawned by Web Servers
  3. Whoami Execution

Getting Started

Since this feature isn’t available in THOR Lite, please contact us via the “Get Started” button in the upper right corner and get a free trial voucher. Most customers that use THOR with Sigma choose one of our THOR license packs, especially the SOC Toolkit Pack, which was geared to the needs of today’s SOC teams. 

New VALHALLA Web Features

The newest update of our popular YARA rule feed named VALHALLA adds new features to its web interface.

The most awaited new feature is a keyword search that allows you to query the database for certain keywords, rule names, reports, MITRE ATT&CK ids or tags.

The result page shows you if VALHALLA already has related rules in its database. 

 

Keyword Search

The search results show all rules in our database related to the search keyword.

You can see the rule name, description, the rule date, a reference URL and a set of links.

The new search function helps you to determine if VALHALLA and THOR already contain rules for a given report or threat. 

New Links

We have integrated new links that lead you to:

  1. the reference listed in the rule (report, source)
  2. a Virustotal lookup for that rule / sample
  3. a detailed info page for that specific rule

Rule Info Pages

The rule info page contains all the details to a certain rule. These include all metadata values liks score, tags, reference links, required YARA version and modules, the rule date and the average AV detection ratio.

Two additional tables include all antivirus verdicts for samples on which that rule has matched and a list of all observed samples with links to Virustotal. 

 

Community Rule Info

We’ve also added notes on the 2400+ rules that are available as open source in the signature-base repository on github, e.g. try SUSP_LNK_Big_Link_File.

Category Counts

A new table on the start page informs users about the rules per subscribable category. 

Also note that queries of any type to Valhalla are rate limited. Too many requests in a relatively short time frame will lead to complete blocks as well as a high amount of requests over a longe time period and other suspicious activity. Customers can get their source IP addresses whitelisted on request. 

The new version will be deployed in the coming days.

Web Proxy Event Analysis Cheat Sheet

The “Web Proxy Event Analysis Cheat Sheet” can help SOCs and security analysts classify proxy events (blocks, alerts) and is based on my ideas and many ideas from experts that helped me collect detection ideas for this document.

You can download version 1.0 here.

We also recommend checking Sigma’s “proxy” section for detection rules that can be used to detect threats in web proxy or similar logs as long as they contain web connection information (EDR, HIDS etc.).

 

Web Proxy Event Analysis Cheat Sheet