Reasons Why to Use THOR instead of THOR Lite

We have received reports from customers that were approached by service providers that offered compromise assessments with our scanner THOR. Subsequently, it appeared, however, that these providers used THOR Lite in their engagements and, when asked about this, argued that THOR Lite would be “just as good as the full version”.

In this article we would like to explain why this is not the case.  

1. The Small Rule Set

The rule set of THOR Lite is much smaller. While THOR uses more than 16,000 YARA rules, THOR Lite only uses the open source signature base, which has ~4000 rules. Of these 4000 rules, 800 are old webshell rules, 300 are written for old Equation Group implants that should be long gone, many others were written for past threat group activity.

Don’t get us wrong – these rules were good at their time and the set contains solid generic rules for some kinds of threats but the effectiveness of the older rules decreases and it is less and less likely that they catch something significant.

The number 4000 compared to 16,000 doesn’t mean that you would still see 1/4 of what THOR is able to detect – honestly, it’s rather 1/30. 

2. The Limited Modules

It is correct that the filesystem often contains evidence, but not traces of adversary activity are not always visible on the filesystem. It’s not unusual that adversaries remove their tools when they’ve finished their job.

Therefore the full version of THOR runs more than 25 modules that look for the IOCs and apply YARA rules in many different locations like the Eventlog, SHIM Cache, Registry and performs checks for hidden implants that can only be identified with their mutex or a handshake on a certain named pipe.

The screenshot on the right shows all disabled modules and features in the Lite version. 

Findings in these other modules aren’t just evidence of a compromise but often point to other techniques used by the attackers or other systems that are also affected.

THOR Lite lacks not only depth of visibility with a much smaller rule set but also breadth due to the limited set of modules and features.

All modules and features disabled in the Lite version

The Few Exceptions

There are a few exceptions to the rule of very limited visibility in THOR Lite.

  • To showcase what the full version is able to detect, we’ve included all available signatures for the various campaigns against Microsoft Exchange, namely ProxyShell and ProxyLogon. Scanning Exchange servers for this kind of threat is almost as good as using the full version of THOR.
  • The few generic detection rules provide a good coverage of common threats, like webshells and crypto miners. Arnim Rupp provided a great set of generic webshell detection rules that are able to highlight new, yet unknown web shells of all kinds (ASP, JSP, PHP etc.).
  • The coverage of some well-known hack tools like Mimikatz is also pretty good. 

For whom is THOR Lite intended?

THOR Lite is meant as a free community edition to showcase the functionality.

It is meant to be used by private individuals or small organisations without a budget that face common threats like crypto miners and crime groups. 

From time to time, we add sets of rules and IOCs to detect dangerous threats with high importance and / or a wide spread – e.g. Exchange vulnerability exploiting, crypto coin miners, Ransomware worms like WannaCry.  

Test Drive the Full Version

We recommend a test drive of the full version on compromised or possibly compromised systems to see the big difference in detection capabilities. We also offer affordable license packs for small organisations and give attractive discounts on license packs that are used by IR teams all over the world.

Just use the “get started” contact form and state that you’d like to test the full version of THOR.

TryHackMe Training Room for THOR Lite

Since THOR and THOR Lite are tools written for digital forensic experts, they can be difficult to use. There is often a steep learning curve in the beginning.

We’d like to help new users pass these first steps in a playful way by providing a TryHackMe challenge in which you analyse a compromised system using THOR Lite.

You’ll learn how to download and run it, interpret the results, write your own signatures and include your own IOCs for a custom threat. 

The room is meant for first time THOR or THOR Lite users.

Target Audience: DFIR professionals, administrators, security analysts
Duration: ~3 hours (without the download of the VM)

You’ll work with a prepared virtual machine that you’re required to download during the training.

Requirements:

  • VMWare or VirtualBox
  • 13 GB download and 23 GB of disk space
To access the TryHackMe room

  1. visit https://tryhackme.com
  2. create an account
  3. access the page “My Rooms”
  4. enter the room code “thorlite”, then “Enter room”

and start with the training lab.

Please help us and send your feedback to feedback@nextron-systems.com

Silent Scanning – Compromise Assessment with THOR Lite on a Compromised Exchange 2019 Server

The following video shows a compromise assessment with our free THOR Lite scanner on a Microsoft Exchange 2019 server detecting ProxyShell and ProxyToken exploitation.

We’ve done no post-editing in this video. You can jump to all findings using the video chapters. You’ll see log entries, web shells and a modified IIS server configuration as reported by HuntressLabs in various reports. We added some Synth-wave tracks to create the right atmosphere. Enjoy.

By the way, we compiled a blog article regarding compromise assessments of Exchange servers with THOR Lite to detect ProxyLogon exploitation with some recommendations that still apply. You can find that blog post here

Use YARA math Module Extension in THOR TechPreview and THOR Lite

Not long ago, we’ve created a pull request for the official YARA repository on Github, that would introduce new functions in the `math` module to improve the flexibility in cases in which a sample is heavily scrambled or obfuscated. These cases require further statistical evaluations that go beyond the currently available “entropy”, “mean” or “deviation” functions.

The example on the right shows a heavily obfuscated PHP web shell, as used by a Chinese actor. 

You immediately notice the high amount of “%” characters, but since each of them is preceded and followed by different characters, it’s difficult to find atoms that are long enough to maintain an acceptable performance / stability of that rule. 

 

If you could, you would formulate a rule like this: “Detect files smaller 400 bytes, that begin with ‘<?’ and consist of at least 25 percent ‘%’ characters”. 

Well, the new module extension allows you to do exactly that.

Read the documentation provided with the pull request for details on all three new functions:

  • count(byte/string, offset, size)
  • percentage(byte, offset, size)
  • mode(offset, size)

While the first two functions are self-explanatory, the “mode” function isn’t. It is is a term used in statistics for the most common value.

For your convenience, we’ve already patched our versions of THOR TechPreview and THOR Lite to support these extensions of the “math” module. You need at least v10.6.6 to use the new function in your rules. 

We wish you good hunting. 

THOR Lite Usage in Mjolnir Security’s Introduction to Incident Response Training

Our partner Mjolnir Security offers a training named “Introduction to Incident Response” from 3th of May to 13th of May.

It’s 3 hours a day, from 5pm to 8pm Eastern time, but will be recorded for you to watch it whenever you like. On day 6 you’ll learn to write YARA rules and use THOR Lite to search for evidence on compromised machines. 

As a THOR Lite user, you can use the promo code NextronThorLite to get a 30% discount on the course fee. 

The training is free for law enforcement agencies. 

Registration URL: 

https://www.eventbrite.ca/e/mjolnir-securitys-introduction-to-incident-response-training-tickets-142536595795

New Detection Rules for Exchange Exploitation Activity

Last week, we’ve released a blog post on how to detect HAFNIUM activity with the use of THOR Lite. Since our first set of rules, we’ve added several important new rules from fellow researchers and moved even more rules from our commercial set into the open source rule set.

This alone would be reason enough to recommend another scan. But during the last three days, we’ve added a special group of rules (see below) and fixed some bugs in the code base of THOR that could have lead to false negative on some of the relevant log files (exclusion under certain conditions).

We therefore recommend a signature update, an upgrade to THOR v10.5.12 (THOR TechPreview v10.6.4) and a new scan run to uncover traces of hacking activity using the newest detection rules.

The following sections explain the extended coverage.

Compiled ASPX Files

We’ve added rules for the compiled ASPX files that often remain on a system even in cases in which an attacker has removed the original web shell.

These are perfect rules to uncover actual post-exploitation attacker activity and not “just an exploitation” and a webshell drop.

You can find more information on the creation and meaning of these forensic artefacts in this Trustwave blog post.

(Source: Trustwave)

Improved Generic Webshell Coverage

Arnim Rupp provided many improvements to its public rule set that detect all kinds of webshells based on generic characteristcs. 

Frequent updates improved these rules and extended the coverage to include the newest unknown webshells mentioned in the most recent reports. 

More Filename IOCs

Over the last few days we’ve added many new filename IOCs mentioned in reports by ESET and others. 

The ESET report mentions and lists IOCs of 10 different APT groups exploiting the Exchange vulnerbility and leaving traces on compromised systems.

Rule Improvements

We’ve improved several rules to extend their coverage.

E.g. the rule that looked for POST requests to a single letter JavaScript file now looks for a certain pattern that includes exploitation attempts with the new Metasploit module.

Due to all the mentioned improvements and bugfixes, we recommend another scan run on your Exchange servers. The following commands upgrade THOR and its signature set.

THOR

thor-util.exe upgrade

THOR Lite

thor-lite-util.exe upgrade

Remember these recommendations from the initial blog post:

  • If you’ve installed Exchange on a drive other than C: use `–allhds`
  • Use `–sigma` feature when scanning with THOR (not available in THOR Lite)
  • Add the following exclusion to the file `./config/directory-excludes.cfg` to skip all mailbox directories:

\\(MDBDATA|Mailbox|Mailbox Database)\\

Which extra value provides THOR in Exchange ProxyLogon related assessments?

Since we’ve decided to migrate many of the HAFNIUM / Exchange vulnerability related signatures into the open source signature database of our free scanner THOR Lite, both users of the free and the commercial version started asking questions of coverage and if a scan of the respective other version is still recommended.

This blog post tries to shed some light on the issue by pointing out the differences between both scanners regarding coverage, scan intensity and availability of signatures.

The obvious advantage of THOR Lite – which is usually one of the disadvantages – is the immediate availability of untested new YARA signatures. While users usually prefer tested signatures that won’t cause hundreds or thousands of false positives, in case of the ProxyLogon vulnerability, new releases of rules cannot be fast enough.

So the obvious and only advantage of THOR Lite is that it receives rule updates multiple times a day, while THOR currently gets new signatures every 1-2 days.

The signature release schedule is as follows: 

  • THOR Lite (untested): on every commit in the repository
  • VALHALLA (goodware tested): once per day
  • THOR (goodware tested, full CI tests on 20+ operating systems): currently every 1-2 days, normally 1 per week

A good example of a rule that caused several false positives and, as a consequence, some trouble is an experimental rule named APT_fnv1a_plus_extra_XOR_in_x64_experimental, which even triggered on files from the Microsoft software catalogue.

It has never been quality tested and has only been in the community signature set used in THOR Lite.

Since we just extend our coverage with every new signature, users who use the ruleset released on Monday the 8th should at least see all different types of exploitation attempts, successful or unsuccessful. They also see many types of web shells, old and new, tools like PowerCat and Nishangs PowerShell one-liner as well as LSASS process memory dumps and other more generic indicators.

So both scanners provide a reasonable coverage and should indicate a successful attack.

THOR may not have the newest signatures, but it provides the bigger rule set with many generic signatures for all kinds of malicious activity, including post-exploitation activity. The following list tries to cover the advantages of a THOR scan in contrast to a THOR Lite scan.

Undisclosed Signatures

We have included many rules in the open source signature set that we use for LOKI and THOR Lite, but not all of them. As stated in a previous post, we have kept some of the more elaborate ones secret to avoid attackers evading the detection in future attacks. 

These rules include detection for specific forensic evidence that is often still present on a once compromised system even when the attackers have already removed the previously dropped web shells. 

This rule e.g. looks for compiled DLLs that we believe are generated once a dropped web shell gets executed at least once and often resides on a compromised system after the attackers removed their tools, data and web shells.  

They are usually not detected by Antivirus software and proved to be a good indicator for a successful compromise and actual malicious activity. 

More Modules, Better Coverage

As you can see in the scanner comparison table, the full THOR version provides many different modules in which it scans different elements of an operating system to discover traces of hacking activity. 

We apply many different IOCs like filename patterns, hash values and keywords in these modules to provide the best possible coverage. Find more information on THOR’s IOC scanning in this blog post. 

In regards to the HAFNIUM and ProxyLogon activity, we’ve seen enterprise customers with additional findings in

  • the Eventlog (Sigma scanning) and
  • Scheduled Task module

Other modules that could reveal HAFNIUM activity and are not available in THOR Lite are: MFT, ShimCache, Registry

Better Overall Coverage

The following graph aims to visualise the coverage differences of both scanners only in relation to the HAFNIUM / ProxyLogon activity. In all other cases, the coverage provided by THOR is much higher, since it uses a signature database with more than 14,000 YARA rules and applies these signatures in more than 20 different modules. 

As you can see, especially payloads/evidence used the “delivery” and “exploitation” phase are covered very well by both scanners, but THOR is much better when it comes to detecting post exploitation activity and backdoors or activity other than the described HAFNIUM group activity.

ESET has just recently published a report in which it mentions activity of more than 10 different APT groups.

As this vulnerability attracts more and more threat groups, it gets more and more important to cover as many shells, tools and techniques as possible and widen the view for other actors.  

We continue to provide IOCs and signatures regarding that threat in both scanners and also merge rules provided by community members as quickly as possible. 

Scan for HAFNIUM Exploitation Evidence with THOR Lite

Since we’ve heard from partners and friends about many non-profit organisations affected by the Exchange server vulnerability, we’ve decided to transfer many detection rules from our commercial scanner into the free community version.

If you haven’t heard of THOR or THOR Lite before, I’d recommend reading the product page of at least THOR Lite.

TLDR: It’s a forensic scanner with the focus on traces of hacking activity, configuration backdoors, file anomalies and other things that an Antivirus often misses like web shells or the output of hack tools that has been left over by the attackers. It is portable and doesn’t require an installation.

What we did to improve THOR Lite

We’ve added many of the signature that we also sell with THOR and the VALHALLA rule feed to the Open Source repository. Fellow researchers provided additional YARA signatures for some webshell types and traces in log files.

Only a few rules haven’t been published with THOR Lite in order to keep some detection logic secret. (creative ways to detect the compiled ASP.NET DLLs)

YARA rules, filename IOCs and hash IOCs provided by Microsoft and Volexity are also already included.

We estimate the coverage provided by the open source rules and IOCs to be around 95%. 

We even have translated the Sigma rules used in THOR into YARA rules in order to enable the detection of these patterns in THOR Lite (as THOR Lite doesn’t allow Sigma scanning but can apply these rules in the available ‘Logscan’ module).  

Included IOCs and YARA Rules

Getting Started

We offer THOR Lite for free. All we require is a newsletter subscription. (side note: we’ve never sent a newsletter to that list so far. This will be the first blog post that will be sent to all subscribers)

Just visit the download page, subscribe, receive a license file and download links to download the scanner package.

After the download you place the license file sent to you in a separate email into the extracted program folder and should immediately update the signatures with the following command:

thor-lite-util.exe update

If you want to use a web proxy to connect to the Internet, use the following command to get a help for the “update” command.

thor-lite-util.exe update --help

If you are already a user of THOR Lite, make sure to use at least signature set version “21.3.6-090007”.

Specific Recommendations

Exclude Mailbox Folders

We recommend excluding the mailboxes from the scan by adding the following lines to the file ./config/directory-excludes.cfg

\\(MDBDATA|Mailbox|Mailbox Database)\\

Scanning this directory would just slow down the scan and – according to all available reports – wouldn’t be necessary to produce relevant findings.

Exchange on Drives Other than C:

If your Exchange server isn’t installed on drive C:, use the “–allhds” flag.

thor64-lite.exe --allhds

Otherwise just run a standard scan without flags.

Antivirus Exclusion

Since THOR Lite doesn’t provide modules for “Rootkit” detection or problematic modules like “Mutex” or “NamedPipes”, you shouldn’t have problems scanning systems without an Antivirus exclusion filter. 

All YARA rules are included in a compressed and encrypted form so that an Antivirus shouldn’t trigger on clear text signatures as it is the case for most of the other YARA scanners including LOKI. 

However, since some realtime engines check every file that THOR Lite has “touched” during its scan, an Antivirus exclusion can increase the scan speed by ~30% and avoid any interference (blocked access to some files etc.).

Scanning a Subset Only

You could run a scan on a subset only and skip other system folders. If you have a good picture of the location of the Exchange folder and all relevant sub directories (log files, owa web service folders), you could run a selective scan using the following command. 

thor64-lite.exe -a Filescan -p "C:\Program Files\Microsoft\Exchange Server"

However, we do not know if all relevant forensic evidence can be found in that folder.

Intense Mode

Don’t use the “–intense” flag or use it only in cases in which it is okay for the scan to take 12+ hours to complete and system stability isn’t a concern – which is almost never the case. The “–intense” flag is meant for lab scenarios or use cases in which a maximum detection rate is very important. Warning: That flag disables all system resource monitoring safe guards that we’ve integrated into THOR.

Lab Scans

Test the scan on samples that you’ve collected using the following commands:

thor64-lite.exe -a Filescan -p D:\collected-samples

thor64-lite.exe --fsonly -p D:\collected-samples

The first command reflects the scan mode that is used during a default scan with all modules. The second command starts THOR in “lab scanning” mode, which scans samples regardless of their extension and magic header. If you discover samples that get detected only in lab scanning mode, please let us know. (see “How Can I Help” below)

 

How Can I Help

  • Please provide feedback on false positives. Include all information that you’re allowed to share, e.g. file name, file hash, rule name or the full log line with all confidential information removed. Use the issues section on Github or send an email to rules@nextron-systems.com.
  • Please help us cover false negatives. If you’ve found a webshell or forensic evidence that THOR Lite wasn’t able to detect, please provide that evidence and we add coverage for everyone in the community to use. (open source YARA rule usable in any scanner including LOKI and THOR Lite)

FAQs

Where can I find help? 

Please first check the documentation, which is provided as PDF in the ./docs sub folder. It’s written for THOR, but many chapters also apply to THOR Lite.

You can report THOR Lite issues on Github

How can I scan unsupported Windows version? 

We provide a legacy version of THOR to scan outdated Windows version (2003, 2008) for our customers only. Sorry. You can find information on pricing in the license packs section.

How can I provide samples that haven’t been detected? 

Please add information about them to a new issue on Github or send them to rules@nextron-systems.com

I’ve subscribed to the Newsletter but didn’t get an email with a license file or the download links. What can I do?

The response emails sometimes get classified as SPAM. Please check your junk mail folder. In 100% of the cases in which subscribers didn’t get a corresponding email, this was the reason. 

THOR Process Memory Matches with Surrounding Strings

Following THOR’s approach of showing suspicious elements, it is not feasible to completely avoid false positives. Therefore we always try to provide as much information as possible for an analyst to assess such a suspicious element as quickly as possible.

Users liked the DeeDive feature in which a string match on a chunk of data does not only include the matching string but also the surrounding strings, which help enormously to evaluate the criticality of a matching YARA signature. 

The TechPreview version of THOR 10.6 now introduces this extra information in many other modules. 

The following example shows a false positive in which the string ‘ -p 0x53A4C60B’ matched on the process memory of the ‘svchost.exe’ process with the full command line as ‘svchost.exe -k ClipboardSvcGroup -p’.   

In previous versions THOR you would only see the matching string, but the new versions will also show the 40 bytes before and after the string match. (in the example it has been set to 100 bytes by using `–string-context 100`)

This helps analysts to assess the match more easily without having a process memory dump. In the example above, analyst can review that data block in which the string match occurred and see that it has been within HTML text that has been copied to memory. It could be an analyst system on which someone handling forensic reports copied sections from one document to another, but it’s certainly not the threat, which the YARA rule tried to detect. 

This feature will be available in the upcoming THOR TechPreview 10.6.4. 

New Features: Progress Bar and HTML Report Filter Functions

We would like to inform you about three new comfort features that will be available in the upcoming THOR versions including THOR Lite. 

Improved HTML Reports

The new HTML reports allow analysts to filter elements that turn out to be false positives and remove them from the current view. It also adds useful lookup functions for Virustotal, RiskIQ and VALHALLA. 

Filter and remove false positives in your analysis

Apply filters directly from the modules menu and reduce the events to events from module X only

Direct lookups on Virustotal, RiskIQ and VALHALLA right from the report

The new report functions will be available in the upcoming THOR v10.5.10 and THOR TechPreview v10.6.3, which will be released in January 2021. 

Smart Progress Bar

Due to ongoing demand, we’ve added a progress bar to all longer running modules and a progress indicator to all the other modules. So far, we’ve avoided adding a progress bar or any kind of command line output that works with control characters to reduce the risks of side effects caused by THOR running in non-interactive sessions, e.g. with Splunk Forwarders’ scripted input. 

But THOR version 10 is able to determine if it is running in an interactive session and enables the progress bar only in these cases.

Progress bar in “Filescan” module

Progress bar in “Eventlog” module

New Option in Interrupt Menu

Another feature to highlight is the option to skip a module that doesn’t finish or seems to be stalled. 

The interrupt menu (CTRL+C) offers another option (X) to skip the current module and continue with the next one.

WordPress Cookie Plugin by Real Cookie Banner