THOR v10.1 features a mode of operation that is especially helpful in incident response or compromise assessment scenarios – remote scanning.
Imagine that you’re in a firefighting scenario – a breach has been confirmed and management wants to have quick results on the extent of the compromise.
The new remote scanning feature called “THOR Remote” allows you to perform triage scans on hundreds of remote systems from a single admin workstation. You can think of it as an integrated PsExec.
No scripting, no agents, no hustle.
Benefits
No agent
No scripting
Painless scans of many remote systems
Requirements
Available on Windows only
Accessible remote ports (135/tcp, 445/tcp)
Account with local admin rights
All you need is the new version 10.1 of THOR and a command line of an admin user with the required privileges and open Windows ports (135/tcp, 445/tcp) on the remote systems.
THOR will then switch into a new mode of operation and present a command line interface showing scan information and a scrollable pane for each log file. (see screenshot)
THOR writes the log files to a local folder on the admin workstation or sends them via SYSLOG to your SIEM system.
You can also define a number of concurrent scans (workers) and delay the scan starts to distribute the load evenly among the target systems. This is beneficial when you scan numerous virtual machines running on a few host systems.
A complete triage scan of your internal domain can’t be more comfortable.
It replaces our successful scanners THOR 8 and SPARK and combines the best of both worlds. It is a completely new code base that features all modules of our 4 year old compromise assessment flagship THOR 8 and the speed and extra features of our triage scanner SPARK.
You can find an overview of the major changes in this article.
Download
All customers with an active contract (rental license) and license pack users can download THOR 10 from the “downloads” section in the customer portal.
You can find the new manual as PDF in that section and the ‘./docs’ folder of the downloaded program package.
Updates
Please note that signatures updates will be much more frequent due to the decoupling of program and signature files. Make sure to use thor-util version 1.8 or higher.
We plan to release new signature packs every 1-3 days and new program binaries about once a month.
The old scanners will receive updates until mid-2019. However, these updates will be less frequent.
ASGARD
After upgrading to ASGARD version 1.10 you’ll immediately see the new scanner in all menus.
THOR 10 will be the new default for newly scheduled scan jobs. Old scan jobs will not be touched.
Updates of program binaries and signatures can now be managed separately from the “Updates” section.
Changes to Consider
All the old command line options stayed the same as in THOR 8. However, we’d like to bring some addition features and changes to your attention.
The THOR 10 program package now also contains a 64-bit executable (thor-x64.exe), which should produce much better process memory detection results. (ASGARD automatically selects the right binary)
Custom settings are now configured via ./conf/thor.yml and not ./conf/thor.cfg.
The active modules per scan mode and the log contents have been reworked. You can’t make a comparison with previous THOR 8 scan data. The log format (default) stayed the same, so that old field extractions should still work.
The log contents are more detailed and more consistent (e.g. timestamp format).
THOR has more output options (SYSLOG formats and JSON log file output, see manual).
Scan durations will change. The scanner is faster but has more active features like “archive YARA scanning” (better detection for Office document macro droppers).
Sigma scanning is available, but has to be activated with “–sigma”. It uses all rules from the public rule repository.
See the already mentioned article for more changes.
In anticipation of our new scanner THOR 10 Fusion, we would like to show you some of the exciting new features and upcoming changes.
Modes and Feature Cleanup
We’ve reviewed and reworked all scan modes in order to clarify the overview of active modules and features for the user.
In the past, it wasn’t always clear which module and feature has been auto-deactivated and auto-activated during the scan runs.
We’ve dropped the “–fast” mode, which was rarely used intentionally but auto-activated on Workstations.
Most of the modules have been completely rewritten.
Due to higher scan speeds we didn’t have to make many compromises. The “default” scan should take roughly as long as with THOR 8 but is much more intensive.
Modules like the “Rootkit” module have been split up in two different sections, one with important and less dangerous checks and one with less relevant checks that could lead to an Antivirus intervention (e.g. Double Pulsar check).
This refactoring allows us to activate the module in “Soft” scan mode and set e.g. “Double Pulsar” as extra feature for that module, which is activated in “Default”, “Quick” and “Intense” scan mode.
Separate Program and Signature Updates
Former versions of THOR have been shipped and upgraded as a complete package.
The new thor-util allows you to upgrade program files and signatures separately.
We’ll try to publish new signature packs as fast as new YARA signatures get published in VALHALLA.
Time Stamp Harmonization
The timestamps in all the different modules have been harmonized to ANSIC standard.
This was an important step to allow the creation of meaningful timelines of the discovered events.
Configuration Files Become Scan Templates
THOR 10 uses so-called scan templates in YAML format, instead of the old config file format.
The parameters in these scan templates reflect 1:1 the command line parameters. With these new scan templates it is easy to define a set of parameters for your scan and ship them as the default scan template.
You can even mix the configurations from multiple scan templates, e.g. define a default template and separate templates with different syslog targets for each branch office.
JSON and Key/Value Output
You can choose from multiple options to influence the output format of the log files and SYSLOG messages sent to remote servers.
We handle log messages internally as objects and can easily render JSON or Key/Value pair outputs.
This greatly simplifies the SIEM integration of all output streams.
Difference Scan
The difference scan makes use of the THOR DB and checks only elements on disk that have been created or changed since the last scan start.
This is a new ultra fast scan mode, albeit susceptible to timestomping attacks.
Sigma Scanning
THOR 10 inherits the Sigma scanning feature from SPARK and can now apply Sigma rules to local Eventlog entries (Windows) or log files (Windows, Linux and macOS).
Find more information on the Sigma scanning feature in this older blog post.
Better Process Memory Matches
Process memory matches now show the matching strings or code sequences found in the memory of scanned processes.
Tagged Matches
Since our YARA rules are tagged during the integration into VALHALLA, all of them have tags including the MITRE ATT&CK tags, that help your analysts putting matches into context.
ASGARD Integration
THOR 10 integrates seamlessly with ASGARD and shows up as third scanner next to THOR 8 and SPARK.
The “Updates” section will show separate update settings for the scanner’s program components and signatures.
The ASGARD menu to create new THOR 10 hunts contains all command line options dynamically extracted from the current executable.
This way it adapts to all future features and command line options that will be integrated into THOR 10 over time.
These are only some of the changes coming with THOR 10 Fusion.
We are in schedule and excited to release it in July.
We are proud to announce the upcoming release of THOR 10 code named “Fusion”.
It will replace our scanners THOR 8 and SPARK before the end of this year. Both of the current scanners will still receive updates until the end of this year.
THOR 10 “Fusion” combines the advantages of our current scanners, the intensive analysis capabilities of THOR with the unmatched flexibility and speed of SPARK.
It features all modules of THOR 8, including Registry, SHIM Cache, Eventlog, Mutex, WMI, Service and Autoruns analysis.
It runs on all major operating systems – Windows, Linux and macOS.
With THOR 10 “Fusion” you will not have to decide between an intense or fast scan anymore. THOR 10 provides the best of both worlds.
We plan to release THOR 10 in July this year. Follow us on twitter or subscribe to the newsletter for updates.
Customers will get a separate notification with changes and instructions for an upgrade.
With the upcoming version 8.53 of THOR, we’re testing a new feature called “Difference” or “Diff” mode (–diff).
The idea behind “Diff” mode is that a scan could be much faster, if it would only consider elements that have been created or changed since the last scan on that system. We can apply this principle to various modules and increase scan speed massively.
Diff mode is currently supported in the long running modules
Filesystem – files with MAC timestamps older than the last scan (start) will be skipped
Registry – registry keys with last modification dates older than the last scan (start) will be skipped
Eventlog – runs until it reaches eventlog entries with timestamps older than the last scan (start)
Diff mode requires the use of THOR DB, which is the default but could have been disabled with “–nothordb”. This is necessary to determine information from the last scan, e.g. “when did it start” but also “which modules were used in the last scan”.
The main advantage is an incredible fast scan. Our tests showed that scans in “Diff” mode complete within 5 and 15 minutes. In “Diff” mode, the longest running module is “ProcessCheck” with run times between 3 and 6 minutes.
The main disadvantage of “Diff” mode is the inability to detect Timestomping attacks, in which attackers or malware changes the timestamps of files and other elements.
As we have announced in May, the old “thor-upgrade.exe” is already out-of-support and the old update servers accessed by “thor-upgrade.exe” will be decommissioned at the end of October.
The new all-round utility “thor-util.exe” now supports all of the features provided by the old “thor-upgrade.exe” including NTLM Authentication with corporate proxy servers.
You can use “thor-util.exe upgrade –help” to see all options of the “upgrade” feature.
Also note that “thor-util” has an “encrypt” feature that allows you to encrypt custom signature files and the “report” feature that creates HTML reports from plain text log files.
The only valid update servers that should be accessible to get updates from November onward are:
update1.nextron-systems.com
update2.nextron-systems.com
The “thor-util” utility is part of the THOR and SPARK packages and can also be downloaded from the Customer Portal in the “Downloads” section.
If you are a customer and don’t have access to the Customer Portal yet, please contact us or the respective partner.
The new THOR-util version 1.2.4 supports the encryption of your custom signatures so that you can deploy your own IOC files and YARA rules in an encrypted form.
We use a public key in the utilities to encrypt the files for our scanners so that admins, Antivirus engines and attackers won’t be able to read the contents of the files.
The feature is also available in SPARK Core, our free scanner.
After encryption, place the encrypted IOC files in the “./custom-signatures” directory and the encrypted YARA rules in the “./custom-signatures/yara” directory.
The use of the function is simple. Just point it to a file, a list of files or use wildcards to select a set of files for encryption. The extension of the output file depends on the extension of the input file.
The upcoming ASGARD version 1.5 comes with a IOC management section in which you can manage your own set of IOCs in text files, YARA and Sigma rules.
You can then select each of the folders when creating a new scan run with THOR or SPARK. Selecting one of these folders will not include the sub folders.
You can schedule and run scans with different IOC, Sigma and YARA rule sets. You can review the included custom signatures in the scan details.
The following features are not yet implemented in v1.5 but on the roadmap for ASGARD v1.6:
Signature verification
Exclude the standard rule set (shipped with THOR and SPARK)
There are a few relevant changes in the upcoming THOR version 8.49.0 that we would like to announce.
Interpreter and Module Upgrades
The integrated Python interpreter will be upgraded to Version 2.7.15. We have also upgraded several modules. All our tests showed no signs of problems even with the oldest Windows version like Windows 2003 Server. (officially unsupported)
If you encounter any issues, please let us know.
4th Generation License Format Support
THOR 8.49.0 supports the newest license format which allows us to:
set a start date for the period of validity
enable or disable certain modules and features in THOR and SPARK
(e.g. we could license a SPARK version that only scans endpoint logs with Sigma rules)
THOR-util Report Generation
The new included THOR-util version 1.2 allows to generate HTML reports from scan log files. It can also generate reports for a directory that contains THOR or SPARK scan logs (up to 50 per HTML report). We’ve discussed this feature in detail in a previous blog post.
Noresume Becomes the New Default
The Scan Resume feature has caused many problems during incident response engagements in the past. The feature activates a journal in THOR DB that tracks the state of the scan and resumes the scan automatically if it was interrupted by a user or terminated due to a system shutdown. This feature seemed to be helpful but actually caused some problems.
THOR logs are created in “write” (w) mode, not in “append” (a) mode. When an administrator started THOR on a system, terminated the scan and then restarted it shortly after, the first part of the local log file was overwritten by the second scan. Sometimes a scan was interrupted on a system due to different reasons. When an administrator received the order to start a new scan on that system, the scan resumed the last scan and the log file and report contained only info of the resumed part of the scan.
We therefore decided to not resume scans by default. If you still want to maintain the old behaviour, please use the new “–resume” parameter. The old “–noresume” parameter is still valid but has no effect and is marked “obsolete” in the help.
Analysis Cockpit Web Session
We’ve just recently published a web session that gives an overview on our whole product portfolio and describes the features of our Analysis Cockpit in detail. (18 minutes, English language)
The main features of the Analysis Cockpit are:
THOR / SPARK Log Baselining
Automatic case creation based on similarities of the events
The new version of “thor-util” (used with THOR/SPARK) / “spark-core-util” (used with SPARK Core) support a feature that allows a user to convert any scanner log file into a convenient report.
Convert THOR / SPARK / SPARK Core scan logs into HTML reports
Convert a single text log file into an HTML report
Convert multiple log files (50 max.) in a directory into a single HTML report
Provide a file with filters to suppress false positives in the reports
Even LOKI logs can be converted (no support)
Hash values linked to Virustotal searches
IP values linked to VirusTotal searches
Header sections linked to elements via ankers
You can access this feature in the upcoming enterprise products (THOR 8.47.2 and SPARK 1.13) and the free product SPARK Core (SPARK Core 1.13).
The following screenshot shows a typical text log file. It can be processed in log analysis solutions but it is difficult to read for an analyst. Most analysts search these log files for “(Alert|Warning):” or use grep to get the most relevant messages.
Our tools “thor-util” and “spark-core-util” will help you with this task.
Generate an HTML report for a single log file
thor-util report --logfile PROMETHEUS_thor.log
Generate an HTML report for multiple log files
thor-util report --logdir ./logs
You can also provide a file with regular expressions that are applied during log parsing as filters to suppress false positives in the reports.
The new tools will be in all productive packages at the end of this week.
