Analyze VMware ESX Systems with THOR Thunderstorm

Since the release of THOR Thunderstorm in the summer of 2020, our customers used it to analyse a variety of systems that are usually considered as “out of scope”. In some cases the EULA prevents the installation of Antivirus scanners or EDR agents. In other cases the used platforms are simply outdated, customised or unsupported. 

A use case that we would like to highlight in this blog post is the analysis of VMWare ESXi systems.

In the past, our customers frequently asked if the Linux version of THOR would run on Photon OS used by ESX/ESXi. The need to analyse these systems is well justified. ESX/ESXi systems and the services running on these systems have vulnerabilities and are definitely in scope of an attack. Therefore they should also be in the scope of a compromise assessment.    

 However, VMware writes on its website:

With THOR Thunderstorm, we can simply copy the thunderstorm-collector.sh bash script to an ESXi appliance and start the collection to a THOR Thunderstorm service running in a local network.

Using a blank Debian system and the installer script, this only takes a few minutes.

In our case, we simply watched the log file written by THOR Thunderstorm with “tail -f” for incoming alert messages to showcase the use case for our customer. By default, the collector submits all files created or modified during the last 14 days and smaller 2 MB.

In our demo, we’ve detected a webshell named “shell.jsp” in the “/tmp” folder and a command that indicates a back connect shell using Linux sockets in the “.bash_history” of the root account. 

You can add the collector script run to the local crontab or execute it using Ansible to perform frequent collection runs once a day. 

If you’re interested in a test setup, please contact us using the “Get Started” button. 

There’s a Thunderstorm Coming

We are proud to announce a groundbreaking new scan mode named “Thunderstorm” that we’ve integrated into preview builds of the upcoming THOR version 10.6.

This mode of operation turns THOR into a RESTful web service that is able to process thousands of samples per minute sent from any device within the network.

Think of it as your ultra-fast on-premise scan service, wich is bundled with more than 13,000 hand-crafted YARA rules focusing on persistent threats and forensic artefacts.

Collect files and submit them for analysis from any operating system and any hardware platform. The possibilities are limitless.

With this blog post, we’d like to highlight some of these new possibilities.

Thunder rolls, lightning strikes & the hammer flies across the sky.
God of the weather,
chariot of the storm,
master of rain & torrents.
Son of the strength
of Mother Earth,
I ask you to grant me that strength for myself.

Norse Poem

What is THOR Thunderstorm?

A RESTful web service that receives samples and returns a scan result. It is feature-rich and very fast.

Use Cases

Use Case 1 – Remote File Collection

During forensic investigations, automated file collection (ESI) from one or multiple remote systems can be combined with THOR Thunderstorm to improve the forensic anylsis.

Alerts and warnings produced by THOR Thunderstorm highlight interesting elements in file data, registry hives, eventlog files and more.

Use Case 2 – ICS Networks

ICS networks are mission critical, requiring immediate and high-availability. The installation of an endpoint agent or running a portable scanner is often out of question.

With THOR Thunderstorm, you just have to collect and submit the files.

Use Case 3 – Out of Reach Devices

Since file collection is a lot easier than endpoint scanning, all you need is way to export the remote system’s files or directly send them to THOR Thunderstorm.

Imagine that you can collect and submit files from network devices, telephone systems or embedded devices.

Use Case 4 – Out of Reach Operating Systems

File collection scripts for many old or usually unsupported operating systems allow you to upload samples for analysis.

Select files based on size, age or type and schedule frequent upload tasks to analyze only new or modified files. 

Use Case 5 – S3 Bucket Scanning

We’ve been working with our partner Adolus to showcase a tuned version of AirBnb’s BinaryAlert in which the standard YARA analyzer has been replaced by THOR Thunderstorm.

By using it in a container that scales with the demand, you can process millions of files in a few minutes.

Flexibility

Most operating system provide tools to walk the file system and submit files via HTTP. The following examples are intentionally short and compact to inspire you with their simplicity. Think of all devices that you could analyze this way. No agent, no portable scanner, just simple file submission via HTTP.

Windows 10 Batch

This example shows a simple batch file that walks recursively over a given folder an submits all files. You could extend it to the whole disk and reduce the submission to certain file extensions (e.g. exe, bat, ps1, js).

Linux Web Server

This examples shows how easy it is to get all files in a web server root checked by THOR Thunderstorm just by using bash, find and curl.

 

Thunderstorm Components

The following slide lists the different components that can be used with THOR Thunderstorm. We provide a server installer script, collectors, a Python API client and update scripts. 

In addition to the Thunderstorm server we provide a set of simple sample collection tools called Thunderstorm Collectors, a Python-based API library with command line client and a set of helper scripts

Thunderstorm Collectors

The Thunderstorm Collector repository contains a Go based collector, precompiled for many different operating systems and architectures as well as collectors scripts (Batch, Bash, PowerShell).

We have pre-build collectors for Windows, Linux, macOS, AIX, Solaris on x86, x64, Arm, PowerPC, MIPS, RISC-V, Plan9, S390x (IBM Z) architectures.

These collectors allow you select files based on age, size and type for submission to a Thunderstorm server.

It is easy to set up a task like: 

“Select all files that have been created or modified within the last 24 hours and submit them to Thunderstorm for analysis. Run this task daily.”

Low CPU and RAM Usage

A collection task requires 0.75-2% of the CPU and 20MB memory. 

Any OS, Any Arch

Our collectors run on any operating system and processor architecture

High Speed

It allows ultra fast collection runs. (Our tests: Win 10, collect last 3 days, any type, full disk = 3 minutes run)

Thunderstorm API Client

We provide a Python module and Python based API client that supports multi-threaded submission to the THOR Thunderstorm service.

Modes of Operation

Service Mode

The service can be started in two scan modes:

  • Pure YARA
  • Full-Featured

Pure YARA

In the pure YARA mode (–pure-yara) THOR Thunderstorm only applies the 13,000 internal and all custom YARA rules to the submitted samples. It’s leightweight and super fast.

Full-Featured

The full-featured mode is the default. In this mode Thunderstorm also parses and analyses Windows Eventlogs (EVTX), registry hives, memory dumps, Windows error reports (WER) and more. It’s not just a YARA scan, but a full forensic processing.

More Features

Completely On Premise

THOR Thunderstorm can be installed on any internal system and runs as a service within your network

Sample Storage

Store suspicious or all transmitted samples with a reference to the source system to facilitate the deeper analysis

Forensic Modules

THOR Thunderstorm supports the analysis of different file types that get collected for forensic analysis purposes (e.g. EVTX files, Registry Hives)

Custom Signatures and IOCs

Add you own YARA signatures, Sigma rules, hash and filename IOCs and apply them to incoming samples

SIEM Integration

THOR Thunderstorm offers many ways to output information (Text, JSON, Syslog), which makes it easy to integrate the findings into your favorite SIEM system

Web GUI and API Documentation

The API documentation is embedded into the web service itself. You can even send requests right from the browser to test it live.

The Web GUI contains important information about the service like the signature set version, uptime, number of processed and queued samples and much more. 

It contains some graphs that help you to assess the actual server load and processing speed. 

It also contains links to the API documentation, the Python API library and the Thunderstorm Collectors for your convenience. 

 

On The Roadmap

The following tasks are on our roadmap for THOR Thunderstorm

  • Collector service that uses file system notifications to submit new files in real-time
  • Cortex Analyzer
  • ICAP Support (allows interfacing with Web Proxies)
  • File format support: PCAP, MFT
  • Recursive extraction of nested archives
  • Docker setup guide

Getting Started

Please use the “GET STARTED” button in the upper right corner or this link to request more information.

The release slide deck contains more detailed information on some of the mentioned aspects.

 

THOR v10.6 TechPreview

We are proud do announce the version 10.6 of THOR, which is the first one that gets released as a TechPreview. We’ve discussed the split-up into THOR and THOR TechPreview in a previous post.  

The following post describes the most important new feature of the THOR v10.6 TechPreview version.

THOR Thunderstorm

THOR 10.6 is the first version that support a new mode of operation – a RESTful web API service named THOR Thunderstorm. THOR Thunderstorm is able to receive thousands of samples per minute via web requests, scans them and returns a scan result. 

We’ve outlined many use cases and features of THOR Thunderstorm in a separate blog post

THOR Thunderstorm requires a separate license named “service license” to run. 

 

Multi-Threaded Scanning

Especially the customers with a lab license should be happy to hear that we’ve implemented multi-threaded scanning. 

From now on, THOR can use multiple threads to process elements (files, registry keys, events in eventlog etc.). 

This can boost the scan speed on mounted images significantly. Our tests on a 16 Core system showed a scan speed improvement of 1400%. 

Reworked Quick Scan

Quick scan (–quick) is used when fast scan results are crucial. It usually takes less than 25 minutes to complete. This is achieved by skipping elements in the scan. Quick in versions previous to 10.6 do the following: they skip the Eventlog scan and scan only a set of 40+ highly relevant folders on disk. 

The new quick scan doesn’t skip whole modules or directories anymore. For all previously skipped elements the new quick scan evaluates if they have been modified or created within the last 72 hours and scans only these elements. 

This way the new quick scan is much more intense but should  be only slightly slower. 

Other Changes

  • We’ve changed the ambigious “–fsonly” flag to “–lab” to indicate the best settings for scanning in a forensic lab (the old flag is still usable but hidden in the usage description)
  • Virtual drive name mapping (used in lab scans to map the actual mount point to the original one)
  • Minor changes to some log lines (extended field values) 

Getting Started

Customers can download the THOR TechPreview version 10.6 in the Downloads section of the customer portal or use thor-util in it’s newest version to download that version with the flag “–techpreview”. ASGARD version 2.5.3 also supports scan runs with THOR TechPreview. 

GDPR Cookie Consent with Real Cookie Banner