Compromise assessments provide an in-depth analysis including anomalies, suspicious elements and sometimes malicious activity. They focus on any activity that could have been missed by other security solutions. Compromise assessments provide answers to the question “did our current or past security solutions miss a persistent threat?”
Due to its extensive feature set, unmatched flexibility and large, highly valued and well-known signature set, our scanner THOR is the perfect tool to facilitate compromise assessments.
Continuous Compromise Assessment
The thorough analysis provided by compromise assessments comes at a price: time and effort.
In combination with the baselining features of our Analysis Cockpit, we limit the effort of every subsequent compromise assessment to a minimum. Reviewed elements become the new baseline. Analysts process new findings only. This way we are able to provide a thorough analysis and minimal effort after the first baselining.
Continuous compromise assessment setups typically use an enterprise license model with yearly host-based licenses per server and workstation.
Agentless Compromise Assessment
THOR’s flexibility has always impressed our customers. Its portable design allows using it selectively without the need for a permanently running agent. You can just copy it to a remote system, use portable media or a network share and run it from there.
Some customers developed short PowerShell scripts to copy and execute THOR on target systems. Others used their available software management solution to build, drop, run and remove a custom THOR package on thousands of end systems.
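The agentless copy-run-collect-remove cycle described above, as an added example that is not Nextron's own code: the script pushes a THOR package to each host over PowerShell Remoting, runs it, pulls the report directory back and deletes the package. It assumes WinRM is enabled, you hold administrative rights on the targets, and the package folder, binary name (thor64.exe) and the scan arguments (including the `-e` output-directory switch) match your THOR installation.

```powershell
# Added example, not part of the original page. All paths and THOR arguments are assumptions.
param(
    [string]$TargetList  = '.\targets.txt',   # one hostname per line
    [string]$ThorPackage = '.\thor',          # local folder holding thor64.exe and signatures
    [string]$ReportRoot  = '.\reports',       # collected reports land here, one folder per host
    [string[]]$ScanArgs  = @('--quick')       # assumed THOR CLI arguments; adjust to your setup
)

$targets = Get-Content $TargetList | Where-Object { $_.Trim() -ne '' }
New-Item -ItemType Directory -Force -Path $ReportRoot | Out-Null

foreach ($target in $targets) {
    $session   = $null
    $remoteDir = "C:\Windows\Temp\thor_$(Get-Date -Format yyyyMMddHHmmss)"
    try {
        $session = New-PSSession -ComputerName $target -ErrorAction Stop

        # 1. Drop the package on the target (no agent stays behind afterwards).
        Copy-Item -Path $ThorPackage -Destination $remoteDir -ToSession $session -Recurse

        # 2. Run the scan on the target; -e is assumed to be THOR's report output directory.
        Invoke-Command -Session $session -ArgumentList $remoteDir, $ScanArgs -ScriptBlock {
            param($dir, $extraArgs)
            $out = Join-Path $dir 'out'
            New-Item -ItemType Directory -Force -Path $out | Out-Null
            & (Join-Path $dir 'thor64.exe') @extraArgs -e $out
        }

        # 3. Collect the reports so analysts can review them centrally.
        $dest = Join-Path $ReportRoot $target
        Copy-Item -Path (Join-Path $remoteDir 'out') -Destination $dest -FromSession $session -Recurse
        Write-Host "[$target] reports collected to $dest"
    }
    catch {
        Write-Warning "[$target] failed: $($_.Exception.Message)"
    }
    finally {
        # 4. Remove the package and close the session, even if the scan failed.
        if ($session) {
            Invoke-Command -Session $session -ArgumentList $remoteDir -ScriptBlock {
                param($dir) Remove-Item -Path $dir -Recurse -Force -ErrorAction SilentlyContinue
            }
            Remove-PSSession $session
        }
    }
}
```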
A new feature named THOR Remote allows you to perform a distributed scan from a single privileged Windows machine by providing a list of scan targets.
Accelerated Forensic Analysis
Faster Digital Forensics with THOR
Incident response engagements often begin with a group of compromised systems and an even bigger group of systems that are possibly affected. The manual analysis of many forensic images can be challenging.
THOR speeds up your forensic analysis with more than 17,000 handcrafted YARA signatures, 400 Sigma rules, numerous anomaly detection rules and thousands of IOCs.
THOR processes not just files but also registry hives, event logs, crash dumps, Windows error reports, the MFT, the disk's free space and much more using so-called modules.
Scan multiple forensic images at the same time and review the reports to identify malicious activity much faster than before. It is easy to include custom IOCs and YARA rules to extend THOR’s ruleset with your case-related indicators and get even better results.
THOR is the perfect tool to highlight suspicious elements, reduce the workload and speed up forensic analysis in moments in which getting quick results is crucial.
THOR as a Plugin
The flexible and portable character of THOR allows deploying it in many different ways. Our customers have integrated THOR as an additional scanner in their malware analysis pipeline, use it in their EDR to scan collected samples and deploy it in live response sessions.
A very compelling integration is the one that extends the live response of Microsoft Defender ATP. While Microsoft Defender ATP plays to its strengths in detecting live attacks, suspicious processes and network connections, THOR shines as a live forensic scanner that scans the local filesystem, registry, logs and other elements for traces of hacking activity. THOR extends Microsoft Defender ATP’s real-time monitoring with intensive local scans to allow a full on-demand compromise assessment.
VALHALLA YARA Rule Feed
Apart from our flexible scanner THOR, which can be integrated into many different detection pipelines, we offer parts of our ruleset in a subscribable feed named VALHALLA.
VALHALLA boosts your detection capabilities with the power of thousands of hand-crafted high-quality YARA rules. Our team curates more than 17,000 quality tested YARA rules in 8 different categories: APT, Hack Tools, Malware, Web Shells, Exploits, Threat Hunting, Anomalies and 3rd Party. Valhalla’s database grows by 1500 YARA rules every year.
With access to Valhalla, you can supercharge your detection by adding most of our highly successful THOR scanners’ signatures to your scan engines. All rules are performance-optimized and quality tested against Terabytes of goodware and other data.
Large Scale Incident Response
Collecting evidence on endpoints during incident response can be time-consuming and technically challenging. Our ASGARD platform provides a lightweight agent for Microsoft Windows, Linux and macOS end systems that allows you to collect all kinds of evidence like files and memory as well as a neat full-featured remote console for all mentioned platforms.
ASGARD integrates perfectly with MISP and allows all kinds of STIX imports for all types of triage tasks. It comes bundled with our popular scanner THOR Lite and can be easily upgraded to use the full-featured THOR with its huge threat-intel-fed signature database and countless modules.
A single ASGARD instance allows the management of up to 25,000 endpoints. It adjusts the load generated by these endpoints in smart ways. Each ASGARD can be managed from a so-called Master ASGARD in order to allow the control of 250,000 or more endpoints.
ASGARD offers live investigations via remote console, file and memory collection on 250,000+ endpoints with a lightweight endpoint agent, all at an astonishingly affordable price.