Microsoft Defender ATP fully plays off its strength in detecting live attacks, suspicious process starts and network connections. THOR shines as a live forensic scanner that scans the local filesystem, registry, logs and other elements for traces of hacking activity.

While Microsoft Defender ATP features a forensic package collection that retrieves elements from a remote system, THOR scans these elements on the remote system, applying more than 17,000 hand-written YARA rules and thousands of filename, C2, hash, mutex and named pipe IOCs to them. This live forensic scan reduces the work of your forensic analysts to a minimum and generates results as fast as possible for you to react in a timely manner.

THOR extends Microsoft Defender ATP’s real-time monitoring by intense local scans to allow a full on-demand compromise assessment.

Live Response Scripts

The Microsoft Defender Security Center allows us to upload PowerShell scripts into a so called “live response library”, which is available on the endpoint during “live response” sessions.

We can use this feature to facilitate the download and execution of THOR on the endpoint.

THOR Cloud and Microsoft Defender ATP

You can use a local ASGARD server to provide licensing and THOR scanner packages to your endpoints. 

But the most convenient way is to use a combination public THOR Seed PowerShell script and THOR Cloud. Customers get access to a preconfigured version of THOR Seed, which already contains the customer’s API Token.

After uploading this script into you Microsoft Defender ATP Live Response Library, you are ready to go. All necessary components are downloaded at runtime and get removed afterwards.