THOR with Microsoft Defender ATP
While Microsoft Defender ATP features a forensic package collection that retrieves elements from a remote system, THOR scans these elements on the remote system, applying more than 17,000 hand-written YARA rules and thousands of filename, C2, hash, mutex and named pipe IOCs to them. This live forensic scan reduces the work of your forensic analysts to a minimum and generates results as fast as possible for you to react in a timely manner.
THOR extends Microsoft Defender ATP’s real-time monitoring by intense local scans to allow a full on-demand compromise assessment.
Live Response Scripts
The Microsoft Defender Security Center allows us to upload PowerShell scripts into a so called “live response library”, which is available on the endpoint during “live response” sessions.
We can use this feature to facilitate the download and execution of THOR on the endpoint.
THOR Cloud and Microsoft Defender ATP
You can use a local ASGARD server to provide licensing and THOR scanner packages to your endpoints.
But the most convenient way is to use a combination public THOR Seed PowerShell script and THOR Cloud. Customers get access to a preconfigured version of THOR Seed, which already contains the customer’s API Token.
After uploading this script into you Microsoft Defender ATP Live Response Library, you are ready to go. All necessary components are downloaded at runtime and get removed afterwards.