Use Cases
THOR is a very flexible tool that can be used in many different ways. The following sections explain the most frequent use cases.
Environment Triage Sweep
The most common use case is the network-wide triage sweep. In practice you receive “Indicators of Compromise” (IOCs) from a threat report or a forensic analysis and want to check all systems in your network for these indicators. (We explained in a previous blog post why our IOC scanning is different and much more intense than that of other solutions.)
The environment sweep can be scheduled with your system management software (e.g. SCCM), via Scheduled Tasks deployed through GPO, or with any other remote administration software that allows the execution of a program on a remote host.
The most frequent reasons for an environment sweep are:
- Compromised system(s) > evaluate the extent of the breach
- Threat report > scan the local network for indicators mentioned in the report
- Preventive scanning > as a frequent compromise assessment
We provide our ASGARD Management Center for that purpose, but you are free to choose your own solution.
You might want to include as many systems in that sweep as possible. It isn’t uncommon for adversaries to use the oldest print server or an embedded device to store their toolsets. A good system inventory is the basis for a successful triage.
The results of an environment sweep are sent via SYSLOG to a central log management solution or SIEM. You can also scan a group of systems by running THOR from a USB drive and merging the results with your syslog data later.
We provide a free Splunk App and Add-on for the analysis of the log data. Our own product, the ASGARD Analysis Cockpit, provides special baselining and case management features for SOC teams.
Appropriate license types: Enterprise License, Incident Response License Pack, Compromise Assessment License Pack
Single System Live Forensics
This use case describes the analysis of a single system. SOC teams in particular benefit from this use case, as it allows them to improve their assessments significantly.
Many playbooks include a process step in which an analyst has to decide whether a system is compromised or the alert is a false positive. A THOR scan provides plenty of information that helps analysts evaluate the actual status of the suspicious system.
The logs can be transmitted to a log management system or SIEM. You can also write an HTML report or text log to a writable network share.
Remember: THOR can be run from a read-only network share. Just open a command line on the suspicious system as administrator and type “\\system\share\thor.exe”. You don’t have to copy the scanner to the system.
Appropriate license types: SOC Toolkit License Pack, Enterprise License
Image Scan Forensic Lab
This use case describes typical forensic lab tasks. With THOR you can:
- Mount a forensic disk image and scan the file system (recommended)
- Run a so-called “deepdive” over any memory image file, scanning it in 3 MB overlapping chunks and applying our YARA rules as well as your custom ones (note: many of our YARA rules are performance-optimized and won’t match on memory blocks)
THOR uses only a single CPU core, but you can run multiple instances of THOR on a single forensic workstation.
In past engagements we were able to significantly reduce the time that forensic analysts spent on disk images of compromised machines.
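As an added illustration of the chunked memory scan described above (example code, not THOR’s own implementation): the window iterator below walks an image in overlapping chunks, so a pattern that straddles a chunk boundary is still caught, and hits that fall inside the shared overlap are reported only once. A plain byte-pattern search stands in for the YARA engine, and the overlap size is an assumption (the page only states the 3 MB chunk size).

```python
import io

CHUNK_SIZE = 3 * 1024 * 1024  # 3 MB windows, as the page describes for the deepdive
OVERLAP = 64 * 1024           # assumption: must be at least (longest pattern length - 1) bytes

def iter_chunks(fh, chunk_size: int = CHUNK_SIZE, overlap: int = OVERLAP):
    """Yield (absolute_offset, data) windows; each starts `overlap` bytes before the previous one ended."""
    if not 0 <= overlap < chunk_size:
        raise ValueError("overlap must be non-negative and smaller than chunk_size")
    offset = 0
    while True:
        fh.seek(offset)
        data = fh.read(chunk_size)
        if not data:
            return
        yield offset, data
        if len(data) < chunk_size:  # short read: end of image reached
            return
        offset += chunk_size - overlap

def find_all(data: bytes, pattern: bytes) -> list[int]:
    """Stand-in for the YARA matcher: every (possibly overlapping) offset of a byte pattern."""
    hits, pos = [], data.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pattern, pos + 1)
    return hits

def deepdive(fh, patterns: dict[str, bytes], chunk_size: int = CHUNK_SIZE,
             overlap: int = OVERLAP) -> dict[str, list[int]]:
    """Scan each window against each pattern. A hit inside the shared overlap is seen from
    two windows; collapsing by absolute offset reports each occurrence exactly once."""
    seen: dict[str, set[int]] = {name: set() for name in patterns}
    for base, data in iter_chunks(fh, chunk_size, overlap):
        for name, pat in patterns.items():
            for rel in find_all(data, pat):
                seen[name].add(base + rel)
    return {name: sorted(offs) for name, offs in seen.items()}

def sample_image() -> io.BytesIO:
    """Constructed 64-byte 'memory image': one marker straddles offset 32, another sits at 48."""
    img = bytearray(64)
    img[30:38] = b"MARKER01"
    img[48:56] = b"MARKER01"
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    # 8-byte overlap: both hits once each ([30, 48]); no overlap: the hit straddling offset 32 is missed ([48])
    print(deepdive(sample_image(), {"marker": b"MARKER01"}, chunk_size=32, overlap=8))
    print(deepdive(sample_image(), {"marker": b"MARKER01"}, chunk_size=32, overlap=0))
```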
Appropriate license types: Forensic Lab License Pack, Forensic Engagement License Pack
Drop Zone Mode
The drop zone mode is a rather new feature that allows you to monitor a given folder for new files. All files dropped into that folder will be scanned and then deleted. Customers use the text and syslog output to report back findings.
The drop zone mode helps you integrate THOR into a larger analysis environment. We recommend dropping the files in their original form, with the correct filename and extension.
Appropriate license types: Forensic Lab License Pack