Use Cases

THOR is a very flexible tool that can be used in many different ways. The following sections will explain the most frequent use cases.

Environment Triage Sweep

The most common use case is the network-wide triage sweep. In practice you’ll receive “Indicators of Compromise” from a threat report or forensic analysis and would like to check all systems in your network for these indicators. (we explained in a previous blog post, why our IOC scanning is different and much more intense than that of other solutions)

The environment sweep can be scheduled with your system management software (e.g. SCCM), via Scheduled Tasks deployed via GPO or any other remote administration software that allows the execution of a program of a remote host.

The most frequent reasons for an environment sweep are:

  • Compromised systems > evaluate the extent of the breach
  • Threat report > scan the local network for indicators mentioned in a report
  • Preventive scanning > as a frequent compromise assessment

We provide our ASGARD Management Center for that purpose, but you are free to choose your own solution.

The results of an environment sweep are sent via SYSLOG to a central log management solution or SIEM. You can also scan a system group by putting THOR on a USB drive and merge the results with your syslog data later.

We provide a free Splunk App and Add-on for the analysis of the log data. Our own product named ASGARD Analysis Cockpit provides special base-lining features and case management features for SOC teams.

Purpose Complete Overview
Features
  • Scheduled Run
  • All Systems
  • Syslog to SIEM

Single System Live Forensics

This use case describes the analysis of a single system. Especially SOC teams benefit from this use case as it allows them to improve their assessment significantly.

Many playbooks include a process step in which an analyst has to decide between a system compromise or a false positive. A THOR scan provides plenty of information that help analysts to evaluate the actual status of the suspicious system.

The logs can be transmitted to a log management system or SIEM. You can also write an HTML report or text log to a writable network share.

Remember: THOR can be run from a read-only network share or with the help of THOR Cloud.

Purpose Intense System Analysis
Features
  • Manual Scan Run
  • Single suspiciously behaving system
  • HTML Report, Text Log

Image Scan Forensic Lab

This use case describes typical forensic lab tasks. With THOR you can:

  • Mount a forensic disk image and scan the file system (recommended)
  • Run a so called “deepdive” over any memory image file scanning it in 3MB overlapping chunks of data applying our and your custom YARA rules (Note: many of our YARA rules are performance optimized and won’t match on memory blocks)

THOR uses only a single CPU core but you can run multiple instances of THOR on a single forensic workstation.

In past engagements we were able to reduce the time that forensic analysts spent on disk images of compromised machines significantly.

Purpose Lab Analysis
Features
  • Scan mounted forensic images
  • No live data
  • HTML Report, Text Log

Sample Drop Zone Mode

The drop zone mode is a rather new feature that allows you to monitor a given folder for new files. All files dropped to that folder will be scanned and then deleted. Customers use the text and syslog output to report back findings.

The drop zone mode helps you to integrate THOR in a bigger analysis environment. We recommend dropping the files in their original form with the correct filename and extension.

Purpose Lab Integration
Features
  • Scan samples dropped into a certain folder
  • Syslog, Text Log, JSON Output

Remote Scan

Imagine that you’re in a firefighting scenario – a breach has been confirmed and management wants to have quick results on the extent of the compromise.

The new remote scanning feature called “THOR Remote” allows you to perform triage scans on hundreds of remote systems from a single admin workstation. You can think of it as an integrated PsExec. No scripting, no agents, no hustle.

Benefits

  • No agent
  • No scripting
  • Painless scans of many remote systems

Requirements

  • Available on Windows only
  • Accessible remote ports (135/tcp, 445/tcp)
  • Account with local admin rights

All you need is an admin user with the required privileges and open Windows ports (135/tcp, 445/tcp) on the remote systems.

THOR will then switch into a new mode of operation and present a command line interface showing scan information and a scrollable pane for each log file.

THOR writes the log files to a local folder on the admin workstation or sends them via SYSLOG to your SIEM system.

Purpose Fast Incident Response
Features
  • Scan Windows Remote Systems
  • Run from Admin Workstation
  • HTML Reports, Text Logs from multiple endpoints