THOR is a very flexible tool that can be used in many different ways. The following sections will explain the most frequent use cases.
Environment Triage Sweep
The most common use case is the network-wide triage sweep. In practice you’ll receive “Indicators of Compromise” from a threat report or forensic analysis and would like to check all systems in your network for these indicators. (we explained in a previous blog post, why our IOC scanning is different and much more intense than that of other solutions)
The environment sweep can be scheduled with your system management software (e.g. SCCM), via Scheduled Tasks deployed via GPO or any other remote administration software that allows the execution of a program of a remote host.
The most frequent reasons for an environment sweep are:
- Compromised systems > evaluate the extent of the breach
- Threat report > scan the local network for indicators mentioned in a report
- Preventive scanning > as a frequent compromise assessment
We provide our ASGARD Management Center for that purpose, but you are free to choose your own solution.
The results of an environment sweep are sent via SYSLOG to a central log management solution or SIEM. You can also scan a system group by putting THOR on a USB drive and merge the results with your syslog data later.
We provide a free Splunk App and Add-on for the analysis of the log data. Our own product named ASGARD Analysis Cockpit provides special base-lining features and case management features for SOC teams.
|Purpose||Intense System Analysis|
Single System Live Forensics
This use case describes the analysis of a single system. Especially SOC teams benefit from this use case as it allows them to improve their assessment significantly.
Many playbooks include a process step in which an analyst has to decide between a system compromise or a false positive. A THOR scan provides plenty of information that help analysts to evaluate the actual status of the suspicious system.
The logs can be transmitted to a log management system or SIEM. You can also write an HTML report or text log to a writable network share.
Remember: THOR can be run from a read-only network share or with the help of THOR Cloud.
Image Scan Forensic Lab
This use case describes typical forensic lab tasks. With THOR you can:
- Mount a forensic disk image and scan the file system (recommended)
- Run a so called “deepdive” over any memory image file scanning it in 3MB overlapping chunks of data applying our and your custom YARA rules (Note: many of our YARA rules are performance optimized and won’t match on memory blocks)
THOR uses only a single CPU core but you can run multiple instances of THOR on a single forensic workstation.
In past engagements we were able to reduce the time that forensic analysts spent on disk images of compromised machines significantly.
Sample Drop Zone Mode
The drop zone mode is a rather new feature that allows you to monitor a given folder for new files. All files dropped to that folder will be scanned and then deleted. Customers use the text and syslog output to report back findings.
The drop zone mode helps you to integrate THOR in a bigger analysis environment. We recommend dropping the files in their original form with the correct filename and extension.
|Purpose||Fast Incident Response|
Imagine that you’re in a firefighting scenario – a breach has been confirmed and management wants to have quick results on the extent of the compromise.
The new remote scanning feature called “THOR Remote” allows you to perform triage scans on hundreds of remote systems from a single admin workstation. You can think of it as an integrated PsExec. No scripting, no agents, no hustle.
- No agent
- No scripting
- Painless scans of many remote systems
- Available on Windows only
- Accessible remote ports (135/tcp, 445/tcp)
- Account with local admin rights
All you need is an admin user with the required privileges and open Windows ports (135/tcp, 445/tcp) on the remote systems.
THOR will then switch into a new mode of operation and present a command line interface showing scan information and a scrollable pane for each log file.
THOR writes the log files to a local folder on the admin workstation or sends them via SYSLOG to your SIEM system.