APT Scanner THOR (EN)

APT Scan THOR

Our APT Scanner THOR is the only flexible tool on the market that is able to evaluate the full extent of security incidents within your corporate networks in order to treat them appropriately.

In contrast to common antivirus solutions, THOR focuses on the detection of attacker activity. While well-known antivirus solutions are configured to detect malware like trojans, worms and some types of exploit code, THOR performs a deep system analysis using more than 20 modules to reveal hidden attacker activity in log files, typical attacker tools, anomalies within the user accounts, sessions, error reports, dump files, network connections and many other check items.

Detect Hackers and Hacker Activity

What is THOR?

In contrast to other incident response solutions, THOR needs no installation as an agent, can be configured to use only a small amount of system resources and works fully compliant with German data privacy regulations (German Data Protection Act, European privacy policy).

The basic features of THOR

  • Scans for hacking tools and adversary activities (triage tool)
  • Portable – no installation needed
  • No special requirements (no runtime environment or .NET Framework needed)
  • Adjustable to react to adversaries' tactics, techniques and procedures
  • Several ways to export information
  • Throttling of the scanning process is possible

We frequently update our signature database and heuristic algorithms based on analyses from different sources.

These sources include:

  • Forensic analyses of compromised systems in customer APT cases (mainly German DAX and MDAX companies)
  • Investigation results of public authorities
  • Public malware and APT reports from different sources in the private sector: Mandiant reports (like the APT1 report), Kaspersky Labs reports ("MiniDuke", "Red October"), McAfee reports ("Operation ShadyRAT"), RSA, CrowdStrike ("Shell_Crew"), Trend Micro, etc. Full overview: APT Reports
  • A big collection of hack tools, scanners, password dumpers, web shells and other leaked Chinese underground tool sets

THOR v8 Command Line

From these reports and sources we derive numerous "Indicators of Compromise" (IOCs) based on Yara, hash values, file name characteristics, C2 server addresses and other keywords like certain user names, registry values or service names. With the recently implemented support for STIX (CybOX) and Yara, you can easily integrate your own specific signatures.

THOR supports various ways to report findings. You may define an output log file in ASCII format, an HTML report or an export via Syslog. The Syslog export function supports UDP, TCP and the CEF format used by the ArcSight SIEM system.

Triage Tool THOR

Triage Scanner THOR Overview

We also published a free IOC scanner called LOKI that offers a tiny but relevant subset of THOR’s features. This table gives an overview of the various modules and their availability in the different scanners.

Feature – description – availability in LOKI / THOR:

  • Custom File Hashes – Detect malware or hack tools based on custom file hashes (MD5/SHA1/SHA256). LOKI: included, THOR: included
  • Custom Filename Characteristics – Detect malware or hack tools based on filename characteristics (regular expressions). LOKI: included, THOR: included
  • Custom Yara Rules – Detect malware or hack tools based on Yara signatures (file and process memory scan). LOKI: included, THOR: included
  • Eventlog Analysis – Detect attacker activity and traces of hack tool usage in the local events written by the Windows event log service. LOKI: included, THOR: included
  • Registry Analysis – Detect typical keys used by APT groups to maintain persistence on the system. LOKI: included, THOR: included
  • Profile Directories Check – Checks identifying irregularities in the user profile directories. LOKI: included, THOR: included
  • SHIM Cache Scan – Detects malicious tools in the SHIM Cache registry section that logs binary executions on Windows systems. LOKI: included, THOR: included
  • Shell Bags Scan – Analysis of logged shell bags that show which locations of the file system have been accessed by users. LOKI: included, THOR: included
  • DNS Cache Analysis – Checking DNS cache entries for suspicious or malicious domain names. LOKI: included, THOR: included
  • Firewall Configuration Check – Checking the local firewall for suspicious rule definitions. LOKI: included, THOR: included
  • Active Sessions Check – Checking the currently active sessions for suspicious attributes, e.g. length of the user sessions, remote end point. LOKI: included, THOR: included
  • Process Analysis – Analysis of the currently running processes for strange hooks/file handles/mutex definitions, network connections, memory strings, working directories, cloaking attempts. LOKI: included, THOR: included
  • Active Network Connections – Analysis of all active network connections; users, process IDs, end points, strange port numbers. LOKI: included, THOR: included
  • Network Share Check – Irregularities in the network share definitions; user names, share names, permissions. LOKI: included, THOR: included
  • Open Files Check – Files opened by processes; locations, user, permissions. LOKI: included, THOR: included
  • LSA Session Analysis – Checking all active LSA sessions for their duration and for typical evil user names known from APT cases. LOKI: included, THOR: included
  • Services Checks – Analysis of all local services to detect uncommon configurations; service executable location, start type and user account combination, malware names in the service image path, etc. LOKI: included, THOR: included
  • Scheduled Tasks Analysis – Checking the scheduled tasks for malicious entries. LOKI: included, THOR: included
  • Run Key Contents Analysis – Intensive check of the RUN key entries to determine uncommon code executed at startup. LOKI: included, THOR: included
  • Startup Element Analysis (WMI) – Analysis of the startup elements listed via WMI. LOKI: included, THOR: included
  • File System Analysis – Analysis of the Master File Table (MFT) and all files on the file system by a specialized scanner that can be equipped with signatures to identify the attacker's tool set, common backdoor modifications, hash or password dump files, cloaked executables and much more. LOKI: included, THOR: included
  • MFT Analysis – Scanning the Master File Table for entries of already deleted files. LOKI: included, THOR: included
  • Alternate Data Streams (ADS) Check – This check tries to find alternate data streams on NTFS volumes in which attackers may hide their tools and stolen data. LOKI: included, THOR: included
  • Hosts File Analysis – The analysis checks the hosts file for malicious and suspicious entries. LOKI: included, THOR: included
  • Windows Error Report (WER) Analysis – This check extracts relevant information from Windows crash reports (Dr. Watson reports) to determine crashes that were caused by exploits targeting known CVE vulnerabilities in browsers, browser plugins and other software. LOKI: included, THOR: included
  • Decompressed EXE Scan – Scans compressed executables in their decompressed form, inflated into memory only. LOKI: included, THOR: included
  • Surface Scan (DeepDive) – Analysis of the disk space to find tools that have already been deleted by the attackers. LOKI: included, THOR: included
  • TXT Export – Plain text log file of all events reported by THOR. LOKI: included, THOR: included
  • HTML Export – Structured HTML report of all events reported by THOR. LOKI: included, THOR: included
  • Syslog Export – Syslog export of the events generated by THOR. This export option is fully flexible: you can define different target ports and multiple target systems, use UDP or TCP and choose between different formats. LOKI: included, THOR: included
  • CEF Message Format – Syslog messages in ArcSight CEF format to receive warnings and alerts in ArcSight SIEM systems. LOKI: included, THOR: included
  • Big Yara Signature Database – THOR includes a huge Yara signature database with more than 2200 rules from different sources. These rules include selected antivirus rules and signatures for hack tools, web shells, networking tools and other software used by attackers on compromised systems (AES256 encrypted). LOKI: included, THOR: included
  • Client APT Signature Database – THOR includes a Yara signature database with more than 240 rules from APT investigations in our client environments (AES256 encrypted). LOKI: included, THOR: included
  • Custom STIX Signatures – Provide your own indicators of compromise via STIX descriptions. The common observables used in STIX will be applied to various check modules. LOKI: included, THOR: included

The "File System Analysis" and the "Eventlog Analysis" in particular are time-consuming processes with a lot of intensive checks.

Scoring System

During the "File System Analysis" every file passes numerous stages in which it receives certain scores according to the check results. THOR checks for certain file name characteristics, the file size, the PE header, the extension and the actual file type based on magic header signatures, and even decompresses the most common EXE compressor formats like UPX and ASPack. The results of more than 20 checks lead to a total score which is the basis for the different event levels: Notice, Warning and Alert.

We were able to detect previously unknown malware due to this heuristic and characteristics-based evaluation.
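The following is an added, illustrative re-implementation of such a characteristics-based scoring pass, not THOR's own code: a file is run through several independent checks (file name pattern, PE header versus extension, size, packer marker), each hit adds points, and the total is mapped to the event levels the page names. The numeric thresholds, weights and file name patterns are assumptions made for this example.

```python
import re
import struct

# Levels are the page's; numeric cut-offs and check weights are assumptions for this example.
THRESHOLDS = (("Alert", 80), ("Warning", 60), ("Notice", 40))
EXEC_EXTENSIONS = {"exe", "dll", "sys", "scr", "cpl"}
# Constructed file name characteristics (regex, points, reason); not THOR's signatures.
NAME_PATTERNS = [
    (re.compile(r"\.(txt|jpg|pdf|tmp)\.exe$", re.I), 40, "double extension"),
    (re.compile(r"^[a-z0-9]{1,2}\.exe$", re.I), 25, "very short executable name"),
]


def is_pe(data: bytes) -> bool:
    """True if the bytes carry an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def score_file(name: str, data: bytes):
    """Pass the file through each check; every hit adds to the total score."""
    score, reasons = 0, []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    for pattern, points, why in NAME_PATTERNS:
        if pattern.search(name):
            score += points
            reasons.append(why)
    pe = is_pe(data)
    if pe and ext not in EXEC_EXTENSIONS:   # cloaked executable: magic header vs. extension
        score += 50
        reasons.append(f"PE image with non-executable extension .{ext}")
    if pe and len(data) < 4096:             # tiny PE images are rare in legitimate software
        score += 10
        reasons.append("unusually small PE")
    if pe and b"UPX!" in data:              # packer marker; THOR would unpack, we only flag it
        score += 20
        reasons.append("UPX packer marker")
    return score, reasons


def level_for(score: int) -> str:           # map the total score to the reported event level
    for name, threshold in THRESHOLDS:
        if score >= threshold:
            return name
    return "Information"


def make_pe(tail: bytes = b"") -> bytes:    # constructed minimal PE-like blob: MZ stub, e_lfanew = 0x40
    header = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + tail
```

With these weights, a small UPX-marked PE image named `update.dat` scores 80 (Alert), while `invoice.pdf.exe` with a clean PE header scores 50 (Notice); no single check decides the outcome.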

The following picture shows some examples with a reduced set of checks to illustrate the evaluation process.

Characteristics-based Scoring System Examples

Reporting

The reporting functions in particular are built on practical experience and are designed to meet the requirements of today's security monitoring infrastructure.

The following outputs are generated by THOR and can be configured individually via command line parameters:

  • Coloured command line output gives a quick impression of the severity of the findings (red=Alert, yellow=Warning, blue=Notice, green=Information, violet=Error, grey=Debug).
  • Text Log: The format of the text log is derived from the standard Syslog format, which can be searched very easily via grep and facilitates integrating the text logs with the logs sent via Syslog in a SIEM system of your choice.
  • HTML Report: The HTML report provides a quick overview in the header section, alerts and warnings in a special top section and all other events in chronological order below (recommended output for the analysis of 20 or fewer systems).
  • Syslog Output: Sending the events in Syslog format via UDP or TCP to any port on multiple target systems (ArcSight's CEF format is also supported).

The following pictures show the different output formats.

THOR Command Line Output

THOR Scanner Text Log Output

THOR Scanner HTML Report

THOR Splunk App

IOC Sharing

Indicators of Compromise (IOCs) which have been derived from forensic analyses in customer APT cases are integrated in an anonymized and encrypted form. The Enterprise License includes all these signatures, creating an extraordinary benefit for all participating customers. If you decide to share some of your own IOCs with others, you receive an attractive discount on the license price.

Custom Indicators via Yara and STIX

THOR uses Yara as its main signature format. The way in which THOR integrates Yara is fully compatible with normal Yara signatures, although THOR extends the standard matching in order to allow certain additional checks.

You are able to extend the integrated database with your own rules matching samples that are confidential. You can add them to the signature database simply by placing these rules in the standard signature folder. The documentation gives you guidance in cases in which you want to utilize the special extensions.

The STIX support is currently based on the defined "Observables" in the form of file names, hashes, C2 server IP addresses or domain names. THOR includes these indicators of compromise by placing the STIX files in the "stix" subfolder.

THOR Yara APT Signatures

MFT Analysis

THOR integrates a module for the analysis of the Master File Table of the scanned NTFS partitions. This analysis enables the detection of recently deleted hack tools via their traces in the MFT.

MFT Scan Malware

"Deep Dive" – Surface Scan

A module called "Deep Dive" performs raw data stream analysis of objects like memory dumps, page files (if accessible, e.g. on a mounted volume) and whole partitions. "Deep Dive" reads the input stream in overlapping 3 MB chunks and applies the whole Yara signature database to these chunks. This way THOR is able to detect even deleted attacker tools in the free space of the hard drive.
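The chunked surface scan described above, as an added example that is not THOR's code: the stream is read in 3 MB chunks, each window carries the tail of the previous one, and every signature is applied to every window. The overlap is what keeps a hit that straddles a chunk boundary from being missed; the demo below plants a constructed marker across a boundary and shows that a scan without overlap loses it. The overlap size, the stand-in byte-pattern "signature" (in place of a real Yara rule set) and the sample image are assumptions.

```python
import io

CHUNK = 3 * 1024 * 1024   # 3 MB chunk size as stated on the page
OVERLAP = 64 * 1024       # assumed overlap; must be at least the longest signature length

# Stand-in for the Yara signature database: a constructed byte pattern, not a THOR rule.
SIGNATURES = {"demo_tool_marker": b"CONSTRUCTED-TOOL-MARKER-0001"}


def iter_windows(stream, chunk=CHUNK, overlap=OVERLAP):
    """Yield (absolute_offset, bytes) windows from a raw stream (image, dump, page file).
    Each window starts with the last `overlap` bytes of the previous one, so a hit that
    straddles a chunk boundary is seen whole in at least one window."""
    offset, carry = 0, b""
    while True:
        data = stream.read(chunk)
        if not data:
            return
        window = carry + data
        yield offset - len(carry), window
        carry = window[-overlap:] if overlap else b""
        offset += len(data)


def scan_stream(stream, signatures=SIGNATURES, chunk=CHUNK, overlap=OVERLAP):
    """Apply every signature to every window; return sorted unique (name, offset) hits.
    Offsets are absolute in the stream, so a hit inside the overlap is reported once."""
    hits = set()
    for start, window in iter_windows(stream, chunk, overlap):
        for name, pattern in signatures.items():
            pos = window.find(pattern)
            while pos != -1:
                hits.add((name, start + pos))
                pos = window.find(pattern, pos + 1)
    return sorted(hits)


def scan_bytes(data: bytes, **kwargs):
    """Convenience wrapper: scan an in-memory image as if it were a raw stream."""
    return scan_stream(io.BytesIO(data), **kwargs)


def build_demo_image() -> bytes:
    """Constructed 8 KiB 'free space' image: zeros with the marker planted at offset 1000
    (straddling the 1024-byte chunk boundary used in the demo) and at offset 5000."""
    img = bytearray(8192)
    marker = SIGNATURES["demo_tool_marker"]
    for off in (1000, 5000):
        img[off:off + len(marker)] = marker
    return bytes(img)


if __name__ == "__main__":
    # Small chunks make the boundary effect visible; overlap 0 misses the straddling hit.
    print(scan_bytes(build_demo_image(), chunk=1024, overlap=64))
    print(scan_bytes(build_demo_image(), chunk=1024, overlap=0))
```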

THOR "Deep Dive" Hard Disk Surface Scan

Deep Dive is also capable of restoring malware files from the analysed chunks into a given directory (e.g. a network share).

Malware Restored from Free Space

Workshop and Trial

We recommend a one-day workshop to explain the different modes of operation. We demonstrate how attackers work and show how THOR is able to detect this activity, explain all the command line options and cover the most common use cases. We discuss ways in which THOR could be deployed in your environment and how to collect and analyse the log data in an appropriate way.

The workshop includes a 21-day trial license, which enables you to get a quick impression of your network and identify hidden threats.

The price for the one-day workshop is 4,500 EUR.

Blog Content

We published numerous posts on our Blog about THOR and its new features. You can find all the THOR related posts here.

Development

THOR is a joint product of a development partnership between BSK Consulting GmbH and HvS Consulting AG and is completely "Made in Germany". The source code is retained on encrypted storage in our data center near Munich, Germany. Developers access the servers via VPN and authenticate themselves with two-factor authentication.

Contact

Get certainty about the integrity of your systems and contact us today.

The contact form can be found here.

Our APT Scanner THOR on the website of HvS Consulting.