Our APT Scanner THOR is the only flexible tool on the market that is able to evaluate the full extent of security incidents within your corporate networks in order to treat them appropriately.
In contrast to common antivirus solutions, THOR focuses on the detection of attacker activity. While well-known antivirus solutions are configured to detect malware such as trojans, worms and some types of exploit code, THOR performs a deep system analysis using more than 20 modules to reveal hidden attacker activity in log files, typical attacker tools, anomalies in user accounts, sessions, error reports, dump files, network connections and many other check items.
The basic features of THOR
- Scans for hacking tools and adversary activities (Triage Tool)
- Portable – no installation needed
- No special requirements (no runtime environment or .NET Framework needed)
- Adjustable to react to adversaries' tactics, techniques and procedures
- Several ways to export information
- Throttling of the scanning process possible
We frequently update our signature database and heuristic algorithms based on analyses from different sources.
These sources include:
- Forensic analyses of compromised systems in customer APT cases (mainly German DAX and MDAX companies)
- Investigation results of public authorities
- Public malware and APT reports from different sources in the private sector: Mandiant reports (like the APT1 report), Kaspersky Labs reports ("MiniDuke", "Red October"), McAfee reports ("Operation ShadyRAT"), RSA, CrowdStrike ("Shell_Crew"), Trendmicro etc. Full overview: APT Reports
- A big collection of hack tools, scanners, password dumpers, web shells and other leaked Chinese underground tool sets
From these reports and sources we derive numerous "Indicators of Compromise" (IOCs) based on Yara, hash values, file name characteristics, C2 servers and other keywords such as certain user names, registry values or service names. With the recently implemented support for STIX (CybOX) and Yara you can easily integrate your own specific signatures.
THOR supports various ways to report findings. You may define an output log file in ASCII format, an HTML report or an export via Syslog. The Syslog export function supports UDP, TCP and the CEF format used by the ArcSight SIEM system.
We also published a free IOC scanner called LOKI that offers a tiny but relevant subset of THOR’s features. This table gives an overview of the various modules and their availability in the different scanners.
| Module | Description |
|---|---|
| Custom File Hashes | Detect malware or hack tools based on custom file hashes (MD5/SHA1/SHA256) |
| Custom Filename Characteristics | Detect malware or hack tools based on filename characteristics (regular expressions) |
| Custom Yara Rules | Detect malware or hack tools based on Yara signatures (file and process memory scan) |
| Eventlog Analysis | Detect attacker activity and traces of hack tool usage in Windows Eventlogs (including SysInternals Sysmon, Windows Defender, AppLocker, PowerShell and others) |
| Registry Analysis | Detect typical keys used by APT groups to maintain persistence on the system |
| Autoruns Analysis | Processes all autoruns elements, plugins, registered drivers, WMI consumers and LSA providers and applies the IOC database |
| WMI Persistence | Parses OBJECTS.DATA files, lists registered elements and warns on suspicious ones |
| Profile Directories Check | Checks for irregularities in the user profile directories |
| SHIM Cache Scan | Detects malicious tools in the SHIM Cache registry section that logs binary executions on Windows systems |
| Shell Bags Scan | Analysis of logged shell bags that show which locations of the file system have been accessed by users |
| DNS Cache Analysis | Checks DNS cache entries for suspicious or malicious domain names |
| Firewall Configuration Check | Checks the local firewall for suspicious rule definitions |
| Active Sessions Check | Checks the currently active sessions for suspicious attributes, e.g. length of the user session, remote end point |
| Process Analysis | Analysis of the currently running processes for strange hooks/file handles/mutex definitions, network connections, memory strings, working directories and cloaking attempts |
| Rootkit Check | A few checks for rootkits that use named pipes or communicate via device I/O controls |
| Active Network Connections | Analysis of all active network connections: users, process IDs, end points, strange port numbers |
| Network Share Check | Irregularities in the network share definitions: user names, share names, permissions |
| Open Files Check | Files opened by processes: locations, user, permissions |
| LSA Session Analysis | Checks all active LSA sessions for duration or for known and typical evil user names from known APT cases |
| Services Check | Analysis of all local services to detect uncommon configurations: service executable location, start type and user account combination, malware names in the service image path etc. |
| Scheduled Tasks Analysis | Checks the scheduled tasks for malicious entries |
| Run Key Contents Analysis | Intensive check of the RUN key entries to determine uncommon code executed at startup |
| Startup Element Analysis (WMI) | Analysis of the startup elements listed via WMI |
| File System Analysis | Analysis of the file system with signatures to identify attackers' tool sets, common backdoor modifications, hash or password dump files, cloaked executables and much more |
| MFT Analysis | Scans the Master File Table for entries of already deleted files |
| Mutex Check | Detects mutexes of malicious programs like RATs or other malware |
| Pipes Check | Detects malicious named pipes often used by APT group malware |
| At Jobs Check | Detects suspicious at job list entries |
| Hosts File Analysis | Checks the hosts file for malicious and suspicious entries |
| Windows Error Report (WER) Analysis | Extracts relevant information from Windows crash reports (Dr. Watson reports) to determine crashes that were caused by exploits targeting known CVE vulnerabilities in browsers, browser plugins and other software |
| Vulnerability Check | A basic vulnerability check on the most common vulnerabilities that allow for lateral movement (Tomcat misconfiguration, HP Data Protector, missing patches) |
| System File Integrity Check | Checks the integrity of the most common system files using YARA rules |
| Decompressed EXE Scan | Scans compressed executables in their decompressed form, unpacked into memory only |
| Surface Scan (DeepDive) | Analysis of the disk space to find tools that have already been deleted by the attackers |
| TXT Export | Plain text log file of all events reported by THOR |
| HTML Export | Structured HTML report of all events reported by THOR |
| Syslog Export | Syslog export of the events generated by THOR. This export option is fully flexible: you can define different target ports and multiple target systems, use UDP or TCP and choose between different formats |
| CEF Message Format | Sends Syslog messages in ArcSight CEF format to receive warnings and alerts in ArcSight SIEM systems |
| Big Yara Signature Database | THOR includes a huge Yara signature database with more than 2200 rules from different sources. These rules include selected antivirus rules and signatures for hack tools, web shells, networking tools and other software used by attackers on compromised systems (AES256 encrypted) |
| Client APT Signature Database | THOR includes a Yara signature database with more than 240 rules from APT investigations in our client environments (AES256 encrypted) |
| Custom STIX Signatures | Provide your own indicators of compromise via STIX descriptions. The common observables used in STIX are applied to various check modules |
| Drop Zone Mode | Define a folder in which to look for new samples and scan (and optionally delete) dropped samples |
The "File System Analysis" and the "Eventlog Analysis" in particular are time-consuming processes with a lot of intensive checks.
During the "File System Analysis" every file passes numerous stages in which it receives certain scores according to the check results. THOR checks for certain file name characteristics, the file size, the PE header, the extension and the actual file type based on magic header signatures, and even decompresses the most common EXE compressor formats like UPX and ASPack. The results of more than 20 checks lead to a total score which is the basis for the different event levels: Notice, Warning and Alert.
We were able to detect previously unknown malware thanks to this heuristic and characteristics-based evaluation.
The following picture shows some examples with a reduced set of checks to illustrate the evaluation process.
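The scoring pipeline described above, written out as an added illustration that is not THOR's code: each check is a small function that returns a score and a reason, the scores are summed, and the total is mapped to Notice/Warning/Alert. The check set, the point values, the level thresholds (40/60/100) and the sample files are all assumptions constructed for this example; THOR's real checks and thresholds are not on this page.

```python
import re
from dataclasses import dataclass

# Event levels and the score each one starts at. The thresholds are
# assumptions made for this example; THOR's real values are not on the page.
LEVELS = (("Alert", 100), ("Warning", 60), ("Notice", 40))

# Extensions under which a PE header ("MZ") is expected.
PE_EXTENSIONS = {"exe", "dll", "sys", "scr", "cpl", "ocx", "drv"}

# Constructed filename characteristics standing in for a signature set.
FILENAME_PATTERNS = (
    (r"(?i)mimikatz|procdump|pwdump", 70, "file name of a known attacker tool"),
    (r"(?i)^svch0st\.exe$", 80, "look-alike of a system binary name"),
)


@dataclass
class FileInfo:
    path: str
    size: int
    head: bytes  # first bytes of the file: magic header and PE stub

    @property
    def name(self) -> str:
        return self.path.replace("\\", "/").rsplit("/", 1)[-1]

    @property
    def extension(self) -> str:
        return self.name.rsplit(".", 1)[-1].lower() if "." in self.name else ""

    @property
    def is_pe(self) -> bool:
        return self.head.startswith(b"MZ")


def check_filename(f):
    for pattern, score, reason in FILENAME_PATTERNS:
        if re.search(pattern, f.name):
            return score, reason
    return None


def check_type_mismatch(f):
    # A PE header behind a non-executable extension is a classic cloaking attempt.
    if f.is_pe and f.extension not in PE_EXTENSIONS:
        return 60, f"PE file with .{f.extension or '<none>'} extension"
    return None


def check_packer(f):
    # Packer markers in the header stand in for the decompression stage.
    if b"UPX!" in f.head or b".aspack" in f.head.lower():
        return 30, "packed executable (UPX/ASPack)"
    return None


def check_location(f):
    if f.is_pe and re.search(r"(?i)[\\/](temp|tmp|\$recycle\.bin)[\\/]", f.path):
        return 20, "executable in a temporary location"
    return None


def check_size(f):
    if f.is_pe and f.size < 20_000:
        return 10, "very small executable"
    return None


CHECKS = (check_filename, check_type_mismatch, check_packer, check_location, check_size)


def level_for(score: int) -> str:
    for name, threshold in LEVELS:
        if score >= threshold:
            return name
    return "Info"


def score_file(f: FileInfo):
    """Run every check, sum the scores and map the total to an event level."""
    total, reasons = 0, []
    for check in CHECKS:
        hit = check(f)
        if hit:
            total += hit[0]
            reasons.append(hit[1])
    return total, level_for(total), reasons


# Constructed sample files (not real artifacts).
SAMPLES = [
    FileInfo(r"C:\Windows\Temp\svch0st.exe", 12_288, b"MZ\x90\x00" + b"\x00" * 60 + b"UPX!"),
    FileInfo(r"C:\Users\bob\Pictures\holiday.jpg", 512_000, b"MZ\x90\x00\x03\x00\x00\x00"),
    FileInfo(r"C:\Users\bob\Downloads\report.pdf", 80_000, b"%PDF-1.7\n"),
]


def scan_samples():
    return {f.path: score_file(f) for f in SAMPLES}


if __name__ == "__main__":
    for path, (total, level, reasons) in scan_samples().items():
        print(f"{level:8} {total:4}  {path}  {'; '.join(reasons) or '-'}")
```

The point of summing rather than short-circuiting is that no single check has to be conclusive: the packed, undersized look-alike in a temp directory reaches Alert only through the combination, while the JPEG that carries a PE header trips one strong check and lands at Warning for an analyst to look at.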
The reporting functions in particular are built on practical experience and are designed to meet the requirements of today's security monitoring infrastructure.
The following outputs are generated by THOR and can be configured individually via command line parameters:
- Coloured command line output gives a quick impression of the severity of the findings (red = Alert, yellow = Warning, blue = Notice, green = Information, violet = Error, grey = Debug)
- Text Log: The format of the Text log is derived from the standard Syslog format, which can be searched via grep very easily and facilitates the process of integrating the Text logs with the logs sent via Syslog in a SIEM system of your choice.
- HTML Report: The HTML report provides a quick overview in the header section, alerts and warnings in a special top section and all other events in chronological order below. (recommended output for the analysis of 20 or fewer systems)
- Syslog Output: Sending the events in the Syslog format via UDP or TCP to any port on multiple target systems (ArcSight’s CEF Format is also supported)
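How a finding ends up as a CEF line inside a Syslog frame, as an added example that is not THOR's own export code. The CEF header layout (`CEF:0|Vendor|Product|Version|EventClassID|Name|Severity|extension`) and its escaping rules are the published format; the vendor/product strings, the event class ID, the mapping of THOR's levels to CEF and Syslog severities, and the sample finding are assumptions constructed for this example.

```python
import socket
from datetime import datetime

# Assumed mapping of the event levels to CEF severity (0-10) and to syslog
# severity numbers; these are choices for this example, not THOR's values.
CEF_SEVERITY = {"Alert": 9, "Warning": 6, "Notice": 3, "Information": 1, "Error": 5, "Debug": 0}
SYSLOG_SEVERITY = {"Alert": 2, "Warning": 4, "Notice": 5, "Information": 6, "Error": 3, "Debug": 7}
FACILITY_LOCAL0 = 16


def _esc_header(value) -> str:
    # Header fields: backslash and pipe must be escaped.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_extension(value) -> str:
    # Extension values: backslash, equals sign and line breaks must be escaped.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def build_cef(level, event_id, name, fields, vendor="ExampleVendor",
              product="ExampleScanner", version="1.0") -> str:
    """CEF:0|Vendor|Product|Version|EventClassID|Name|Severity|key=value ..."""
    header = "|".join(_esc_header(v) for v in
                      (vendor, product, version, event_id, name, CEF_SEVERITY[level]))
    extension = " ".join(f"{k}={_esc_extension(v)}" for k, v in fields.items())
    return f"CEF:0|{header}|{extension}"


def syslog_frame(level, hostname, message, now=None) -> str:
    """Wrap a message in a BSD-style (RFC 3164) syslog line with PRI and timestamp."""
    now = now or datetime.now()
    pri = FACILITY_LOCAL0 * 8 + SYSLOG_SEVERITY[level]
    return f"<{pri}>{now:%b} {now.day:2d} {now:%H:%M:%S} {hostname} {message}"


def send_udp(line: str, host: str, port: int = 514) -> None:
    """Ship one frame over UDP (a TCP sender would use a stream socket and newline framing)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (host, port))


def example_event() -> str:
    # Constructed finding, not real scanner output. The Windows path and the
    # "score=140" text exercise the backslash and equals-sign escaping.
    return build_cef("Alert", "FileScan", "Suspicious file found", {
        "fname": r"C:\Windows\Temp\svch0st.exe",
        "msg": "score=140 reasons: look-alike name; packed",
    })


if __name__ == "__main__":
    frame = syslog_frame("Alert", "ws-042", example_event())
    print(frame)
    # send_udp(frame, "siem.example.internal")  # uncomment to send to a collector
```

The escaping is where home-grown exporters usually break: an unescaped backslash in a Windows path or a `=` inside a message value silently shifts the key/value parsing on the SIEM side, so the alert arrives but with the wrong fields populated.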
The following pictures show the different output formats.
Indicators of Compromise (IOCs) derived from forensic analyses in customer APT cases are integrated in an anonymized and encrypted form. The Enterprise License includes all these signatures, creating an extraordinary benefit for all participating customers. If you decide to share some of your own IOCs with others, you receive an attractive discount on the license price.
Custom Indicators via Yara and STIX
THOR uses Yara as its main signature format. The way THOR integrates Yara is fully compatible with normal Yara signatures, although THOR extends the standard matching in order to allow certain additional checks.
You are able to extend the integrated database with your own rules matching samples that are confidential. You can add them to the signature database simply by placing these rules in the standard signature folder. The documentation gives you guidance in cases in which you want to utilize the special extensions.
The STIX support is currently based on the defined "Observables" in the form of file names, hashes, C2 server IP addresses or domain names. THOR includes these indicators of compromise when the STIX files are placed in the "stix" subfolder.
THOR integrates a module for the analysis of the Master File Table of the scanned NTFS partitions. This analysis provides the detection of recently deleted hack tools via their traces in the MFT.
"Deep Dive" – Surface Scan
A module called "Deep Dive" performs raw data stream analysis of objects like memory dumps, page files (if accessible, e.g. on a mounted volume) and whole partitions. "Deep Dive" reads the input stream in overlapping 3 MB chunks and applies the whole Yara signature database to these chunks. This way THOR is able to detect even deleted attacker tools in the free space of the hard drive.
Deep Dive is also capable of restoring malware files from the analysed chunks into a given directory (e.g. a network share).
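The chunked scan described above, as an added example that is not Deep Dive's code: a raw stream is read in chunks, the tail of each chunk is carried over into the next so that a pattern straddling a chunk boundary is still seen whole, matches are keyed by absolute offset so the overlap does not produce duplicates, and a carve step copies bytes out at a hit offset (the restore step). Plain byte-string signatures stand in for the Yara database, the 4 KB chunk size and the constructed "partition" image are test values, and the 3 MB default mirrors the page.

```python
import io

# Constructed byte signatures standing in for the Yara rule set (assumption).
SIGNATURES = {
    "webshell_marker": b"<?php eval($_POST[",
    "tool_banner": b"mimikatz # ",
}


def find_all(window: bytes, pattern: bytes):
    start = 0
    while True:
        i = window.find(pattern, start)
        if i < 0:
            return
        yield i
        start = i + 1


def scan_stream(stream, signatures, chunk_size=3 * 1024 * 1024, overlap=None):
    """Scan a raw stream in overlapping chunks; return sorted, unique (offset, name) hits."""
    if overlap is None:
        # The overlap must cover a pattern that starts just before a chunk boundary.
        overlap = max(len(p) for p in signatures.values()) - 1
    hits = set()            # absolute offsets dedupe matches seen twice via the overlap
    carry = b""             # tail of the previous chunk, prepended to the next one
    base = 0                # absolute offset of window[0]
    while True:
        data = stream.read(chunk_size)
        if not data:
            break
        window = carry + data
        for name, pattern in signatures.items():
            for i in find_all(window, pattern):
                hits.add((base + i, name))
        carry = window[-overlap:] if overlap else b""
        base += len(window) - len(carry)
    return sorted(hits)


def carve(stream, offset: int, length: int) -> bytes:
    """Copy `length` bytes starting at `offset` out of the stream (the restore step)."""
    stream.seek(offset)
    return stream.read(length)


def build_image(chunk_size: int) -> bytes:
    """Constructed 'partition' with one signature placed across a chunk boundary."""
    buf = bytearray(2 * chunk_size + 512)
    for offset, name in ((1000, "webshell_marker"),
                         (chunk_size - 6, "tool_banner"),       # straddles the first boundary
                         (2 * chunk_size - 192, "webshell_marker")):
        pat = SIGNATURES[name]
        buf[offset:offset + len(pat)] = pat
    return bytes(buf)


def demo(chunk_size: int = 4096):
    image = build_image(chunk_size)
    with_overlap = scan_stream(io.BytesIO(image), SIGNATURES, chunk_size)
    no_overlap = scan_stream(io.BytesIO(image), SIGNATURES, chunk_size, overlap=0)
    carved = carve(io.BytesIO(image), chunk_size - 6, len(SIGNATURES["tool_banner"]))
    return with_overlap, no_overlap, carved


if __name__ == "__main__":
    good, bad, carved = demo()
    print("overlapping chunks   :", good)
    print("non-overlapping      :", bad)
    print("carved at boundary   :", carved)
```

Running `demo()` shows why the overlap matters: the non-overlapping scan misses the banner that starts six bytes before the first chunk boundary, while the overlapping scan reports all three hits exactly once. With real Yara rules the overlap must be at least the longest string any rule can match minus one byte; an overlap that is too small reintroduces exactly this blind spot.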
Workshop and Trial
We recommend a one-day workshop to explain the different modes of operation. We demonstrate how attackers work and show how THOR is able to detect this activity, explain all the command line options and explain the most common use cases. We discuss ways in which THOR could be deployed in your environment and how to collect and analyse the log data in an appropriate way.
The workshop includes a 21-day TRIAL license, which enables you to get a quick impression on your network and identify hidden threats.
The price for the one-day workshop is 4,500 EUR.
We published numerous posts on our Blog about THOR and its new features. You can find all the THOR related posts here.
THOR is a joint product of a development partnership between BSK Consulting GmbH and HvS Consulting AG and is completely "Made in Germany". The source code is retained on encrypted storage in our data center near Munich, Germany. Developers access the servers via VPN and authenticate themselves with two-factor authentication.
Get certainty about the integrity of your systems and contact us today.
The contact form can be found here.
Our APT Scanner THOR on the website of HvS Consulting.