THOR Manual
THOR Manual
THOR Manual
VERSION 10.5
1 What is THOR? ............................................................................................................ 7
2 Requirements ............................................................................................................. 8
3 Package ..................................................................................................................... 9
4 Preparations ............................................................................................................. 10
4.1 Add License File .................................................................................................... 10
4.2 Add Tools (optional) ............................................................................................... 10
4.3 Verify Signatures (optional) ..................................................................................... 10
5 Single Scan .............................................................................................................. 11
5.1 Quick Way ............................................................................................................. 11
5.2 Controlled Way ...................................................................................................... 11
6 Deployment .............................................................................................................. 12
6.1 Network Share (Windows)........................................................................................ 12
6.1.1 Place THOR on a Network Share ................................................................................. 12
6.1.2 Create a Scheduled Task via GPO ............................................................................... 13
6.1.3 Create a Scheduled Task via PsExec ........................................................................... 13
6.1.4 Start THOR on the Remote System via WMIC ............................................................... 13
6.2 ASGARD Management Center (Windows, Linux, macOS) ............................................... 14
6.3 Ansible (Linux) ...................................................................................................... 15
6.3.1 Distribute Run with Ansible ......................................................................................... 15
6.3.2 Ansible ...................................................................................................................... 15
6.3.3 Execute Thor using Ansible ........................................................................................ 15
6.3.4 Inventory File ............................................................................................................. 16
6.3.5 Ansible Playbook Template ........................................................................................ 16
6.3.6 Usage of Thor´s Ansible playbook............................................................................... 17
6.3.7 Adjust Thor’s Command Line Parameters .................................................................... 17
6.4 THOR Remote (New) ............................................................................................... 17
6.4.1 Usage ........................................................................................................................ 17
6.4.2 Licensing ................................................................................................................... 18
6.4.3 Output ....................................................................................................................... 18
6.4.4 Issues ....................................................................................................................... 19
6.5 Distribute to Offline Networks / Field Offices .............................................................. 19
6.6 System Load Considerations .................................................................................... 19
7 Scan ........................................................................................................................ 20
7.1 Most Relevant Parameters ....................................................................................... 20
7.2 Recommended Scan Options .................................................................................... 21
7.2.1 Logging to a Network Share ........................................................................................ 21
6.3.2 Ansible
The software Ansible (https://www.ansible.com/) is a solution to perform tasks distributed
over a network on different targets. An Open Source Version is available as well as a version
with commercial support for enterprises. Ansible uses SSH to connect to the target hosts
and performs a defined set of tasks on them called playbooks. Per default it uses keys for
authentication, but this can be setup differently. Please refer to the official documentation
for other methods of authentication. The tasks and the targets can be customized using host
groups. The host groups may be used to separate different Linux distributions. The other
steps may remain the same. Within the playbook any command line option may be
customized for the given scenario.
Ansible does parallelization of the tasks by itself. The default amount of parallel executions
is five and can be configured using the -f or --forks= parameter when starting the playbooks.
To learn more about Ansible inventory files and how to use them, please reference the
official documentation:
https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html
After the playbook finished running the scans, the output of each system can be found in the
thoransible-output directory located at the parent directory of thor. Therefor it is important
that the user starting ansible-playbook has the required rights to write in this directory.
6.4.1 Usage
A list of parameters used with the remote scanning function can be found in the help screen.
As you can see, a list of target hosts can be provided with the help of the new YAML config
files. See chapter 10 “Configuration Files” for more details.
A YAML file with a list of hosts looks like this:
remote:
- winatl001.dom.int
- winatl002.dom.int
- winnyk001.dom2.int
We recommend using a text editor that supports multi-line editing like Atom or Sublime.
https://atom.io/
https://stackoverflow.com/questions/39391688/multi-line-editing-on-atom
You can then use that file with:
thor64.exe -t targets.yml
6.4.2 Licensing
Valid licenses for all target systems are required. Place them in the program folder or any
sub folder within the program directory (e.g. ./licenses). In case of incident response
licenses, just place that single license in the program folder.
You don’t need a valid license for the system that runs THOR’s remote scanning feature (the
source system of the scans, e.g. admin workstation).
6.4.3 Output
The generated log files are collected and written to the folder ./remote-logs
The “THOR Remote” function has its own interface, which allows you to view the progress of
the scans, view and scroll through the log files of the different remote systems.
6.4.4 Issues
7.3.4 Only scan the last 7 days of the Windows Eventlog and log files on disk
thor.exe --lookback 7
7.4.5 Timestamps
Timestamp in all modules use the ANSIC standard, which looks like:
Mon Jan 2 15:04:05 2006
Mon Mar 19 09:04:05 2018
https://flaviocopes.com/go-date-time-format
7.4.6 SCAN ID
The former parameter “-i”, which has been used for so-called case IDs (CID) has been
repurposed to allow users to set a certain scan ID (SCANID) that appears in every log line.
The scan ID helps SIEM and analysis systems to correlate the scan lines from multiple scans
on a single host. Otherwise it would be very difficult to answer the following questions:
§ How many scans completed successfully on a certain end system?
§ Which scan on a certain end system terminated during the scan run?
If no parameter is set, THOR will automatically generate a random scan ID, which starts with
an “S-“ and contains the following characters: a-zA-Z0-9_-
Users can overwrite the scan ID with “-i myscanid” to assign the logs of multiple scan runs to
a single logical scan, e.g. if multiple partitions of a system get scanned in the lab in different
scan runs, but should be shown as a single scan in Analysis Cockpit or your SIEM of choice.
Examples:
S-Rooa61RfuuM
S-0vRKu-1_p7A
7.7 Debugging
Most unexpected behavior can be debugged by using the parameters ‘--debug’ and the even
more verbose ‘--trace’.
If you ever encounter a situation in which:
§ THOR doesn’t produce an alert on a known malicious element
§ THOR exits with an error
§ THOR takes a long time or unexpected short time on elements
Then try scanning that specific element with the ‘--debug’ and ‘--trace’ parameters set.
7.7.2.2 THOR didn’t scan the file due to a skipped deeper inspection
This can be caused by two reasons:
the magic header of that file is not in the list of interesting magic headers (see
./signatures/misc/file-type-signatures.cfg) AND file doesn’t have a relevant file
extension (.asp, .vbs, .ps, .ps1, .rar, .tmp, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .dll, .exe,
.hta, .js, .lnk, .msc, .ocx, .pcd, .pif, .pot, .pdf, .reg, .scr, .sct, .sys, .url, .vb, .vbe, .vbs, .wsc,
.wsf, .wsh, .ct, .t, .input, .war, .jsp, .php, .asp, .aspx, .doc, .docx, .pdf, .xls, .xlsx, .ppt, .pptx,
.tmp, .log, .dump, .pwd, .w, .txt, .conf, .cfg, .conf, .config, .psd1, .psm1, .ps1xml, .clixml,
.psc1, .pssc, .pl, .www, .rdp, .jar, .docm, .ace, .job, .temp, .plg, .asm)
Solution: Use lab scanning mode (--fsonly) or add the magic header to file-type-
signatures.cfg (Warning: this file gets overwritten with an update)
Find more information about this feature on our website or the separate THOR Util manual.
https://www.nextron-systems.com/2018/06/20/thor-util-with-html-report-generation/
https://portal.nextron-systems.com/webshop/downloads
You typically mount a disk or partition image to a given drive letter ("S:") and want to write
the output files to a dedicated directory ("C:\thor-reports"). The parameter -j can be used to
reset the hostname used in the log files to a given identifier instead of using the current
workstation's name in all output files.
While the DeepDive detects suspicious files regardless of their master file table reference
the default file system scan that is executed afterwards may detect the same file twice.
The following example for the use of the DeepDive shows how to scan a mounted file system
image as drive "X:".
thor --fsonly --deepdive -rd D:\restore -p X:\
You can get the full name of a Windows Eventlog by right clicking the Eventlog in Windows
Event Viewer and selecting "Properties".
The -n parameter can also be used to restrict the Eventlog scanning to certain Eventlogs. The
following command will start a default THOR scan and instructs the Eventlog module to scan
only the “Security” and “System” Eventlog.
thor.exe -a Security -a System
Option Description
--nomft
Do not perform any MFT analysis whatsoever (only useful in
combination with --intense)
--maxmftsize MB The maximum MFT size in Megabytes to process (default: 200 MB)
resume: true
cpulimit: 40
intense: true
max_file_size: 7500000
syslog:
- foo.nextron
- bar.nextron:514:TCP
1
https://attack.mitre.org/techniques/T1099/
12.1.1 Modules
Module Default Quick Soft Intense Domain Linux /
Controller macOS
File System Scan Enabled Reduced Enabled Enabled - Enabled
Registry Scan (Full Walk) Enabled Enabled Enabled Enabled - Disabled
Run Key Analysis Enabled Enabled Enabled Enabled - Disabled
SHIM Cache Scan Enabled Enabled Enabled Enabled - Disabled
Mutex Check Enabled Enabled Disabled Enabled - Disabled
Named Pipes Check Enabled Enabled Disabled Enabled - Disabled
DNS Cache Check Enabled Enabled Enabled Enabled - Enabled
Hotfix Check Enabled Disabled Enabled Enabled - Disabled
Hosts File Check Enabled Enabled Enabled Enabled - Enabled
Firewall Config Check Enabled Disabled Disabled Enabled - Disabled
Network Share Check Enabled Disabled Disabled Enabled - Disabled
Logged In Check Enabled Disabled Disabled Enabled Disabled Disabled
Process Check Enabled Enabled Enabled Enabled - Enabled
Service Check Enabled Enabled Enabled Enabled - Disabled
Autoruns Check Enabled Enabled Enabled Enabled - Enabled
Rootkit Check Enabled Enabled Enabled Enabled - Disabled
LSA Sessions Analysis Enabled Enabled Disabled Enabled - Disabled
User Account Check Enabled Enabled Enabled Enabled Disabled Disabled
User Profile Check Enabled Disabled Enabled Enabled Disabled Disabled
Network Sessions Check Enabled Enabled Disabled Enabled Disabled Disabled
Network Open Files Check Enabled Enabled Disabled Enabled Disabled Disabled
Scheduled Tasks Analysis Enabled Enabled Enabled Enabled - Disabled
WMI Startup Check Enabled Enabled Enabled Enabled - Disabled
At Entries Check Enabled Enabled Enabled Enabled - Disabled
MFT Analysis Disabled Disabled Disabled Enabled - Disabled
Eventlog Analysis Enabled Disabled Enabled Enabled - Disabled
Table 4 - THOR Scan Modules
Bifrost
optional arguments:
-i ip IP address to bind to
In order to send suspicious file to that server, you have to set some command line flags
when running THOR, e.g.
thor64.exe --bifrostServer myserver
A more complex statement setting a minimum score and custom port would look like this:
thor64.exe --bifrostServer myserver --bifrost-port 8080 --bifrostLevel 80
THOR will then try to submit all samples with score equal or higher than 80 to a Bifrost
service running on myserver port 8080/tcp.
2
Applies to old keyword IOC defined in text file divided by new line (new method allows to define "keyword"
signatures as YARA rule and set your score in the meta data of the YARA rule)
The "checkString()" function receives the following string from the Eventlog scan module
(here: a Sysmon Eventlog entry):
Process Create:
UtcTime: 2018-01-10 10:22:25.277
ProcessGuid: {c1b49677-e961-5a55-0000-0010bbc80702}
ProcessId: 3912
Image: C:\Program Files\Nmap\bin\nmap.exe
CommandLine: nmap.exe
CurrentDirectory: C:\Windows\system32\
User: PROMETHEUS\user1
The "checkString()" function would create two messages: 1 "warning" for the keyword
signature and 1 "notice" of the filename IOC signatures.
The keyword IOC matches in the "checkKeyword()" sub-check and "checkString()" returns a
match, that generates a "Warning" level message that automatically receives a score of 75
(see chapter 14.3).
The filename IOCs would both match on the string in the "checkFilename()" sub-check and
both score would be summed up to a total score of 40 (70 + (-30) = 40), which would
generate a "Notice".
update2.nextron-systems.com
Sending Syslog to a target on a port that differs from the default port 514/udp looks like this:
-s 10.0.0.4:2514
When changing the protocol from UDP to TCP, all preceding fields have to be set:
-s 10.0.0.4:514:DEFAULT:TCP
--action_command string Run this command for each file that has a score greater than the score from
--action_level
---action_args strings Arguments to pass to the command specified via --action_command. The
placeholders %filename%, %filepath%, %file%, %ext%, %md5%, %score% and
%date% are replaced at execution time
--action_level int Only run the command from --action_command for files with at least this
score (default 40)
Parameter Description
--dbfile [string] Allows to define a location of the THOR database file. File names or path
names are allowed. If a path is given, the database file ‘thor.db’ will be
created in the directory. Environment variables are expanded
--resume Resumes a previous scan (if scan state information is still available and
the exact same command line arguments are used)
--resumeonly Only resume a scan if a scan state is available. Do not run a full scan if no
scan state can be found.
Warning: Deactivating Resource Control on systems with exhausted resources can put the
system’s stability at risk.
20.2 Eventlogs
Eventlog sources can be excluded as whole in “eventlog-excludes.cfg”. The file holds
one expression per line and applies them as regular expression on the name of the Eventlog.
(e.g. “Microsoft-Windows-Windows Defender/Operational“)
Element to exclude Possible solution
Windows PowerShell Windows PowerShell
Microsoft-Windows-Windows Windows Defender
Defender/Operational
20.3 Registry
Registry paths/keys can be excluded in “registry-excludes.cfg”. The file holds one
expression per line and applies them as regular expression on each registry key. (e.g.
“Software\WOW6432Node“). Don’t include the root of the key, e.g. HKLM.
Element to exclude Possible solution
HKEY_LOCAL_MACHINE\Software\ ⏎ Symantec Endpoint ⏎
This means that you can also store your own threat intel IOCs into files in that folder with the
correct tag in the file name and they will get initialized by THOR during startup.
THOR currently contains with two threat intel receivers:
§ get-misp-iocs.py
MISP Receiver - retrieves Hash, C2, File Name IOCs and Yara signatures from an
arbitrary MISP instance (local or CIRCL.lu community)
§ get-otx-iocs.py
OTX Receiver - retrieves Hash, C2 and File Name IOCs from AlienVault’s Open Threat
Exchange platform
THOR initializing the threat intel IOC files from MISP and OTX
22.1.1 Hashes
The file "custom-evil-hashes.txt" allows you to define hashes of malware or hack tools
that THOR should report at least as a "Warning". In order to ensure that, every matching
object will receive a score of 75.
You can add MD5, SHA1 or SHA256 hashes and add a comment, which is separated by a
semicolon.
For example, if you know that administrators in your organization use "PsExec.exe" in a
folder "Sysinternals" and any other location should be reported as suspicious you could
define the following statements:
\\PsExec\.exe;60
\\SysInternals\\PsExec\.exe;-60
This following example represents the 3rd generation filename IOC format introduced with
THOR version 8.30 and SPARK version 1.5, which is now the recommended form to define
such signatures.
It contains three fields:
§ Column 1: Regex
§ Column 2: Score
§ Column 3: False Positive Regex
The False Positive Regex statement is only evaluated if the Regex statement in column 1
matched.
\\PsExec\.exe;60;\\SysInternals\\
We use this new format internally to describe abnormal locations of system files like
([C-Zc-
z]:|\\\\).{1,40}\\svchost\.exe;65;(?i)(HKCR\\Applications|System32|system32|SYSTEM32|wins
xs|WinSxS|SysWOW64|SysWow64|syswow64|SYSNATIVE|Sysnative|dllcache|WINXP|WINDOWS|i386|%sys
tem32%)\\
You could also score down directories with many false positives reported as "Notices" or
"Warnings" like this:
22.2 Sigma
Sigma is a generic rule format for detections on log data. Sigma is for log data, as Snort is
for network packets and YARA is for files.
Perform a scan with the Sigma rules on logs of Linux systems (-a LogScan) only
thor64 -a Filesystem -p /var/log –sigma
22.3 STIX
THOR can read and apply IOCs provided in STIXv2 JSON files by placing them with the
“.json” file extension in the “./custom-signatures/stix” folder.
22.3.1 STIX v1
STIX version 1 is not supported.
The following table shows in which modules the Specific YARA rules are applied to content.
Keyword in File Name Applied in Module Examples
registry Registry incident-feb17-registry.yar
log Eventlog, Logscan general-log-strings.yar
process ProcessCheck (only on process memory) case-a23-process-rules.yar
keyword Mutex, Named Pipes, Eventlog, MFT, misp-3345-keyword-extract.yar
ProcessCheck (on all process handles),
ProcessHandles, ServiceCheck, AtJobs,
LogScan, AmCache, SHIMCache, Registry
Table 13 - Specific YARA Rule Application
You can restrict the Specific YARA rules to certain modules to avoid false positives. Please
check chapter 22.5.5 for details.
Also see the link section in chapter 23 for a YARA rule exporter script that extracts YARA
Keyword rules automatically from a MISP threat feed.
rule APT1_WEBC2_TABLE {
meta:
author = "AlienVault Labs"
strings:
$msg1 = "Fail To Execute The Command" wide ascii
$msg2 = "Execute The Command Successfully" wide ascii
$gif1 = /\w+\.gif/
$gif2 = "GIF89" wide ascii
condition:
3 of them
}
rule simple_demo_rule_1 {
meta:
description = "Demo Rule"
strings:
$a1 = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
condition:
$a1
}
The following listing shows a more complex rule that includes a lot of keywords used in
typical rules included in the rule set.
The example above shows the most common keywords used in our THOR rule set. These
keywords are included in the YARA standard. The rule does not contain any THOR specific
expressions.
Yara provides a lot of functionality but lacks some mayor attributes that are required to
describe an indicator of compromise (IOC) defined in other standards as i.e. OpenIOC
entirely. Yara’s signature description aims to detect any kind of string or byte code within a
file but is not able to match on meta data attributes like file names, file path, extensions and
so on.
THOR adds functionality to overcome these limitations.
22.5.1 Score
THOR makes use of the possibility to extend the Meta information section by adding a new
parameter called "score".
This parameter is the essential value of the scoring system, which enables THOR to
increment a total score for an object and generate a message of the appropriate level
according to the final score.
Every time a signature matches the value of the score attribute is added to the total score of
an object.
rule demo_rule_score {
meta:
description = "Demo Rule"
score = 80
strings:
$a1 = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
$a2 = "honkers" fullword
condition:
1 of them
}
rule demo_rule_enhanced_attribute_1 {
meta:
description = "Demo Rule - Eicar"
strings:
$a1 = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE"
condition:
$a1 and filename matches /eicar.com/
}
A more complex rule using several of the THOR external variables would look like the one in
the following listing.
This rule matches to all files containing the EICAR string, having the name "eicar.com",
"eicar.dll" or "eicar.exe" and a file size smaller 100byte.
The following YARA rule show a typical combination used in one of the client specific rule
sets, which are integrated in THOR. The rule matches on ".idx" files that contain strings
used in the Java Version of the VNC remote access tool. Without the enhancements made
this wouldn’t be possible as there would be no way to apply the rule only to a special type of
extension.
rule HvS_Client_2_APT_Java_IDX_Content_hard {
meta:
description = "VNCViewer.jar Entry in Java IDX file"
strings:
$a1 = "vncviewer.jar"
$a2 = "vncviewer/VNCViewer.class"
condition:
1 of ($a*) and extension matches /\.idx/
}
rule Registry_DarkComet {
meta:
description = "DarkComet Registry Keys"
strings:
$a1 = "LEGACY_MY_DRIVERLINKNAME_TEST;NextInstance"
$a2 = "CurrentVersion\\Run;MicroUpdate"
condition:
1 of them
}
Since version 7.25.5 THOR is even able to apply these rules to non-DWORD registry values.
This means that e.g. a REG_BINARY value contains an executable as in the following
example, you can write a YARA rule to detect this binary value in Registry as shown below.
REG_BINARY = 4d 5a 00 00 00 01 .. ..
Corresponding YARA rule:
rule registry_binary_exe {
meta:
description = "Detects executables in Registry values"
strings:
$a1 = "Path;Value;4D5A00000001"
condition:
1 of them
}
The letters in the expression have to be all uppercase. Remember that you have to use the
keyword ‘registry’ in the file name that is placed in the "./custom-signatures/yara"
folder in order to initialize the YARA rule file as registry rule set. (e.g.
"registry_exe_in_value.yar")
22.5.3.1 Important:
Please notice that strings like HKEY_LOCAL_MACHINE, HKLM, HKCU,
HKEY_CURRENT_CONFIG are not used in the strings that your YARA rules are applied to.
They depend on the analyzed hive and should not be in the strings that you define in your
rules. The strings for the YARA matching look like:
rule Malware_in_memory {
meta:
author = "Florian Roth"
description = " Think Tank Campaign"
type = "memory"
strings:
$s1 = "evilstring-inmemory-only"
condition:
1 of them
}
rule Malware_in_fileobject {
meta:
description = "Think Tank Campaign"
type = "file"
strings:
$s1 = "evilstring-infile-only"
condition:
1 of them
}
You can also decide if a rule should not match in "DeepDive" module by setting the
"nodeepdive" attribute to "1".
rule Malware_avoid_DeepDive {
meta:
description = "Think Tank Campaign"
nodeepdive = 1
strings:
$s1 = "evilstring-not-deepdive"
condition:
1 of them
}
rule Malicious_Mutex_Evtx {
meta:
description = "Detects malicious mutex EVTX"
limit = "Mutex"
strings:
$s1 = "_evtx_"
condition:
1 of them
}
Notes:
§ the internal check in THOR against the module name is case-insensitive
§ this "limit" parameter only applies to specific YARA rules
(legacy reasons – will be normalized in a future THOR version)
rule FalsePositive_AVSig1 {
meta:
description = "Match on McAfee Signature Files"
falsepositive = 1
score = 50
strings:
$s1 = "%%%McAfee-Signature%%%"
condition:
1 of them
}
For example:
https://valhalla.nextron-systems.com/info/rule/HKTL_Empire_ShellCodeRDI_Dec19_1
If you don’t specify a public key, THOR uses a default key. The private key for this default key
is stored in “thor-util”, which can be used to decrypt output files encrypted with the default
key.
thor-util decrypt file.txt