Hackers are already in your environment – spot them with THOR and Splunk!

Security Matthias Maier

Hello Security Ninjas,

What_Thor_does
I recently came across a new method (at least for me) to detect and discover advanced persistent threats.

You probably already know about antivirus scanners, IDS Solutions, vulnerability scanners as well as sandbox execution systems like FireEye, the WildFire service from Palo Alto or ThreatGRID from Cisco. However, one of the latest tools, “THOR“, is different.

What is THOR?

THOR is an APT Scanner, a set of binaries that can be executed on demand on either Windows or Unix systems. THOR scans the system for hacking tools, APT indicators, remote access Trojans as well as many other indicators. It also integrates a number of Indicators of Compromise (IOC’s, Yara Signatures). In addition to crawling for the basic stuff, it collects information about currently logged-in users, user accounts on the machines, services that are running, network connections, dns cache, windows event logs, processes and memory, prefetch files and much more. Based on this collective information it then creates an overall score.

THOR_Scoring_System How does the scoring system work?

The scoring system works in a similar way to how you would classify information found during a manual investigation. For example if a temp.exe file in C:/Windows is flagged as an executable binary but in reality it’s a text file where data is just named as *.exe, it gets a +3 scoring. As more rules and indicators are triggered the score increases, allowing you to prioritize activities for the incident investigation teams.

How does the reporting and analytics work?

THOR Overview

With lots of data being collected during a scan from a number of different indicators, inevitably a significant amount of reporting is required. The key is that researchers can have access to the lowest level of detail possible. This is done by sending the data via syslog output directly to Splunk or by storing it in a text file that can then be monitored with a Splunk forwarder.

In addition, the THOR framework is just a non-installation binary that needs to be executed. So the deployment can be done easily with the Splunk Forwarder via Deployment Server. Through Inputs.conf you can also schedule how often it should scan systems for APT Indicators.

This concept of deployment shows nicely how the THOR development team can invest their research resources into their key business – security – and for deployment, execution and reporting they bet on Splunk.

Where is THOR already being used?

THOR with Splunk is already in use with many organizations which have been affected by a breach, whether public or not. Also many Computer Emergency Response Teams (CERT) are already using it to get a deeper understanding when investigating the situation surrounding incidents.

At the last SplunkLive Event in London Freddy Dezeure, Head of CERT-EU, presented its usage of Splunk to analyze machine data. During the presentation he also talked about the IOCs and YARA Rules created to scan systems to find malicious activities and validate that no other hosts are compromised. From a nice screenshot I saw, I recognized that they too are using THOR.

How can i get started?

You can request a free trial of THOR for 14 Days or you can use a free spin off version of THOR called “LOKI” which has a limited set of APT Indicators compared to THOR.

Splunk und das Triage Tool THOR from Splunker

Happy hunting for APT’s with Splunk in your enviornment,

Matthias

Follow @splunkde

Follow @splunk

Follow @thor_scanner

Follow @Matthias_BY

Related Articles

Monitoring Pulse Connect Secure With Splunk (CISA Emergency Directive 21-03)
Security
11 Minute Read

Monitoring Pulse Connect Secure With Splunk (CISA Emergency Directive 21-03)

Our Splunk security experts share a closer look at the Pulse Connect Secure attack, including a breakdown of what happened, how to detect it, and MITRE ATT&CK mappings.
Machine Learning in Security: Deep Learning Based DGA Detection with a Pre-trained Model
Security
8 Minute Read

Machine Learning in Security: Deep Learning Based DGA Detection with a Pre-trained Model

The Splunk Machine Learning for Security team introduces a new detection to detect Domain Generation Algorithms generated domains.
OCSF Goes Into High Gear with Amazon Security Lake Launch and New OCSF Release Candidate
Security
2 Minute Read

OCSF Goes Into High Gear with Amazon Security Lake Launch and New OCSF Release Candidate

Splunk's Paul Agbabian shares two new major OCSF developments – the general availability of Amazon Security Lake and Splunk Add-On for AWS v.7.0, and Release Candidate 3 launching for public review.