Hackers are already in your environment – spot them with THOR and Splunk!

By Matthias Maier

Hello Security Ninjas,

What_Thor_does I recently came across a new method (at least for me) to detect and discover advanced persistent threats.

You probably already know about antivirus scanners, IDS Solutions, vulnerability scanners as well as sandbox execution systems like FireEye, the WildFire service from Palo Alto or ThreatGRID from Cisco. However, one of the latest tools, “THOR“, is different.

What is THOR?

THOR is an APT Scanner, a set of binaries that can be executed on demand on either Windows or Unix systems. THOR scans the system for hacking tools, APT indicators, remote access Trojans as well as many other indicators. It also integrates a number of Indicators of Compromise (IOC’s, Yara Signatures). In addition to crawling for the basic stuff, it collects information about currently logged-in users, user accounts on the machines, services that are running, network connections, dns cache, windows event logs, processes and memory, prefetch files and much more. Based on this collective information it then creates an overall score.

How does the scoring system work?

The scoring system works in a similar way to how you would classify information found during a manual investigation. For example if a temp.exe file in C:/Windows is flagged as an executable binary but in reality it’s a text file where data is just named as *.exe, it gets a +3 scoring. As more rules and indicators are triggered the score increases, allowing you to prioritize activities for the incident investigation teams.

How does the reporting and analytics work?

With lots of data being collected during a scan from a number of different indicators, inevitably a significant amount of reporting is required. The key is that researchers can have access to the lowest level of detail possible. This is done by sending the data via syslog output directly to Splunk or by storing it in a text file that can then be monitored with a Splunk forwarder.

In addition, the THOR framework is just a non-installation binary that needs to be executed. So the deployment can be done easily with the Splunk Forwarder via Deployment Server. Through Inputs.conf you can also schedule how often it should scan systems for APT Indicators.

This concept of deployment shows nicely how the THOR development team can invest their research resources into their key business – security – and for deployment, execution and reporting they bet on Splunk.

Where is THOR already being used?

THOR with Splunk is already in use with many organizations which have been affected by a breach, whether public or not. Also many Computer Emergency Response Teams (CERT) are already using it to get a deeper understanding when investigating the situation surrounding incidents.

At the last SplunkLive Event in London Freddy Dezeure, Head of CERT-EU, presented its usage of Splunk to analyze machine data. During the presentation he also talked about the IOCs and YARA Rules created to scan systems to find malicious activities and validate that no other hosts are compromised. From a nice screenshot I saw, I recognized that they too are using THOR.

How can i get started?

You can request a free trial of THOR for 14 Days or you can use a free spin off version of THOR called “LOKI” which has a limited set of APT Indicators compared to THOR.

Splunk und das Triage Tool THOR from Splunker

Happy hunting for APT’s with Splunk in your enviornment,

Matthias

Matthias Maier is Product Marketing Director at Splunk, as well as a technical evangelist in EMEA, responsible for communicating Splunk's go-to market strategy in the region. He works closely with customers to help them understand how machine data reveals new insights across application delivery, business analytics, IT operations, Internet of Things, and security and compliance. Matthias has a particular interest and expertise in security, and is the author of the Splunk App for IP Reputation. Previously, Matthias worked at TIBCO LogLogic and McAfee as a senior technical consultant. He is also a regular speaker at conferences on a range of enterprise technology topics.

Security 3 Min Read

Level Up Your Cybersecurity with Risk-Based Alerting

In our first blog in the Splunk RBA series, we introduced Risk-Based Alerting (RBA) and covered the basic principles of RBA. In the rest of this series, we explain how you can plan and then implement RBA within your organization.

Security 11 Min Read

Breaking the Chain: Defending Against Certificate Services Abuse

Explore the common certificate abuses leveraged by current and relevant adversaries in the wild, the multiple methods they use to obtain certificates, how to gather relevant logs and ways to mitigate adversaries stealing certificates.

Security 4 Min Read

Splunk SOAR Playbooks: GCP Unusual Service Account Usage

In this new Splunk SOAR Playbook, we'll show how a Splunk Enterprise search can trigger automated enrichment, an analyst prompt, and rapid response actions to prevent damage caused by malicious account access.

About Splunk

The world’s leading organizations rely on Splunk, a Cisco company, to continuously strengthen digital resilience with our unified security and observability platform, powered by industry-leading AI.

Our customers trust Splunk’s award-winning security and observability solutions to secure and improve the reliability of their complex digital environments, at any scale.