I recently came across a new method (at least for me) to detect and discover advanced persistent threats.
You probably already know about antivirus scanners, IDS solutions, vulnerability scanners and sandbox execution systems such as FireEye, the WildFire service from Palo Alto Networks or ThreatGRID from Cisco. However, one of the latest tools, "THOR", is different.
What is THOR?
THOR is an APT scanner: a set of stand-alone binaries that are run on demand on Windows or Unix systems. It scans the system for hacking tools, APT indicators, remote access Trojans and many other traces of an intrusion, drawing on a built-in set of Indicators of Compromise (IOCs) and YARA signatures. Beyond the file system crawl, it collects information about currently logged-in users, local user accounts, running services, network connections, the DNS cache, Windows event logs, processes and memory, prefetch files and much more. From this combined evidence it then derives an overall score.
How does the scoring system work?
The scoring system works much like the way you would weigh evidence found during a manual investigation. For example, a file named temp.exe in C:\Windows whose extension claims an executable but whose content turns out to be plain text (a file type/extension mismatch) adds +3 to the score. Every further rule or indicator that triggers raises the score, so findings and hosts can be ranked and the incident investigation team can prioritize its work.
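To make the additive scoring concrete, here is an added example (not THOR's code, and not from the post's author) of how indicator scoring of this kind can work: each rule that fires contributes a weight, a host's total is the sum of its findings, and hosts are ranked by total so the team knows where to start. The extension/content mismatch check reproduces the +3 case from the text; every other indicator, its weight, the tool and directory lists and the sample files are constructed for illustration. Each finding is also rendered as a key=value line, the kind of output that can be written to a text file or sent via syslog for Splunk to index.

```python
"""Indicator scoring in the spirit of the description above.

Added example: this is not THOR's code. Every rule, weight, path and sample
file below is constructed for illustration; only the "+3 for an .exe that is
really a text file" figure comes from the text.
"""
import ntpath
from dataclasses import dataclass, field

PE_MAGIC = b"MZ"                                   # every Windows PE starts with "MZ"
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr"}

# Hypothetical weights. Only the type-mismatch score is taken from the text.
WEIGHT_TYPE_MISMATCH = 3     # extension claims an executable, content is not a PE
WEIGHT_KNOWN_TOOL = 40       # filename matches a known attacker tool
WEIGHT_DROP_LOCATION = 5     # executable in a directory any user can write to

KNOWN_TOOL_NAMES = {"mimikatz.exe", "psexec.exe", "procdump.exe"}   # constructed list
DROP_DIRS = {r"c:\windows\temp", r"c:\users\public"}                # constructed list


@dataclass
class Finding:
    path: str
    reason: str
    score: int


@dataclass
class ScanResult:
    host: str
    findings: list = field(default_factory=list)

    @property
    def total(self) -> int:
        """Overall host score: the sum of every triggered indicator."""
        return sum(f.score for f in self.findings)


def is_type_mismatch(path: str, content: bytes) -> bool:
    """Extension says 'executable' but the first bytes are not a PE header."""
    ext = ntpath.splitext(path)[1].lower()
    return ext in EXECUTABLE_EXTENSIONS and not content.startswith(PE_MAGIC)


def score_file(path: str, content: bytes) -> list:
    """Run each indicator against one file; every hit becomes a Finding."""
    name = ntpath.basename(path).lower()
    parent = ntpath.dirname(path).lower()
    hits = []
    if is_type_mismatch(path, content):
        hits.append(Finding(path, "extension/content type mismatch", WEIGHT_TYPE_MISMATCH))
    if name in KNOWN_TOOL_NAMES:
        hits.append(Finding(path, "known attacker tool filename", WEIGHT_KNOWN_TOOL))
    if parent in DROP_DIRS and ntpath.splitext(name)[1] in EXECUTABLE_EXTENSIONS:
        hits.append(Finding(path, "executable in world-writable drop directory", WEIGHT_DROP_LOCATION))
    return hits


def scan(host: str, files: dict) -> ScanResult:
    """files maps a Windows path to the file's leading bytes (constructed here; read from disk in reality)."""
    result = ScanResult(host)
    for path, content in files.items():
        result.findings.extend(score_file(path, content))
    return result


def to_event(result: ScanResult, finding: Finding) -> str:
    """One finding as a key=value line, which Splunk extracts fields from without extra configuration."""
    return f'host="{result.host}" score={finding.score} reason="{finding.reason}" file="{finding.path}"'


def rank_hosts(results: list) -> list:
    """Hosts with the highest aggregate score first, so the IR team starts there."""
    return [r.host for r in sorted(results, key=lambda r: r.total, reverse=True)]


# Constructed sample input: path -> first bytes of the file.
WS01_FILES = {
    r"C:\Windows\temp.exe": b"just some text that was renamed\r\n",     # mismatch: +3
    r"C:\Windows\System32\notepad.exe": b"MZ\x90\x00\x03\x00\x00\x00",  # clean
    r"C:\Users\Public\mimikatz.exe": b"MZ\x90\x00\x03\x00\x00\x00",     # tool +40, drop dir +5
    r"C:\Users\alice\notes.txt": b"shopping list",                       # clean
}
WS02_FILES = {
    r"C:\Windows\System32\cmd.exe": b"MZ\x90\x00\x03\x00\x00\x00",       # clean
    r"C:\Windows\Temp\update.exe": b"MZ\x90\x00\x03\x00\x00\x00",        # drop dir +5
}

if __name__ == "__main__":
    results = [scan("ws01", WS01_FILES), scan("ws02", WS02_FILES)]
    for r in results:
        for f in r.findings:
            print(to_event(r, f))
    print("investigate in this order:", rank_hosts(results))
```

Run as a script it prints one event line per finding and the host ordering (ws01 with 48 points ahead of ws02 with 5). The mismatch check deliberately inspects the file header rather than trusting the extension, because a text file renamed to .exe is exactly what that indicator exists to catch; a production check would also validate the PE signature at the offset stored in the DOS stub rather than stopping at the two "MZ" bytes.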
How does the reporting and analytics work?
A scan collects a lot of data from many different indicators, so a substantial amount of reporting is inevitably required. The key requirement is that analysts can drill down to the lowest level of detail. THOR supports this either by sending its output via syslog directly to Splunk or by writing it to a text file that a Splunk forwarder then monitors.
In addition, THOR is a stand-alone binary that needs no installation; it only has to be executed. Deployment can therefore be handled with the Splunk forwarder via the Deployment Server, and through inputs.conf you can schedule how often each system is scanned for APT indicators. Note that a scan started this way runs under the forwarder's service account, so that account needs the rights THOR requires to read process memory, event logs and the file system.
This deployment model shows nicely how the THOR development team can focus its research resources on its core business, security, while relying on Splunk for deployment, execution and reporting.
Where is THOR already being used?
THOR with Splunk is already in use at many organizations that have been affected by a breach, whether publicly known or not. Many Computer Emergency Response Teams (CERTs) also use it to gain a deeper understanding of the circumstances surrounding an incident.
At the last SplunkLive event in London, Freddy Dezeure, Head of CERT-EU, presented CERT-EU's use of Splunk to analyze machine data. During the presentation he also talked about the IOCs and YARA rules created to scan systems for malicious activity and to validate that no other hosts are compromised. From a nice screenshot I saw, I recognized that they too are using THOR.
How can I get started?
You can request a free 14-day trial of THOR, or you can use LOKI, a free spin-off of THOR that ships with a smaller set of APT indicators.