MDATP 💙 THOR

Among others, Microsoft announced a partnership with THOR today.

THOR is developed by Nextron Systems, a company founded by Florian Roth.

Florian is a very well-known member of the security community. Together with Thomas Patzke, he created the Sigma project. Florian’s company Nextron offers a YARA rule feed service and a compromise assessment tool called THOR. THOR is backed by 10,000 YARA signatures, 400 Sigma rules and many IOCs to identify compromised systems.

THOR now comes in a cloud edition that is easily usable from ‘live response’ in MDATP.

Let’s have a quick look how it works:

First, upload the ‘thor-seed.ps1’ to the library of your MDATP live response instance:

Then run it by ‘run thor-seed.ps1’:

With that, ‘Thor.exe’ along with some config files and all the signatures is downloaded, unzipped on the target endpoint and then executed:

It will then scan the local system against the downloaded (and encrypted) signatures and create a report.

As you can see in the live response output above, in the results section, the seed script will then tell you how you can download the scan reports as .txt or .html:

In the report, you will see all the matches THOR found with some additional information from the rules.
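To make the seed-script pattern described above concrete (download a scanner package to the endpoint, unpack it, run it, and leave reports for the live response operator to collect), here is an added PowerShell sketch. It is not Nextron’s ‘thor-seed.ps1’ and not code from this post; the package URL, the expected hash, the executable name pattern and the scanner arguments are placeholders you would replace with the vendor-supplied values. The one step worth copying regardless of scanner is the hash check before execution: a seed script that downloads and runs a binary without verifying it will execute whatever the download returned.

```powershell
# Added illustration of the "seed script" pattern (download, verify, unpack, run,
# report). This is NOT Nextron's thor-seed.ps1. URL, hash, executable name and
# scanner arguments below are placeholders and must come from the vendor.

$PackageUrl     = 'https://example.invalid/placeholder/thor-package.zip'   # placeholder
$ExpectedSha256 = 'REPLACE_WITH_VENDOR_PUBLISHED_SHA256'                   # placeholder
$WorkDir        = Join-Path $env:ProgramData 'scanner-seed'
$ZipPath        = Join-Path $WorkDir 'package.zip'
$ReportDir      = Join-Path $WorkDir 'reports'

New-Item -ItemType Directory -Force -Path $WorkDir, $ReportDir | Out-Null

# 1. Download the package. Force TLS 1.2 so older hosts do not negotiate
#    something weaker.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri $PackageUrl -OutFile $ZipPath -UseBasicParsing

# 2. Verify integrity before anything from the package is executed.
$actual = (Get-FileHash -Path $ZipPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    throw "Package hash mismatch: expected $ExpectedSha256, got $actual"
}

# 3. Unpack and locate the scanner executable (name pattern is a placeholder).
Expand-Archive -Path $ZipPath -DestinationPath $WorkDir -Force
$exe = Get-ChildItem -Path $WorkDir -Filter 'thor*.exe' -Recurse | Select-Object -First 1
if (-not $exe) { throw 'Scanner executable not found in package' }

# 4. Run the scan and wait for it to finish. The argument list is a placeholder;
#    use the vendor-documented options for scan mode and report location.
$scanArgs = @('--placeholder-report-dir', $ReportDir)   # placeholder arguments
$proc = Start-Process -FilePath $exe.FullName -ArgumentList $scanArgs -Wait -PassThru -NoNewWindow
Write-Output "Scanner exited with code $($proc.ExitCode)"

# 5. List the report files so the operator knows what to retrieve afterwards.
Get-ChildItem -Path $ReportDir -Include '*.txt', '*.html' -Recurse | ForEach-Object { $_.FullName }
```

Once uploaded to the live response library and started with ‘run’, the script’s output ends with the report paths, which the operator can then pull back from the endpoint with the live response ‘getfile’ command.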

Conclusion

THOR CLOUD is a useful extension for forensic analysis after MDATP has raised alerts. It is very easy to use via ‘live response’ and can add value to the analysis of your compromised systems. Go check it out here.
