Among others, Microsoft announced a partnership with THOR today.

THOR is developed by Nextron Systems a company by Florian Roth.

Florian is a very well-known security community member. Together with Thomas Patzke, he created the sigma project. Florian’s company ‘Nextron’ offers a yara-rule feed service and a compromise assessment tool called THOR. THOR is backed by 10,000 yara signatures, 400 sigma rules and many IOCs to identify compromised systems.

THOR now comes in a cloud edition that is easily usable from ‘live response‘ in MDATP.

Let’s have a quick look how it works:

First, upload the ‘thor-seed.ps1’ to the library of your MDATP live response instance:

Then run it by ‘run thor-seed.ps1’:

With that, ‘Thor.exe’ along with some config files and all the signatures is downloaded and unzipped on the appropriate client and then executed:

 It will then scan the local system against the downloaded (and encrypted) signatures and create a report.

As you can see in the live response output above, in the results section, the seed script will then tell you how you can download the scan reports as .txt or .html:

In the report, you will see all the matches THOR found with some additional information from the rules.

Conclusion

THOR CLOUD is a useful extension for forensic analysis after MDATP threw some alerts. It is very easy to use via ‘live response’ and can add value to the analysis of your compromised systems. Go, check it out here.