Compromise Assessment

THOR - Compromise Assessment


A good compromise assessment methodology requires the use of tools that will make the assessment more efficient.

For this, we present THOR – the most sophisticated and flexible compromise assessment tool on the market.

Incident response engagements often begin with a group of compromised systems and an even bigger group of systems that are possibly affected. The manual analysis of many forensic images can be challenging.

THOR speeds up your forensic analysis with more than 10,000 handcrafted YARA signatures, 400 Sigma rules, numerous anomaly detection rules and thousands of IOCs.

THOR is the perfect tool to highlight suspicious elements, reduce the workload and speed up forensic analysis in moments in which getting quick results is crucial.


Use Cases

THOR’s flexibility is outstanding. It can be used stand-alone for triage, live forensics or image scans in a lab environment.

THOR is the perfect tool to highlight suspicious elements, reduce the workload and speed up DFIR investigations in moments in which getting quick results is crucial.


THOR’s Signature Set

THOR ships with VALHALLA’s big encrypted signature database of more than 10,000 YARA signatures and undisclosed IOC sets. These signatures include more than 2,000 web shell rules, 500 anomaly rules, 3,000 malware rules, 1,500 hack tool and tool output rules, 300 malicious script and macro rules, 100 exploit code rules and more than 100 rules for registry and log file matching.

Check VALHALLA’s statistics page to get some examples of THOR’s findings with low Antivirus detection rates.


Custom Indicators and YARA Rules

THOR uses YARA as its main signature format. THOR’s YARA integration is fully compatible with standard YARA signatures, although THOR extends the standard matching to allow certain additional checks.

It is easy to extend the integrated database with your own rules and IOCs. You can add them to the signature database simply by placing them in the standard signature folder.

The documentation provides guidance for cases in which you want to use the special extensions or encrypt your signatures before deployment.
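As an added illustration of what such custom rules look like (example code written for this page, not a THOR or Nextron signature), here are two plain YARA rules built from constructed strings: a heuristic for PHP files that decode and execute request-supplied input, and a rule assembled from constructed indicators of the kind an analyst would add after an investigation. All indicator values are placeholders that match nothing real; the `score` meta field is an assumption about a rule-weighting convention, and plain YARA ignores meta fields it does not know.

```yara
// Added example, not a THOR/Nextron signature. All strings are constructed placeholders.

// Helper: only evaluate the web shell heuristic on files that start like PHP.
private rule Is_PHP_File
{
    strings:
        $php = "<?php" ascii
    condition:
        $php in (0..1024)
}

rule Custom_WebShell_Heuristic_Example
{
    meta:
        description = "Constructed heuristic: PHP file that decodes and executes request input"
        author      = "added example, not from the original page"
        score       = 60   // assumption: rule-weighting convention; plain YARA ignores unknown meta
    strings:
        // execution sinks
        $exec1 = "eval(" ascii nocase
        $exec2 = "assert(" ascii nocase
        $exec3 = /\b(system|passthru|shell_exec)\s*\(/ ascii nocase
        // decoding / obfuscation layers
        $dec1  = "base64_decode(" ascii nocase
        $dec2  = "gzinflate(" ascii nocase
        $dec3  = "str_rot13(" ascii nocase
        // attacker-controlled input sources
        $in1   = "$_POST[" ascii
        $in2   = "$_GET[" ascii
        $in3   = "$_REQUEST[" ascii
    condition:
        Is_PHP_File and filesize < 200KB and
        1 of ($exec*) and 1 of ($dec*) and 1 of ($in*)
}

rule Custom_IOC_Example_Constructed
{
    meta:
        description = "Constructed indicator set for a PE file; every value is a placeholder"
        author      = "added example, not from the original page"
    strings:
        // constructed mutex name and command-and-control host, ASCII and UTF-16 variants
        $mutex = "Global\\EXAMPLE_MUTEX_0000" ascii wide
        $host  = "example-c2.invalid" ascii wide nocase
        // constructed code fragment: push imm32 / call rel32 / add esp,4 with wildcarded operands
        $op    = { 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 83 C4 04 }
    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and
        ( $mutex or ( $host and $op ) )
}
```

Dropping a file like this into the signature folder, as described above, is all that is needed to have the rules picked up on the next scan; the `private` helper keeps the PHP check out of the findings while still gating the heuristic, and the size limits keep the rules from firing on large archives or logs.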



THOR as a Plugin

The flexible and portable character of THOR allows deploying it in many different ways. Our customers have integrated THOR as an additional scanner in their malware analysis pipeline, use it in their EDR to scan collected samples and deploy it in live response sessions.

A very compelling integration is the one that extends the live response of Microsoft Defender ATP. While Microsoft Defender ATP plays to its strengths in detecting live attacks, suspicious processes and network connections, THOR shines as a live forensic scanner that scans the local file system, registry, logs and other elements for traces of hacking activity. THOR extends Microsoft Defender ATP’s real-time monitoring with intensive local scans to allow a full on-demand compromise assessment.