Hackers are already in your environment – spot them with THOR and Splunk!

Hello Security Ninjas,

I recently came across a new method (at least for me) to detect and discover advanced persistent threats.

You probably already know about antivirus scanners, IDS solutions, vulnerability scanners as well as sandbox execution systems like FireEye, the WildFire service from Palo Alto or ThreatGRID from Cisco. However, one of the latest tools, “THOR”, is different.

What is THOR?

THOR is an APT scanner, a set of binaries that can be executed on demand on either Windows or Unix systems. THOR scans the system for hacking tools, APT indicators, remote access Trojans and many other indicators. It also integrates a number of Indicators of Compromise (IOCs, YARA signatures). In addition to crawling for the basic stuff, it collects information about currently logged-in users, user accounts on the machines, running services, network connections, the DNS cache, Windows event logs, processes and memory, prefetch files and much more. Based on this collected information it then creates an overall score.

How does the scoring system work?

The scoring system works in a similar way to how you would classify information found during a manual investigation. For example, if a file named temp.exe in C:/Windows presents itself as an executable binary but is in reality a text file that has simply been given an .exe name, it receives a score of +3. As more rules and indicators are triggered, the score increases, which lets you prioritize work for the incident investigation teams.
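The following added example sketches this kind of cumulative scoring so that hosts can be ranked for investigation. It is not THOR's code: only the +3 weight for the temp.exe case comes from the article, while the second rule, its weight, the host names and the sample findings are constructed assumptions.

```python
import ntpath
from collections import defaultdict

# Extensions that claim "I am a Windows executable" (assumed list).
EXECUTABLE_EXTS = {".exe", ".dll", ".scr"}
MZ_MAGIC = b"MZ"  # first two bytes of every Windows PE file


def score_file(name, head):
    """Score one file from its name and its first bytes; returns (score, reasons)."""
    score, reasons = 0, []
    named_exe = ntpath.splitext(name)[1].lower() in EXECUTABLE_EXTS
    is_pe = head.startswith(MZ_MAGIC)
    if named_exe and not is_pe:
        score += 3  # the article's example: text file merely named *.exe
        reasons.append("executable extension but content is not a PE file")
    elif is_pe and not named_exe:
        score += 4  # assumed weight for the reverse mismatch
        reasons.append("PE content behind a non-executable extension")
    return score, reasons


def rank_hosts(findings):
    """findings: (host, filename, first_bytes) tuples.
    Returns [(host, total_score)] with the highest score first, clean hosts omitted."""
    totals = defaultdict(int)
    for host, name, head in findings:
        totals[host] += score_file(name, head)[0]
    scored = [(h, t) for h, t in totals.items() if t > 0]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


# Constructed sample findings, one tuple per scanned file.
SAMPLE = [
    ("ws-01", "C:/Windows/temp.exe", b"just some text"),
    ("ws-01", "C:/Windows/notepad.exe", b"MZ\x90\x00"),
    ("ws-02", "C:/Users/Public/report.txt", b"MZ\x90\x00"),
    ("ws-02", "C:/Windows/temp.exe", b"plain text"),
    ("ws-03", "C:/Windows/explorer.exe", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for host, total in rank_hosts(SAMPLE):
        print(f"{host}: score {total}")
```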


How does the reporting and analytics work?


With lots of data being collected during a scan from a number of different indicators, inevitably a significant amount of reporting is required. The key is that researchers can have access to the lowest level of detail possible. This is done by sending the data via syslog output directly to Splunk or by storing it in a text file that can then be monitored with a Splunk forwarder.


In addition, the THOR framework is a binary that needs no installation; it only has to be executed. Deployment can therefore be done easily with the Splunk Forwarder via Deployment Server. Through inputs.conf you can also schedule how often it should scan systems for APT indicators.


This concept of deployment shows nicely how the THOR development team can invest their research resources into their key business – security – and for deployment, execution and reporting they bet on Splunk.

Where is THOR already being used?

THOR with Splunk is already in use at many organizations that have been affected by a breach, whether public or not. Many Computer Emergency Response Teams (CERTs) are also already using it to get a deeper understanding when investigating the situation surrounding incidents.

At the last SplunkLive event in London, Freddy Dezeure, Head of CERT-EU, presented its usage of Splunk to analyze machine data. During the presentation he also talked about the IOCs and YARA rules created to scan systems to find malicious activities and validate that no other hosts are compromised. From a nice screenshot I saw, I recognized that they too are using THOR.

How can I get started?

You can request a free trial of THOR for 14 days, or you can use a free spin-off version of THOR called “LOKI”, which has a limited set of APT indicators compared to THOR.


Happy hunting for APTs with Splunk in your environment,