Endpoint Incident Response using THOR Lite
THOR, by Nextron Systems, is a multi-platform IOC and YARA scanner. THOR is available in an enterprise version and a free version for public use; THOR Lite is the free version.
THOR Lite includes the file system and process scan modules, as well as modules that extract "autoruns" information on the different platforms.
What are the capabilities of THOR Lite?
- THOR Lite can scan different operating systems: Windows, Linux and macOS.
- THOR Lite ships with a precompiled and encrypted open-source signature set.
- THOR Lite can be updated to download tested versions with signature updates.
- After execution, THOR Lite presents readable documentation of the results.
- THOR Lite has the option to add your own custom IOCs and signatures.
- THOR Lite supports different output formats: text log, SYSLOG (UDP/TCP/TCP+TLS), JSON to file, JSON via syslog.
- THOR Lite can throttle the scan to limit CPU usage.
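The JSON-to-file output is the format a responder will most often feed into a triage script rather than read by hand. The following is an added example written for this page, not code from Nextron or from THOR Lite itself: it parses one-JSON-object-per-line output, counts events per level, ranks findings by level and score, and lists the file paths to collect from the host. The key names ("level", "module", "message", "file", "score") and the level ordering Alert > Warning > Notice > Info are assumptions about THOR's JSON layout, and the sample log lines are constructed; check both against a real thor-lite run before relying on the script.

```python
"""Triage helper for THOR Lite JSON output.

Added example, not part of THOR or this page. It assumes THOR's JSON-to-file
output is one JSON object per line with at least the keys "level", "module",
"message" and, for findings, "file" and "score"; those key names and the
level ordering below are assumptions, so verify them against a real scan log.
"""
import json
from collections import Counter

# THOR reports findings at these levels, most to least severe (assumed order).
LEVEL_RANK = {"Alert": 3, "Warning": 2, "Notice": 1, "Info": 0}

# Constructed sample log (not from a real scan); hostnames and paths are made up.
# One line is deliberately not JSON to exercise the truncated-log case.
SAMPLE_JSON_LINES = r"""
{"time":"2024-05-01T10:00:00Z","level":"Info","module":"Init","message":"Scan started","hostname":"WS01"}
{"time":"2024-05-01T10:01:12Z","level":"Warning","module":"Filescan","message":"Suspicious file found","file":"C:\\Users\\bob\\AppData\\Local\\Temp\\svch0st.exe","score":75,"reason":"YARA rule match"}
{"time":"2024-05-01T10:02:30Z","level":"Alert","module":"ProcessCheck","message":"Malicious process detected","file":"C:\\Windows\\Temp\\mimi.exe","score":180,"reason":"Hash IOC match"}
this line is not JSON and should be skipped
{"time":"2024-05-01T10:03:00Z","level":"Notice","module":"Autoruns","message":"Unusual autorun entry","file":"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","score":40}
"""


def parse_thor_json(text):
    """Parse one-JSON-object-per-line output.

    Returns (events, bad_lines). bad_lines counts lines that were not a JSON
    object, which happens when a log file was truncated while being written.
    """
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            bad += 1
            continue
        if isinstance(obj, dict):
            events.append(obj)
        else:
            bad += 1
    return events, bad


def summarize(events):
    """Count events per level, e.g. {'Alert': 1, 'Warning': 1, ...}."""
    return Counter(e.get("level", "Unknown") for e in events)


def triage(events, min_score=60):
    """Return findings with score >= min_score, most severe first.

    Sort key is (level rank, score): an Alert always precedes a Warning, and
    within one level the higher score comes first. Events without a score
    are treated as score 0.
    """
    hits = [e for e in events if e.get("score", 0) >= min_score]
    hits.sort(
        key=lambda e: (LEVEL_RANK.get(e.get("level"), -1), e.get("score", 0)),
        reverse=True,
    )
    return hits


def collect_artifacts(events, min_score=60):
    """List the unique file paths a responder should acquire from the host,
    in triage order, so the evidence for the worst finding is pulled first."""
    paths = []
    for e in triage(events, min_score):
        path = e.get("file")
        if path and path not in paths:
            paths.append(path)
    return paths


if __name__ == "__main__":
    evs, skipped = parse_thor_json(SAMPLE_JSON_LINES)
    print(f"{len(evs)} events parsed, {skipped} malformed line(s) skipped")
    print("levels:", dict(summarize(evs)))
    for hit in triage(evs):
        print(f"[{hit['level']}] {hit['module']}: {hit['message']} "
              f"score={hit['score']} file={hit.get('file')}")
    print("artifacts to collect:", collect_artifacts(evs))
```

Replace `SAMPLE_JSON_LINES` with the contents of the JSON file THOR Lite wrote and the same functions work unchanged; raising `min_score` is the quickest way to cut noise when many hosts are scanned, while the malformed-line counter tells you whether a log was cut short before the scan finished.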
From an incident response perspective, identifying patient zero during an incident or infection is just the tip of the iceberg. A responder must gather evidence, artifacts and data about the compromised systems, and having the right tool to execute these actions is a must. Not only does such a tool automate the collection, it also helps the responder reduce the time needed to resolve the incident.