{"id":8358,"date":"2020-07-29T10:04:01","date_gmt":"2020-07-29T08:04:01","guid":{"rendered":"https:\/\/www.nextron-systems.com\/?p=8358"},"modified":"2023-02-02T16:18:50","modified_gmt":"2023-02-02T15:18:50","slug":"sigma-scanning-with-thor","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2020\/07\/29\/sigma-scanning-with-thor\/","title":{"rendered":"Sigma Scanning with THOR"},"content":{"rendered":"

[et_pb_section fb_built=”1″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}” da_is_popup=”off” da_exit_intent=”off” da_has_close=”on” da_alt_close=”off” da_dark_close=”off” da_not_modal=”on” da_is_singular=”off” da_with_loader=”off” da_has_shadow=”on” da_disable_devices=”off|off|off”][et_pb_row _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

Our compromise assessment scanner THOR is able to apply Sigma rules during the local Eventlog analysis. This can help any customer that has no central SIEM system or performs a live forensic analysis on a system group that does not report to central monitoring.\u00a0<\/p>\n

By running THOR on these systems with activated Sigma feature, THOR becomes a kind of a distributed and portable SIEM.<\/p>\n

Since the Sigma scan module isn’t active by default, we thought it a good idea to explain how to activate an use it in the best possible way.\u00a0<\/p>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”2_5″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

Open Source Rule Set<\/h1>\n

By default THOR uses the open-source Sigma rule set<\/a> with more than 500+ rules provided by the Sigma project on their Github page<\/a>.\u00a0<\/p>\n

Since our head of research is also one of the project maintainers, it was reasonable to combine the detection capabilities of Sigma with THOR’s scanning functionality on the endpoint.\u00a0<\/p>\n

We comply with Sigma’s DRL (Detection Rule License) by including the rule authors in the event data produced by these rules.\u00a0\u00a0<\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/07\/Screenshot-2020-07-29-at-09.25.26.png” title_text=”Screenshot 2020-07-29 at 09.25.26″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”2_5″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

Custom Sigma Rules<\/h1>\n

You can easily add you own Sigma rules by placing them in the “.\/custom-signatures\/sigma” sub folder.<\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/07\/Screenshot-2020-07-29-at-09.34.43.png” title_text=”Screenshot 2020-07-29 at 09.34.43″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”2_5″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

THOR’s Sigma Config<\/h1>\n

The THOR default configuration<\/a>\u00a0for Sigma can be found in the Sigma repository.\u00a0<\/p>\n

This configuration shows you, which Windows Eventlogs and Linux\/Unix log files get analyzed by the Sigma module in THOR.<\/p>\n

 <\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/07\/Screenshot-2020-07-29-at-09.16.56.png” title_text=”Screenshot 2020-07-29 at 09.16.56″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.18.0″ _module_preset=”default” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]<\/p>\n

Sigma Scanning<\/h1>\n

To activate the Sigma module simply use the “–sigma” flag (or “sigma: True” in a YML config file).<\/p>\n

You can start a THOR scan that analyzes the local Eventlog and activates the Sigma feature with:<\/p>\n

thor64.exe -a Eventlog --sigma<\/pre>\n
To run a Sigma scan on a single Eventlog e.g. Sysmon’s log, use the “-n” flag.<\/p>\n
thor64.exe -a Eventlog --sigma -n \"Microsoft-Windows-Sysmon\/Operational\"<\/pre>\n
To include the Sigma feature in a standard THOR scan and check only the last 3 days of the Windows Eventlogs to reduce the scan duration, use:<\/p>\n
thor64.exe --sigma -lookback 3<\/pre>\n
[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
Sigma Matches<\/h1>\n
Once a Sigma rule matches on a log entry, you’ll see it listed in one of the REASON’s that lead to the classification of an event.\u00a0<\/p>\n
The following example shows the detection of a China Chopper (Caidao) ASP web shell. That web shell has been detected by multiple Sigma rules.\u00a0<\/p>\n
    \n
  1. Webshell Detection With Command Line Keywords<\/span><\/a>\u00a0<\/li>\n
  2. Shells Spawned by Web Servers<\/span><\/a><\/li>\n
  3. Whoami Execution<\/span><\/a><\/li>\n<\/ol>\n
    [\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/07\/Screenshot-2020-07-29-at-09.02.26.png” title_text=”Screenshot 2020-07-29 at 09.02.26″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.16″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n
    Getting Started<\/h1>\n
    Since this feature isn’t available in THOR Lite, please contact us via the “Get Started” button in the upper right corner and get a free trial voucher. Most customers that use THOR with Sigma choose one of our THOR license packs<\/a>, especially the SOC Toolkit Pack, which was geared to the needs of today’s SOC teams.\u00a0<\/p>\n
    [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"
    Our compromise assessment scanner THOR is able to apply Sigma rules during the local Eventlog analysis. This can help any customer that has no central SIEM system or performs a live forensic analysis on a system group that does not report to central monitoring.\u00a0 By running THOR on these systems with activated Sigma feature, THOR becomes a kind of a distributed and portable SIEM. Since the Sigma scan module isn’t active by default, we thought it a good idea to explain how to activate an use it in the best possible way.\u00a0Open Source Rule Set By default THOR uses the open-source Sigma rule set with more than 500+ rules provided by the Sigma project on their Github page.\u00a0 Since our head of research is also one of the project maintainers, it was reasonable to combine the detection capabilities of Sigma with THOR’s scanning functionality on the endpoint.\u00a0 We comply with Sigma’s DRL (Detection Rule License) by including the rule authors in the event data produced by these rules.\u00a0\u00a0Custom Sigma Rules You can easily add you own Sigma rules by placing them in the “.\/custom-signatures\/sigma” sub folder.THOR’s Sigma Config The THOR default configuration\u00a0for Sigma can be found in the Sigma repository.\u00a0 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[46,1,549,32],"tags":[90,77,89,502,62,7,60,59,5],"class_list":["post-8358","post","type-post","status-publish","format-standard","hentry","category-newsletter","category-nextron","category-sigma","category-thor","tag-analysis","tag-endpoint","tag-log","tag-rule","tag-rules","tag-scanner","tag-siem","tag-sigma","tag-thor"],"yoast_head":"\nSigma Scanning with THOR - Nextron Systems<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2020\/07\/29\/sigma-scanning-with-thor\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2020\/07\/29\/sigma-scanning-with-thor\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2020\/07\/29\/sigma-scanning-with-thor\/\"},\"author\":{\"name\":\"Florian Roth\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\"},\"headline\":\"Sigma Scanning with THOR\",\"datePublished\":\"2020-07-29T08:04:01+00:00\",\"dateModified\":\"2023-02-02T15:18:50+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2020\/07\/29\/sigma-scanning-with-thor\/\"},\"wordCount\":983,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"keywords\":[\"analysis\",\"endpoint\",\"log\",\"rule\",\"Rules\",\"scanner\",\"SIEM\",\"Sigma\",\"thor\"],\"articleSection\":[\"Newsletter\",\"Nextron\",\"Sigma\",\"THOR\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2020\/07\/29\/sigma-scanning-with-thor\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2020\/07\/29\/sigma-scanning-with-thor\/\",\"name\":\"Sigma Scanning with THOR - Nextron Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"datePublished\":\"2020-07-29T08:04:01+00:00\",\"dateModified\":\"2023-02-02T15:18:50+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2020\/07\/29\/sigma-scanning-with-thor\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\",\"name\":\"Florian Roth\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"caption\":\"Florian Roth\"},\"description\":\"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.\",\"url\":\"https:\/\/www.nextron-systems.com\/author\/florian\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Sigma Scanning with THOR - Nextron Systems","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.nextron-systems.com\/2020\/07\/29\/sigma-scanning-with-thor\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.nextron-systems.com\/2020\/07\/29\/sigma-scanning-with-thor\/#article","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/2020\/07\/29\/sigma-scanning-with-thor\/"},"author":{"name":"Florian Roth","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919"},"headline":"Sigma Scanning with THOR","datePublished":"2020-07-29T08:04:01+00:00","dateModified":"2023-02-02T15:18:50+00:00","mainEntityOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2020\/07\/29\/sigma-scanning-with-thor\/"},"wordCount":983,"publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"keywords":["analysis","endpoint","log","rule","Rules","scanner","SIEM","Sigma","thor"],"articleSection":["Newsletter","Nextron","Sigma","THOR"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.nextron-systems.com\/2020\/07\/29\/sigma-scanning-with-thor\/","url":"https:\/\/www.nextron-systems.com\/2020\/07\/29\/sigma-scanning-with-thor\/","name":"Sigma Scanning with THOR - Nextron Systems","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/#website"},"datePublished":"2020-07-29T08:04:01+00:00","dateModified":"2023-02-02T15:18:50+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.nextron-systems.com\/2020\/07\/29\/sigma-scanning-with-thor\/"]}]},{"@type":"WebSite","@id":"https:\/\/www.nextron-systems.com\/#website","url":"https:\/\/www.nextron-systems.com\/","name":"Nextron Systems","description":"We Detect Hackers","publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.nextron-systems.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.nextron-systems.com\/#organization","name":"Nextron Systems GmbH","url":"https:\/\/www.nextron-systems.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","width":260,"height":260,"caption":"Nextron Systems GmbH"},"image":{"@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919","name":"Florian Roth","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","caption":"Florian Roth"},"description":"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.","url":"https:\/\/www.nextron-systems.com\/author\/florian\/"}]}},"_links":{"self":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/8358","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/comments?post=8358"}],"version-history":[{"count":15,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/8358\/revisions"}],"predecessor-version":[{"id":15917,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/8358\/revisions\/15917"}],"wp:attachment":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media?parent=8358"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/categories?post=8358"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/tags?post=8358"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}