{"id":8475,"date":"2020-10-01T15:50:57","date_gmt":"2020-10-01T13:50:57","guid":{"rendered":"https:\/\/www.nextron-systems.com\/?p=8475"},"modified":"2022-03-25T14:15:42","modified_gmt":"2022-03-25T13:15:42","slug":"theres-a-thunderstorm-coming","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2020\/10\/01\/theres-a-thunderstorm-coming\/","title":{"rendered":"There’s a Thunderstorm Coming"},"content":{"rendered":"

[et_pb_section fb_built=”1″ _builder_version=”4.5.6″ _module_preset=”default”][et_pb_row _builder_version=”4.5.6″ _module_preset=”default”][et_pb_column type=”4_4″ _builder_version=”4.5.6″ _module_preset=”default”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/08\/THOR-Service-1.png” title_text=”THOR-Service” _builder_version=”4.5.6″ _module_preset=”default”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”3_5,2_5″ _builder_version=”4.5.6″ _module_preset=”default”][et_pb_column type=”3_5″ _builder_version=”4.5.6″ _module_preset=”default”][et_pb_text _builder_version=”4.5.6″ _module_preset=”default” custom_padding=”30px|||||”]<\/p>\n

We are proud to announce a groundbreaking new scan mode named “Thunderstorm” that we’ve integrated into preview builds of the upcoming THOR version 10.6.<\/p>\n

This mode of operation turns THOR into a RESTful web service that is able to process thousands of samples per minute sent from any device within the network.<\/p>\n

Think of it as your ultra-fast on-premise scan service, wich is bundled with more than 13,000 hand-crafted YARA rules focusing on persistent threats and forensic artefacts.<\/p>\n

Collect files and submit them for analysis from any operating system and any hardware platform. The possibilities are limitless.<\/span><\/p>\n

With this blog post, we’d like to highlight some of these new possibilities.<\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”2_5″ _builder_version=”4.5.6″ _module_preset=”default”][et_pb_testimonial author=”Norse Poem” portrait_url=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/09\/god_of_thunder-1.png” quote_icon_color=”#009ec7″ quote_icon_background_color=”#ffffff” portrait_width=”92px” use_icon_font_size=”on” icon_font_size=”46px” _builder_version=”4.6.2″ _module_preset=”default” body_font=”||on||||||” body_text_color=”#000000″]<\/p>\n

Thunder rolls, lightning strikes & the hammer flies across the sky.
God of the weather,
chariot of the storm,
master of rain & torrents.
Son of the strength
of Mother Earth,
I ask you to grant me that strength for myself.<\/p>\n

[\/et_pb_testimonial][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.5.6″ _module_preset=”default”][et_pb_column type=”4_4″ _builder_version=”4.5.6″ _module_preset=”default”][et_pb_text _builder_version=”4.5.6″ _module_preset=”default”]<\/p>\n

What is THOR Thunderstorm?<\/h3>\n

A RESTful web service\u00a0that receives samples and returns a scan result. It is feature-rich and very fast.
\n[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/08\/Screenshot-2020-08-20-at-23.46.18.png” title_text=”Screenshot 2020-08-20 at 23.46.18″ _builder_version=”4.5.6″ _module_preset=”default”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.5.6″ _module_preset=”default”][et_pb_column type=”4_4″ _builder_version=”4.5.6″ _module_preset=”default”][et_pb_text _builder_version=”4.5.6″ _module_preset=”default”]<\/p>\n

Use Cases<\/h1>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.5.6″ _module_preset=”default”][et_pb_column type=”2_5″ _builder_version=”4.5.6″ _module_preset=”default”][et_pb_text _builder_version=”4.5.6″ _module_preset=”default” custom_padding=”|1px||||”]<\/p>\n

Use Case 1 – Remote File Collection<\/h3>\n

During forensic investigations, automated file collection (ESI) from one or multiple remote systems can be combined with THOR Thunderstorm to improve the forensic anylsis.<\/p>\n

Alerts and warnings produced by THOR Thunderstorm highlight interesting elements in file data, registry hives, eventlog files and more.
\n[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.5.6″ _module_preset=”default”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/08\/FileCollection_Thunderstorm.png” title_text=”FileCollection_Thunderstorm” _builder_version=”4.5.6″ _module_preset=”default”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.5.6″ _module_preset=”default”][et_pb_column type=”2_5″ _builder_version=”4.5.6″ _module_preset=”default”][et_pb_text _builder_version=”4.5.6″ _module_preset=”default”]<\/p>\n

Use Case 2 – ICS Networks<\/h3>\n

ICS networks are mission critical, requiring immediate and high-availability. The installation of an endpoint agent or running a portable scanner is often out of question.<\/p>\n

With THOR Thunderstorm, you just have to collect and submit the files.<\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.5.6″ _module_preset=”default”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/08\/ics_targets.png” title_text=”ics_targets” _builder_version=”4.5.6″ _module_preset=”default”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.5.6″ _module_preset=”default”][et_pb_column type=”2_5″ _builder_version=”4.5.6″ _module_preset=”default”][et_pb_text _builder_version=”4.5.6″ _module_preset=”default”]<\/p>\n

Use Case 3 – Out of Reach Devices<\/h3>\n

Since file collection is a lot easier than endpoint scanning, all you need is way to export the remote system’s files or directly send them to THOR Thunderstorm.<\/p>\n

Imagine that you can collect and submit files from network devices, telephone systems or embedded devices.<\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.5.6″ _module_preset=”default”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/08\/Screenshot-2020-08-20-at-17.31.02.png” title_text=”Screenshot 2020-08-20 at 17.31.02″ _builder_version=”4.5.6″ _module_preset=”default”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.6.2″ _module_preset=”default”][et_pb_column type=”2_5″ _builder_version=”4.6.2″ _module_preset=”default”][et_pb_text _builder_version=”4.6.2″ _module_preset=”default”]<\/p>\n

Use Case 4 – Out of Reach Operating Systems<\/h3>\n

File collection scripts for many old or usually unsupported operating systems allow you to upload samples for analysis.<\/p>\n

Select files based on size, age or type and schedule frequent upload tasks to analyze only new or modified files.\u00a0<\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.6.2″ _module_preset=”default”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/09\/Thunderstorm_OS_Listing-1.png” title_text=”Thunderstorm_OS_Listing” _builder_version=”4.6.5″ _module_preset=”default”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.5.6″ _module_preset=”default”][et_pb_column type=”2_5″ _builder_version=”4.5.6″ _module_preset=”default”][et_pb_text _builder_version=”4.5.6″ _module_preset=”default”]<\/p>\n

Use Case 5 – S3 Bucket Scanning<\/h3>\n

We’ve been working with our partner\u00a0Adolus<\/a>\u00a0to showcase a tuned version<\/a> of AirBnb’s BinaryAlert<\/a> in which the standard YARA analyzer has been replaced by THOR Thunderstorm.<\/p>\n

By using it in a container that scales with the demand, you can process millions of files in a few minutes.<\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.5.6″ _module_preset=”default”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/08\/Screenshot-2020-08-20-at-08.29.26.png” title_text=”Screenshot 2020-08-20 at 08.29.26″ _builder_version=”4.5.6″ _module_preset=”default”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.5.7″ _module_preset=”default”][et_pb_column type=”4_4″ _builder_version=”4.5.7″ _module_preset=”default”][et_pb_text _builder_version=”4.5.7″ _module_preset=”default”]<\/p>\n

Flexibility<\/h1>\n

Most operating system provide tools to walk the file system and submit files via HTTP. The following examples are intentionally short and compact to inspire you with their simplicity. Think of all devices that you could analyze this way. No agent, no portable scanner, just simple file submission via HTTP.
\n[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”1_4,3_4″ _builder_version=”4.5.7″ _module_preset=”default”][et_pb_column type=”1_4″ _builder_version=”4.5.7″ _module_preset=”default”][et_pb_text _builder_version=”4.5.7″ _module_preset=”default”]<\/p>\n

Windows 10 Batch<\/h3>\n

This example shows a simple batch file that walks recursively over a given folder an submits all files. You could extend it to the whole disk and reduce the submission to certain file extensions (e.g. exe, bat, ps1, js).
\n[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_4″ _builder_version=”4.5.7″ _module_preset=”default”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/08\/Screenshot-2020-08-22-at-08.53.28.png” title_text=”Screenshot 2020-08-22 at 08.53.28″ _builder_version=”4.5.7″ _module_preset=”default”][\/et_pb_image][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/08\/Screenshot-2020-08-22-at-08.32.36.png” title_text=”Screenshot 2020-08-22 at 08.32.36″ _builder_version=”4.5.7″ _module_preset=”default”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”1_4,3_4″ _builder_version=”4.5.7″ _module_preset=”default”][et_pb_column type=”1_4″ _builder_version=”4.5.7″ _module_preset=”default”][et_pb_text _builder_version=”4.5.7″ _module_preset=”default”]<\/p>\n

Linux Web Server<\/h3>\n

This examples shows how easy it is to get all files in a web server root checked by THOR Thunderstorm just by using bash, find and curl.<\/p>\n

 
\n[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_4″ _builder_version=”4.5.7″ _module_preset=”default”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/08\/thunderstorm-linux-curl.gif” title_text=”thunderstorm-linux-curl” _builder_version=”4.5.7″ _module_preset=”default”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.6.3″ _module_preset=”default”][et_pb_column type=”4_4″ _builder_version=”4.6.3″ _module_preset=”default”][et_pb_text _builder_version=”4.6.3″ _module_preset=”default” custom_margin=”-1px|||||”]<\/p>\n

Thunderstorm Components<\/h1>\n

[\/et_pb_text][et_pb_text _builder_version=”4.6.3″ _module_preset=”default”]<\/p>\n

The following slide lists the different components that can be used with THOR Thunderstorm. We provide a server installer script, collectors, a Python API client and update scripts.\u00a0<\/p>\n

[\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/09\/Screenshot-2020-09-25-at-09.21.17.png” title_text=”Screenshot 2020-09-25 at 09.21.17″ _builder_version=”4.6.3″ _module_preset=”default”][\/et_pb_image][et_pb_text _builder_version=”4.6.3″ _module_preset=”default”]<\/p>\n

In addition to the Thunderstorm server we provide a set of simple sample collection tools called Thunderstorm Collectors<\/a>, a Python-based API library<\/a> with command line client and a set of helper scripts<\/a>.\u00a0<\/p>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.6.2″ _module_preset=”default”][et_pb_column type=”4_4″ _builder_version=”4.6.2″ _module_preset=”default”][et_pb_text _builder_version=”4.6.3″ _module_preset=”default”]<\/p>\n

Thunderstorm Collectors<\/h1>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.6.2″ _module_preset=”default”][et_pb_column type=”2_5″ _builder_version=”4.6.2″ _module_preset=”default”][et_pb_text _builder_version=”4.6.2″ _module_preset=”default”]<\/p>\n

The Thunderstorm Collector repository<\/a> contains a Go based collector, precompiled for many different operating<\/a> systems and architectures as well as collectors scripts (Batch, Bash, PowerShell).<\/p>\n

We have pre-build collectors for Windows, Linux, macOS, AIX, Solaris on x86, x64, Arm, PowerPC, MIPS, RISC-V, Plan9, S390x (IBM Z) architectures.<\/span><\/p>\n

These collectors allow you select files based on age, size and type for submission to a Thunderstorm server.<\/span><\/p>\n

It is easy to set up a task like:\u00a0<\/p>\n

“Select all files that have been created or modified within the last 24 hours and submit them to Thunderstorm for analysis. Run this task daily.”<\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.6.2″ _module_preset=”default”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/09\/Screenshot-2020-09-25-at-09.27.54.png” title_text=”Screenshot 2020-09-25 at 09.27.54″ _builder_version=”4.6.3″ _module_preset=”default”][\/et_pb_image][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/09\/Screenshot-2020-09-29-at-16.09.53.png” title_text=”Screenshot 2020-09-29 at 16.09.53″ _builder_version=”4.6.5″ _module_preset=”default”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”1_3,1_3,1_3″ _builder_version=”4.6.3″ _module_preset=”default”][et_pb_column type=”1_3″ _builder_version=”4.6.3″ _module_preset=”default”][et_pb_blurb title=”Low CPU and RAM Usage” image=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/05\/Anti-virus-Security-16.png” _builder_version=”4.6.3″ _module_preset=”default”]<\/p>\n

A collection task requires 0.75-2% of the CPU and 20MB memory.\u00a0<\/p>\n

[\/et_pb_blurb][\/et_pb_column][et_pb_column type=”1_3″ _builder_version=”4.6.3″ _module_preset=”default”][et_pb_blurb title=”Any OS, Any Arch” image=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/09\/Thunderstorm_OS_Listing-1.png” _builder_version=”4.6.5″ _module_preset=”default”]<\/p>\n

Our collectors run on any operating system and processor architecture<\/p>\n

[\/et_pb_blurb][\/et_pb_column][et_pb_column type=”1_3″ _builder_version=”4.6.3″ _module_preset=”default”][et_pb_blurb title=”High Speed” image=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/05\/Speed_256.png” _builder_version=”4.6.3″ _module_preset=”default”]<\/p>\n

It allows ultra fast collection runs. (Our tests: Win 10, collect last 3 days, any type, full disk = 3 minutes run)<\/p>\n

[\/et_pb_blurb][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.6.3″ _module_preset=”default”][et_pb_column type=”4_4″ _builder_version=”4.6.3″ _module_preset=”default”][et_pb_text _builder_version=”4.6.3″ _module_preset=”default”]<\/p>\n

Thunderstorm API Client<\/h1>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.6.3″ _module_preset=”default”][et_pb_column type=”2_5″ _builder_version=”4.6.3″ _module_preset=”default”][et_pb_text _builder_version=”4.6.3″ _module_preset=”default”]<\/p>\n

We provide a\u00a0<\/span>Python module and Python based API client<\/a>\u00a0that supports multi-threaded submission to the THOR Thunderstorm service.<\/span><\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.6.3″ _module_preset=”default”][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/08\/Screenshot-2020-08-20-at-17.57.33.png” title_text=”Screenshot 2020-08-20 at 17.57.33″ _builder_version=”4.6.3″ _module_preset=”default”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.5.6″ _module_preset=”default”][et_pb_column type=”4_4″ _builder_version=”4.5.6″ _module_preset=”default”][et_pb_text _builder_version=”4.5.6″ _module_preset=”default”]<\/p>\n

Modes of Operation<\/h1>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”1_3,1_3,1_3″ _builder_version=”4.5.6″ _module_preset=”default”][et_pb_column type=”1_3″ _builder_version=”4.5.6″ _module_preset=”default”][et_pb_text _builder_version=”4.6.2″ _module_preset=”default”]<\/p>\n

Service Mode<\/h3>\n

The service can be started in two scan modes:<\/p>\n