{"id":9324,"date":"2021-02-03T12:34:34","date_gmt":"2021-02-03T11:34:34","guid":{"rendered":"https:\/\/www.nextron-systems.com\/?p=9324"},"modified":"2022-03-25T14:15:41","modified_gmt":"2022-03-25T13:15:41","slug":"thor-seed-v0-18-improves-integration-with-microsoft-defender-atp","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2021\/02\/03\/thor-seed-v0-18-improves-integration-with-microsoft-defender-atp\/","title":{"rendered":"THOR Seed v0.18 Improves Integration with Microsoft Defender ATP"},"content":{"rendered":"<p>A new version of THOR Seed improves the integration with Microsoft Defender ATP by handling the script termination caused by exceeded timeouts. The Live Response library enforces a runtime limit on every script, so previous versions of THOR Seed had to be configured to perform a reduced scan that tried to finish within that limit.<\/p>\n<p>This led to two major issues:<\/p>\n<ul>\n<li>Only a reduced set of modules could be activated and a limited set of elements could be scanned<\/li>\n<li>Some script runs were terminated before completion<\/li>\n<\/ul>\n<p>THOR Seed version 0.18 is now able to handle this situation and provides guidance on how to proceed.<\/p>\n<p>While resolving this issue we noticed that only the script run gets terminated, not the sub process, which is the actual THOR scan. So the execution of &#8220;thor-seed.ps1&#8221; is interrupted, but the sub process &#8220;thor64.exe&#8221; keeps running in the background.<\/p>\n<p>After a terminated script run, you can now simply issue &#8220;run thor-seed.ps1&#8221; a second time and get the information that the THOR process is still running in the background. The message includes the location of the log file and shows the last 3 lines of that file so that you can review the scan progress.<\/p>\n<p><img src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/02\/Screenshot-2021-02-01-at-17.55.55.png\" alt=\"Screenshot 2021-02-01 at 17.55.55\" \/><\/p>\n<p>After the scan has completed, THOR Seed shows a message that it cannot start a new scan until the log files and HTML reports have been reviewed and removed from the system. The message includes all necessary commands for you to copy, paste and execute.<\/p>\n<p><img src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/02\/Screenshot-2021-02-02-at-18.38.23.png\" alt=\"Screenshot 2021-02-02 at 18.38.23\" \/><\/p>\n<p>A new guide explains all the steps and describes the integration in more detail. The release version can be found <a href=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/02\/THOR_Cloud_MicrosoftDefender_ATP_Setup_Guide_v1.0_Feb21.pdf\">here<\/a>. Please contact us for a current version of that document in case you encounter any issues due to outdated information.<\/p>\n<p><img src=\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/02\/Screenshot-2021-02-03-at-11.09.53.png\" alt=\"Screenshot 2021-02-03 at 11.09.53\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new version of THOR Seed improves the integration with Microsoft Defender ATP by handling the script termination caused by exceeded timeouts. Due to a runtime limit for all scripts in the Live Response library we had to configure previous versions of THOR Seed to perform a reduced scan that tried to finish within that runtime limit. 
This led to two major issues: Only a reduced set of modules could be activated and a limited set of elements could be scanned. Some script runs were terminated before completion. THOR Seed version 0.18 is now able to handle this situation and provides guidance on how to proceed. While resolving this issue we noticed that only the script run gets terminated but not the sub process, which is the actual THOR scan. So, the execution of &#8220;thor-seed.ps1&#8221; gets interrupted but the sub process &#8220;thor64.exe&#8221; keeps on running in the background. After a terminated script run, you can now simply &#8220;run thor-seed.ps1&#8221; a second time and get the info that the THOR process in the background is still running. It includes the location of the log file and shows the last 3 lines of that file so that you can review the scan progress. After [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[46,32,556],"tags":[233,547,599,597,598,120,59,5,205],"class_list":["post-9324","post","type-post","status-publish","format-standard","hentry","category-newsletter","category-thor","category-thor-cloud","tag-forensic","tag-ioc-scanning","tag-live-forensics","tag-microsoft-defender-atp","tag-microsoft-defender-security-center","tag-scans","tag-sigma","tag-thor","tag-triage"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>THOR Seed v0.18 Improves Integration with Microsoft Defender ATP - Nextron Systems<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/www.nextron-systems.com\/2021\/02\/03\/thor-seed-v0-18-improves-integration-with-microsoft-defender-atp\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2021\/02\/03\/thor-seed-v0-18-improves-integration-with-microsoft-defender-atp\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2021\/02\/03\/thor-seed-v0-18-improves-integration-with-microsoft-defender-atp\/\"},\"author\":{\"name\":\"Florian Roth\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\"},\"headline\":\"THOR Seed v0.18 Improves Integration with Microsoft Defender ATP\",\"datePublished\":\"2021-02-03T11:34:34+00:00\",\"dateModified\":\"2022-03-25T13:15:41+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2021\/02\/03\/thor-seed-v0-18-improves-integration-with-microsoft-defender-atp\/\"},\"wordCount\":577,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"keywords\":[\"Forensic\",\"IOC Scanning\",\"live forensics\",\"microsoft defender atp\",\"Microsoft Defender Security Center\",\"scans\",\"Sigma\",\"thor\",\"triage\"],\"articleSection\":[\"Newsletter\",\"THOR\",\"THOR Cloud\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2021\/02\/03\/thor-seed-v0-18-improves-integration-with-microsoft-defender-atp\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2021\/02\/03\/thor-seed-v0-18-improves-integration-with-microsoft-defender-atp\/\",\"name\":\"THOR Seed v0.18 Improves Integration with Microsoft Defender ATP - Nextron 
Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"datePublished\":\"2021-02-03T11:34:34+00:00\",\"dateModified\":\"2022-03-25T13:15:41+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2021\/02\/03\/thor-seed-v0-18-improves-integration-with-microsoft-defender-atp\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\",\"name\":\"Florian 
Roth\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"caption\":\"Florian Roth\"},\"description\":\"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.\",\"url\":\"https:\/\/www.nextron-systems.com\/author\/florian\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"THOR Seed v0.18 Improves Integration with Microsoft Defender ATP - Nextron Systems","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.nextron-systems.com\/2021\/02\/03\/thor-seed-v0-18-improves-integration-with-microsoft-defender-atp\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.nextron-systems.com\/2021\/02\/03\/thor-seed-v0-18-improves-integration-with-microsoft-defender-atp\/#article","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/2021\/02\/03\/thor-seed-v0-18-improves-integration-with-microsoft-defender-atp\/"},"author":{"name":"Florian Roth","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919"},"headline":"THOR Seed v0.18 Improves Integration with Microsoft Defender ATP","datePublished":"2021-02-03T11:34:34+00:00","dateModified":"2022-03-25T13:15:41+00:00","mainEntityOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2021\/02\/03\/thor-seed-v0-18-improves-integration-with-microsoft-defender-atp\/"},"wordCount":577,"publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"keywords":["Forensic","IOC Scanning","live forensics","microsoft defender atp","Microsoft Defender Security Center","scans","Sigma","thor","triage"],"articleSection":["Newsletter","THOR","THOR Cloud"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.nextron-systems.com\/2021\/02\/03\/thor-seed-v0-18-improves-integration-with-microsoft-defender-atp\/","url":"https:\/\/www.nextron-systems.com\/2021\/02\/03\/thor-seed-v0-18-improves-integration-with-microsoft-defender-atp\/","name":"THOR Seed v0.18 Improves Integration with Microsoft Defender ATP - Nextron 
Systems","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/#website"},"datePublished":"2021-02-03T11:34:34+00:00","dateModified":"2022-03-25T13:15:41+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.nextron-systems.com\/2021\/02\/03\/thor-seed-v0-18-improves-integration-with-microsoft-defender-atp\/"]}]},{"@type":"WebSite","@id":"https:\/\/www.nextron-systems.com\/#website","url":"https:\/\/www.nextron-systems.com\/","name":"Nextron Systems","description":"We Detect Hackers","publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.nextron-systems.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.nextron-systems.com\/#organization","name":"Nextron Systems GmbH","url":"https:\/\/www.nextron-systems.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","width":260,"height":260,"caption":"Nextron Systems GmbH"},"image":{"@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919","name":"Florian Roth","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","caption":"Florian 
Roth"},"description":"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.","url":"https:\/\/www.nextron-systems.com\/author\/florian\/"}]}},"_links":{"self":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/9324","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/comments?post=9324"}],"version-history":[{"count":5,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/9324\/revisions"}],"predecessor-version":[{"id":9334,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/9324\/revisions\/9334"}],"wp:attachment":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media?parent=9324"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/categories?post=9324"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/tags?post=9324"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
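The Live Response behaviour the post describes (the library's runtime limit kills the script while the detached thor64.exe keeps running; a second "run thor-seed.ps1" reports the running process with the log location and its last three lines; a finished scan blocks new runs until logs and HTML reports have been removed) can be reproduced with a launcher of the following shape. This is an added illustration, not THOR Seed's own code or Nextron's implementation: the paths, the PID file, the scanner arguments, the -Cleanup switch and the .txt/.html artifact extensions are assumptions made for the example.

```powershell
# Added example, not THOR Seed's own code: a Live Response-style launcher that
# detaches the scanner so the scan outlives the library's script timeout, and
# reports state idempotently when the script is run a second time.
# Assumptions: the paths below, the PID file, the scanner arguments, the
# -Cleanup switch and the .txt/.html artifact extensions are illustrative only.
[CmdletBinding()]
param(
    [string]$ScannerExe    = 'C:\ProgramData\thor\thor64.exe',  # assumed location
    [string]$WorkDir       = 'C:\ProgramData\thor',             # assumed log/report dir
    [string[]]$ScannerArgs = @('--quick'),                      # assumed arguments
    [switch]$Cleanup                                            # assumed switch
)
$PidFile = Join-Path $WorkDir 'scan.pid'

function Get-RunningScan {
    # Return the detached scanner process if the recorded PID is alive and the
    # process image really is our scanner (PIDs are reused, e.g. after a reboot).
    if (-not (Test-Path $PidFile)) { return $null }
    $savedPid = [int](Get-Content -Path $PidFile)
    $proc = Get-Process -Id $savedPid -ErrorAction SilentlyContinue
    if ($proc -and $proc.Path -eq $ScannerExe) { return $proc }
    Remove-Item -Path $PidFile -Force          # stale PID file from a finished scan
    return $null
}

function Get-ScanArtifacts {
    # Log files and HTML reports of a completed scan. While any exist, no new
    # scan may start: a second run would overwrite evidence nobody has reviewed.
    Get-ChildItem -Path $WorkDir -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.txt', '.html' }
}

if ($Cleanup) {
    # Only remove artifacts after they have been retrieved (Live Response: getfile).
    Get-ScanArtifacts | Remove-Item -Force
    Remove-Item -Path $PidFile -Force -ErrorAction SilentlyContinue
    Write-Output 'Scan artifacts removed. A new scan can be started.'
    return
}

$running = Get-RunningScan
if ($running) {
    # Same information the post describes for a re-run: PID, log path, last 3 lines.
    $log = Get-ChildItem -Path $WorkDir -Filter '*.txt' -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    Write-Output "THOR scan is still running in the background (PID $($running.Id), started $($running.StartTime))."
    if ($log) {
        Write-Output "Log file: $($log.FullName)"
        Write-Output '--- last 3 lines ---'
        Get-Content -Path $log.FullName -Tail 3
    }
    return
}

$artifacts = @(Get-ScanArtifacts)
if ($artifacts.Count -gt 0) {
    # Finished scan: refuse to start another one and print ready-to-paste
    # Live Response commands for retrieval and cleanup.
    Write-Output 'Previous scan has finished. Review and remove its artifacts before starting a new scan:'
    foreach ($a in $artifacts) { Write-Output "  getfile `"$($a.FullName)`"" }
    Write-Output '  run thor-seed.ps1 -parameters "-Cleanup"'
    return
}

# Nothing running and nothing left to review: start the scanner detached.
# Not waiting on the child is what lets the scan survive the script timeout.
$proc = Start-Process -FilePath $ScannerExe -ArgumentList $ScannerArgs `
    -WorkingDirectory $WorkDir -WindowStyle Hidden -PassThru
Set-Content -Path $PidFile -Value $proc.Id
Write-Output "Started THOR scan as PID $($proc.Id). Run this script again to check progress."
```

The script is deliberately idempotent: every invocation inspects the host's state (scan running, scan finished but unreviewed, or clean) and either reports or acts on it, so an analyst whose first run was cut off by the Live Response timeout loses nothing by running it again. The PID check compares the process image path rather than trusting the PID alone, so a reused PID after a reboot is not mistaken for a live scan.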