diff --git a/images/image1.png b/images/image1.png deleted file mode 100644 index 1a49e84..0000000 Binary files a/images/image1.png and /dev/null differ diff --git a/images/image10.png b/images/image10.png deleted file mode 100644 index 3760dab..0000000 Binary files a/images/image10.png and /dev/null differ diff --git a/images/image11.png b/images/image11.png deleted file mode 100644 index b147a8b..0000000 Binary files a/images/image11.png and /dev/null differ diff --git a/images/image2.png b/images/image2.png deleted file mode 100644 index cceab5f..0000000 Binary files a/images/image2.png and /dev/null differ diff --git a/images/image9.png b/images/image9.png deleted file mode 100644 index 972e454..0000000 Binary files a/images/image9.png and /dev/null differ diff --git a/images/initiate-live-response-session.png b/images/initiate-live-response-session.png new file mode 100644 index 0000000..85f162c Binary files /dev/null and b/images/initiate-live-response-session.png differ diff --git a/images/live-response-upload-script.png b/images/live-response-upload-script.png new file mode 100644 index 0000000..df74e96 Binary files /dev/null and b/images/live-response-upload-script.png differ diff --git a/images/image12.png b/images/run-thor-seed.png similarity index 100% rename from images/image12.png rename to images/run-thor-seed.png diff --git a/images/thor-cloud-launcher-download.png b/images/thor-cloud-launcher-download.png new file mode 100644 index 0000000..750a7e3 Binary files /dev/null and b/images/thor-cloud-launcher-download.png differ diff --git a/images/image18.png b/images/thor-html-report.png similarity index 100% rename from images/image18.png rename to images/thor-html-report.png diff --git a/images/image14.png b/images/thor-seed-console-output.png similarity index 100% rename from images/image14.png rename to images/thor-seed-console-output.png 
diff --git a/images/image5.png b/images/thor-seed-download-portal.png similarity index 100% rename from images/image5.png rename to images/thor-seed-download-portal.png diff --git a/images/image3.png b/images/thor-seed-download.png similarity index 100% rename from images/image3.png rename to images/thor-seed-download.png diff --git a/images/image15.png b/images/thor-seed-finished.png similarity index 100% rename from images/image15.png rename to images/thor-seed-finished.png diff --git a/images/image8.png b/images/thor-seed-fp-filters.png similarity index 100% rename from images/image8.png rename to images/thor-seed-fp-filters.png diff --git a/images/image4.png b/images/thor-seed-portal.png similarity index 100% rename from images/image4.png rename to images/thor-seed-portal.png diff --git a/images/image6.png b/images/thor-seed-preset-config.png similarity index 100% rename from images/image6.png rename to images/thor-seed-preset-config.png diff --git a/images/image7.png b/images/thor-seed-preset.png similarity index 100% rename from images/image7.png rename to images/thor-seed-preset.png diff --git a/images/image16.png b/images/thor-seed-retrive-results-1.png similarity index 100% rename from images/image16.png rename to images/thor-seed-retrive-results-1.png diff --git a/images/image17.png b/images/thor-seed-retrive-results-2.png similarity index 100% rename from images/image17.png rename to images/thor-seed-retrive-results-2.png diff --git a/images/image13.png b/images/thor-seed-timeout.png similarity index 100% rename from images/image13.png rename to images/thor-seed-timeout.png diff --git a/images/upload-thor-cloud-launcher.png b/images/upload-thor-cloud-launcher.png new file mode 100644 index 0000000..8975b3e Binary files /dev/null and b/images/upload-thor-cloud-launcher.png differ diff --git a/images/upload-thor-seed.png b/images/upload-thor-seed.png new file mode 100644 index 0000000..dfbeb1f Binary files /dev/null and b/images/upload-thor-seed.png differ 
diff --git a/index.rst b/index.rst index 4bb8c75..f970668 100644 --- a/index.rst +++ b/index.rst @@ -8,7 +8,7 @@ THOR with Microsoft Defender for Endpoint usage/requirements usage/thor-seed - usage/start-a-thor-scan + usage/thor-cloud usage/faqs usage/links-and-references diff --git a/usage/faqs.rst b/usage/faqs.rst index 5cfabe7..caa4fd8 100644 --- a/usage/faqs.rst +++ b/usage/faqs.rst @@ -1,8 +1,11 @@ FAQs ==== -Why does my scan suddenly terminate? ------------------------------------- +THOR Seed +--------- + +Scan is terminating +^^^^^^^^^^^^^^^^^^^ Live response applies a rather disadvantages timeout for PowerShell scripts run within a Live Response session, which is 30 minutes by @@ -38,8 +41,8 @@ retrieve your files and clean up the reports of the previous scan. THOR Seed after finished scan -Why can't I see a progress indicator? --------------------------------------- +No Progress Indicator +^^^^^^^^^^^^^^^^^^^^^ The scripting environment doesn't give us the opportunity to report back any status information before the script terminates. All output written @@ -49,8 +52,8 @@ although it appears earlier. Unfortunately, it is not possible to return information before the scan terminates. -I cannot start a new THOR scan due to old log files? ----------------------------------------------------- +Old log files prevent new scan +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Simply run a cleanup before starting a new scan. @@ -59,8 +62,8 @@ Simply run a cleanup before starting a new scan. C:\> run thor-seed.ps1 -parameters "-Cleanup" -I can't start a scan and get the error "THOR already running", why? -------------------------------------------------------------------- +THOR alreay running error +^^^^^^^^^^^^^^^^^^^^^^^^^ It is possible that you've interrupted a previous script run with CTRL+C and got back to the shell. In Live Response, sub processes started by 
@@ -75,22 +78,5 @@ the thor64.exe process that still runs in the background. It will show you information on the log file and print commands that you can use to download the log file and HTML report once THOR finished its work. -Does each scan use up one of my licenses? ------------------------------------------- - -Once you generate a license for a system, this license has a certain -lifetime (e.g. 48 hours). You can start as many scans within that -lifetime without using a new license from your quota. - -THOR doesn't stop if the scan takes longer than the license lifetime. - -If you start a new scan on a system that has be scanned in the past and -the old license is expired, a new license will be generated and count -against the quota. - -Can I use my own IOCs and YARA signatures with THOR Seed? ----------------------------------------------------------- - -Not yet but we'll add an option to the THOR Seed PowerShell script to -download and use a ZIP archive with custom IOCs and YARA signatures from -a user defined location. +THOR Cloud +---------- \ No newline at end of file diff --git a/usage/requirements.rst b/usage/requirements.rst index a66c773..d4d672f 100644 --- a/usage/requirements.rst +++ b/usage/requirements.rst @@ -92,13 +92,18 @@ On Investigated Workstations .. list-table:: Table 3 - Remote Hosts :header-rows: 1 - * - Remote Host + * - Variant + - Remote Host - Port - * - cloud.nextron-systems.com + * - THOR Seed + - cloud.nextron-systems.com + - 443/tcp + * - THOR Cloud + - thor-cloud.nextron-services.com - 443/tcp .. hint:: - this FQDN resolves to multiple IP addresses. See https://www.nextron-systems.com/hosts/. + Abov FQDNs resolve to multiple IP addresses. See https://www.nextron-systems.com/hosts/. Web Proxies ^^^^^^^^^^^ diff --git a/usage/start-a-thor-scan.rst b/usage/start-a-thor-scan.rst deleted file mode 100644 index a48cb96..0000000 --- a/usage/start-a-thor-scan.rst +++ /dev/null 
@@ -1,157 +0,0 @@ -Start a THOR Scan -================= - -Start a Live Response Session ------------------------------ - -You find different locations in Microsoft Defender Security Center that -allow you to initiate a Live Response session. - -.. figure:: ../images/image9.png - :alt: Initiate Live Response Session - - Initiate Live Response Session - -Upload THOR Seed ----------------- - -Use the button in the upper right corner of the window to upload -"thor-seed.ps1" into the Live Response script library. - -.. figure:: ../images/image10.png - :alt: Upload Button - - Upload Button - -Make sure to check "Overwrite file" to replace an older version of THOR -Seed in your library. - -.. figure:: ../images/image11.png - :alt: Upload THOR Seed - - Upload THOR Seed - -Run THOR Seed -------------- - -After uploading THOR Seed to the Live Response script library, you can -start the script with the "run" command. - -.. figure:: ../images/image12.png - :alt: Run thor-seed.ps1 in Live Response session - - Run thor-seed.ps1 in Live Response session - -Interrupted THOR Seed Sessions ------------------------------- - -Microsoft Defender Security Center allows scripts a run time of a -maximum of 30 minutes and then terminates the script. However, the sub -process "thor64.exe" is still running. - -.. figure:: ../images/image13.png - :alt: Interrupted scan due to exceeded timeout - - Interrupted scan due to exceeded timeout - -Check the Scan Status -^^^^^^^^^^^^^^^^^^^^^ - -In THOR Seed versions before v0.18, it was difficult to get the scan -status of THOR in the background or find the log files that THOR -produces during the scan and the HTML report that is generated at the -end of the scan. - -Users can check of THOR is still running with - -.. 
code-block:: doscon - - C:\> processes -name thor64.exe - - -Since THOR Seed version 0.18 you just run thor-seed.ps1 again and will -see the information that THOR is still running, where to find the -current log file and the last 3 log lines of that file. - -.. figure:: ../images/image14.png - :alt: THOR Seed start while THOR is still running - - THOR Seed start while THOR is still running - -You can run the script as often as you like to get an information on the -current status of the scan. A normal scan takes between 20 and 180 -minutes to complete. - -Detect a Finished Scan -^^^^^^^^^^^^^^^^^^^^^^ - -The moment that you run “thor-seed.ps1” while “thor64.exe” has finished -its job in the background, you get a listing of all generated log files -and HTML reports in the output directory and commands to download them -and remove them from the end system. - -It shows a list of three actions to proceed: - -1. Retrieve the available log files and HTML reports - - .. code-block:: doscon - - C:\> get file "C:\ProgramData\Microsoft\Windows Defender Advanced… - -2. Use the following command to clean-up the output directory - - .. code-block:: doscon - - C:\> run thor-seed.ps1 -parameters "-Cleanup" - -3. Start a new THOR scan with - - .. code-block:: doscon - - C:\> run thor-seed.ps1 - -.. figure:: ../images/image15.png - :alt: THOR Seed run shows previously finished scan - - THOR Seed run shows previously finished scan - -Retrieve the Results --------------------- - -The output of THOR Seed already contains the right commands to download -a report after the scan has finished. - -.. figure:: ../images/image16.png - :alt: THOR Seed output on a system with finished scan - - THOR Seed output on a system with finished scan - -Simply copy and paste the full "getfile" command line to retrieve the -HTML report. - -.. code-block:: doscon - - C:\> getfile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\client-atp-01_thor_2021-02-02_1817.html" - -.. 
figure:: ../images/image17.png - :alt: HTML Report Download in Browser - - HTML Report Download in Browser - -.. figure:: ../images/image18.png - :alt: THOR HTML Report - - THOR HTML Report - -Cleanup -------- - -In order to run another THOR scan, you have to remove all previous log -files and HTML reports using the following command: - -.. code-block:: doscon - - C:\> run thor-seed.ps1 -parameters "-Cleanup" - -After removing the text logs and HTML reports you can start a new scan -on this end system. diff --git a/usage/thor-cloud.rst b/usage/thor-cloud.rst new file mode 100644 index 0000000..7dbed24 --- /dev/null +++ b/usage/thor-cloud.rst 
@@ -0,0 +1,64 @@ +THOR Cloud +========== + +This section focuses on our online platform ``THOR Cloud``. + +THOR Cloud eliminates the need for on-premise systems for +licensing and scanner package downloads. With THOR Cloud, +all you need is a small yet powerful tool known as the THOR +Cloud launcher. Simply bring it to your endpoint or allow +end users to download and execute it themselves. + +Download THOR Cloud Launcher Script +----------------------------------- + +Once you logged into your THOR Cloud account, create a new Campaign +or use an existing one. In the Campaign details, download the Launcher +in the top right corner. You need to download the Script for your Operating +System, as the Live Response feature only allows the execution of scripts. + +.. figure:: ../images/thor-cloud-launcher-download.png + :alt: Download the THOR Cloud Launcher Script + + Download the THOR Cloud Launcher Script + +Start a Live Response Session +----------------------------- + +You find different locations in Microsoft Defender Security Center that +allow you to initiate a Live Response session. + +.. figure:: ../images/initiate-live-response-session.png + :alt: Initiate Live Response Session + + Initiate Live Response Session + +Upload THOR Cloud Launcher +-------------------------- + +Use the button in the upper right corner of the window to upload +the THOR Cloud Launcher script into the Live Response script library. + +.. figure:: ../images/live-response-upload-script.png + :alt: Upload Button + + Upload Button + +Make sure to check "Overwrite file" to replace an older version of THOR +Seed in your library. + +.. figure:: ../images/upload-thor-cloud-launcher.png + :alt: Upload THOR Seed + + Upload THOR Seed + +Run THOR Cloud Launcher +----------------------- + +After uploading THOR Seed to the Live Response script library, you can +start the script with the "run" command. + +.. 
figure:: ../images/run-thor-seed.png + :alt: Run thor-seed.ps1 in Live Response session + + Run thor-seed.ps1 in Live Response session \ No newline at end of file diff --git a/usage/thor-seed.rst b/usage/thor-seed.rst index 24cac03..a10e858 100644 --- a/usage/thor-seed.rst +++ b/usage/thor-seed.rst @@ -1,6 +1,14 @@ -Retrieve and Configure THOR Seed -================================ +THOR Seed +========= + +This section focuses on our powershell script ``thor-seed.ps1``. +THOR Seed is a script which can be configured to retrieve THOR +and a valid license from different sources, and execute a THOR scan. + +If you want to use the "Live Response" feature of Microsoft Defender +for Endpoint on any other Operating System than Windows, you can use +THOR Cloud or additionally create your own scripts. Download THOR Seed using Voucher Trials --------------------------------------- @@ -12,7 +20,7 @@ the life time of each license and quota statistics. You have to read and accept the EULA and check the box to enable the download links. -.. figure:: ../images/image3.png +.. figure:: ../images/thor-seed-download.png :alt: THOR Cloud Voucher Trial THOR Cloud Voucher Trial @@ -23,7 +31,7 @@ Download THOR Seed in Customer Portal Every applicable contract in our customer portal shows a certain "Cloud" button in the ``Actions`` column, which leads you to a THOR Seed download page. -.. figure:: ../images/image4.png +.. figure:: ../images/thor-seed-portal.png :alt: "Cloud" Button that leads to the THOR Seed download page Button that leads to the THOR Seed download page @@ -33,7 +41,7 @@ including the total quota, used licenses and the lifetime of each license. (see the FAQ section at the end of this document for more details on the terms) -.. figure:: ../images/image5.png +.. figure:: ../images/thor-seed-download-portal.png :alt: THOR Seed Download Page THOR Seed Download Page 
@@ -60,7 +68,7 @@ Modify the Default Configuration In the section “PRESET CONFIGS” you can modify or choose different scan options. -.. figure:: ../images/image6.png +.. figure:: ../images/thor-seed-preset-config.png :alt: Configuration Presets Configuration Presets @@ -68,7 +76,7 @@ options. THOR Seed already includes good presets that can just be "selected" further below in the section. -.. figure:: ../images/image7.png +.. figure:: ../images/thor-seed-preset.png :alt: Preset Selection Preset Selection @@ -87,7 +95,7 @@ THOR Seed also includes a section in which you could include false positive statements (separated by new line) and defined as regular expressions. -.. figure:: ../images/image8.png +.. figure:: ../images/thor-seed-fp-filters.png :alt: False Positive filters False Positive filters 
@@ -96,3 +104,158 @@ It's important to use escaping as it is used in regular expressions to escape e.g., back slashes, periods, dollar and asterisk characters. The expression is applied to a full log line. The `THOR manual `_ has more information on these filters and a list of examples. + +Start a Live Response Session +----------------------------- + +You find different locations in Microsoft Defender Security Center that +allow you to initiate a Live Response session. + +.. figure:: ../images/initiate-live-response-session.png + :alt: Initiate Live Response Session + + Initiate Live Response Session + +Upload THOR Seed +---------------- + +Use the button in the upper right corner of the window to upload +"thor-seed.ps1" into the Live Response script library. + +.. figure:: ../images/live-response-upload-script.png + :alt: Upload Button + + Upload Button + +Make sure to check "Overwrite file" to replace an older version of THOR +Seed in your library. + +.. figure:: ../images/upload-thor-seed.png + :alt: Upload THOR Seed + + Upload THOR Seed + +Run THOR Seed +------------- + +After uploading THOR Seed to the Live Response script library, you can +start the script with the "run" command. + +.. figure:: ../images/run-thor-seed.png + :alt: Run thor-seed.ps1 in Live Response session + + Run thor-seed.ps1 in Live Response session + +Interrupted THOR Seed Sessions +------------------------------ + +Microsoft Defender Security Center allows scripts a run time of a +maximum of 30 minutes and then terminates the script. However, the sub +process "thor64.exe" is still running. + +.. 
figure:: ../images/thor-seed-timeout.png + :alt: Interrupted scan due to exceeded timeout + + Interrupted scan due to exceeded timeout + +Check the Scan Status +^^^^^^^^^^^^^^^^^^^^^ + +In THOR Seed versions before v0.18, it was difficult to get the scan +status of THOR in the background or find the log files that THOR +produces during the scan and the HTML report that is generated at the +end of the scan. + +Users can check of THOR is still running with + +.. code-block:: doscon + + C:\> processes -name thor64.exe + + +Since THOR Seed version 0.18 you just run thor-seed.ps1 again and will +see the information that THOR is still running, where to find the +current log file and the last 3 log lines of that file. + +.. figure:: ../images/thor-seed-console-output.png + :alt: THOR Seed start while THOR is still running + + THOR Seed start while THOR is still running + +You can run the script as often as you like to get an information on the +current status of the scan. A normal scan takes between 20 and 180 +minutes to complete. + +Detect a Finished Scan +^^^^^^^^^^^^^^^^^^^^^^ + +The moment that you run “thor-seed.ps1” while “thor64.exe” has finished +its job in the background, you get a listing of all generated log files +and HTML reports in the output directory and commands to download them +and remove them from the end system. + +It shows a list of three actions to proceed: + +1. Retrieve the available log files and HTML reports + + .. code-block:: doscon + + C:\> get file "C:\ProgramData\Microsoft\Windows Defender Advanced… + +2. Use the following command to clean-up the output directory + + .. code-block:: doscon + + C:\> run thor-seed.ps1 -parameters "-Cleanup" + +3. Start a new THOR scan with + + .. code-block:: doscon + + C:\> run thor-seed.ps1 + +.. 
figure:: ../images/thor-seed-finished.png + :alt: THOR Seed run shows previously finished scan + + THOR Seed run shows previously finished scan + +Retrieve the Results +-------------------- + +The output of THOR Seed already contains the right commands to download +a report after the scan has finished. + +.. figure:: ../images/thor-seed-retrive-results-1.png + :alt: THOR Seed output on a system with finished scan + + THOR Seed output on a system with finished scan + +Simply copy and paste the full "getfile" command line to retrieve the +HTML report. + +.. code-block:: doscon + + C:\> getfile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\client-atp-01_thor_2021-02-02_1817.html" + +.. figure:: ../images/thor-seed-retrive-results-2.png + :alt: + + HTML Report Download in Browser + +.. figure:: ../images/thor-html-report.png + :alt: THOR HTML Report + + THOR HTML Report + +Cleanup +------- + +In order to run another THOR scan, you have to remove all previous log +files and HTML reports using the following command: + +.. code-block:: doscon + + C:\> run thor-seed.ps1 -parameters "-Cleanup" + +After removing the text logs and HTML reports you can start a new scan +on this end system. \ No newline at end of file
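Review bot: The image renames in the first hunk carry a spelling error into the new names: `images/image16.png` and `images/image17.png` become `thor-seed-retrive-results-1.png` and `thor-seed-retrive-results-2.png` ("retrive" instead of "retrieve"). Since the whole point of this hunk is to give the images descriptive names, rename them to `thor-seed-retrieve-results-1.png` / `-2.png` now and update the two `.. figure::` references in `usage/thor-seed.rst` to match, rather than fixing the typo in a later commit.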
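Review bot: Typo in the new heading added to `usage/faqs.rst` in the `@@ -59,8 +62,8 @@` hunk: `+THOR alreay running error` should read `THOR already running error`. The heading underline length should be adjusted accordingly (the new heading is one character longer, and Sphinx warns on underlines shorter than the title).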
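Review bot: The `@@ -75,22 +78,5 @@` hunk in `usage/faqs.rst` leaves a new `THOR Cloud` section heading with no body and no newline at end of file. Either add at least one FAQ entry under it or drop the heading until there is content; an empty section renders as a dangling title in the built docs. The same hunk also removes the "Does each scan use up one of my licenses?" and "Can I use my own IOCs and YARA signatures with THOR Seed?" entries without replacement, while `usage/thor-seed.rst` still refers readers to "the FAQ section at the end of this document for more details on the terms" (licenses, lifetime, quota). Either keep the license-quota entry under the `THOR Seed` heading or update that cross-reference.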
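Review bot: Typo in the rewritten hint in `usage/requirements.rst`: `+   Abov FQDNs resolve to multiple IP addresses.` should read `Above FQDNs resolve to multiple IP addresses.` (or `The FQDNs above resolve ...`). The table change itself is fine, but with a second host added for THOR Cloud it would help the reader to state which of the two rows applies to the section they are following, since the text elsewhere only ever names one variant at a time.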
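Review bot: The new `usage/thor-cloud.rst` still contains copy-and-paste leftovers from the THOR Seed page that make the instructions wrong for the launcher. In the "Upload THOR Cloud Launcher" section, `+Make sure to check "Overwrite file" to replace an older version of THOR` / `+Seed in your library.` should refer to an older version of the THOR Cloud Launcher, and the figure `:alt:`/caption `Upload THOR Seed` should say `Upload THOR Cloud Launcher` (the image file is already named `upload-thor-cloud-launcher.png`). In "Run THOR Cloud Launcher", `+After uploading THOR Seed to the Live Response script library` should name the launcher script, and the figure reuses `run-thor-seed.png` with the caption `Run thor-seed.ps1 in Live Response session`; a screenshot of the `run` command for the launcher script would be the right illustration here, and the section should show the actual `run <launcher-script>` command the way the THOR Seed page does. The file also ends with `\ No newline at end of file`.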
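Review bot: Wording in the new introduction in `usage/thor-seed.rst` (`@@ -1,6 +1,14 @@`): `+This section focuses on our powershell script` should use the product spelling `PowerShell`, and `+Operating System` is a common noun here (`operating system`). The sentence `+for Endpoint on any other Operating System than Windows, you can use` / `+THOR Cloud or additionally create your own scripts.` is ambiguous: it is unclear whether THOR Cloud is the supported path for non-Windows Live Response and custom scripts are an alternative, or whether both are needed. Suggest stating plainly which option applies to which platform.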
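Review bot: The `@@ -96,3 +104,158 @@` hunk moves the scan workflow into `usage/thor-seed.rst` verbatim and inherits several defects that should be fixed while the text is being touched. `+Users can check of THOR is still running with` should read `check if THOR is still running`; `+to get an information on the` should be `to get information on the`. The first action under "Detect a Finished Scan" shows `+   C:\> get file "C:\ProgramData\...` while the "Retrieve the Results" section and the deleted page use `getfile`; the two should agree on the Live Response command spelling. The second results figure lost its alt text in the move (`+   :alt:` is empty, where the deleted file had `:alt: HTML Report Download in Browser`). The context line `The `THOR manual `_ has more information on these filters` shows a link with no target in this diff; please confirm the URL is present in the file. Finally the file now ends with `\ No newline at end of file`.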