Tracking processes that terminate THOR or the ASGARD Agent

This article provides methods to identify a process that terminates THOR or the ASGARD Agent.
It should be used as a last resort, after resource issues have been ruled out and EDR exceptions have been created and double-checked.

Linux

In Linux, processes that terminate a scan or the ASGARD agent can be identified using auditd.
Installation instructions are usually found in the OS documentation.

  1. Set up a search filter with this command (64bit version):
    auditctl -a always,exit -F arch=b64 -S kill -F a1!=0 -k process_kill

  2. Once a scan has been run using ASGARD, search the auditd log with this command:
    ausearch -k process_kill --start today

Search for exe='…', the process that sends the kill signal, and ocomm='…', the process that receives it. In our case, the receiving process should be THOR or the ASGARD Agent.

The signal number can be found in the syscall record: 9 stands for SIGKILL, 15 stands for SIGTERM.
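Reading the raw ausearch output by hand gets tedious once a few days of events have accumulated. The following is an added example (not part of the original article and not Nextron code) that groups the raw records of `ausearch -k process_kill` by event serial, joins the SYSCALL record (sender: exe, pid, signal) with the OBJ_PID record (receiver: ocomm, opid) and reports every kill() aimed at the scanner or the agent. The signal number is the second syscall argument, logged as the hex field a1 (this is the argument that the `-F a1!=0` rule in step 1 filters on). The log lines, the process names "thor-linux-64" and "asgard-agent", and the path /opt/example-edr/bin/edr-sensor are constructed for the example; adjust TARGET_COMMS to the comm names your hosts actually show.

```python
import re
from collections import defaultdict

# Substrings of the victim's comm (ocomm) that we treat as THOR / ASGARD Agent.
# The binary names are assumptions for this example; adjust to what `ps` shows.
TARGET_COMMS = ("thor", "asgard")

SIGNAL_NAMES = {1: "SIGHUP", 2: "SIGINT", 9: "SIGKILL", 15: "SIGTERM"}

MSG_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw audit record into a dict of key=value fields; the event
    serial after the colon in msg=audit(ts:serial) is stored under '_serial'."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["_serial"] = m.group(2)
    return fields


def group_events(lines):
    """Group raw `ausearch` records by event serial, keyed by record type
    (SYSCALL, OBJ_PID, PROCTITLE, ...)."""
    events = defaultdict(dict)
    for line in lines:
        line = line.strip()
        if not line.startswith("type="):
            continue  # '----' separators and 'time->' headers carry no fields
        rec = parse_record(line)
        if rec is not None:
            events[rec["_serial"]][rec["type"]] = rec
    return events


def find_kills(lines, targets=TARGET_COMMS):
    """Return one dict per kill() aimed at a target process: who sent the
    signal (exe/pid from SYSCALL), which signal (a1, hex) and who received it
    (ocomm/opid from OBJ_PID). Failed attempts (success=no) are kept, flagged."""
    hits = []
    for ev in group_events(lines).values():
        sc, obj = ev.get("SYSCALL"), ev.get("OBJ_PID")
        if sc is None or obj is None:
            continue
        victim = obj.get("ocomm", "")
        if not any(t in victim.lower() for t in targets):
            continue
        signum = int(sc["a1"], 16)  # syscall arguments are logged in hex
        hits.append({
            "killer_exe": sc.get("exe"),
            "killer_pid": int(sc["pid"]),
            "signal": SIGNAL_NAMES.get(signum, str(signum)),
            "delivered": sc.get("success") == "yes",  # 'no' means e.g. EPERM
            "victim": victim,
            "victim_pid": int(obj["opid"]),
        })
    return hits


# Constructed sample of raw `ausearch -k process_kill` output (not a real capture).
SAMPLE_LOG = """\
----
time->Thu Jan 29 13:57:41 2026
type=PROCTITLE msg=audit(1769695061.123:4567): proctitle=6B696C6C002D3900313233343536
type=OBJ_PID msg=audit(1769695061.123:4567): opid=123456 oauid=1000 ouid=0 oses=4 obj=unconfined ocomm="thor-linux-64"
type=SYSCALL msg=audit(1769695061.123:4567): arch=c000003e syscall=62 success=yes exit=0 a0=1e240 a1=9 a2=0 a3=0 items=0 ppid=2000 pid=2001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="kill" exe="/usr/bin/kill" subj=unconfined key="process_kill"
----
time->Thu Jan 29 13:58:02 2026
type=OBJ_PID msg=audit(1769695082.456:4568): opid=4242 oauid=4294967295 ouid=0 oses=4294967295 obj=unconfined ocomm="asgard-agent"
type=SYSCALL msg=audit(1769695082.456:4568): arch=c000003e syscall=62 success=yes exit=0 a0=1092 a1=f a2=0 a3=0 items=0 ppid=1 pid=777 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="edr-sensor" exe="/opt/example-edr/bin/edr-sensor" subj=unconfined key="process_kill"
----
time->Thu Jan 29 13:59:10 2026
type=OBJ_PID msg=audit(1769695150.789:4569): opid=3100 oauid=1000 ouid=1000 oses=4 obj=unconfined ocomm="sleep"
type=SYSCALL msg=audit(1769695150.789:4569): arch=c000003e syscall=62 success=yes exit=0 a0=c1c a1=f a2=0 a3=0 items=0 ppid=2000 pid=2005 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="bash" exe="/usr/bin/bash" subj=unconfined key="process_kill"
----
time->Thu Jan 29 14:00:00 2026
type=OBJ_PID msg=audit(1769695200.000:4570): opid=123456 oauid=1000 ouid=0 oses=4 obj=unconfined ocomm="thor-linux-64"
type=SYSCALL msg=audit(1769695200.000:4570): arch=c000003e syscall=62 success=no exit=-1 a0=1e240 a1=9 a2=0 a3=0 items=0 ppid=2000 pid=2010 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=4 comm="kill" exe="/usr/bin/kill" subj=unconfined key="process_kill"
"""

if __name__ == "__main__":
    for hit in find_kills(SAMPLE_LOG.splitlines()):
        print(hit)
```

On a real host, pipe `ausearch -k process_kill --start today` into the script instead of SAMPLE_LOG. The SIGTERM to the sleep process is dropped because its ocomm matches no target, and the last event shows an unprivileged kill that was refused (success=no); keeping such attempts visible is useful because a process that tries and fails today may succeed tomorrow under a different account.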

macOS

DTrace is a tool that can be used, but we don’t have instructions yet.

Windows

To identify a process terminating a scan in Windows, we can use Sysinternals Sysmon with a custom filter configuration. A config file that will filter for process access to thor64.exe could be:

<Sysmon schemaversion="4.90">
  <EventFiltering>
    <ProcessAccess onmatch="include">
      <TargetImage condition="end with">thor64.exe</TargetImage>
    </ProcessAccess>
  </EventFiltering>
</Sysmon>

  1. Download Microsoft Sysinternals Sysmon

  2. Install Sysmon using a configuration file.
    Run from a command prompt with admin rights:

    sysmon -accepteula -i path/to/config.xml
    
  3. After the next scan termination has occurred, open the Windows Event Viewer and navigate to:
    Application and Services Logs > Microsoft > Windows > Sysmon > Operational

  4. Look for events with Event ID 10 where TargetImage ends with thor64.exe.
    Any GrantedAccess value where the last hexadecimal digit is an odd number (1, 3, 5, 7, 9, B, D, or F) includes the PROCESS_TERMINATE permission.
    SourceImage will be the executable that terminated THOR.

    [Image: example event where python.exe terminated thor64.exe]