THOR 10 Fusion Released

by Jul 2, 2019

THOR 10 Fusion has arrived. 

It replaces our successful scanners THOR 8 and SPARK and combines the best of both worlds. It is a completely new code base that features all modules of our 4 year old compromise assessment flagship THOR 8 and the speed and extra features of our triage scanner SPARK.

You can find an overview of the major changes in this article.

Download

All customers with an active contract (rental license) and license pack users can download THOR 10 from the “downloads” section in the customer portal.

You can find the new manual as PDF in that section and the ‘./docs’ folder of the downloaded program package. 


Updates

Please note that signature updates will be much more frequent due to the decoupling of program and signature files. Make sure to use thor-util version 1.8 or higher.

We plan to release new signature packs every 1-3 days and new program binaries about once a month. 

The old scanners will receive updates until mid-2019. However, these updates will be less frequent. 


ASGARD

After upgrading to ASGARD version 1.10 you’ll immediately see the new scanner in all menus. 

THOR 10 will be the new default for newly scheduled scan jobs. Old scan jobs will not be touched.

Updates of program binaries and signatures can now be managed separately from the “Updates” section. 


Changes to Consider

All the old command line options stayed the same as in THOR 8. However, we’d like to bring some additional features and changes to your attention.

  • The THOR 10 program package now also contains a 64-bit executable (thor-x64.exe), which should produce much better process memory detection results. (ASGARD automatically selects the right binary)
  • Custom settings are now configured via ./conf/thor.yml and not ./conf/thor.cfg.
  • The active modules per scan mode and the log contents have been reworked, so results are not directly comparable with previous THOR 8 scan data. The default log format stayed the same, so old field extractions should still work.
  • The log contents are more detailed and more consistent (e.g. timestamp format).
  • THOR has more output options (SYSLOG formats and JSON log file output, see manual).
  • Scan durations will change. The scanner is faster but has more active features like “archive YARA scanning” (better detection for Office document macro droppers).
  • Sigma scanning is available, but has to be activated with “--sigma”. It uses all rules from the public rule repository.

See the already mentioned article for more changes. 


Get THOR

Check our license packs for many DFIR and SOC scenarios or request a trial of our new scanner.

Questions

If you have any questions, please contact us via the support link in the customer portal.

About the author:

Florian Roth

Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.
