THOR v10.2 Changes

by Oct 22, 2019

New Module “Events”

This module checks registered Events in the system environment as they are used by advanced malware and rootkits. 

We have checked for malicious Events before, in the Rootkit module, but these checks were hardcoded. We’ve spun out that section and can now provide regular updates in a separate signature file. 

The “Events” module extends our set of rootkit related modules that already include the “Mutex” and “Named Pipe” modules.

THOR DB with Timing Statistics

THOR v10.2 features an unencrypted table in THOR DB that shows timing information for the scanned elements. This could help you identifying elements that lengthen scans significantly and determine a time range in which certain elements have been scanned. 

Reduced Output

A new switch “–reduced” allows to limit events to “Warning” and “Alert” types only. 

Other Changes

  • Upgrade to YARA 3.11
  • Improved module messages (better description)
  • Bugfix: Golden ticket detection module reported far too many Kerberos tickets with too long lifetime, message: “Kerberos ticket with very long life time detected – likely a Golden Ticket”. The issue has been fixed. Please make sure that you haven’t filtered / base-lined that event type. 
  • Added ExecFlag to SHIMCache output
  • Apply YARA rules on WMI Event Filters
  • Passing new external YARA variables ‘timezone’ and ‘language’ to registry rule set
  • More robust custom YARA signature initialisation (syntax check and tests before compilation)

About the author:

Florian Roth

Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.

Subscribe to our Newsletter

Monthly news, tips and insights.

Follow Us

Upgrade Your Cyber Defense with THOR

Detect hacker activity with the advanced APT scanner THOR. Utilize signature-based detection, YARA rules, anomaly detection, and fileless attack analysis to identify and respond to sophisticated intrusions.

GDPR Cookie Consent with Real Cookie Banner