ASGARD Analysis Cockpit is our on-premise soft-appliance that helps you analyze large amounts of THOR log data. The new version 3, which has just been released, adds many new usability features and views. This blog post lists some of the changes. Analysis Cockpit 3...
New Detection Rules for Exchange Exploitation Activity
Last week, we've released a blog post on how to detect HAFNIUM activity with the use of THOR Lite. Since our first set of rules, we've added several important new rules from fellow researchers and moved even more rules from our commercial set into the open source rule...
Which extra value provides THOR in Exchange ProxyLogon related assessments?
Since we've decided to migrate many of the HAFNIUM / Exchange vulnerability related signatures into the open source signature database of our free scanner THOR Lite, both users of the free and the commercial version started asking questions of coverage and if a scan...
THOR Seed v0.18 Improves Integration with Microsoft Defender ATP
A new version of THOR Seed improves the integration with Microsoft Defender ATP by handling the script termination caused by exceeded timeouts. Due to a runtime limit for all scripts in the Live Response library we had to configure previous versions of THOR Seed to...
THOR Process Memory Matches with Surrounding Strings
Following THOR's approach of showing suspicious elements, it is not feasible to completely avoid false positives. Therefore we always try to provide as much information as possible for an analyst to assess such a suspicious element as quickly as possible. Users liked...
VALHALLA API 1.1 Changes
We've made some changes to VALHALLA and released version 1.1 and valhallAPI version 0.5 to reflect these changes.The new modified date shows when this rule has last been modified. See this example.The modified date will also appear in the JSON feed and metadata of...
New Features: Progress Bar and HTML Report Filter Functions
We would like to inform you about three new comfort features that will be available in the upcoming THOR versions including THOR Lite. Improved HTML ReportsThe new HTML reports allow analysts to filter elements that turn out to be false positives and remove them from...
Performance Refactoring in THOR v10.5.9 and THOR TechPreview v10.6.2
We are glad to announce significant performance improvements in the latest versions of THOR. We've refactored several processing units to bulk scan elements that have previously been checked each at a time. These changes affect the modules "Eventlog", "Registry",...
THOR 10 Legacy for Windows XP and Windows 2003
We've been working on a legacy version of our scanner THOR 10 for a while and started our closed BETA, which is available to all current customers on special request. The THOR legacy version does not include the following modules/features: Module: Eventlog scanning...
THOR Forensic Lab License Features
THOR version 10.6, which is currently available as TechPreview, introduces several new features that facilitates the use of THOR in a digital forensics lab. Since not all of the features provided with the "Forensic Lab" license type are well-known, we would like to...
There’s a Thunderstorm Coming
We are proud to announce a groundbreaking new scan mode named "Thunderstorm" that we've integrated into preview builds of the upcoming THOR version 10.6. This mode of operation turns THOR into a RESTful web service that is able to process thousands of samples per...
THOR v10.6 TechPreview
We are proud do announce the version 10.6 of THOR, which is the first one that gets released as a TechPreview. We've discussed the split-up into THOR and THOR TechPreview in a previous post. The following post describes the most important new feature of the THOR...