More and more often, adversaries target and exploit Internet-facing appliances or devices with exotic or restricted operating systems. Users ask if there is a way to run a compromise assessment scan on these systems with the YARA rules used in THOR. Following up on...
Virustotal Lookups in THOR v10.7
We're glad to announce a new feature that allows users to enrich events generated by THOR with information from VirusTotal. The feature is available in the full THOR v10.7 TechPreview and THOR Lite. It can be used in any scan mode: live endpoint scanning, lab...
Extended ProxyNotShell Detection Covering OWASSRF
On the 20th of December, CrowdStrike published a report on a new technique exploiting the Microsoft Exchange vulnerability called ProxyNotShell. They called the new technique OWASSRF as it uses Outlook Web Access, CVE-2022-41080 and CVE-2022-41082...
Mjolnir Security: Blue Team Incident Response Training
Our partner Mjolnir Security offers a training named “Blue Team Incident Response Training” from the 19th of September to the 23rd of September. It’s 3.5 hours a day, starting at 4:00 pm and finishing at 7:30 pm Eastern time. Each session will be recorded, so you'll also be able to...
Reasons Why to Use THOR instead of THOR Lite
We have received reports from customers who were approached by service providers offering compromise assessments with our scanner THOR. It later turned out, however, that these providers used THOR Lite in their engagements and, when asked about this, argued...
TryHackMe Training Room for THOR Lite
Since THOR and THOR Lite are tools written for digital forensic experts, they can be difficult to use. There is often a steep learning curve in the beginning. We'd like to help new users pass these first steps in a playful way by providing a TryHackMe challenge in...
Silent Scanning – Compromise Assessment with THOR Lite on a Compromised Exchange 2019 Server
The following video shows a compromise assessment with our free THOR Lite scanner on a Microsoft Exchange 2019 server detecting ProxyShell and ProxyToken exploitation. We've done no post-editing in this video. You can jump to all findings using the video chapters....
Use YARA math Module Extension in THOR TechPreview and THOR Lite
Not long ago, we created a pull request for the official YARA repository on GitHub that would introduce new functions in the `math` module to improve flexibility in cases in which a sample is heavily scrambled or obfuscated. These cases require further...
THOR Lite Usage in Mjolnir Security’s Introduction to Incident Response Training
Our partner Mjolnir Security offers a training named "Introduction to Incident Response" from the 3rd of May to the 13th of May. It's 3 hours a day, from 5 pm to 8 pm Eastern time, but will be recorded for you to watch whenever you like. On day 6 you'll learn to write YARA...
New Detection Rules for Exchange Exploitation Activity
Last week, we released a blog post on how to detect HAFNIUM activity with THOR Lite. Since our first set of rules, we've added several important new rules from fellow researchers and moved even more rules from our commercial set into the open source rule...
Which extra value provides THOR in Exchange ProxyLogon related assessments?
Since we decided to migrate many of the HAFNIUM / Exchange vulnerability related signatures into the open source signature database of our free scanner THOR Lite, users of both the free and the commercial version have started asking questions about coverage and whether a scan...
Scan for HAFNIUM Exploitation Evidence with THOR Lite
Since we've heard from partners and friends about many non-profit organisations affected by the Exchange server vulnerability, we've decided to transfer many detection rules from our commercial scanner into the free community version. If you haven't heard of THOR or...