We are thrilled to unveil THOR 10.7.8, the latest version of our advanced persistent threat (APT) scanner, which brings a host of powerful features to enhance threat detection and analysis. In this blog post, we will highlight some of the notable additions that make...
How to scan Docker containers using THOR – Part 2
The first part of this blog series covers how THOR can be used to scan a Docker image. In the second part of this series, we will talk about how you can use THOR to scan running Docker containers. Now, consider this new use case: You want to check if your running...
How to scan Docker images using THOR – Part 1
In this blog article, we will talk about how you can use THOR to scan Docker images. Consider the following use case: Before using an upstream Docker image, you want to precheck it for known IOCs and backdoors. THOR can help you with this!Prerequisites Docker image...
Using THOR Lite to scan for indicators of Lazarus activity related to the 3CX compromise
On March 29, 2023 CrowdStrike detected malicious activity, originating from a legitimate, signed binary called 3CXDesktopApp. The binary is part of a softphone system developed by 3CX.The observed malicious activity consisted of beaconing to infrastructure controlled...
THOR Log Conversion to CSV
We are excited to announce that the upcoming version 1.11 our tool, THOR Util, now has the capability to convert log output files from both the default and JSON format into CSV files. This new feature will make it easier for users to analyze their log data and extract...
How to scan ESXi systems using THOR
More and more often, adversaries target and exploit Internet-facing appliances or devices with exotic or restricted operating systems. Users ask if there is a way to run a compromise assessment scan on these systems with the YARA rules used in THOR. Following up on...
Virustotal Lookups in THOR v10.7
We're glad to announce a new feature that allows users to enrich events generated by THOR with information from Virustotal. The feature is available in the full THOR v10.7 TechPreview and THOR Lite. It can be used in any scan mode: live endpoint scanning, lab...
Extended ProxyNotShell Detection Covering OWASSRF
In a report published on the 20th of December CrowdStrike published a report of a new technique exploiting the Microsoft Exchange vulnerability called ProxyNotShell. The called the new technique OWASSRF as it uses Outlook Web Access, CVE-2022-41080 and CVE-2022-41082...
Follina CVE-2022-30190 Detection with THOR and Aurora
The Follina 0day vulnerability (CVE-2022-30190) in Microsoft Windows is actively exploited in-the-wild and highly critical. This blog posts lists some important web resources and the signatures that detect exploitation attempts.Kevin's post contains links to tweets of...
Product Surveys – Tell us what you think
We'd like to know your opinion on our products and therefore ask you to participate in our product surveys. Each of them takes between 2 and 5 minutes of your time, depending on how much you'd like to tell us.THOR Customer Satisfaction Survey You find the survey...
Log4Shell Detection with Nextron Rules
The Log4Shell vulnerability (CVE-2021-44228) in log4j is actively exploited in-the-wild and highly critical. This blog posts lists some important web resources and the signatures that detect exploitation attempts.LunaSec reported first on the vulnerability.Use this...
Reasons Why to Use THOR instead of THOR Lite
We have received reports from customers that were approached by service providers that offered compromise assessments with our scanner THOR. Subsequently, it appeared, however, that these providers used THOR Lite in their engagements and, when asked about this, argued...