We are proud to announce the release of THOR Lite. It is a trimmed-down version of THOR v10 with a reduced feature set and the open source signature base used in LOKI and the now obsolete scanner SPARK Core. It uses the completely rewritten code base of THOR v10...
--- Update 14.02.2023 The information in this blog post is outdated. For more information on how to scan appliances remotely using SSH see this newer blog post. ----- In this blog post I'd like to outline an idea on how to perform an automated compromise assessment on...
Why Integrate THOR into Microsoft Defender ATP While Microsoft Defender ATP fully plays off its strength in detecting live attacks, suspicious process starts and network connections, THOR shines as a live forensic scanner that scans the local filesystem, registry,...
People often tell us that EDR product X already does IOC scanning and that they don’t have to check for these indicators a second time using our scanners. Especially when it comes to network wide sweeps for traces of activity due to an ongoing incident I recommend...
Refactored Handle Detection We have completely refactored THOR's malicious Handle detection. We now allow the use of regular expressions and combined all types in a single signature file named "malicious-handles.dat". Users can provide custom indicators by placing a...
We've made a short video demo to showcase the new THOR 10 feature called "THOR Remote", which allows you to perform compromise assessment scans on multiple remote systems - no agent or scripting required.
New Module "Events" This module checks registered Events in the system environment as they are used by advanced malware and rootkits. We have checked for malicious Events before, in the Rootkit module, but these checks were hardcoded. We've spun out that section and...
THOR v10.1 features a mode of operation that is especially helpful in incident response or compromise assessment scenarios - remote scanning. Imagine that you're in a firefighting scenario - a breach has been confirmed and management wants to have quick results on...
THOR 10 Fusion has arrived. It replaces our successful scanners THOR 8 and SPARK and combines the best of both worlds. It is a completely new code base that features all modules of our 4 year old compromise assessment flagship THOR 8 and the speed and extra features...
In anticipation of our new scanner THOR 10 Fusion, we would like to show you some of the exciting new features and upcoming changes. Modes and Feature Cleanup We've reviewed and reworked all scan modes in order to clarify the overview of active modules and features...
We are proud to announce the upcoming release of THOR 10 code named "Fusion". It will replace our scanners THOR 8 and SPARK before the end of this year. Both of the current scanners will still receive updates until the end of this year. THOR 10 "Fusion" combines the...
With the upcoming version 8.53 of THOR, we're testing a new feature called "Difference" or "Diff" mode (--diff). The idea behind "Diff" mode is that a scan could be much faster, if it would only consider elements that have been created or changed since the last scan...