Blog

Filter: THOR - Clear Filter

Sigma Scanning with THOR

Our compromise assessment scanner THOR is able to apply Sigma rules during the local Eventlog analysis. This can help any customer that has no central SIEM system or performs a live forensic analysis on a system group that does not report to central monitoring.  By...

read more

Upcoming Changes in THOR v10.5

PE Sieve Integration With the integration of @hasharezade's PE Sieve project THOR is able to detect and report a variety of process implants like replaced or injected portable executables (process hollowing), injected shellcodes, hooks and in-memory patches....

read more

THOR 8 and SPARK End-of-Support

With this blog post we would like to inform you that our End-of-Life (EOL) products THOR 8 and SPARK will reach their End-if-Service-Life (EoSL) on 31th of October 2020. From this day onwards, product and signature updates will not be available anymore. Please...

read more
THOR Lite – Free YARA and IOC Scanner

THOR Lite – Free YARA and IOC Scanner

We are proud to announce the release of THOR Lite. It is a trimmed-down version of THOR v10 with a reduced feature set and the open source signature base used in LOKI and the now obsolete scanner SPARK Core. It uses the completely rewritten code base of THOR v10...

read more

THOR Integration into Microsoft Defender ATP

Why Integrate THOR into Microsoft Defender ATP While Microsoft Defender ATP fully plays off its strength in detecting live attacks, suspicious process starts and network connections, THOR shines as a live forensic scanner that scans the local filesystem, registry,...

read more

Not All IOC Scanning Is The Same

People often tell us that EDR product X already does IOC scanning and that they don’t have to check for these indicators a second time using our scanners. Especially when it comes to network wide sweeps for traces of activity due to an ongoing incident I recommend...

read more

Changes in Upcoming THOR Version 10.3

Refactored Handle Detection We have completely refactored THOR's malicious Handle detection. We now allow the use of regular expressions and combined all types in a single signature file named "malicious-handles.dat".  Users can provide custom indicators by placing a...

read more

THOR v10.2 Changes

New Module "Events" This module checks registered Events in the system environment as they are used by advanced malware and rootkits.  We have checked for malicious Events before, in the Rootkit module, but these checks were hardcoded. We've spun out that section and...

read more

New Feature in THOR v10.1 – Remote Scanning

THOR v10.1 features a mode of operation that is especially helpful in incident response or compromise assessment scenarios - remote scanning.  Imagine that you're in a firefighting scenario - a breach has been confirmed and management wants to have quick results on...

read more
GDPR Cookie Consent with Real Cookie Banner