Scanner Comparison

| | LOKI | THOR Lite | THOR |
|---|---|---|---|
| Description | LOKI is an open-source IOC and YARA scanner written in Python. | THOR Lite is a free version of our THOR scanner shipped with LOKI's open-source signature base and a limited module and feature set. | THOR is our full-featured scanner with numerous modules and additional checks. |
| Type | Free / Open Source | Free / Registration Required | Enterprise Product |
| Main Use Case | Triage | Triage | Triage, Preventive Scanning, Incident Response, Live Forensics |
| Platform | Windows (precompiled), Linux / macOS (source) | Windows, Linux, macOS | Windows, Linux, macOS, AIX |
| Size (Binaries) | 8 MB | 38 MB | 38 MB |
| Language | Python | Go | Go |
| Modules (see module comparison) | 3 | 5 | 27 |
| Bundled Signatures | Open Source (~4,000 YARA rules) | Open Source (~4,000 YARA rules) | THOR's Signature Set (~25,000 YARA and 2,000 Sigma rules) |
| Support and Testing | GitHub README & Issues, Travis-CI | Manual, Internal CI | Manual, Support Portal, Internal CI |
| Special Extras | Levenshtein check, PESieve check, Double Pulsar check | JSON output, SYSLOG (tcp, udp, ssl), Scan Throttling | Full Feature Set |
| Warning | Limited Coverage | Limited Coverage | |

Modules

| Feature | Description |
|---|---|
| Custom File Hashes | Detect malware or hack tools based on custom file hashes (MD5/SHA1/SHA256). |
| Custom Filename Characteristics | Detect malware or hack tools based on filename characteristics (regular expressions). |
| Custom YARA Rules | Detect malware or hack tools based on YARA signatures (file and process memory scan). |
| Eventlog Analysis | Detect attacker activity and traces of hack tool usage in Windows Eventlogs (including Sysinternals Sysmon, Windows Defender, AppLocker, PowerShell and others). |
| Registry Analysis | Detect registry keys typically used by APT groups to maintain persistence on the system. |
| Autoruns Analysis | Processes all autoruns elements, plugins, registered drivers, WMI consumers and LSA providers and applies the IOC database to them. |
| WMI Persistence | Parses OBJECTS.DATA files, lists registered elements and warns on suspicious ones. |
| Profile Directories Check | Checks for irregularities in the user profile directories. |
| SHIM Cache Scan | Detects malicious tools in the SHIM Cache registry section, which logs binary executions on Windows systems. |
| Shell Bags Scan | Analysis of logged shell bags, which show which file system locations have been accessed by users. |
| DNS Cache Analysis | Checks DNS cache entries for suspicious or malicious domain names. |
| Firewall Configuration Check | Checks the local firewall for suspicious rule definitions. |
| Active Sessions Check | Checks the currently active sessions for suspicious attributes, e.g. length of the user sessions or the remote end point. |
| Process Analysis | Analysis of the currently running processes for strange hooks/file handles/mutex definitions, network connections, memory strings, working directories and cloaking attempts. |
| Rootkit Checks | Checks for rootkits that use named pipes or communicate via device IO controls. |
| Active Network Connections | Analysis of all active network connections: users, process IDs, end points, strange port numbers. |
| Network Share Check | Irregularities in the network share definitions: user names, share names, permissions. |
| Open Files Check | Files opened by processes: locations, user, permissions. |
| LSA Session Analysis | Checks all active LSA sessions for duration or for known and typical evil user names from known APT cases. |
| Services Checks | Analysis of all local services to detect uncommon configurations: service executable location, start type and user account combination, malware names in the service image path, etc. |
| Scheduled Tasks Analysis | Checks the scheduled tasks for malicious entries. |
| Run Key Contents Analysis | Intensive check of the RUN key entries to determine uncommon code executed at startup. |
| Startup Element Analysis (WMI) | Analysis of the startup elements listed via WMI. |
| File System Analysis | Analysis of the file system with signatures to identify attacker tool sets, common backdoor modifications, hash or password dump files, cloaked executables and much more. |
| MFT Analysis | Scanning the Master File Table for entries of already deleted files. |
| Mutex Check | Detects mutexes from malicious programs like RATs or other malware used by advanced threat groups. |
| Pipes Check | Detects malicious named pipes often used by malware of advanced threat groups. |
| Events Check | Detects malicious registered events often used by malware of advanced threat groups. |
| At Jobs Check | Detects suspicious at job list entries. |
| Host File Analysis | Checks the hosts file for malicious and suspicious entries. |
| Windows Error Report (WER) Analysis | Extracts relevant information from Windows crash reports (Dr. Watson reports) to determine crashes that were caused by exploits targeting known CVE vulnerabilities in browsers, browser plugins and other software. |
| Vulnerability Check | A basic vulnerability check for the most common vulnerabilities that allow for lateral movement (Tomcat misconfiguration, HP Data Protector, missing patches). |
| System File Integrity Check | Checks the integrity of the most common system files using YARA rules. |
| Decompressed EXE Scan | Scans decompressed executables in memory. |
| Archive Scan | Scans decompressed archives in memory. |
| Surface Scan (DeepDive) | Analysis of the disk space to find tools that have already been deleted by the attackers. |
| Text Export | Plain text log file of all events reported by THOR. |
| HTML Report | Structured HTML report of all events reported by THOR. |
| Syslog Export | Syslog export of the events generated by THOR. This export option is fully flexible: you can define different target ports and multiple target systems, use UDP or TCP, and choose between different formats. |
| CEF Message Format | Syslog messages in ArcSight CEF format to receive warnings and alerts in ArcSight SIEM systems. |
| JSON Output Format | Send JSON via UDP/TCP to a remote system or write a local file in JSON format. |
| Throttling | Throttle scans to avoid high CPU usage on productive systems. |
| Big YARA Signature Database | THOR includes a huge YARA signature database with more than 25,000 rules from different sources. These rules include selected antivirus rules and signatures for hack tools, web shells, networking tools and other software used by attackers on compromised systems. (AES256 encrypted) |
| Client APT Signature Database | THOR includes a YARA signature database with more than 240 rules from APT investigations in our client environments. (AES256 encrypted) |
| Drop Zone Mode | Define a folder to watch for new samples; dropped samples are scanned (and optionally deleted). |
| THOR Remote | Remotely scan a system or set of systems from a single privileged Windows workstation. |
| THOR ETW Watcher | A live system watcher thread that uses ETW to detect Cobalt Strike beacon activity and other threats. |
| Eventlog Sigma Rule Scan | Apply Sigma rules in the Eventlog scan (Security, System, Application, Sysmon, PowerShell, Task Scheduler, WMI Activity). |
| STIX v2 | Provide your own indicators of compromise via STIX v2 documents. The common observables used in STIX are applied in various checks and modules. |
