Scanner Comparison

THOR is our full-featured scanner for the Windows platform with numerous modules and additional checks.

SPARK is its little brother: fast, multi-platform, with far fewer supported modules.

SPARK Core is a new free version of SPARK, shipped with LOKI's open-source signature base and a limited module and feature set. Modules and features can be unlocked.

LOKI is an open-source IOC and YARA scanner written in Python.

Feature Comparison

Feature Description LOKI SPARK Core SPARK THOR
Custom File Hashes: Detect malware or hack tools based on custom file hashes (MD5/SHA1/SHA256).
Custom Filename Characteristics: Detect malware or hack tools based on filename characteristics (regular expressions).
Custom YARA Rules: Detect malware or hack tools based on YARA signatures (file and process memory scan).
Eventlog Analysis: Detect attacker activity and traces of hack tool usage in Windows Eventlogs (including Sysinternals Sysmon, Windows Defender, AppLocker, PowerShell and others).
Registry Analysis: Detect typical registry keys used by APT groups to maintain persistence on the system.
Autoruns Analysis: Processes all autoruns elements, plugins, registered drivers, WMI consumers and LSA providers, and applies the IOC database to them.
WMI Persistence: Parses OBJECTS.DATA files, lists registered elements and warns on suspicious ones.
Profile Directories Check: Checks that identify irregularities in the user profile directories.
SHIM Cache Scan: Detects malicious tools in the SHIM Cache registry section, which logs binary executions on Windows systems.
Shell Bags Scan: Analysis of logged shell bags, which show which locations of the file system have been accessed by users.
DNS Cache Analysis: Checks DNS cache entries for suspicious or malicious domain names.
Firewall Configuration Check: Checks the local firewall for suspicious rule definitions.
Active Sessions Check: Checks the currently active sessions for suspicious attributes, e.g. length of the user sessions or the remote end point.
Process Analysis: Analysis of the currently running processes for strange hooks, file handles and mutex definitions, network connections, memory strings, working directories and cloaking attempts.
Rootkit Check: A few checks for rootkits that use named pipes or communicate via device I/O controls.
Active Network Connections: Analysis of all active network connections; users, process IDs, end points, strange port numbers.
Network Share Check: Irregularities in the network share definitions; user names, share names, permissions.
Open Files Check: Files opened by processes; locations, user, permissions.
LSA Session Analysis: Checks all active LSA sessions for their duration and for typical malicious user names known from APT cases.
Services Checks: Analysis of all local services to detect uncommon configurations; service executable location, start type and user account combination, malware names in the service image path, etc.
Scheduled Tasks Analysis: Checks the scheduled tasks for malicious entries.
Run Key Contents Analysis: Intensive check of the RUN key entries to determine uncommon code executed at startup.
Startup Element Analysis (WMI): Analysis of the startup elements listed via WMI.
File System Analysis: Analysis of the file system with signatures to identify attackers' tool sets, common backdoor modifications, hash or password dump files, cloaked executables and much more.
MFT Analysis: Scans the Master File Table for entries of already deleted files.
Mutex Check: Detects mutexes from malicious programs like RATs or other malware.
Pipes Check: Detects malicious named pipes often used by APT group malware.
At Jobs Check: Detects suspicious at job list entries.
Host File Analysis: Checks the hosts file for malicious and suspicious entries.
Windows Error Report (WER) Analysis: Extracts relevant information from Windows crash reports (Dr. Watson reports) to determine crashes that were caused by exploits targeting known CVE vulnerabilities in browsers, browser plugins and other software.
Vulnerability Check: A basic vulnerability check for the most common vulnerabilities that allow lateral movement (Tomcat misconfiguration, HP Data Protector, missing patches).
System File Integrity Check: Checks the integrity of the most common system files using YARA rules.
Decompressed EXE Scan: Scans a compressed executable in its uncompressed form, decompressed into memory only.
Surface Scan (DeepDive): Analysis of the disk space to find tools that have already been deleted by the attackers.
TXT Export: Plain text log file of all events reported by THOR.
HTML Export: Structured HTML report of all events reported by THOR.
Syslog Export: Syslog export of the events generated by THOR. This export option is fully flexible: you can define different target ports and multiple target systems, use UDP or TCP, and choose between different formats.
CEF Message Format: Syslog sending messages in ArcSight CEF format to receive warnings and alerts in ArcSight SIEM systems.
JSON Output Format: Send JSON via UDP/TCP to a remote system or write a local file in JSON format.
Big YARA Signature Database: THOR includes a huge YARA signature database with more than 2200 rules from different sources. These rules include selected antivirus rules and signatures for hack tools, web shells, networking tools and other software used by attackers on compromised systems. (AES256 encrypted)
Client APT Signature Database: THOR includes a YARA signature database with more than 240 rules from APT investigations in our client environments. (AES256 encrypted)
Custom STIX Signatures: Provide your own indicators of compromise as STIX v1 descriptions. The common observables used in STIX are applied to the various check modules.
Drop Zone Mode: Define a folder to watch for new samples; dropped samples are scanned (and optionally deleted).