We're glad to announce a new feature that allows users to enrich events generated by THOR with information from Virustotal. The feature is available in the full THOR v10.7 TechPreview and THOR Lite. It can be used in any scan mode: live endpoint scanning, lab...
Analyze VMware ESX Systems with THOR Thunderstorm
Since the release of THOR Thunderstorm in the summer of 2020, our customers used it to analyse a variety of systems that are usually considered as "out of scope". In some cases the EULA prevents the installation of Antivirus scanners or EDR agents. In other cases the...
Which extra value provides THOR in Exchange ProxyLogon related assessments?
Since we've decided to migrate many of the HAFNIUM / Exchange vulnerability related signatures into the open source signature database of our free scanner THOR Lite, both users of the free and the commercial version started asking questions of coverage and if a scan...
Scan for HAFNIUM Exploitation Evidence with THOR Lite
Since we've heard from partners and friends about many non-profit organisations affected by the Exchange server vulnerability, we've decided to transfer many detection rules from our commercial scanner into the free community version. If you haven't heard of THOR or...
New VALHALLA Web Features
The newest update of our popular YARA rule feed named VALHALLA adds new features to its web interface. The most awaited new feature is a keyword search that allows you to query the database for certain keywords, rule names, reports, MITRE ATT&CK ids or tags. The...
New VALHALLA Features That You Might Have Missed
Rule Info Pages The new rule info pages allow you to get more information on a certain rule. You can find all the meta data, as well as past rule matches and previous antivirus verdicts. A second tab contains statistics. You can also report false positives that...
Not All IOC Scanning Is The Same
People often tell us that EDR product X already does IOC scanning and that they don’t have to check for these indicators a second time using our scanners. Especially when it comes to network wide sweeps for traces of activity due to an ongoing incident I recommend...
THOR 10 Fusion – Major Changes
In anticipation of our new scanner THOR 10 Fusion, we would like to show you some of the exciting new features and upcoming changes. Modes and Feature Cleanup We've reviewed and reworked all scan modes in order to clarify the overview of active modules and features...
50 Shades of YARA
A long time ago I've noticed that there is no single best YARA rule for a given sample, but different best solutions depending on the user's requirements and use case. I noticed that I often create 2 to 3 YARA rules for a single sample that I process, while each of...
Short Tutorial: How to Create a YARA Rule for a Compromised Certificate
Working in incident response or malware analysis, you may have come across compromised and sometimes revoked certificates used to sign malware of different types. Often threat groups use stolen certificates to sign their malware. I'd like to show you an easy way to...
New Feature: THOR-util and SPARK-Core-util Signature Encryption
The new THOR-util version 1.2.4 supports the encryption of your custom signatures so that you can deploy your own IOC files and YARA rules in an encrypted form. We use a public key in the utilities to encrypt the files for our scanners so that admins, Antivirus...
Valhalla YARA and Sigma Rule Feed
VALHALLA boosts your detection capabilities with the power of thousands of hand-crafted high-quality YARA and Sigma rules. Our team curates more than quality tested YARA rules in 8 different categories: APT, Hack Tools, Malware, Web Shells, Exploits,...