What is SPARK?

(EOL since 01. July 2019, End of Support is 31. October 2020)

SPARK is a portable scanner for attacker tools and activity on suspicious or compromised server systems. It covers a big set of basic checks and in deep analysis of local log files and file system. SPARK aims to be a sensitive auditor noticing files and behaviour traces a common Antivirus may have missed. An integrated “Scoring System” enables SPARK to rate a elements based on numerous characteristics to give hints on unknown malware.

SPARK can be easily expanded to handle individual, client-specific attack patterns (e.g. the detection of specific malware files or certain log entries on the basis of a forensic analysis).

It is a portable and agent-less “APT Scanner” that has numerous detection mechanisms for hacking activity.

The key features are:

  • Scans for hack tools and attacker activity traces
  • Portable – no installation required (agent-less)
  • Runs on many platforms without any prerequisites
  • Adaptable to the specific tools and activity of new APT cases
  • Scoring System – providing a way to detect previously unknown software
  • Several Export Formats (Syslog, TXT)
  • Throttling of the scan process to reduce the system load to a minimum

Fast & Lightweight

Meet our new Golang based scanner with improved performance, small memory footprint and excellent stability


We offer pre-compiled program and signature packs for Windows (32/64 bit), Linux (32/64 bit) and macOS (64 bit)


Use it standalone, with ASGARD or your own solution. Run it from network shares via UNC path. Add you own indicators (STIX, CSV) or YARA rules in clear text or encrypted form. Process the text log or let it report via SYSLOG, JSON or CEF to your central SIEM. The options are countless. 

Not All IOC Scanning Is The Same

People often tell us that EDR product X already does IOC scanning and that they don’t have to check for these indicators a second time using our scanners. Especially when it comes to network wide sweeps for traces of activity due to an ongoing incident I recommend...

Upcoming : THOR 10 “Fusion”

We are proud to announce the upcoming release of THOR 10 code named "Fusion". It will replace our scanners THOR 8 and SPARK before the end of this year. Both of the current scanners will still receive updates until the end of this year. THOR 10 "Fusion" combines the...

STIXv2 Support in SPARK

SPARK Version 1.17.0 adds extensive STIXv2 support.This allows you to easily extend SPARK's signature bases with IOCs from any sandbox, analysis or threat intel platforms that support STIXv2 export by placing the exported [cci]*.json[/cci] files in the...

Important Update Process Changes

As we have announced in May, the old "thor-upgrade.exe" is already out-of-support and the old update servers accessed by "thor-upgrade.exe" will be decommissioned at the end of October. The new all-round utility "thor-util.exe" now supports all of the features...

Feature: SPARK Sample Quarantine via Bifrost

The new SPARK v1.14.16 supports the sample quarantine protocol named Bifrost.With Bifrost you're able to send suspicious samples that THOR or SPARK  detect on endpoints directly to a central server for analysis.A Bifrost server is shipped in form of a Python script...

New Feature: THOR-util and SPARK-Core-util Signature Encryption

The new THOR-util version 1.2.4 supports the encryption of your custom signatures so that you can deploy your own IOC files and YARA rules in an encrypted form. We use a public key in the utilities to encrypt the files for our scanners so that admins, Antivirus...


THOR's Signature Set

SPARK ships with THOR’s big encrypted signature database of more than 9000 YARA signatures and undisclosed IOC sets. These signatures includes more than 2000+ web shell rules, 500+ anomaly rules, 3000+ malware rules, 1500+ hack tool and tool output rules, 300+ malicious script and macro rules, 100+ exploit code rules and more than 100 rules for registry and log file matching.

SHIM Cache Module

The SHIM Cache  module analyses contents of the AppCompatCache on Windows systems, applies all filename IOCs, anomaly regex rules or just prints out all entries for your review. This module allows you to detect malicious or suspicious entries of programs that have been removed by adversaries long ago. 

Registry Module

The Registry module applies the filename IOCs and THOR’s YARA rules for Registry detection to the loaded Registry and Registry Hives.  

CEF Output

SPARK supports the Common Event Format (CEF) as output format for optimal ArcSight integration


The DeepDive feature allows you to scan image files in overlapping chunks, e.g. a memory image or pagefile.sys. You can apply your custom YARA rules and even scan whole partitions to detect deleted content in the disk’s free space.

Eventlog Module

(coming soon) The Eventlog analysis parses local Windows Eventlogs, checks for IOCs (e.g. filename IOCs) in the entries and applies Sigma rules to each log entry.