What is SPARK?

SPARK is a portable scanner for attacker tools and activity on suspicious or compromised server systems. It covers a large set of basic checks and in-depth analysis of local log files and the file system. SPARK aims to be a sensitive auditor that notices files and behaviour traces a common antivirus may have missed. An integrated “Scoring System” enables SPARK to rate elements based on numerous characteristics to give hints on unknown malware.

SPARK can be easily expanded to handle individual, client-specific attack patterns (e.g. the detection of specific malware files or certain log entries on the basis of a forensic analysis).

It is a portable and agent-less “APT Scanner” that has numerous detection mechanisms for hacking activity.

The key features are:

  • Scans for hack tools and attacker activity traces
  • Portable – no installation required (agent-less)
  • Runs on many platforms without any prerequisites
  • Adaptable to the specific tools and activity of new APT cases
  • Scoring System – providing a way to detect previously unknown software
  • Several Export Formats (Syslog, TXT)
  • Throttling of the scan process to reduce the system load to a minimum


SPARK is a lightweight tool that can be deployed in many different ways. It does not require installation and leaves only a few temporary files on the target system. A best practice deployment provides a SPARK program folder on a read-only network share and makes it accessible from all systems within the network.

Systems in DMZ networks can be scanned manually by transferring a SPARK program package to the system and running it from the command line. The locally written log files are fully compatible with the Syslog messages sent to remote SIEM systems and can be mixed without any problem. We often recommend triggering the scan via a “Scheduled Task” distributed to the systems via GPO or PsExec. The servers access the file share at a given time, pull SPARK into memory and start the scan process. You can either mount the network share and run SPARK from there or access it directly via its UNC path (e.g. \\server\share\thor-spark-win-x64.exe).