What is SPARK?
(EOL since 1 July 2019, End of Support is 31 October 2020)
SPARK is a portable scanner for attacker tools and activity on suspicious or compromised server systems. It covers a large set of basic checks and in-depth analysis of local log files and the file system. SPARK aims to be a sensitive auditor that notices files and behaviour traces a common antivirus may have missed. An integrated "Scoring System" enables SPARK to rate elements based on numerous characteristics and give hints on unknown malware.
SPARK can be easily expanded to handle individual, client-specific attack patterns (e.g. the detection of specific malware files or certain log entries on the basis of a forensic analysis).
It is a portable and agent-less “APT Scanner” that has numerous detection mechanisms for hacking activity.
The key features are:
- Scans for hack tools and attacker activity traces
- Portable – no installation required (agent-less)
- Runs on many platforms without any prerequisites
- Adaptable to the specific tools and activity of new APT cases
- Scoring System – providing a way to detect previously unknown software
- Several Export Formats (Syslog, TXT)
- Throttling of the scan process to reduce the system load to a minimum
Fast & Lightweight
Meet our new Golang-based scanner with improved performance, a small memory footprint and excellent stability.
We offer pre-compiled program and signature packs for Windows (32/64 bit), Linux (32/64 bit) and macOS (64 bit).
Use it standalone, with ASGARD or with your own solution. Run it from network shares via UNC path. Add your own indicators (STIX, CSV) or YARA rules in clear text or encrypted form. Process the text log or let it report via SYSLOG, JSON or CEF to your central SIEM. The options are countless.
THOR's Signature Set
SPARK ships with THOR's large encrypted signature database of more than 9000 YARA signatures and undisclosed IOC sets. These signatures include 2000+ web shell rules, 500+ anomaly rules, 3000+ malware rules, 1500+ hack tool and tool output rules, 300+ malicious script and macro rules, 100+ exploit code rules and more than 100 rules for registry and log file matching.
SHIM Cache Module
The SHIM Cache module analyses the contents of the AppCompatCache on Windows systems, applies all filename IOCs and anomaly regex rules, or simply prints out all entries for your review. This module allows you to detect malicious or suspicious entries of programs that adversaries removed long ago.
The Registry module applies the filename IOCs and THOR’s YARA rules for Registry detection to the loaded Registry and Registry Hives.
SPARK supports the Common Event Format (CEF) as an output format for optimal ArcSight integration.
The DeepDive feature allows you to scan image files in overlapping chunks, e.g. a memory image or pagefile.sys. You can apply your custom YARA rules and even scan whole partitions to detect deleted content in the disk’s free space.
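To illustrate the overlapping-chunk scanning DeepDive describes, here is an added Python example (not SPARK's own code) that scans a constructed buffer with literal byte patterns standing in for YARA rules; the rule names and sample bytes are made up. It shows that a pattern straddling a chunk boundary is missed when chunks do not overlap, and that keying hits by absolute offset reports a pattern lying in the shared region of two chunks only once.

```python
import re

# Constructed sample "image": a 175-byte buffer with one pattern entirely inside the
# first 64-byte chunk (and inside the overlap zone) and one that straddles offset 64.
SAMPLE_IMAGE = b"\x00" * 50 + b"TOKEN" + b"\x00" * 5 + b"MARKER_STRADDLE" + b"\x00" * 100

# Literal byte patterns standing in for YARA rules (hypothetical rule names).
RULES = {"token": b"TOKEN", "straddle": b"MARKER_STRADDLE"}


def required_overlap(rules):
    """Smallest overlap that guarantees every literal pattern fits inside some chunk:
    one byte less than the longest pattern."""
    return max(len(p) for p in rules.values()) - 1


def scan_overlapping_chunks(data, rules, chunk_size, overlap):
    """Scan `data` in `chunk_size`-byte windows, each starting `overlap` bytes before
    the previous window ended. Hits are keyed by absolute offset, so a pattern found
    in the shared region of two windows collapses to a single report.
    Returns a sorted list of (absolute_offset, rule_name)."""
    if not 0 <= overlap < chunk_size:
        raise ValueError("overlap must be non-negative and smaller than chunk_size")
    compiled = {name: re.compile(re.escape(pat)) for name, pat in rules.items()}
    hits = set()
    start = 0
    while True:
        chunk = data[start:start + chunk_size]
        for name, rx in compiled.items():
            for m in rx.finditer(chunk):
                hits.add((start + m.start(), name))  # chunk-relative -> absolute offset
        if start + chunk_size >= len(data):
            break
        start += chunk_size - overlap
    return sorted(hits)


if __name__ == "__main__":
    # No overlap: the boundary-straddling pattern is missed.
    print(scan_overlapping_chunks(SAMPLE_IMAGE, RULES, 64, 0))
    # Overlap of at least required_overlap(RULES): every pattern is found exactly once.
    print(scan_overlapping_chunks(SAMPLE_IMAGE, RULES, 64, required_overlap(RULES)))
```

For real YARA rules the minimum overlap is the longest string or byte sequence any rule can match, minus one; a smaller overlap reintroduces the boundary blind spot.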
(coming soon) The Eventlog analysis parses local Windows Eventlogs, checks for IOCs (e.g. filename IOCs) in the entries and applies Sigma rules to each log entry.