Free IOC and YARA Scanner

TryHackMe Training Room for THOR Lite

Since THOR and THOR Lite are tools written for digital forensic experts, they can be difficult to use. There is often a steep learning curve in the beginning.

We’d like to help new users pass these first steps in a playful way by providing a TryHackMe challenge in which you analyse a compromised system using THOR Lite.

You’ll learn how to download and run THOR Lite, interpret the results, write your own signatures and include your own IOCs for a custom threat.

Technical requirements

You’ll work with a prepared virtual machine that you’re required to download during the training.

  • VMware or VirtualBox
  • 13 GB download and 23 GB of disk space


The room is meant for first-time THOR or THOR Lite users.

Target Audience: DFIR professionals, administrators, security analysts
Duration: ~3 hours (without the download of the VM)

Free | TryHackMe account needed

Detailed learning content

  • THOR Lite Util
  • THOR Lite Flags
  • Your first scan
  • Reading the HTML Report and using VirusTotal
  • Adding a custom IOC
  • Write your own YARA rule
  • Adding another Filename IOC
  • Full scan
  • False Positive Filter

Please help us and send your feedback
