APT Scanner THOR

Our APT Scanner THOR is the only flexible tool on the market that is able to evaluate the full extend of security incidents within your corporate networks in order to treat them appropriately.

In contrast to common Antivirus solutions THOR focuses on the detection of attacker activity. While well-known Antivirus solutions are configured to detect malware like trojans, worms and some types of exploit code, THOR performs a deep system analysis using more than 25 modules to reveal hidden attacker activity in log files, typical attacker tools, anomalies within the user accounts, sessions, error reports, dump files, network connections and many other check items.

In contrast to other incident response solutions THOR needs no installation, it can be configured to use only a small amount of system’s resources and works fully compliant with German data privacy regulations (German Data Protection Act, European privacy policy).

The basic features of THOR

  • Scans for hacking tools and adversary activities (Triage Tool)
  • Portable – no installation needed
  • No special requirements. (no Runtime Environment, .NET Framework needed)
  • Adjustable to react on adversaries tactics, techniques and procedures
  • Several ways to export information
  • Throttling the scanning process possible

THOR is a very flexible tool that can be used stand-alone for triage, live forensics or image scans in a lab environment. 

It also features a drop zone mode that monitors a certain directory for dropped files and generates a SYSLOG / JSON response for each file. 

THOR v10.1 features a mode called “THOR Remote”, which allows you to scan remote systems using valid credentials or Windows integrated authentication (Kerberos).

Therefore THOR user base ranges from CERT teams and incident responders to digital forensic investigators (DFIR) and security operation center (SOC) teams.

We frequently update our signature database and heuristic algorithms based on analyses from different sources.

These sources include:

  • Forensic analyses of compromised systems in customer APTs
  • Investigation results of public authorities
  • Public Malware and APT reports from different sources in the private sector
  • Big collection of hack tools, scanners, password dumpers, web shells and other leaked chinese underground tool sets

From these reports and sources we derive numerous „Indicators of Compromise“ (IOC) based on YARA, hash values, file name characteristics, C2 server and other keywords like certain user names, registry values or service names. We recently implemented support for STIX (Cybox) and YARA so you can easily integrate your own specific signatures.

THOR supports various way to report findings. You may define a output log file in ASCII format, a HTML report or an export via Syslog. The Syslog export function supports the use of UDP, TCP and the CEF format used by the ArcSight SIEM system.


Especially the reporting functions are built on practical experiences and are designed to meet the requirements of todays security monitoring infrastructure.

The following output are generated by THOR and can be configured individually via command line parameters:

  • Coloured command line output gives a quick impression on the severity of the findings.
    (red=Alert, yellow=Warning, blue=Notice, green=Information, violett=Error, grey=Debug)
  • Text Log: The format of the Text log is derived from the standard Syslog format, which can be searched via grep very easily and facilitates the process of integrating the Text logs with the logs sent via Syslog in a SIEM system of your choice.
  • HTML Report: The HTML report provides a quick overview in the header section, alerts and warnings in a special top section and all other events in chronological order below. (recommended output for the analysis of 20 or less systems)
  • Syslog Output: Sending the events in the Syslog format via UDP or TCP to any port on multiple target systems (ArcSight’s CEF Format is also supported)

IOC Sharing

Indicators of Compromise (IOCs), which have been derived from forensic analyses in customer APT cases are integrated in an anonymized and encrypted form. The Enterprise License includes all these signatures creating an extraordinary benefit for all participating customers. If you decide to share some of you own IOCs with others you receive an attractive discount on the license price.

Custom Indicators via IOC CSV Files and YARA

THOR uses YARA as its main signature format. They way how THOR integrates YARA is fully compatible with normal Yara signatures although THOR extends the standard matching in order to allow certain additional checks.

You are able to extend the integrated database with you own rules matching samples that are confidential. You can add them to the signature database simply by placing these rules in the standard signature folder. The documentation gives you guidance in cases in which you want to utilize the special extensions.

MFT Analysis

THOR integrates a module for the analysis of the Master File Table of the scanned NTFS partitions. This analysis provides the detection of recently deleted hack tools via their traces in the MFT.

„Deep Dive“ – Surface Scan

A module called „Deep Dive“ performs raw data stream analysis of objects like memory dumps, page files (if accessible e.g. on a mounted volume) and whole partitions. „Deep Dive“ reads the input stream in overlapping 3 MB chunks and applies the whole Yara signature database to these chunks. This way THOR is able to detect even deleted attacker tools in the free space of the hard drive.

With the ATT&CK Navigator and our JSON file, you can check THOR’s coverage of the respective attack methods.

Live Demo (2min)

Web Session (20min)