Incident response engagements often begin with a group of compromised systems and an even bigger group of systems that are possibly affected. The manual analysis of many forensic images can be challenging.
THOR speeds up your forensic analysis with more than 30,000 handcrafted YARA signatures, 3,000 Sigma rules, numerous anomaly detection rules and thousands of IOCs.
THOR is the perfect tool to highlight suspicious elements, reduce the workload and speed up forensic analysis in moments in which getting quick results is crucial.
30,000+ handcrafted YARA signatures
3,000+ handcrafted Sigma rules
31 detection modules
4x faster: THOR speeds up your forensic analysis
Focus is Hacking Activity
THOR focuses on everything the Antivirus misses. With its huge signature set of thousands of YARA and Sigma rules, IOCs, rootkit and anomaly checks, THOR covers all kinds of threats. THOR detects not only the backdoors and tools attackers use but also their outputs, temporary files, system configuration changes and other traces of malicious activity.
Flexible Deployment
THOR doesn’t have to be installed. You can simply copy it to a remote system, run it from a network share or carry it on a USB drive to the affected systems. Alternatively, you can deploy it for continuous compromise assessments using the ASGARD agents.
Impressive Detection Rate
THOR’s impressive detection rate is well-known in the industry and fits the needs of threat hunters around the globe. Thousands of generic signatures detect anomalies, obfuscation techniques and suspicious properties to rapidly accelerate compromise assessments.
Multiple Output Options
THOR supports various ways to report findings. It writes a text log or sends SYSLOG messages to a remote system (TCP, UDP, CEF, JSON, optional TLS). An HTML report is generated at the end of the scan. You can use the free Splunk App or ASGARD Analysis Cockpit to analyze THOR’s reports of thousands of systems.
Custom IOCs and YARA Rules
You can easily add your own indicators and signatures from threat feeds, your own investigations or threat reports.
System Stability has High Priority
THOR monitors the system’s resources during the scan. If the available free main memory drops below a certain threshold, THOR stops the scan and exits with a warning. It automatically applies throttling if it detects low hardware resources and disables features that could affect the system’s stability.
Detection Examples
Use Cases
THOR’s flexibility is outstanding. It can be used stand-alone for triage, live forensics or image scans in a lab environment.
THOR is the perfect tool to highlight suspicious elements, reduce the workload and speed up DFIR investigations in moments in which getting quick results is crucial.
THOR’s Signature Set
THOR ships with more than 30,000 YARA signatures (VALHALLA’s big encrypted signature database and undisclosed IOC sets). These signatures include web shell rules, anomaly rules, malware rules, hack tool and tool output rules, malicious script and macro rules, exploit code rules and rules for registry and log file matching.
Check VALHALLA’s statistics page to get some examples of THOR’s findings with low Antivirus detection rates.
Custom Indicators and YARA Rules
THOR uses YARA as its main signature format. THOR’s YARA integration is fully compatible with standard YARA signatures, although THOR extends the standard matching to allow certain additional checks.
It is easy to extend the integrated database with your own rules and IOCs. You can add them to the signature database simply by placing these rules in the standard signature folder.
The documentation gives you guidance in cases in which you’d like to use the special extensions or encrypt your signatures before deployment.
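As an added illustration of the kind of custom rule you can drop into the signature folder (this is a constructed example, not a THOR or VALHALLA rule, and the folder path and the exact set of meta fields THOR evaluates are not stated on this page; the `score` meta field is assumed here), a plain, standard-YARA rule that flags PHP files evaluating attacker-controlled request data:

```yara
rule Custom_PHP_Eval_Of_Request_Data
{
    meta:
        description = "Constructed example: PHP script passing request parameters straight into eval()"
        author = "custom IOC example, not part of the THOR signature set"
        reference = "internal investigation (placeholder)"
        score = 70   // assumed THOR meta field; plain YARA ignores unknown meta keys
    strings:
        // Only consider files that look like PHP source
        $php = "<?php" ascii
        // Direct evaluation of user-supplied superglobals
        $s1 = "eval($_POST[" ascii
        $s2 = "eval($_GET[" ascii
        $s3 = "eval($_REQUEST[" ascii
        // Common obfuscated variant: decode the parameter, then evaluate it
        $s4 = "eval(base64_decode($_" ascii
    condition:
        // Skip Windows PE files and very large files to keep scans fast
        uint16(0) != 0x5a4d and filesize < 200KB
        and $php and 1 of ($s*)
}
```

Because the rule uses only standard YARA syntax, it can be validated with the stock `yara` binary against a known sample before being placed in THOR’s signature folder; encrypting it for deployment is described in the documentation referenced above.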
Multi-Platform
THOR runs on all current and many older versions of Windows, Linux and macOS.
With THOR Thunderstorm you can additionally run THOR scans on virtually any operating system. You can scan live systems, disk images or specific forensic evidence like EVTX files, memory dumps or Registry hives.
The Eventlog analysis parses local Windows Eventlogs, checks for IOCs (e.g. filename IOCs) in the entries and applies Sigma rules to each log entry.
A feature named THOR Remote allows you to scan multiple Windows end systems from a single privileged workstation. Think of it as PsExec combined with the power of THOR.
The Registry module applies the filename IOCs and THOR’s YARA rules for Registry detection to the loaded Registry and Registry Hives.
The SHIM Cache module analyses the contents of the AppCompatCache on Windows systems, applies all filename IOCs and anomaly regex rules, or simply prints out all entries for your review. This module allows you to detect malicious or suspicious entries for programs that adversaries removed long ago.
Implants used by advanced threat actors are more challenging to detect with conventional methods and require more sophisticated inspection techniques. THOR has a comprehensive set of malicious Mutex, Named Pipe and Event values and enriches each match with relevant metadata to facilitate further analysis.
Integration Examples
THOR is very flexible and can be combined in many ways to build the optimal solution or to integrate seamlessly into your existing infrastructure and workflow.
MITRE ATT&CK Coverage
With the ATT&CK Navigator and our JSON file, you can check THOR’s coverage of the respective attack methods.
Live Demo (2 min)
A live demo of THOR 10 APT Scanner used in many DFIR use cases like compromise assessments, lab scanning or triage.