TryHackMe Room for THOR Lite

Since THOR and THOR Lite are tools written for digital forensic experts, they can be difficult to use. There is often a steep learning curve in the beginning.

We’d like to help new users pass these first steps in a playful way by providing a TryHackMe challenge in which you analyse a compromised system using THOR Lite.

You’ll learn how to download and run it, interpret the results, write your own signatures and include your own IOCs for a custom threat. 

Technical requirements

You’ll work with a prepared virtual machine that you’re required to download during the training.

  • VMware or VirtualBox
  • 13 GB download and 23 GB of disk space


The room is meant for first time THOR or THOR Lite users.

Target Audience: DFIR professionals, administrators, security analysts
Duration: ~3 hours (without the download of the VM)

TryHackMe Room for THOR Lite

Free | TryHackMe account needed

Detailed learning content

  • THOR Lite Util
  • THOR Lite Flags
  • Your first scan
  • Reading the HTML Report and using VirusTotal
  • Adding a custom IOC
  • Write your own YARA rule
  • Adding another Filename IOC
  • Full scan
  • False Positive Filter

Please help us and send your feedback

GDPR Cookie Consent with Real Cookie Banner