Our compromise assessment scanner THOR is able to apply Sigma rules during the local Eventlog analysis. This can help any customer that has no central SIEM system or performs a live forensic analysis on a system group that does not report to central monitoring. By...
The following slides contain information on changes and new feature in several of our products. VALHALLA Product Update and New Features DOWNLOAD Slide DeckTHOR Cloud Technical Implementation, RoadmapDOWNLOAD Slide Deck
PE Sieve Integration With the integration of @hasharezade's PE Sieve project THOR is able to detect and report a variety of process implants like replaced or injected portable executables (process hollowing), injected shellcodes, hooks and in-memory patches....
With this blog post we would like to inform you that our End-of-Life (EOL) products THOR 8 and SPARK will reach their End-if-Service-Life (EoSL) on 31th of October 2020. From this day onwards, product and signature updates will not be available anymore. Please...
We are proud to announce the release of THOR Lite. It is a trimmed-down version of THOR v10 with a reduced feature set and the open source signature base used in LOKI and the now obsolete scanner SPARK Core. It uses the completely rewritten code base of THOR v10...
Update 14.02.2023 The information in this blog post is outdated. For more information on how to scan appliances remotely using SSH see this newer blog post. In this blog post I'd like to outline an idea on how to perform an automated compromise assessment on Citrix...
Why Integrate THOR into Microsoft Defender ATP While Microsoft Defender ATP fully plays off its strength in detecting live attacks, suspicious process starts and network connections, THOR shines as a live forensic scanner that scans the local filesystem, registry,...
People often tell us that EDR product X already does IOC scanning and that they don’t have to check for these indicators a second time using our scanners. Especially when it comes to network wide sweeps for traces of activity due to an ongoing incident I recommend...
Refactored Handle Detection We have completely refactored THOR's malicious Handle detection. We now allow the use of regular expressions and combined all types in a single signature file named "malicious-handles.dat". Users can provide custom indicators by placing a...
We've made a short video demo to showcase the new THOR 10 feature called "THOR Remote", which allows you to perform compromise assessment scans on multiple remote systems - no agent or scripting required.
New Module "Events" This module checks registered Events in the system environment as they are used by advanced malware and rootkits. We have checked for malicious Events before, in the Rootkit module, but these checks were hardcoded. We've spun out that section and...
THOR v10.1 features a mode of operation that is especially helpful in incident response or compromise assessment scenarios - remote scanning. Imagine that you're in a firefighting scenario - a breach has been confirmed and management wants to have quick results on...