Microsoft as well as Volexity published reports on the activity of an actor, named HAFNIUM by Microsoft, exploiting at least four zero-day vulnerabilities in Microsoft Exchange services. In this blog post we would like to outline the coverage provided by THOR regarding...
THOR Seed v0.18 Improves Integration with Microsoft Defender ATP
A new version of THOR Seed improves the integration with Microsoft Defender ATP by handling the script termination caused by exceeded timeouts. Due to a runtime limit for all scripts in the Live Response library we had to configure previous versions of THOR Seed to...
THOR Process Memory Matches with Surrounding Strings
Following THOR's approach of showing suspicious elements, it is not feasible to completely avoid false positives. Therefore we always try to provide as much information as possible for an analyst to assess such a suspicious element as quickly as possible. Users liked...
VALHALLA API 1.1 Changes
We've made some changes to VALHALLA and released version 1.1 and valhallAPI version 0.5 to reflect these changes. The new modified date shows when this rule has last been modified. See this example. The modified date will also appear in the JSON feed and metadata of...
New Features: Progress Bar and HTML Report Filter Functions
We would like to inform you about three new comfort features that will be available in the upcoming THOR versions including THOR Lite. Improved HTML Reports: The new HTML reports allow analysts to filter elements that turn out to be false positives and remove them from...
Performance Refactoring in THOR v10.5.9 and THOR TechPreview v10.6.2
We are glad to announce significant performance improvements in the latest versions of THOR. We've refactored several processing units to bulk scan elements that have previously been checked one at a time. These changes affect the modules "Eventlog", "Registry",...
THOR 10 Legacy for Windows XP and Windows 2003
We've been working on a legacy version of our scanner THOR 10 for a while and started our closed BETA, which is available to all current customers on special request. The THOR legacy version does not include the following modules/features: Module: Eventlog scanning...
THOR Forensic Lab License Features
THOR version 10.6, which is currently available as TechPreview, introduces several new features that facilitate the use of THOR in a digital forensics lab. Since not all of the features provided with the "Forensic Lab" license type are well-known, we would like to...
There’s a Thunderstorm Coming
We are proud to announce a groundbreaking new scan mode named "Thunderstorm" that we've integrated into preview builds of the upcoming THOR version 10.6. This mode of operation turns THOR into a RESTful web service that is able to process thousands of samples per...
THOR v10.6 TechPreview
We are proud to announce the version 10.6 of THOR, which is the first one that gets released as a TechPreview. We've discussed the split-up into THOR and THOR TechPreview in a previous post. The following post describes the most important new feature of the THOR...
Introduction THOR TechPreview
Since its early days, THOR has always been focused on stability and detection rate. With the early module and feature set, we never had to make a compromise. However, during the last 1-2 years, we had to make some decisions on the integration of new features and...
Use THOR in CrowdStrike Falcon Real Time Response
One of our customers has successfully deployed THOR using CrowdStrike's Falcon Real Time Response. Falcon's Real Time Response provides a remote shell that is very similar to Microsoft Defender ATP's Live Response, which we've already combined with THOR Cloud...