Overview
THOR is the most sophisticated and flexible compromise assessment tool on the market.
Incident response engagements often begin with a group of compromised systems and an even bigger group of systems that are possibly affected. The manual analysis of many forensic images can be challenging.
THOR speeds up your forensic analysis with more than 17,000 handcrafted YARA signatures, 400 Sigma rules, numerous anomaly detection rules and thousands of IOCs.
THOR is the perfect tool to highlight suspicious elements, reduce the workload and speed up forensic analysis in moments in which getting quick results is crucial.

Key Features

Focus is Hacking Activity

Flexible Deployment

Impressive Detection Rate

Multiple Output Options

Custom IOCs and YARA Rules

System Stability has High Priority
Detection Examples
Credential Dumper
Credential dumpers have long been considered so-called dual-use tools. Only recently have antivirus engines started to report them consistently, and not all antivirus vendors have followed that practice.
Tiny Web Shell
Many antivirus engines have problems detecting web shells. This may be due to the fact that their contents can be altered easily and in many ways. THOR has many web shell rules and threat hunting rules that detect special characteristics typically found in web shells.
Renamed PsExec
Administrators usually don’t rename well-known tools, whereas attackers do it frequently. THOR detects many renamed tools that can be used for reconnaissance, lateral movement or data exfiltration.
Hacktool Output
Attackers don’t just drop tools on an end system. They also use them. The execution of these tools leaves traces in caches and on disk. THOR detects many output files generated by hack tools and indicates their use even if the executable has been removed by the adversary.
LSASS Memory Dump
While working on compromised systems, attackers leave traces of their work, even if no hack tool or malware is involved. THOR detects temporary files like the process memory dump of the LSASS process, which contains credentials and can be used by attackers to extract these credentials on a remote system.
System File Anomaly
System files have specific characteristics. THOR features many detection rules that look for suspicious combinations of these characteristics. Suspicious executable packers, PE copyright information, file sizes and PE signature issuers are just some exam
THOR’s Signature Set
THOR ships with VALHALLA’s big encrypted signature database of more than 17,000 YARA signatures and undisclosed IOC sets. These signatures include web shell rules, anomaly rules, malware rules, hack tool and tool output rules, malicious script and macro rules, exploit code rules and rules for registry and log file matching.
