THOR Lite - Free YARA and IOC Scanner

[upnorth]

Meet our new fast and flexible multi-platform IOC and YARA scanner THOR in a reduced free version named THOR Lite. THOR Lite includes the file system and process scan module as well as module that extracts “autoruns” information on the different platforms.

While our enterprise scanner THOR uses VALHALLA‘s big YARA rule base, the free THOR Lite version ships with the Open Source signature base, which is also part of our free Python scanner LOKI.

• Free scanner for Windows, Linux and macOS
• Precompiled and encrypted open source signature set
• Update utility to download tested versions with signature updates
• Documentation
• Option add your custom IOCs and signatures
• Different output formats: text log, SYSLOG (udp/tcp/tcp+tls), JSON to file, JSON via Syslog
• Scan throttling to limit the CPU usage

Spoiler

THOR Lite: Free Multi-Platform IOC and YARA Scanner - Nextron Systems

Free IOC and YARA Scanner - Meet our fast and flexible multi-platform IOC and YARA scanner THOR in a community version named THOR Lite.

www.nextron-systems.com

To receive the download and license, subscribe to the news letter here :

THOR Lite: Free Multi-Platform IOC and YARA Scanner - Nextron Systems

Free IOC and YARA Scanner - Meet our fast and flexible multi-platform IOC and YARA scanner THOR in a community version named THOR Lite.

www.nextron-systems.com

Extract the files and license in a new created folder. Read the " THOR_Manual " pdf file for more information located in the docs folder.

Not to be confused with the Danish company Heimdal Securitys Thor products.

Disclaimer
You use THOR lite on your own risk.

 

[upnorth]

 

[Zero Knowledge]

I have found the thor virustotal results for the apt scanner to be very accurate on unknown malware. Interested to see this tool in action.

 

[upnorth]

I have found the thor virustotal results for the apt scanner to be very accurate on unknown malware. Interested to see this tool in action.

Correct, and also a reason why I got curious enough at start with LOKI, but please be aware that the VT results is detected with their Valhalla rule sets and that's used in the enterprise version of Thor.

More information on their scanners here :

Compare our Scanners - Nextron Systems

www.nextron-systems.com

 

[Zero Knowledge]

Correct, and also a reason why I got curious enough at start with LOKI, but please be aware that the VT results is detected with their Valhalla rule sets and that's used in the enterprise version of Thor.

More information on their scanners here :

Compare our Scanners - Nextron Systems

www.nextron-systems.com

Yes that's why I'm curious also but sad we won't get the best rule set available. I would like to test their enterprise version because it has confirmed my suspicions about probable malware before. I knew the files were dirty but no one else on virustotal detected them. I think yara rules are the wave of the future in av detection engines, they seem to be able to identify unkown malware quicker.

 

[upnorth]

Even Kaspersky propagate/advertise Yara with their tool named Klara, so yes I would agree it holds merit and is hopefully something we will see more. Anything that actually helps better, gets my vote.

 

[Zero Knowledge]

I think the future of protection will be a mix of everything until artificial intelligence becomes god like.

 

[upnorth]

This is one of the features Thor Lite don't have.

The new remote scanning feature called “THOR Remote” allows you to perform triage scans on hundreds of remote systems from a single admin workstation. You can think of it as an integrated PsExec. No scripting, no agents, no hustle.

 

[upnorth]

THOR Scanner extends Microsoft Defender ATP’s real-time monitoring by intense local scans to allow a full on-demand compromise assessment. THOR is a forensic scanner that integrates into Microsoft Defender ATP to scan the local filesystem, registry, logs and other elements for traces of hacking activity using 10,000 hand-written YARA rules and thousands of filename, C2, hash, mutex and named pipe IOCs to them. This live forensic scan reduces the work of your forensic analysts to a minimum and generates results as fast as possible for you to react in a timely manner. Learn more about the integration.

New partnerships with innovative leaders helps you fight advanced threats!

New partners including Splunk Enterprise, ServiceNow Security Operations, Vectra, CyberMDX, Cymulate, SkyBox, and THOR are utilizing the rich telemetry and..

techcommunity.microsoft.com

 

[upnorth]

Since we’ve heard from partners and friends about many non-profit organisations affected by the Exchange server vulnerability, we’ve decided to transfer many detection rules from our commercial scanner into the free community version.

Scan for HAFNIUM Exploitation Evidence with THOR Lite - Nextron Systems

www.nextron-systems.com

Spoiler

 

[upnorth]

 

[upnorth]

Scanning an Exchange Server for ProxyShell and ProxyToken vulnerabilities with THOR Lite

Almost 2,000 Exchange Servers Hacked using ProxyShell Exploit

Almost 2,000 Microsoft Exchange email servers have been hacked over the past two days and infected with backdoors after owners did not install patches for a collection of vulnerabilities known as ProxyShell. The attacks, detected by security firm Huntress Labs, come after proof-of-concept...

malwaretips.com

 

[upnorth]

Update your THOR Lite with: thor-lite-util.exe update