THOR APT Scanner - Nextron Systems

THOR is the most sophisticated and flexible compromise assessment tool on the market. It is our full-featured, portable and flexible compromise assessment scanner for Windows, macOS and Linux systems, with many modules and export types for corporate customers. THOR runs on all current and many older versions of Windows, Linux, macOS and AIX. Meet our new Go based scanner with improved performance.

THOR focuses on everything the Antivirus misses. With its huge signature set of thousands of YARA and Sigma rules, IOCs, rootkit and anomaly checks, THOR covers all kinds of threats. THOR speeds up your forensic analysis with more than 12,000 handcrafted YARA signatures, 400 Sigma rules, numerous anomaly detection rules and thousands of IOCs. THOR ships with VALHALLA's big encrypted signature database of more than 12,000 YARA signatures and undisclosed IOC sets. These signatures include more than 2000 web shell rules, 500+ anomaly rules, 3000+ malware rules, 1500+ hack tool and tool output rules, 300+ malicious script and macro rules, 100+ exploit code rules and more than 100 rules for registry and log file matching. Thousands of generic signatures detect anomalies, obfuscation techniques and suspicious properties to rapidly accelerate compromise assessments. THOR's impressive detection rate is well-known in the industry and fits the needs of threat hunters around the globe. Check VALHALLA's statistics page to get some examples of THOR's findings with low Antivirus detection rates. With the ATT&CK Navigator and our JSON file, you can check THOR's coverage of the respective attack methods.

THOR is the perfect tool to highlight suspicious elements, reduce the workload and speed up forensic analysis and DFIR investigations in moments in which getting quick results is crucial. Incident response engagements often begin with a group of compromised systems and an even bigger group of systems that are possibly affected. The manual analysis of many forensic images can be challenging. Implants used by advanced threat actors are more challenging to detect using conventional methods and require more sophisticated inspection techniques.

THOR does not only detect the backdoors and tools attackers use but also outputs, temporary files, system configuration changes and other traces of malicious activity. While working on compromised systems, attackers leave traces of their work, even if no hack tool or malware is involved. Attackers don't just drop tools on an end system. They also use them. The execution of these tools leaves traces in caches and on disk. THOR detects many output files generated by hack tools and indicates their use even if the executable has been removed by the adversary. THOR detects temporary files like the process memory dump of the LSASS process, which contains credentials and can be used by attackers to extract these credentials on a remote system. Credential dumpers have long been considered so-called dual-use tools. Only recently have antivirus engines started to consistently report them, but not all antivirus vendors followed that practice.

THOR detects many renamed tools that can be used for reconnaissance, lateral movement or data exfiltration. Administrators usually don't rename well-known tools, whereas attackers do it frequently.

System files have specific characteristics. THOR features many detection rules that look for suspicious combinations in these characteristics. Suspicious executable packers, PE copyright information, file sizes and PE signature issuers are just some examples of what THOR detects in system files.

Many antivirus engines have problems detecting web shells. This may be due to the fact that their contents can be altered easily and in many ways. THOR has many web shell rules and threat hunting rules that detect special characteristics typically found in web shells.

THOR has a comprehensive set of malicious Mutex, Named Pipe and Event values and enriches each match with relevant metadata to facilitate the further analysis.

The Registry module applies the filename IOCs and THOR's YARA rules for Registry detection to the loaded Registry and Registry Hives.

The SHIM Cache module analyses the contents of the AppCompatCache on Windows systems, applies all filename IOCs and anomaly regex rules, or just prints out all entries for your review. This module allows you to detect malicious or suspicious entries of programs that have been removed by adversaries long ago.

The Eventlog analysis parses local Windows Eventlogs, checks for IOCs (e.g. filename IOCs) in the entries and applies Sigma rules to each log entry. Our compromise assessment scanner THOR is able to apply Sigma rules during the local Eventlog analysis.

THOR uses YARA as its main signature format. The way THOR integrates YARA is fully compatible with normal YARA signatures, although THOR extends the standard matching in order to allow certain additional checks. The documentation gives you guidance in cases in which you'd like to utilize the special extensions or encrypt your signatures before the deployment.

IOC stands for "Indicators of Compromise". An Indicator of Compromise (IOC) is a piece of information that can be used to search for or identify potentially compromised systems. These indicators can be derived from published incident reports, forensic analyses or malware sample collections in your Lab. It is easy to extend the integrated database with your own rules and IOCs. You can easily add your own indicators and signatures from threat feeds, your own investigations or threat reports. You can add them to the signature database simply by placing these rules in the standard signature folder. You may upload your own signatures in any of THOR's IOC formats (e.g. files for keyword IOCs, YARA files and Sigma files). Refer to the THOR manual for a complete list and file formats.

THOR doesn't have to be installed. You can just copy it to a remote system, run it from a network share or use it on USB drives that you carry to the affected systems. It can be used stand-alone for triage, live forensics or image scans in a lab environment. However, you can deploy it for continuous compromise assessments using the ASGARD agents. A feature named THOR Remote allows you to scan multiple Windows end systems from a single privileged workstation. Think of it as PsExec combined with the power of THOR. THOR Thunderstorm offers THOR as a Web Service; THOR Cloud offers on-demand live forensic scans; an integration with Microsoft Defender ATP is also available.

We build THOR for a certain Linux version in order to match the correct libc that is required by the YARA module.

THOR monitors the systems' resources during the scan. It automatically applies throttling if it detects low hardware resources and disables features that could affect the systems' stability. If the available free main memory drops below a certain threshold, THOR stops the scan and exits with a warning. THOR's flexibility is outstanding.

Scanning a Subset Only. You could run a scan …

THOR supports various ways to report findings. It writes a text log or sends SYSLOG messages to a remote system (TCP, UDP, CEF, JSON, optional TLS). THOR supports the Common Event Format (CEF) as output format for optimal ArcSight integration. An HTML report is generated at the end of the scan. This can help any customer that has no central SIEM system or performs a live forensic analysis on a system group that does not report to central monitoring. You can use the free Splunk App or ASGARD Analysis Cockpit to analyze THOR's reports of thousands of systems.

ASGARD Management Center

Managing Scan Templates: Scan templates are the most convenient way to make use of THOR's rich set of scan options. Starting with ASGARD 1.10, it is possible to define scan parameters for THOR 10 and store them in different templates for later use in single scans and grouped scans.

IOC Management: The section IOC management gives you the opportunity to easily integrate custom signatures into your scans. ASGARD provides two ways to import custom IOCs, YARA or Sigma rules: upload in a format that THOR understands (see THOR Manual), or sync with a MISP instance. All IOCs, rules and MISP events can be used in scans on every connected endpoint.

THOR Lite – Free YARA and IOC Scanner

Mar 20, 2020 | Nextron, SPARK, SPARK Core, THOR, THOR Lite

We are proud to announce the release of THOR Lite. Meet our new fast and flexible multi-platform IOC and YARA scanner THOR in a reduced free version named THOR Lite. THOR Lite is a limited version of our scanner THOR and offered for free. It is a trimmed-down version of THOR v10 with a reduced feature set and the open source signature base used in LOKI and the now obsolete scanner SPARK Core. While our enterprise scanner THOR uses VALHALLA's big YARA rule base, the free THOR Lite version ships with the Open Source signature base, which is also part of our free Python scanner LOKI. All we ask for is a Newsletter subscription. You can find a full comparison here.

THOR Lite includes the file system and process scan module as well as a module that extracts "autoruns" information on the different platforms. It does not include all checks performed by LOKI yet, but integrates other features and open source projects, like the "go-autoruns" module, written by Claudio Guarnieri. Many other modules and features are only available in the full THOR version.

Features of THOR Lite:
1. Free scanner for Windows, Linux and macOS
2. Precompiled and encrypted open source signature set
3. Update utility to download tested versions with signature updates
4. Option to add your custom IOCs and signatures
5. Different output formats: text log, SYSLOG (udp/tcp/tcp+tls), JSON to file, JSON via Syslog

Compared to LOKI, THOR Lite isn't open source but precompiled for all major platforms. It supports more output types: SYSLOG via udp/tcp, JSON via udp/tcp, SYSLOG format to file, JSON to file. It allows throttling by setting a maximum CPU usage.

We want to provide the community with a flexible YARA and IOC scanner which is a worthy successor to LOKI. You start using our free scanner, see how it works and may be able to afford one of our enterprise-grade scanners. All that we ask for is your email address in order to inform you about new developments.

We offer pre-compiled program and signature packs for Windows (32/64 bit), Linux (32/64 bit) and macOS (64 bit). However, since some realtime engines check every file that THOR Lite has "touched" during its scan, an Antivirus exclusion can increase the scan speed by ~30% and avoid any interference (blocked access to some files etc.). Contribute to NextronSystems/thor-lite development by creating an account on GitHub.

LOKI Open-Source IOC Scanner - Nextron Systems

LOKI is a free and simple IOC (Indicators of Compromise) scanner, a complete rewrite of the main analysis modules of our full-featured APT Scanner THOR. LOKI is a free and open IOC scanner that uses YARA as signature format and offers a simple way to scan your systems for known IOCs. LOKI requires Python and YARA installed on Linux to run. The Windows binary is compiled with PyInstaller 2.1 and should run as an x86 application on both x86 and x64 based systems. Loki - Simple IOC Scanner includes a MISP receiver.

Detection is based on four detection methods:
1. File Name IOC: Regex match on full file path/name
2. Yara Rule Check: Yara signature match on file data and process memory
3. Hash check: Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
4. C2 Back Connect Check

From the Loki github page, Loki currently includes the following IOC …

One tool that has caught my interest is the Loki APT scanner created by BSK Consulting, a cool scanner that combines filenames, IP addresses, domains, hashes, Yara rules, Regin file system checks, process anomaly checks, SWF decompressed scan, SAM dump checks, etc.

How not to mention Loki or Thor IOC scanner created by the awesome Nextron Systems? Their indicators can be derived from published incident reports, forensic analyses or …

Simple Bash IOC Scanner

FENRIR is the 3rd tool after THOR and LOKI. It allows scanning any Linux/Unix/OSX system for IOCs in plain bash. The problem with both predecessors is that both have certain requirements on the Linux platform. Contribute to techris45/Fenrir development by creating an account on GitHub.

Signature-Base

Signature-Base is the YARA signature and IOC database for our scanners LOKI and THOR Lite. Focus of Signature-Base: high quality YARA rules and IOCs with minimal false positives.

THOR APT Scanner - Web Shells Extract: This ruleset is a subset of all hack tool rules included in our APT Scanner THOR - the full featured APT scanner. Florian Roth, BSK Consulting GmbH; revision: 20160115; License: Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0).

Scanners

Hitman Pro is an on-demand malware scanner and removal tool.

openioc_scan is an open-source IOC scanner for memory forensics and implemented as a plugin of Volatility Framework.

The IoC Scanner can be run directly on a Citrix ADC Appliance. In this mode, the tool will scan files, processes, and ports for known indicators. The tool writes diagnostic messages to the STDERR stream and results to the STDOUT stream. In typical usage, you should redirect STDOUT to a file for review.

MISP-related tools: misp-to-autofocus is a script for pulling events from a MISP database and converting them to Autofocus queries. McAfee Active Response provides a McAfee Active Response integration with MISP. MISP-Extractor extracts information from MISP via the API and automates some tasks.

Related tools: Fenrir – a simple IOC scanner, created by the creators of THOR and LOKI; Fileintel – pull intelligence per file hash; HELK – threat hunting platform; Hindsight – internet history forensics for Google Chrome/Chromium; Hostintel – pull intelligence per host.

Florian Roth is the CTO of Nextron Systems GmbH and has officially worked in the information security industry since 2003. Florian is the creator of APT Scanner THOR – Scanner for Attacker Activity and Hack Tools and developer of Nextron's most comprehensive handcrafted Yara rule feed service – Valhalla. He created the Sigma project […]

Nextron Systems GmbH, Bruchstrasse 8, 63128 Dietzenbach, Germany. Email: info@nextron-systems.com. Phone: +49 6074 – 728 42 36. Fax: +49 3212 – 147 84 25.

Nextron Systems GmbH © 2021. All Rights Reserved.