Compromise Assessment

share close

THOR - Compromise Assessment

A good compromise assessment methodology requires the use of tools that will make the assessment more efficient.

For this, we present THOR  – the most sophisticated and flexible compromise assessment tool on the market.

Incident response engagements often begin with a group of compromised systems and an even bigger group of systems that are possibly be affected. The manual analysis of many forensic images can be challenging.

THOR speeds up your forensic analysis with more than 10,000 handcrafted YARA signatures, 400 Sigma rules, numerous anomaly detection rules and thousands of IOCs.

THOR is the perfect tool to highlight suspicious elements, reduce the workload and speed up forensic analysis in moments in which getting quick results is crucial.

Use Cases

THOR flexibility is outstanding. It can be used stand-alone for triage, live forensics or image scans in a lab environment.

THOR is the perfect tool to highlight suspicious elements, reduce the workload and speed up DFIR investigations in moments in which getting quick results is crucial.

THOR’s Signature Set

THOR ships with VALHALLA’s big encrypted signature database of more than 10,000 YARA signatures and undisclosed IOC sets. These signatures includes more than 2000+ web shell rules, 500+ anomaly rules, 3000+ malware rules, 1500+ hack tool and tool output rules, 300+ malicious script and macro rules, 100+ exploit code rules and more than 100 rules for registry and log file matching.

Check VALHALLA’s statistics page to get some examples of THOR’s findings with low Antivirus detection rates.

Custom Indicators and YARA Rules

THOR uses YARA as its main signature format. The way how THOR integrates YARA is fully compatible with normal Yara signatures although THOR extends the standard matching in order to allow certain additional checks.

It is easy to extend the integrated database with your own rules and IOCs. You can add them to the signature database simply by placing these rules in the standard signature folder.

The documentation gives you guidance in cases in which you’d like to utilize the special extensions or encrypt your signatures before the deployment.

THOR as a Plugin

The flexible and portable character of THOR allows deploying it in many different ways. Our customers have integrated THOR as an additional scanner in their malware analysis pipeline, use it in their EDR to scan collected samples and deploy it in live response sessions.

A very compelling integration is the one that extends the live response of Microsoft Defender ATP. While Microsoft Defender ATP fully plays off its strength in detecting live attacks, suspicious processes and network connections, THOR shines as a live forensic scanner that scans the local filesystem, registry, logs and other elements for traces of hacking activity. THOR extends Microsoft Defender ATP’s real-time monitoring by intense local scans to allow a full on-demand compromise assessment.