Scanner Comparison
| | LOKI | THOR Lite | THOR |
|---|---|---|---|
| Description | LOKI is an open-source IOC and YARA scanner written in Python. | THOR Lite is a free version of our THOR scanner, shipped with LOKI's open-source signature base and a limited module and feature set. | THOR is our full-featured scanner with numerous modules and additional checks. |
| Type | Free / Open Source | Free / Registration Required | Enterprise Product |
| Main Use Case | Triage | Triage | Triage, Preventive Scanning, Incident Response, Live Forensics |
| Platform | Windows (precompiled), Linux / macOS (source) | Windows, Linux, macOS | Windows, Linux, macOS |
| Size (Binaries) | 8 MB | 38 MB | 38 MB |
| Language | Python | Go | Go |
| Modules (see module comparison) | 3 | 5 | 31 |
| Bundled Signatures | Open Source Signature Set (~4,000 YARA rules) | Open Source Signature Set (~4,000 YARA rules) | Nextron's Private Signature Set (~30,000 YARA and 3,000 Sigma rules) |
| Support and Testing | GitHub README & Issues, Travis-CI | Manual, Internal CI | Manual, Support Portal, Internal CI |
| Special Extras | Levenshtein check, PESieve check, Double Pulsar check | JSON output, SYSLOG (tcp, udp, ssl), Scan Throttling | Full Feature Set |
| Warning | Limited Coverage | Limited Coverage | |
Modules
| Feature | Description | LOKI | THOR Lite | THOR |
|---|---|---|---|---|
| Custom File Hashes | Detect malware or hack tools based on custom file hashes (MD5/SHA1/SHA256). | | | |
| Custom Filename Characteristics | Detect malware or hack tools based on filename characteristics (regular expressions). | | | |
| Custom YARA Rules | Detect malware or hack tools based on YARA signatures (file and process memory scan). | | | |
| Eventlog Analysis | Detect attacker activity and traces of hack tool usage in Windows Eventlogs (including Sysinternals Sysmon, Windows Defender, AppLocker, PowerShell and others). | | | |
| Registry Analysis | Detect registry keys typically used by APT groups to maintain persistence on the system. | | | |
| Autoruns Analysis | Processes all autoruns elements (plugins, registered drivers, WMI consumers, LSA providers) and applies the IOC database. | | | |
| WMI Persistence | Parses OBJECTS.DATA files, lists registered elements and warns on suspicious ones. | | | |
| Profile Directories Check | Checks for irregularities in the user profile directories. | | | |
| SHIM Cache Scan | Detects malicious tools in the SHIM Cache registry section, which logs binary executions on Windows systems. | | | |
| Shell Bags Scan | Analysis of logged shell bags, which show which file system locations have been accessed by users. | | | |
| DNS Cache Analysis | Checks DNS cache entries for suspicious or malicious domain names. | | | |
| Firewall Configuration Check | Checks the local firewall for suspicious rule definitions. | | | |
| Active Sessions Check | Checks the currently active sessions for suspicious attributes, e.g. session length or remote endpoint. | | | |
| Process Analysis | Analysis of the currently running processes for strange hooks, file handles and mutex definitions, network connections, memory strings, working directories and cloaking attempts. | | | |
| Rootkit Checks | Checks for rootkits that use named pipes or communicate via device I/O controls. | | | |
| Active Network Connections | Analysis of all active network connections: users, process IDs, endpoints, strange port numbers. | | | |
| Network Share Check | Irregularities in the network share definitions: user names, share names, permissions. | | | |
| Open Files Check | Files opened by processes: locations, user, permissions. | | | |
| LSA Session Analysis | Checks all active LSA sessions for their duration and for typical malicious user names known from APT cases. | | | |
| Services Checks | Analysis of all local services to detect uncommon configurations: service executable location, start type and user account combination, malware names in the service image path, etc. | | | |
| Scheduled Tasks Analysis | Checks the scheduled tasks for malicious entries. | | | |
| Run Key Contents Analysis | Intensive check of the Run key entries to determine uncommon code executed at startup. | | | |
| Startup Element Analysis (WMI) | Analysis of the startup elements listed via WMI. | | | |
| File System Analysis | Analysis of the file system with signatures to identify attackers' tool sets, common backdoor modifications, hash or password dump files, cloaked executables and much more. | | | |
| MFT Analysis | Scans the Master File Table for entries of already deleted files. | | | |
| Mutex Check | Detects mutexes of malicious programs such as RATs or other malware used by advanced threat groups. | | | |
| Pipes Check | Detects malicious named pipes often used by malware of advanced threat groups. | | | |
| Events Check | Detects malicious registered events often used by malware of advanced threat groups. | | | |
| At Jobs Check | Detects suspicious at job list entries. | | | |
| Host File Analysis | Checks the hosts file for malicious and suspicious entries. | | | |
| Windows Error Report (WER) Analysis | Extracts relevant information from Windows crash reports (Dr. Watson reports) to determine crashes caused by exploits targeting known CVE vulnerabilities in browsers, browser plugins and other software. | | | |
| Vulnerability Check | A basic vulnerability check for the most common vulnerabilities that allow lateral movement (Tomcat misconfiguration, HP Data Protector, missing patches). | | | |
| System File Integrity Check | Checks the integrity of the most common system files using YARA rules. | | | |
| Decompressed EXE Scan | Scans decompressed executables in memory. | | | |
| Archive Scan | Scans decompressed archives in memory. | | | |
| Surface Scan (DeepDive) | Analysis of the disk space to find tools that have already been deleted by the attackers. | | | |
| Text Export | Plain text log file of all events reported by THOR. | | | |
| HTML Report | Structured HTML report of all events reported by THOR. | | | |
| Syslog Export | Syslog export of the events generated by THOR. This export option is fully flexible: you can define different target ports and multiple target systems, use UDP or TCP, and choose between different formats. | | | |
| CEF Message Format | Syslog messages in ArcSight CEF format to receive warnings and alerts in ArcSight SIEM systems. | | | |
| JSON Output Format | Send JSON via UDP/TCP to a remote system or write a local file in JSON format. | | | |
| Throttling | Throttle scans to avoid high CPU usage on productive systems. | | | |
| Big YARA Signature Database | THOR includes a huge YARA signature database with more than 30,000 rules from different sources. These rules include selected antivirus rules and signatures for hack tools, web shells, networking tools and other software used by attackers on compromised systems. (AES256 encrypted) | | | |
| Client APT Signature Database | THOR includes a YARA signature database with more than 240 rules from APT investigations in our client environments. (AES256 encrypted) | | | |
| Drop Zone Mode | Define a folder in which to look for new samples and scan (and optionally delete) dropped samples. | | | |
| THOR Remote | Remotely scan a system or set of systems from a single privileged Windows workstation. | | | |
| THOR ETW Watcher | A live system watcher thread that uses ETW to detect Cobalt Strike beacon activity and other threats. | | | |
| Eventlog Sigma Rule Scan | Apply Sigma rules in the Eventlog scan (Security, System, Application, Sysmon, PowerShell, Task Scheduler, WMI Activity). | | | |
| STIX v2 | Provide your own indicators of compromise via STIX v2 documents. The common observables used in STIX will be applied in various checks and modules. | | | |