Compare our Scanners - Nextron Systems

Custom File Hashes

Detect malware or hack tools based on custom file hashes (MD5, SHA1 or SHA256)

Custom Filename Characteristics

Detect malware or hack tools based on filename characteristics (Regular Expression)
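The two custom-IOC features above (file hashes and filename regular expressions) come down to one walk over the file system with two kinds of lookups. The following is an added example, not THOR's code: it infers the digest type from its length (32 hex characters for MD5, 40 for SHA1, 64 for SHA256), hashes each file once for every algorithm the IOC set uses, and matches filename regexes against the full path. The IOC lines, the regex patterns and the sample files are constructed for the demo; the regexes are written with forward slashes so the example runs on any platform.

```python
"""Added example (not THOR's code): applying custom hash IOCs and filename
regex IOCs to a directory tree. All IOC values and sample files are
constructed placeholders, not real indicators."""
import hashlib
import os
import re
import tempfile

# Constructed IOC list in a 'digest;description' format (hypothetical layout).
HASH_IOC_LINES = """\
# constructed hash IOCs: digest;description
d41d8cd98f00b204e9800998ecf8427e;empty file (MD5 of zero bytes)
b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9;SHA256 of the ASCII string hello world
""".splitlines()

# Constructed filename regexes; paths are normalised to '/' before matching.
FILENAME_IOCS = [
    r"(?i)/(mimikatz|procdump|psexec)[^/]*\.exe$",
    r"(?i)/(temp|tmp)/[a-z0-9]{8}\.(exe|dll|ps1)$",
]

ALGO_BY_DIGEST_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def load_hash_iocs(lines):
    """Parse 'digest;description' lines into {algorithm: {digest: description}}."""
    iocs = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, desc = line.partition(";")
        digest = digest.strip().lower()
        algo = ALGO_BY_DIGEST_LEN.get(len(digest))
        if algo is None or not re.fullmatch(r"[0-9a-f]+", digest):
            raise ValueError(f"not an MD5/SHA1/SHA256 digest: {digest!r}")
        iocs.setdefault(algo, {})[digest] = desc.strip() or "custom hash IOC"
    return iocs


def file_digests(path, algos):
    """Read the file once and feed every requested hash algorithm from that read."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan_tree(root, hash_iocs, filename_iocs):
    """Return (path, kind, detail) hits; kind is 'filename' or the digest algorithm."""
    patterns = [re.compile(p) for p in filename_iocs]
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            normalized = path.replace(os.sep, "/")  # regexes use '/' separators
            for pat in patterns:
                if pat.search(normalized):
                    hits.append((path, "filename", pat.pattern))
            if hash_iocs:
                digests = file_digests(path, hash_iocs)
                for algo, table in hash_iocs.items():
                    if digests[algo] in table:
                        hits.append((path, algo, table[digests[algo]]))
    return hits


def demo():
    """Build a constructed directory tree, scan it and return (relative path, kind) hits."""
    sample_files = {  # constructed content, not real malware
        "tools/mimikatz.exe": b"constructed sample, not a real binary",
        "Temp/a1b2c3d4.ps1": b"Write-Host constructed",
        "payload.bin": b"hello world",
        "empty.bin": b"",
        "docs/readme.txt": b"benign text",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample_files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        hits = scan_tree(root, load_hash_iocs(HASH_IOC_LINES), FILENAME_IOCS)
        return sorted((os.path.relpath(p, root).replace(os.sep, "/"), kind) for p, kind, _ in hits)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Hashing with every configured algorithm in one pass keeps the cost of a large IOC set at one disk read per file; the regex list should be matched against the full path rather than the basename so that location-based indicators (a script in a temp directory) work as intended.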

Custom Yara Rules

Detect malware or hack tools based on YARA signatures (file and process memory scan)

Eventlog Analysis

Detect attacker activity and traces of hack tool usage in Windows event logs (including Sysinternals Sysmon, Windows Defender, AppLocker, PowerShell and others)

Registry Analysis

Detect registry keys typically used by APT groups to maintain persistence on the system

Autoruns Analysis

Processes all autorun elements (plugins, registered drivers, WMI consumers, LSA providers) and applies the IOC database to them

WMI Persistence

Parses the WMI repository file OBJECTS.DATA, lists the registered elements and warns on suspicious ones

Profile Directories Check

Checks for irregularities in the user profile directories

SHIM Cache Scan

Detects malicious tools in the ShimCache (AppCompatCache) registry data, which records executables seen on Windows systems; note that on current Windows versions an entry shows that a file was present and examined, not necessarily that it was executed

Shell Bags Scan

Analysis of the ShellBags registry data, which records which file system locations users have browsed

DNS Cache Analysis

Checking DNS cache entries for suspicious or malicious domain names

Firewall Configuration Check

Checking the local firewall for suspicious rule definitions

Active Sessions Check

Checking the currently active sessions for suspicious attributes, e.g. session duration or the remote endpoint

Process Analysis

Analysis of the currently running processes for unusual hooks, file handles and mutex definitions, network connections, memory strings, working directories and cloaking attempts

Rootkit Checks

Checks for rootkits that use named pipes or communicate via device I/O controls

Active Network Connections

Analysis of all active network connections: owning users, process IDs, endpoints and unusual port numbers

Network Share Check

Checks the network share definitions for irregularities in user names, share names and permissions

Open Files Check

Checks the files opened by processes: locations, owning user and permissions

LSA Session Analysis

Checking all active LSA sessions for unusual duration and for user names known from APT cases

Services Checks

Analysis of all local services to detect uncommon configurations: service executable location, combinations of start type and user account, malware names in the service image path, etc.

Scheduled Tasks Analysis

Checking the scheduled tasks for malicious entries

Run Key Contents Analysis

In-depth check of the Run key entries to find uncommon code executed at startup

Startup Element Analysis (WMI)

Analysis of the Startup Elements listed via WMI

File System Analysis

Analysis of the file system with signatures to identify attackers' tool sets, common backdoor modifications, hash or password dump files, cloaked executables and much more.

MFT Analysis

Scanning the Master File Table for entries of already deleted files

Mutex Check

Detects mutexes created by malicious programs such as RATs and other malware used by advanced threat groups

Pipes Check

Detects malicious named pipes often used by malware of advanced threat groups

Events Check

Detects malicious registered events often used by malware of advanced threat groups

At Jobs Check

Detects suspicious at job list entries

Host File Analysis

The analysis checks the hosts file for malicious and suspicious entries.
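The hosts file check above and the DNS cache check earlier on this page share one core: a hostname compared against a domain watch list on label boundaries, plus a few hosts-specific heuristics (a protected update or AV domain pointed at loopback or 0.0.0.0, a name pinned to a non-local address). The following is an added example, not THOR's code; the hosts text, the DNS cache entries, the protected-domain list and the domain IOCs are constructed placeholders using reserved example ranges and `.example` names.

```python
"""Added example (not THOR's code): hosts-file and DNS-cache analysis reduced
to its core logic. All domains, IOCs and cache entries are constructed."""
import ipaddress

# Domains attackers commonly sinkhole to cripple updates and AV (placeholders;
# a real list would hold the actual vendor and update domains).
PROTECTED_DOMAINS = {"av-vendor.example", "windowsupdate.example"}
# Domain IOCs, matched on label boundaries so "notevil.example" does not hit.
IOC_DOMAINS = {"evil.example"}

HOSTS_TEXT = """\
127.0.0.1    localhost
::1          localhost
# constructed AV-update hijack
127.0.0.1    update.av-vendor.example liveupdate.av-vendor.example
0.0.0.0      windowsupdate.example
203.0.113.7  login.bank.example   # constructed: bank site pinned to an attacker IP
198.51.100.9 c2.evil.example
"""

DNS_CACHE = [  # (name, record type, data), constructed
    ("www.corp.example", "A", "203.0.113.10"),
    ("beacon.evil.example", "A", "198.51.100.9"),
    ("notevil.example", "A", "203.0.113.11"),
]

# RFC 1918 / ULA ranges; loopback, unspecified and link-local are checked separately.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def domain_in_set(name, domains):
    """Return the matching watch-list domain if name equals it or is a subdomain of it, else None."""
    name = name.lower().rstrip(".")
    for d in domains:
        d = d.lower()
        if name == d or name.endswith("." + d):
            return d
    return None


def parse_hosts(text):
    """Yield (ip, hostname) pairs; strips comments and expands alias lists."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for n in names:
            yield ip, n


def is_sinkhole(ip):
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return is_sinkhole(ip) or addr.is_link_local or any(addr in net for net in LOCAL_NETS)


def analyze_hosts(text):
    """Return (source, hostname, reason) findings for a hosts file."""
    findings = []
    for ip, host in parse_hosts(text):
        if host.lower() == "localhost":
            continue
        if domain_in_set(host, IOC_DOMAINS):
            findings.append(("hosts", host, "matches domain IOC"))
        elif domain_in_set(host, PROTECTED_DOMAINS):
            why = "sinkholed" if is_sinkhole(ip) else "redirected to " + ip
            findings.append(("hosts", host, "protected domain " + why))
        elif not is_local(ip):
            # Heuristic: workstations rarely pin public names to non-local addresses.
            findings.append(("hosts", host, "mapped to non-local address " + ip))
    return findings


def analyze_dns_cache(entries):
    """Return findings for cached names that match a domain IOC."""
    return [("dnscache", name, "matches domain IOC")
            for name, _rtype, _data in entries if domain_in_set(name, IOC_DOMAINS)]


if __name__ == "__main__":
    for f in analyze_hosts(HOSTS_TEXT) + analyze_dns_cache(DNS_CACHE):
        print(f)
```

The label-boundary comparison matters in both directions: it catches any subdomain of an IOC domain (`beacon.evil.example`) without false-matching names that merely end in the same characters (`notevil.example`).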

Windows Error Reporting (WER) Analysis

This check extracts relevant information from Windows Error Reporting crash reports (formerly Dr. Watson reports) to identify crashes caused by exploits targeting known CVE vulnerabilities in browsers, browser plugins and other software.

Vulnerability Check

A basic check for the most common vulnerabilities and misconfigurations that enable lateral movement (Tomcat misconfiguration, HP Data Protector, missing patches)

System File Integrity Check

Checks the integrity of the most common system files by using YARA rules

Decompressed EXE Scan

Decompresses packed executables in memory and scans the decompressed code

Archive Scan

Extracts archives in memory and scans their contents

Surface Scan (DeepDive)

Analysis of the raw disk space to find tools that attackers have already deleted.

Text Export

Plain text log file of all events reported by THOR.

HTML Report

Structured HTML Report of all events reported by THOR.

Syslog Export

Syslog export of the events generated by THOR. This export option is fully flexible: you can define target ports and multiple target systems, choose UDP or TCP transport and select from several message formats. (Syslog over UDP is unacknowledged, so events can be lost under load; prefer TCP where delivery matters.)

CEF Message Format

Sends syslog messages in ArcSight CEF format so that warnings and alerts can be received by ArcSight SIEM systems.
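CEF has two escaping regimes that receivers are strict about: in the pipe-delimited header, backslash and pipe must be escaped; in the key=value extension, backslash and equals sign must be escaped and newlines encoded as `\n`. The block below is an added example, not THOR's code, showing a scanner finding rendered as a CEF message inside a BSD-style syslog line. The vendor, product, version, signature ID and extension keys are placeholders, and the finding is constructed; THOR's own CEF field mapping is not shown on this page.

```python
"""Added example (not THOR's code): CEF message construction with correct
header/extension escaping, wrapped in an RFC 3164 style syslog line.
Vendor, product, signature ID and the finding itself are placeholders."""
import datetime


def cef_escape_header(value):
    """Header fields: escape backslash and pipe; newlines are not permitted."""
    return (str(value).replace("\\", "\\\\").replace("|", "\\|")
            .replace("\r", " ").replace("\n", " "))


def cef_escape_extension(value):
    """Extension values: escape backslash and '='; encode line breaks as literal \\n."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r\n", "\\n").replace("\n", "\\n").replace("\r", "\\n"))


def cef_message(vendor, product, version, signature_id, name, severity, extension):
    """Build 'CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension'."""
    if not 0 <= int(severity) <= 10:
        raise ValueError("CEF severity must be in the range 0..10")
    for key in extension:
        if " " in key or "=" in key:  # keys are bare identifiers, never escaped
            raise ValueError(f"invalid CEF extension key: {key!r}")
    header = "|".join(cef_escape_header(v) for v in (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={cef_escape_extension(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def syslog_line(facility, severity, hostname, timestamp, message):
    """BSD syslog framing: <PRI> where PRI = facility*8 + severity, then 'Mmm dd hh:mm:ss host'."""
    pri = facility * 8 + severity
    stamp = timestamp.strftime("%b") + f" {timestamp.day:2d} " + timestamp.strftime("%H:%M:%S")
    return f"<{pri}>{stamp} {hostname} {message}"


def demo():
    """Render one constructed filename-IOC finding as a syslog-framed CEF line."""
    finding = {  # constructed finding; key names follow common CEF extension keys
        "rt": "1710072000000",  # event time as epoch milliseconds
        "dhost": "WS-0042",
        "fname": "mimikatz.exe",
        "filePath": "C:\\Users\\bob\\AppData\\Local\\Temp\\mimikatz.exe",
        "cs1Label": "Reason",
        "cs1": "Filename IOC match: pattern=(?i)mimikatz.*\\.exe$",
    }
    msg = cef_message("ExampleVendor", "ExampleScanner", "1.0", "FILE_IOC",
                      "Filename IOC match", 8, finding)
    # facility 1 (user-level), severity 4 (warning) -> PRI 12
    return syslog_line(1, 4, "WS-0042", datetime.datetime(2024, 3, 10, 12, 0, 0), msg)


if __name__ == "__main__":
    print(demo())
```

The usual breakage is a Windows path or a regex in an extension value: every backslash must be doubled and every `=` inside a value escaped, or the receiver splits the extension at the wrong place and the rest of the event lands in the wrong field.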

JSON Output Format

Send JSON via UDP/TCP to a remote system or write a local file in JSON format

Throttling

Throttle scans to avoid high CPU usage on production systems

Big Yara Signature Database

THOR includes a huge YARA signature database with more than 30,000 rules from different sources. These rules include selected antivirus rules and signatures for hack tools, web shells, networking tools and other software used by attackers on compromised systems. (AES-256 encrypted)

Client APT Signature Database

THOR includes a YARA signature database with more than 240 rules from APT investigations in our client environments. (AES-256 encrypted)

Drop Zone Mode

Define a folder that is watched for new samples; dropped samples are scanned (and optionally deleted)

THOR Remote

Remotely scan a system or set of systems from a single privileged Windows workstation

THOR ETW Watcher

A live system watcher thread that uses ETW (Event Tracing for Windows) to detect Cobalt Strike beacon activity and other threats

Eventlog Sigma Rule Scan

Apply Sigma rules in the Eventlog Scan (Security, System, Application, Sysmon, PowerShell, Task Scheduler, WMI Activity)
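Applying a Sigma rule to event log records means evaluating each named selection (a map of `Field|modifier` keys, AND across fields, OR across list values, case-insensitive) and then combining the results with the rule's `condition` expression. The following is an added example, not THOR's Sigma engine: a minimal matcher for the common subset (`contains`, `startswith`, `endswith`, `|all`, and conditions built from identifiers, `and`, `or`, `not` and parentheses), run over constructed process-creation records. The rule is written as a Python dict equivalent to its YAML form so the example has no dependencies; it is a constructed rule, not one from THOR's rule set.

```python
"""Added example (not THOR's code): a minimal Sigma rule matcher for the
common subset of the specification, run over constructed event records."""
import re

# Constructed rule, expressed as the dict form of the usual YAML.
RULE = {
    "title": "Encoded PowerShell command line (constructed example rule)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-encodedcommand", "-e "],
        },
        "filter": {"User|endswith": "\\svc_backup"},  # constructed allow-listed account
        "condition": "selection and not filter",
    },
}

# Constructed Sysmon EventID 1 style records, reduced to the fields the rule needs.
EVENTS = [
    {"EventRecordID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA", "User": "CORP\\bob"},
    {"EventRecordID": 2, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1", "User": "CORP\\bob"},
    {"EventRecordID": 3, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "User": "CORP\\bob"},
    {"EventRecordID": 4, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand SQBFAFgA", "User": "CORP\\svc_backup"},
    {"EventRecordID": 5, "Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -e SQBFAFgA", "User": "CORP\\alice"},
]


def _match_value(value, pattern, modifiers):
    """Sigma string matching is case-insensitive; modifiers select the comparison."""
    v, p = str(value).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return p in v
    if "startswith" in modifiers:
        return v.startswith(p)
    if "endswith" in modifiers:
        return v.endswith(p)
    return v == p


def _match_field(event, key, patterns):
    """'Field|mod1|mod2': list values are OR-ed unless the 'all' modifier is present."""
    field, *modifiers = key.split("|")
    if field not in event:
        return False
    pats = patterns if isinstance(patterns, list) else [patterns]
    combine = all if "all" in modifiers else any
    return combine(_match_value(event[field], p, modifiers) for p in pats)


def match_selection(event, selection):
    """Map form: every field must match (AND). List form: any map matches (OR)."""
    if isinstance(selection, list):
        return any(match_selection(event, s) for s in selection)
    return all(_match_field(event, k, v) for k, v in selection.items())


def eval_condition(condition, results):
    """Evaluate identifiers, and/or/not and parentheses over pre-computed selection results."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def parse_or():
        val = parse_and()
        while peek() == "or":
            take()
            rhs = parse_and()  # always parse the right side so tokens are consumed
            val = val or rhs
        return val

    def parse_and():
        val = parse_not()
        while peek() == "and":
            take()
            rhs = parse_not()
            val = val and rhs
        return val

    def parse_not():
        if peek() == "not":
            take()
            return not parse_not()
        if peek() == "(":
            take()
            val = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parentheses in condition")
            return val
        return results[take()]  # KeyError for an identifier the rule never defines

    val = parse_or()
    if pos != len(tokens):
        raise ValueError(f"unexpected token in condition: {tokens[pos]!r}")
    return val


def rule_matches(rule, event):
    det = rule["detection"]
    results = {name: match_selection(event, sel) for name, sel in det.items() if name != "condition"}
    return eval_condition(det["condition"], results)


def scan_events(rule, events):
    """Return the EventRecordIDs of all events the rule fires on."""
    return [e["EventRecordID"] for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    print(RULE["title"], "->", scan_events(RULE, EVENTS))
```

Record 2 shows why the `-e ` pattern carries a trailing space: without it, `-ExecutionPolicy` would also match and the rule would fire on ordinary script execution. Record 4 is suppressed by the `filter` selection, which is how Sigma rules express tuning exceptions without weakening the main selection.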

STIX v2

Provide your own indicators of compromise via STIX v2 documents. The common observables used in STIX will be applied in various checks and modules.