Suspicious Unsigned Thor Scanner Execution
Detects loading and execution of an unsigned thor scanner binary.
Sigma rule (View on GitHub)
1title: Suspicious Unsigned Thor Scanner Execution
2id: ea5c131b-380d-49f9-aeb3-920694da4d4b
3status: stable
4description: Detects loading and execution of an unsigned thor scanner binary.
5references:
6 - Internal Research
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023-10-29
9tags:
10 - attack.privilege-escalation
11 - attack.persistence
12 - attack.defense-evasion
13 - attack.t1574.001
14logsource:
15 category: image_load
16 product: windows
17detection:
18 selection:
19 Image|endswith:
20 - '\thor.exe'
21 - '\thor64.exe'
22 ImageLoaded|endswith:
23 - '\thor.exe'
24 - '\thor64.exe'
25 filter_main:
26 Signed: 'true'
27 SignatureStatus: 'valid'
28 Signature: 'Nextron Systems GmbH'
29 condition: selection and not filter_main
30falsepositives:
31 - Other legitimate binaries named "thor.exe" that aren't published by Nextron Systems
32level: high
References
Related rules
- APT27 - Emissary Panda Activity
- Aruba Network Service Potential DLL Sideloading
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- DHCP Callout DLL Installation
- DHCP Server Error Failed Loading the CallOut DLL