Suspicious Unsigned Thor Scanner Execution
Detects loading and execution of an unsigned thor scanner binary.
Sigma rule (View on GitHub)
1title: Suspicious Unsigned Thor Scanner Execution
2id: ea5c131b-380d-49f9-aeb3-920694da4d4b
3status: stable
4description: Detects loading and execution of an unsigned thor scanner binary.
5references:
6 - Internal Research
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023/10/29
9tags:
10 - attack.defense_evasion
11 - attack.t1574.002
12logsource:
13 category: image_load
14 product: windows
15detection:
16 selection:
17 Image|endswith:
18 - '\thor.exe'
19 - '\thor64.exe'
20 ImageLoaded|endswith:
21 - '\thor.exe'
22 - '\thor64.exe'
23 filter_main:
24 Signed: 'true'
25 SignatureStatus: 'valid'
26 Signature: 'Nextron Systems GmbH'
27 condition: selection and not filter_main
28falsepositives:
29 - Other legitimate binaries named "thor.exe" that aren't published by Nextron Systems
30level: high
References
Related rules
- Diamond Sleet APT DLL Sideloading Indicators
- Potential Azure Browser SSO Abuse
- Tasks Folder Evasion
- Third Party Software DLL Sideloading
- DLL Search Order Hijackig Via Additional Space in Path