Suspicious Unsigned Thor Scanner Execution
Detects loading and execution of an unsigned thor scanner binary.
Sigma rule (View on GitHub)
1title: Suspicious Unsigned Thor Scanner Execution
2id: ea5c131b-380d-49f9-aeb3-920694da4d4b
3status: stable
4description: Detects loading and execution of an unsigned thor scanner binary.
5references:
6 - Internal Research
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023-10-29
9tags:
10 - attack.privilege-escalation
11 - attack.persistence
12 - attack.execution
13 - attack.stealth
14 - attack.t1574.001
15logsource:
16 category: image_load
17 product: windows
18detection:
19 selection:
20 Image|endswith:
21 - '\thor.exe'
22 - '\thor64.exe'
23 ImageLoaded|endswith:
24 - '\thor.exe'
25 - '\thor64.exe'
26 filter_main:
27 Signed: 'true'
28 SignatureStatus: 'valid'
29 Signature: 'Nextron Systems GmbH'
30 condition: selection and not filter_main
31falsepositives:
32 - Other legitimate binaries named "thor.exe" that aren't published by Nextron Systems
33level: high
References
Related rules
- APT27 - Emissary Panda Activity
- Aruba Network Service Potential DLL Sideloading
- Creation Of Non-Existent System DLL
- Creation of WerFault.exe/Wer.dll in Unusual Folder
- DHCP Callout DLL Installation