Detectionhighstable

Suspicious Unsigned Thor Scanner Execution

Detects loading and execution of an unsigned thor scanner binary.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Sun Oct 29ea5c131b-380d-49f9-aeb3-920694da4d4bwindows

Log Source

WindowsImage Load (DLL)

ProductWindows← raw: windows

CategoryImage Load (DLL)← raw: image_load

Detection Logic

detection:
    selection:
        Image|endswith:
            - '\thor.exe'
            - '\thor64.exe'
        ImageLoaded|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    filter_main:
        Signed: 'true'
        SignatureStatus: 'valid'
        Signature: 'Nextron Systems GmbH'
    condition: selection and not filter_main

False Positives

Other legitimate binaries named "thor.exe" that aren't published by Nextron Systems

References

Resolving title…

Internal Research

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0003 · Persistence TA0005 · Defense Evasion

Sub-techniques

T1574.001 · DLL Search Order Hijacking

Rule Metadata

Rule ID

ea5c131b-380d-49f9-aeb3-920694da4d4b

Status

stable

Level

high

Type

Detection

Created

Sun Oct 29

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/image_load/image_load_thor_unsigned_execution.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.defense-evasionattack.t1574.001

View on GitHub