LoFP / other legitimate binaries named "thor.exe" that aren't published by Nextron Systems

Techniques

Sample rules

Suspicious Unsigned Thor Scanner Execution

Description

Detects loading and execution of an unsigned thor scanner binary.

Detection logic

condition: selection and not filter_main
filter_main:
  Signature: Nextron Systems GmbH
  SignatureStatus: valid
  Signed: 'true'
selection:
  ImageLoaded|endswith:
  - \thor.exe
  - \thor64.exe
  Image|endswith:
  - \thor.exe
  - \thor64.exe
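
The detection logic above, evaluated over four constructed image-load events. This is an added example, not part of the original rule or of the Sigma project. The event values, paths and the publisher "Example Software Ltd" are assumptions, and the matcher covers only the `endswith` modifier and the case-insensitive equality this rule uses. The third event is the false positive this entry names: a validly signed thor.exe from another publisher still fires.

```python
# Added example: the rule's condition applied to constructed events (not the project's code).
RULE = {
    "selection": {
        "ImageLoaded|endswith": [r"\thor.exe", r"\thor64.exe"],
        "Image|endswith": [r"\thor.exe", r"\thor64.exe"],
    },
    "filter_main": {
        "Signature": "Nextron Systems GmbH",
        "SignatureStatus": "valid",
        "Signed": "true",
    },
}

def field_matches(event, key, expected):
    """One field test: list values are OR-ed, comparison is case-insensitive."""
    name, _, modifier = key.partition("|")
    actual = str(event.get(name, "")).lower()  # a missing field never matches
    values = expected if isinstance(expected, list) else [expected]
    if modifier == "endswith":
        return any(actual.endswith(v.lower()) for v in values)
    return any(actual == v.lower() for v in values)

def block_matches(event, block):
    """Every field inside one named block must match (AND)."""
    return all(field_matches(event, k, v) for k, v in block.items())

def rule_fires(event):
    """condition: selection and not filter_main"""
    return block_matches(event, RULE["selection"]) and not block_matches(event, RULE["filter_main"])

def ev(path, signed, signature, status):
    """Build a constructed event where the process image loads itself."""
    return {"Image": path, "ImageLoaded": path, "Signed": signed,
            "Signature": signature, "SignatureStatus": status}

# Constructed sample events; every path and the second publisher name are made up.
EVENTS = {
    "genuine_signed": ev(r"C:\tools\thor\thor64.exe", "true", "Nextron Systems GmbH", "Valid"),
    "unsigned_copy": ev(r"C:\Users\Public\thor.exe", "false", "", "Unavailable"),
    "other_vendor": ev(r"C:\Program Files\Example\thor.exe", "true", "Example Software Ltd", "Valid"),
    "unrelated": ev(r"C:\apps\author.exe", "false", "", "Unavailable"),
}

def evaluate():
    return {name: rule_fires(event) for name, event in EVENTS.items()}

if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:15} {'ALERT' if fired else 'no match'}")
```

The `unrelated` event shows why the leading backslash in the `endswith` values matters: `author.exe` ends with `thor.exe` but not with `\thor.exe`.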