DFIR Hunting Tools: THOR, Loki, Chainsaw: The Open-Source Arsenal That Finds What EDR Misses

EDR platforms are essential, but they are not omniscient. They miss things. Fileless malware that operates entirely in memory, attacker tooling that was removed before the agent was deployed, lateral movement buried in weeks of Windows Event Logs, or persistence mechanisms using legitimate system binaries. When an incident responder lands on a compromised system or receives a triage package, they need tools that go deeper than what the EDR console shows.

This article covers the tools that working incident responders actually use to find evidence of compromise. Some are open-source, some are commercial, and all of them fill gaps that standard security tooling leaves open.

THOR APT Scanner

Developer: Nextron Systems Type: Commercial (THOR Lite available free for limited use) Platform: Windows, Linux, macOS Link: nextron-systems.com/thor

THOR is a comprehensive compromise assessment scanner built by Florian Roth and the Nextron Systems team. Where most tools focus on one thing, THOR combines file scanning, log analysis, process inspection, and anomaly detection into a single portable scanner that runs locally on the target system.

THOR scans for indicators of compromise using a regularly updated signature database that includes thousands of YARA rules, Sigma rules, IOC definitions, and heuristic checks derived from real-world incident response engagements. It inspects running processes, loaded modules, network connections, scheduled tasks, registry keys, WMI persistence, startup locations, and filesystem artefacts in a single pass.

# Run a full THOR scan on a Windows system
thor64.exe --alldrives --intense

# Scan a mounted forensic image
thor64.exe --lab -p E:\mounted-image\

# Scan with specific focus on process memory
thor64.exe --processcheck

What makes THOR particularly effective is its detection of “soft indicators”, things that are not definitively malicious on their own but are suspicious in combination. A base64-encoded PowerShell command in a scheduled task, a renamed system binary in an unusual directory, a service running from a temporary folder. THOR scores and aggregates these findings so the analyst can focus on what matters.

THOR Lite is a free version with a reduced rule set that still covers a significant portion of common threats. It is worth keeping on a USB drive as part of any IR toolkit.

When to use it: Initial compromise assessment on live systems or mounted images. Particularly effective when you suspect a breach but do not know the scope, or when onboarding a new client and need to validate that their environment is clean.

Loki

Developer: Nextron Systems Type: Open-source (GPLv3) Platform: Windows, Linux, macOS Link: github.com/Neo23x0/Loki

Loki is THOR’s open-source sibling. It is a straightforward IOC and YARA scanner that checks a system against known indicators of compromise. Where THOR is a full compromise assessment platform, Loki is deliberately focused: it scans files, processes, and specific system locations against signature databases and reports matches.

# Basic scan
python3 loki.py

# Scan a specific directory
python3 loki.py -p /path/to/scan/

# Scan with additional custom YARA rules
python3 loki.py --custom-yara /path/to/custom-rules/

# Update signatures before scanning
python3 loki.py --update

Loki ships with a curated set of YARA rules and hash-based IOCs maintained by Nextron Systems. It checks for filename patterns associated with known attacker tools, hashes of known malicious files, YARA rule matches against file contents, and process anomalies such as suspicious parent-child relationships.

Sample output when Loki finds something:

[ALERT] FILE: C:\Users\admin\AppData\Local\Temp\svc.exe
  REASON: Matches YARA rule 'CobaltStrike_Beacon_Encoded'
  SCORE: 100
  HASH: 5f2b3a1c... (SHA256)

[WARNING] PROCESS: rundll32.exe (PID: 4521)
  REASON: Suspicious command line - rundll32 loading DLL from Temp directory
  CMD: rundll32.exe C:\Users\admin\AppData\Local\Temp\debug.dll,StartW

When to use it: Quick triage scanning when you need a free, portable tool that can be run across multiple systems. It is less comprehensive than THOR but covers the most common indicators and is easy to deploy at scale via scripting or remote execution tools.

Chainsaw

Developer: WithSecure Labs (formerly F-Secure) Type: Open-source (GPLv3) Platform: Windows, Linux, macOS Link: github.com/WithSecureLabs/chainsaw

Chainsaw is purpose-built for one thing: rapidly searching and analysing Windows Event Logs. During incident response, you often end up with gigabytes of .evtx files and need to find evidence of lateral movement, privilege escalation, persistence, or credential access buried across Security, System, PowerShell, Sysmon, and dozens of other log channels. Chainsaw makes this fast.

It uses Sigma detection rules as its primary detection logic, which means it benefits from the entire open-source Sigma rule community. It also supports custom detection rules in its own YAML-based format and keyword searching.

# Hunt through event logs using Sigma rules
chainsaw hunt /path/to/evtx/ -s sigma/rules/ --mapping mappings/sigma-event-logs-all.yml

# Search for a specific keyword across all logs
chainsaw search "mimikatz" /path/to/evtx/

# Search for a specific Event ID
chainsaw search -e 4624 /path/to/evtx/

# Hunt with both Sigma rules and Chainsaw's built-in rules
chainsaw hunt /path/to/evtx/ -s sigma/rules/ -r rules/ --mapping mappings/sigma-event-logs-all.yml

# Output results as JSON for further processing
chainsaw hunt /path/to/evtx/ -s sigma/rules/ --json --output results.json

A typical Chainsaw hunt across a few gigabytes of event logs completes in seconds. It will flag events like:

• Pass-the-hash and pass-the-ticket authentication (Event ID 4624 with logon type 9)
• Suspicious service installations (Event ID 7045)
• PowerShell script block logging showing encoded commands (Event ID 4104)
• Sysmon process creation with suspicious parent-child chains (Event ID 1)
• Scheduled task creation for persistence (Event ID 4698)
• Security log clearing (Event ID 1102)

When to use it: Any time you have Windows Event Logs to analyse. It is the fastest way to get from a pile of .evtx files to a list of suspicious events ranked by severity. Pairs well with log collection tools like KAPE.

Hayabusa

Developer: Yamato Security Type: Open-source (GPLv3) Platform: Windows, Linux, macOS Link: github.com/Yamato-Security/hayabusa

Hayabusa is a Windows Event Log analysis tool written in Rust that serves a similar purpose to Chainsaw but with a different focus. Where Chainsaw is optimised for hunting and searching, Hayabusa excels at generating forensic timelines and provides more granular output formatting options. It also uses Sigma rules and maintains its own extensive set of detection rules.

# Generate a timeline from event logs
hayabusa csv-timeline -d /path/to/evtx/ -o timeline.csv

# Run threat hunting with all rules
hayabusa csv-timeline -d /path/to/evtx/ -o timeline.csv -p super-verbose

# Generate a summary of findings by severity
hayabusa metrics -d /path/to/evtx/

# Output a condensed timeline of critical and high severity events only
hayabusa csv-timeline -d /path/to/evtx/ -o critical.csv -l critical -l high

Hayabusa’s timeline output is particularly useful for building a chronological picture of attacker activity across multiple log sources. Load the CSV output into Timeline Explorer (part of Eric Zimmerman’s toolset) or a spreadsheet and you have a filterable, sortable view of every suspicious event correlated by timestamp.

The metrics command is useful for rapid triage, it gives you a count of detections by severity level so you immediately know whether you are dealing with a handful of alerts or hundreds.

When to use it: When you need a forensic timeline from Windows Event Logs, or when you want structured CSV/JSON output for ingestion into other analysis tools. Many responders use both Chainsaw and Hayabusa as they have different rule sets and output formats that complement each other.

Velociraptor

Developer: Rapid7 (originally Mike Cohen) Type: Open-source Platform: Windows, Linux, macOS Link: github.com/Velocidex/velociraptor

Velociraptor is a DFIR platform that goes beyond a single-purpose tool. It provides endpoint visibility, artifact collection, and threat hunting across an entire fleet through a server-agent architecture. Think of it as an open-source alternative to commercial EDR forensic capabilities.

Velociraptor uses VQL (Velociraptor Query Language) to define collection artifacts. The community maintains hundreds of pre-built artifacts covering common forensic data sources:

-- Collect prefetch files for evidence of execution
SELECT * FROM Artifact.Windows.Forensics.Prefetch()

-- Hunt for persistence mechanisms
SELECT * FROM Artifact.Windows.Sys.StartupItems()

-- Collect browser history
SELECT * FROM Artifact.Windows.Applications.Chrome.History()

-- Search for YARA matches across the filesystem
SELECT * FROM Artifact.Generic.Detection.Yara.Glob(
  PathGlob="C:/Users/**",
  YaraRule="rule test { strings: $a = \"mimikatz\" condition: $a }"
)

-- Collect memory from a Linux endpoint using AVML
SELECT * FROM Artifact.Linux.Memory.Acquisition()

Velociraptor can be deployed as a standalone binary for single-system triage or as a full server deployment for fleet-wide hunting. In incident response, the common pattern is to deploy the server rapidly, push agents to affected systems, and run targeted artifact collections, all within minutes.

When to use it: When you need to investigate and collect artefacts from multiple systems simultaneously, or when you need ongoing monitoring capability during an active incident. It fills the gap between manual forensic tools and full commercial EDR platforms.

KAPE (Kroll Artifact Parser and Extractor)

Developer: Eric Zimmerman (Kroll) Type: Free (closed source) Platform: Windows Link: kape.sh

KAPE is not an analysis tool, it is a collection tool. It rapidly collects forensic artefacts from a live Windows system or mounted image and packages them for analysis. In practice, KAPE is often the first tool deployed to a compromised system because it gathers everything an analyst needs without requiring a full disk image.

# Collect common triage artefacts
kape.exe --tsource C: --tdest E:\collection\ --tflush --target !SANS_Triage

# Collect and process with multiple parsers
kape.exe --tsource C: --tdest E:\collection\ --target !SANS_Triage --mdest E:\processed\ --module !EZParser

KAPE collects event logs, registry hives, prefetch files, browser data, jump lists, SRUDB, $MFT, amcache, shimcache, scheduled tasks, and dozens of other forensic artefact categories. A full triage collection typically takes 5-15 minutes and produces a package of a few gigabytes rather than a full disk image of hundreds of gigabytes.

When to use it: First step in any Windows incident response. Collect artefacts with KAPE, then analyse them with Chainsaw (event logs), Hayabusa (timelines), and Zimmerman’s parsers (registry, prefetch, shellbags, etc.).

Putting Together a Toolkit

These tools are most effective when used together. A practical IR toolkit workflow:

1. Collection: Deploy KAPE on Windows systems to gather forensic artefacts. On Linux, use targeted collection scripts or Velociraptor artifacts. Acquire memory using AVML where needed.

2. Scanning: Run THOR (or Loki if licensing is a constraint) against live systems or collected artefacts to identify known malware, attacker tools, and suspicious anomalies.

3. Log Analysis: Feed collected event logs through both Chainsaw and Hayabusa. Chainsaw for rapid hunting and specific searches, Hayabusa for comprehensive timeline generation.

4. Fleet-Wide Hunting: If the incident spans multiple systems, deploy Velociraptor to hunt for indicators across the environment simultaneously rather than investigating one system at a time.

5. Deep Dive: Use findings from the above tools to guide targeted forensic analysis, including memory forensics, registry analysis, and malware reverse engineering as needed.

The value of these tools is that they bring the collective detection knowledge of the DFIR community (through Sigma rules, YARA rules, and IOC databases) to bear on your specific incident, without requiring every analyst to carry that knowledge in their head. Keep them updated, keep them accessible, and practice using them before you need them.

---

Related Services:

• Incident Response & Forensics
• Threat Intelligence & Monitoring
• Security Reviews & Compliance