6. Scan Modes

You can select between six different scan modes in THOR:

  • Default

    We recommend using the default scan mode for all sweeping activities. Scans take from one to six hours, depending on the partition size and number of interesting files.

    In default mode, THOR automatically chooses the "Soft" mode if the system has only limited CPU and RAM resources.

    There is a special "Lab Scanning" method (--lab), described in section Lab Scanning, which lifts many of the default limits and allows scanning mounted images in a lab scenario, even with multiple THOR instances running on a single workstation.

    Note

    "Lab Scanning" requires a special forensic license.

  • Quick --quick

    This mode is the fastest one and follows the Pareto principle: it covers roughly 80% of the modules and checks in about 20% of the normal scan time. In "quick" mode, THOR skips elements that have not been created or modified within the last 2 days in the "Eventlog", "Registry" and "Filescan" modules. A set of 40+ predefined directories (e.g. AppData, Recycler, System32) is still checked completely. Because this filter is keyed on file timestamps, it has the same exposure to timestomping as the Difference mode described below. "Quick" mode is the "preventive" scan mode: less intense and very fast.

Themed scan modes:

  • Soft --soft - force disable with --nosoft

    This mode disables all modules and checks that could be risky for system stability. It is activated automatically on the following systems (see chapter Automatic Soft Mode for details):

    • Systems with only a single CPU core

    • Systems with less than 1024 MB of RAM

  • Lab Scan --lab

    This mode scans only the file system and disables all other modules (see Lab Scanning for more details and the flags used in this scan mode).

    Example:

    user@unix:~/thor$ ./thor64 --lab -p /mnt/image_c/
    
  • Intense --intense

    This mode is meant for system scanning in a non-productive or lab environment. It disables several speed optimizations and enables time-consuming extra checks for best detection results. Be careful with this mode on database servers: the high load it generates can interfere with database operation and could corrupt your database. Take snapshots/backups before using this mode.

  • Difference --diff

    Diff mode looks up the last scan and the modules it completed in the local THOR DB and scans only elements on disk that have been changed or created since that scan started. This mode applies shortcuts to the "Filesystem", "Eventlog" and "Registry" modules. Diff scans are typically the shortest scans but require a completed previous scan. Because the selection relies on file timestamps, this mode is susceptible to so-called "timestomping": an attacker who backdates the timestamps of a dropped file makes it look older than the last scan, and a diff scan skips it.

These scan modes can also be combined, e.g. --soft --diff, though not all combinations make sense (e.g. --soft --intense).
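The timestamp dependence of the Difference mode (and of the 2-day filter in Quick mode) is easy to reproduce outside THOR. The following script is an added example and not part of THOR or of this manual: it builds a constructed scratch directory, then compares a "changed since last scan" selection keyed on mtime with one keyed on ctime, and flags files whose mtime lies before their ctime. It assumes GNU coreutils and findutils (touch -d, stat -c, find -newercm) as found on Linux.

```shell
#!/usr/bin/env bash
# Added example (not THOR code): why a "changed since last scan" selection that
# keys on modification time is blind to timestomping, and which cross-check
# catches it. Assumes GNU coreutils/findutils (touch -d, stat -c, find -newercm).
set -eu

# Build a constructed scratch tree: a legitimate old file, a marker whose mtime
# plays the role of the "last scan start", and two files dropped after it, one of
# which has its mtime backdated by the attacker.
setup_tree() {
  dir="$1"
  mkdir -p "$dir"
  printf 'old content\n' > "$dir/legit_old.txt"
  sleep 1                                  # keep the marker strictly newer
  touch "$dir/.last_scan"                  # stands in for the last scan start
  sleep 1
  printf 'honest drop\n' > "$dir/dropped_honest.exe"
  printf 'timestomped drop\n' > "$dir/dropped_timestomped.exe"
  # touch -d rewrites atime and mtime; the kernel still sets ctime to "now"
  touch -d '2019-06-01 12:00:00' "$dir/dropped_timestomped.exe"
}

# Diff-style selection keyed on mtime: what a naive "modified since last scan" does.
changed_by_mtime() {
  find "$1" -type f ! -name '.last_scan' -newer "$1/.last_scan" | sort
}

# Same selection keyed on ctime (inode change time), which touch cannot forge.
changed_by_ctime() {
  find "$1" -type f ! -name '.last_scan' -newercm "$1/.last_scan" | sort
}

# Timestomping indicator: mtime noticeably older than ctime. A legitimate write
# updates both at once; a backdated mtime leaves ctime pointing at the real time
# of the change. The tolerance (seconds) absorbs filesystem timestamp granularity.
mtime_before_ctime() {
  dir="$1"
  tolerance="${2:-60}"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    mtime=$(stat -c %Y "$f")
    ctime=$(stat -c %Z "$f")
    if [ "$ctime" -gt "$((mtime + tolerance))" ]; then
      printf '%s\n' "$f"
    fi
  done
}

demo() {
  d=$(mktemp -d)
  setup_tree "$d"
  echo "== selected by mtime (what a diff scan sees):"; changed_by_mtime "$d"
  echo "== selected by ctime:"; changed_by_ctime "$d"
  echo "== mtime older than ctime (timestomping suspects):"; mtime_before_ctime "$d"
  rm -rf "$d"
}

demo
```

On Linux the mtime can be set freely by the file owner, but ctime is always updated by the kernel, so a backdated file stands out as "mtime older than ctime". The analogous check on NTFS compares the $STANDARD_INFORMATION timestamps with the $FILE_NAME timestamps recorded in the MFT, which is one reason to run a full MFT analysis (only enabled in --intense, see the tables below) when a quick or diff scan result is in doubt.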

The following tables give an overview on the active modules and features in the different scan modes. The Modules section lists all available modules, whereas the Features section lists only features that are handled differently in the different scan modes.

6.1. Modules

Modules are standalone jobs that THOR executes one after the other. Each module performs one task: the File System Scan module scans the file system, the User Account Check enumerates the local user accounts. Modules can invoke one or more Features, which are explained further down in this section.

6.1.1. OS Module Overview

Module                        Windows         Linux           MacOS
============================  ==============  ==============  ==============
File System Scan              Supported       Supported       Supported
Registry Scan                 Supported       Not Supported   Not Supported
SHIM Cache Scan               Supported       Not Supported   Not Supported
Mutex Check                   Supported       Not Supported   Not Supported
Named Pipes Check             Supported       Not Supported   Not Supported
DNS Cache Check               Supported       Supported       Supported
Hotfix Check                  Supported       Not Supported   Not Supported
Hosts File Check              Supported       Supported       Supported
Firewall Config Check         Supported       Supported       Not Supported
Network Share Check           Supported       Not Supported   Not Supported
Logged In Check               Supported       Supported       Supported
Process Check                 Supported       Supported [1]   Supported [1]
Service Check                 Supported       Supported       Not Supported
Autoruns Check                Supported       Supported       Supported
Rootkit Check                 Supported       Supported       Not Supported
LSA Sessions Analysis         Supported       Not Supported   Not Supported
User Account Check            Supported       Supported       Supported
User Profile Check            Supported       Supported       Supported
Network Sessions Check        Supported       Not Supported   Not Supported
Scheduled Tasks Analysis      Supported       Not Supported   Not Supported
WMI Startup Check             Supported       Not Supported   Not Supported
At Entries Check              Supported       Not Supported   Not Supported
MFT Analysis                  Supported       Not Supported   Not Supported
Eventlog Analysis             Supported       Not Supported   Not Supported
KnowledgeDB Check             Not Supported   Not Supported   Supported
Environment Variables Check   Supported       Supported       Supported
Crontab Check                 Not Supported   Supported       Not Supported
Integrity Check               Not Supported   Supported       Not Supported
Event Check                   Supported       Not Supported   Not Supported
ETW Watcher                   Supported       Not Supported   Not Supported

Hint

For a list of module names and how to turn them off, please see Scan Module Names

6.1.2. Scan Mode Overview

Module

Normal

Quick

Soft

Intense

File System Scan

Reduced

Registry Scan

SHIM Cache Scan

Mutex Check

Disabled

Named Pipes Check

DNS Cache Check

Hotfix Check

Disabled

Hosts File Check

Disabled

Firewall Config Check

Disabled

Disabled

Network Share Check

Disabled

Logged In Check

Enabled [2]

Disabled

Process Check

Reduced [3]

Service Check

Autoruns Check

Rootkit Check

LSA Sessions Analysis

Disabled

User Account Check

Enabled [2]

User Profile Check

Enabled [2]

Disabled

Network Sessions Check

Enabled [2]

Disabled

Scheduled Tasks Analysis

WMI Startup Check

At Entries Check

MFT Analysis

Disabled

Disabled

Disabled

Enabled

Eventlog Analysis

Disabled

KnowledgeDB Check

Environment Variables Check

Crontab Check

Integrity Check

Event Check

ETW Watcher

6.1.3. Scan Module Names

Module                        Module Name        Disable Module
============================  =================  ======================
File System Scan              Filescan           --nofilesystem
Registry Scan                 RegistryChecks     --noreg
SHIM Cache Scan               SHIMCache          --noshimcache
Mutex Check                   Mutex              --nomutex
Named Pipes Check             Pipes              --nopipes
DNS Cache Check               DNSCache           --nodnscache
Hotfix Check                  HotfixCheck        --nohotfixes
Hosts File Check              Hosts              --nohosts
Firewall Config Check         Firewall           --nofirewall
Network Share Check           NetworkShares      --nonetworkshares
Logged In Check               LoggedIn           --nologons
Process Check                 ProcessCheck       --noprocs
Service Check                 ServiceCheck       --noservices
Autoruns Check                Autoruns           --noautoruns
Rootkit Check                 Rootkit            --norootkits
LSA Sessions Analysis         LSASessions        --nolsasessions
User Account Check            Users              --nousers
User Profile Check            UserDir            --noprofiles
Network Sessions Check        NetworkSessions    --nonetworksessions
Scheduled Tasks Analysis      ScheduledTasks     --notasks
WMI Startup Check             WMIStartup         --nowmi
At Entries Check              AtJobs             --noatjobs
MFT Analysis                  MFT                --nomft
Eventlog Analysis             Eventlog           --noeventlog
KnowledgeDB Check             KnowledgeDB        --noknowledgedb
Environment Variables Check   EnvCheck           --noenv
Crontab Check                 Cron
Integrity Check               Integritycheck     --nointegritycheck
Event Check                   Events             --noevents
ETW Watcher                   EtwWatcher         --noetwwatcher

6.1.4. Scan Module Explanation

Filescan
    Events reported by the Filescan module typically originate from the file system scan. Due to the "Message Enrichment" feature, however, other modules whose events carry full file path strings may also produce events of this type (e.g. SHIMCache, Eventlog).

SHIMCache
    The SHIM Cache or AppCompatCache (Application Compatibility Cache) is a registry-resident cache that tracks metadata of executables, which makes it a valuable source of evidence. Keep in mind that on Windows 8 and later an entry only proves that the binary was present and inspected by the compatibility subsystem, not necessarily that it was executed.

Autoruns
    The Autoruns module makes use of the command line version of Sysinternals Autoruns. It parses the tool's output and integrates it into each log message.

LogScan
    The LogScan module processes *.log files found on disk line by line (it performs some checks to avoid scanning files that merely carry the .log extension but are not ASCII log files). Each log line is checked against all file name and keyword IOCs and scanned with the YARA rules of type "keyword" and "log".

GroupsXML
    The GroupsXML module reports a critical security issue in Group Policy Preference files (groups.xml): passwords stored there are encrypted with a key that Microsoft has published, so they are trivially decryptable, and the files are readable by anyone with an account in the Windows domain.

Registry
    Registry matches can be caused by different signature types: file name IOCs, keywords or YARA signature matches.

WMIPersistence
    Malicious WMI persistence objects are difficult to detect. The detection methods are based on whitelists and a blacklist of keywords from APT reports. The whitelists are extended every time our analysts detect false positives in a customer's environment; the blacklists are extended every time an APT report describes a WMI persistence method with a specific event filter or file name.

VulnerabilityCheck
    The VulnerabilityCheck module is limited to a few vulnerabilities that are known to be exploited by various threat groups. The checks focus on vulnerabilities used for lateral movement or weaknesses that allow an attacker to achieve persistence without planting any software as a backdoor. Note: other vulnerabilities are covered by YARA rules and reported in other modules; the YARA rules that detect vulnerabilities start with VUL_.

LoggedIn
    The LoggedIn module enumerates all currently logged-in users and checks their names.

ProcessCheck
    The ProcessCheck module performs several checks. Some inspect process characteristics such as parent/child relations, process priorities and executable file locations for anomalies. Others evaluate the network connections of each process, and YARA rules are matched against process memory.

HotfixCheck
    The HotfixCheck module analyses the hotfixes installed on the end system.

RunKeyCheck
    The RunKeyCheck module processes the entries of the Run keys.

AmCache
    The AmCache module processes the entries of the system's Amcache. In contrast to SHIMCache entries, AmCache entries contain a SHA1 hash that identifies the exact binary recorded on the end system.

Firewall
    The Firewall module evaluates all local Windows firewall rules and tries to detect suspicious entries by using white- and blacklists.

ServiceCheck
    The ServiceCheck module evaluates all registered local Windows services. It detects suspicious service entries through different anomaly checks and blacklisted keywords, and reports file path anomalies.

DNSCache
    The DNSCache module evaluates the entries of the local DNS cache. It compares the entries with known C2 servers and reports suspicious entries based on regular expression checks.

Hosts
    The Hosts module evaluates the entries in the local hosts file.

WMIStartup
    The WMIStartup module uses different WMI queries to retrieve information on elements that could be used for persistence. It is likely that findings of this module also appear in other modules (e.g. Autoruns) in a different form, because it merely uses a different method to look at the same elements.

CommandCheck
    The CommandCheck module is a meta module that analyses full command lines (path, executable, parameters) in different modules.

ProcessHandles
    The ProcessHandles module is a sub module of the ProcessCheck module that analyses the handles of each process. The module makes use of the Sysinternals handle.exe tool, which can be placed in the ./tools sub folder.

ProcessConnections
    The ProcessConnections module checks the network connections of a process and generates alerts and warnings based on C2 signature matches and suspicious GeoIP lookups.

WER
    The WER (Windows Error Reporting) module analyses program crash files and checks for special crashes caused by exploits and for filename IOC matches in the application path. Software crashes, and hack tools and exploits are no exception. Even if the attackers removed their tools from a system completely, a crashed exploit, scanner, password dumper or backdoor may still be visible in the Windows Error Reports.

UserAccounts
    The UserAccounts module analyses the local user database. It checks for suspicious user names, suspicious members of the Administrators group, activated guest accounts and user accounts created on Sundays, and reports recently logged-in users. It applies the hot time frame parameter (-f) if given and reports suspicious account activity on the given set of dates.

AtJobs
    The AtJobs module analyses the local at jobs, lists them in "Info" level messages and applies the global string check to their command lines.

ScheduledTasks
    The ScheduledTasks module analyses the local scheduled tasks, lists them in "Info" level messages and applies the global string check to their command lines.

Rescontrol
    The Rescontrol (Resource Control) module generates "Warning" level messages when a resource limit has been reached. In most cases this is caused by very low free main memory or by false positives that generated a flood of SYSLOG messages. Resource control is active by default and can be deactivated with --norescontrol.

DeepDive
    Findings of a DeepDive on memory images or disk space cannot be evaluated from THOR's events alone. You typically need the memory dumps or the restored chunks to assess them, which takes considerably more time, know-how and effort. We recommend analysing DeepDive events only if other indicators already give sufficient initial suspicion.

Rootkit

6.2. Features

Features are invoked by Modules and provide further details about an item. For example, the File System Scan might find a .zip file during a scan and invoke the Archive Scan feature, which extracts the archive and scans every item in it.

Another example would be the Eventlog Analysis Module, which might invoke the Sigma Scan feature on certain eventlog entries.

Hint

Please see chapter Archive Scan for a list of supported archive formats.

6.2.1. Feature Scan Mode Overview

Feature                        Normal        Quick       Soft        Intense
=============================  ============  ==========  ==========  ==========
Sigma Scan                     Disabled      Disabled    Disabled    Enabled
EXE Decompression [5]          Enabled       Enabled     Disabled    Enabled
Archive Scan                   Enabled       Enabled     Enabled     Enabled
Double Pulsar Check [5]        Enabled       Enabled     Disabled    Enabled
Groups XML Analysis            Enabled       Enabled     Enabled     Enabled
Vulnerability Check            Enabled       Enabled     Enabled     Enabled
Web Server Dir Scan            Enabled       Disabled    Enabled     Enabled
WMI Persistence                Enabled       Enabled     Enabled     Enabled
Registry Hive Scan             Enabled [4]   Enabled     Enabled     Enabled
AmCache Analysis               Enabled       Enabled     Enabled     Enabled
Process Handle Check           Enabled       Enabled     Enabled     Enabled
Process Connections Check      Enabled       Enabled     Enabled     Enabled
Windows Error Report (WER)     Enabled       Enabled     Enabled     Enabled
Windows At Job File Analysis   Enabled       Enabled     Enabled     Enabled
EVTX File Scanning             Enabled       Disabled    Enabled     Enabled
Prefetch Library Scanning      Enabled       Enabled     Enabled     Enabled
Memory Dump DeepDive           Disabled      Disabled    Disabled    Enabled
Text Log File Scanning         Enabled       Disabled    Enabled     Enabled
Shellbag Entry Analysis        Enabled       Enabled     Enabled     Enabled
Authorized Key File Analysis   Enabled       Enabled     Enabled     Enabled
Bifrost File Upload            Enabled       Enabled     Enabled     Enabled
Malicious Domain Check         Enabled       Enabled     Enabled     Enabled
File Scan                      Enabled       Enabled     Enabled     Enabled
Cobalt Strike Beacon Parsing   Enabled       Enabled     Enabled     Enabled
Process Integrity Check [5]    Disabled      Disabled    Disabled    Enabled
SHIM Cache Analysis            Enabled       Enabled     Enabled     Enabled
ETL File Scanning [5]          Enabled       Enabled     Enabled     Enabled

6.2.2. Feature caller list

The following table gives an overview of THOR's features and how they are called by the different modules and other features.

Feature                        Callers
=============================  ==============================
Sigma Scan                     Eventlog, Log file scanning
EXE Decompression              File Scan
Archive Scan                   File Scan
Double Pulsar Check            Rootkit Check
Groups XML Analysis            File Scan
Vulnerability Check            File Scan
Web Server Dir Scan            Process Check
WMI Persistence                File Scan
Registry Hive Scan             File Scan
AmCache Analysis               File Scan
Process Handle Check           Process Check
Process Memory Check           Process Check
Process Connections Check      Process Check
Windows Error Report (WER)     File Scan
Windows At Job File Analysis   File Scan
EVTX File Scanning             File Scan
Prefetch Library Scanning      File Scan
Memory Dump DeepDive           File Scan
Text Log File Scanning         File Scan
Shellbag Entry Analysis        Registry Hive Scan
Authorized Key File Analysis   File Scan
Bifrost File Upload            File Scan
Malicious Domain Check         File Scan
File Scan                      Most modules and features
Cobalt Strike Beacon Parsing   File Scan, Process Check
Process Integrity Check        Process Check
SHIM Cache Analysis            SHIM Cache Scan, Registry Hive
ETL File Scanning              File Scan

6.2.3. Feature selectors

Since THOR 10.7, some features in THOR are triggered by YARA rules.

When a (meta or generic) YARA rule with a specific tag matches on a file, the corresponding feature is started and parses the file.

The standard signatures contain a number of rules with these tags, but if required, you can add additional rules with these tags as custom signatures.

Tag                  Feature          Applied regardless of filesize limit
===================  ===============  ====================================
AMCACHE              Amcache          no
ZIPARCHIVE           Archive          no
RARARCHIVE           Archive          no
TARARCHIVE           Archive          no
TARGZARCHIVE         Archive          no
TARBZ2ARCHIVE        Archive          no
CABARCHIVE           Archive          no
GZIPCOMPRESSEDFILE   Archive          no
SEVENZIPARCHIVE      Archive          no
ATJOBS               AtJobs           yes
AUDITLOG             Auditlog         yes
AUTHORIZEDKEYS       AuthorizedKeys   yes
EMAILFILE            EmailParser      no
ETL                  ETL              yes
EVTX                 EVTX             yes
UPX                  ExeDecompress    no
WINRAR               ExeDecompress    no
LNK                  LinkScan         yes
LOGSCAN              LogScan          yes
MFT                  MftFile          yes
OLE                  OleScan          no
PREFETCH             Prefetch         yes
REGISTRYHIVE         RegistryHive     yes
UNESCAPE             Unescaper        no
WER                  WER              yes
WMIPERSISTENCE       WMIPersistence   yes
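To make the selector mechanics concrete, the following added example (not THOR code: THOR makes this decision with tagged YARA rules) re-creates the dispatch in shell. Well-known magic bytes select a tag from the table above, and the "applied regardless of filesize limit" column decides whether the tag still fires when the file is larger than the size limit. The format signatures and offsets, the rule that an Amcache.hve hive gets the AMCACHE tag, and the sample files are this example's own assumptions and constructions; it needs od, head, tail and wc.

```shell
#!/usr/bin/env bash
# Added example (not THOR code): magic-byte stand-in for THOR's tag-based feature
# dispatch, plus the size-limit exemption from the selector table. Format
# signatures, offsets and the Amcache file-name rule are this example's assumptions.
set -eu

# Tags whose feature runs even when the file exceeds the size limit ("yes" rows).
SIZE_LIMIT_EXEMPT=" ATJOBS AUDITLOG AUTHORIZEDKEYS ETL EVTX LNK LOGSCAN MFT PREFETCH REGISTRYHIVE WER WMIPERSISTENCE "

# magic_tags FILE: print the selector tag(s) derived from the file's leading bytes.
magic_tags() {
  f="$1"
  hex=$(od -An -tx1 -N 8 "$f" | tr -d ' \n')
  case "$hex" in
    504b0304*)         echo ZIPARCHIVE ;;            # "PK\x03\x04"
    526172211a07*)     echo RARARCHIVE ;;            # "Rar!\x1a\x07"
    1f8b*)             echo GZIPCOMPRESSEDFILE ;;    # gzip member header
    377abcaf271c*)     echo SEVENZIPARCHIVE ;;       # 7z signature
    4d534346*)         echo CABARCHIVE ;;            # "MSCF"
    456c6646696c65*)   echo EVTX ;;                  # "ElfFile"
    d0cf11e0a1b11ae1*) echo OLE ;;                   # OLE2 compound document
    4c000000011402*)   echo LNK ;;                   # header size 0x4C + LNK CLSID
    4d414d04*)         echo PREFETCH ;;              # "MAM\x04": compressed Win10 prefetch
    ????????53434341*) echo PREFETCH ;;              # "SCCA" at offset 4: classic prefetch
    72656766*)                                       # "regf": registry hive
      echo REGISTRYHIVE
      # Assumption for this example: Amcache.hve is a hive too, told apart by name.
      if [ "$(basename "$f")" = "Amcache.hve" ]; then echo AMCACHE; fi
      ;;
  esac
  # tar keeps its magic ("ustar") at offset 257, so it is checked separately.
  if [ "$(tail -c +258 "$f" 2>/dev/null | head -c 5)" = "ustar" ]; then
    echo TARARCHIVE
  fi
}

# select_features FILE MAX_BYTES: tags that fire for FILE under a size limit.
# Exempt tags always fire; all others only if the file is within the limit.
select_features() {
  f="$1"
  max="$2"
  size=$(( $(wc -c < "$f") ))
  for tag in $(magic_tags "$f"); do
    case "$SIZE_LIMIT_EXEMPT" in
      *" $tag "*) echo "$tag" ;;
      *) if [ "$size" -le "$max" ]; then echo "$tag"; fi ;;
    esac
  done
}

# Constructed samples: only the magic bytes are real, the rest is filler.
make_samples() {
  d="$1"
  mkdir -p "$d"
  printf 'PK\003\004filler-filler'           > "$d/archive.zip"
  printf 'regf\000\000\000\000filler'        > "$d/SYSTEM"
  printf 'regf\000\000\000\000filler'        > "$d/Amcache.hve"
  printf 'ElfFile\000filler'                 > "$d/Security.evtx"
  printf '\036\000\000\000SCCAfiller'        > "$d/sample.pf"
  { head -c 257 /dev/zero; printf 'ustar'; } > "$d/backup.tar"
  printf 'plain text, no known magic'        > "$d/notes.txt"
}

demo() {
  d=$(mktemp -d)
  make_samples "$d"
  for f in "$d"/*; do
    printf '%-14s limit 10 bytes -> %s\n' "$(basename "$f")" \
      "$(select_features "$f" 10 | tr '\n' ' ')"
  done
  rm -rf "$d"
}

demo
```

With a 10-byte limit the 17-byte zip is skipped (ZIPARCHIVE is not exempt) while the equally oversized EVTX and hive samples are still parsed, which is exactly the difference the last column of the table encodes. In THOR the same effect follows from which tag the matching rule carries, so a custom rule should use the tag of the feature it is meant to trigger.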

6.2.4. Feature names

Feature Name         Disable Feature                                        Description
===================  =====================================================  ===========================================================================
ThorDB               --nothordb                                             Use a persistent database for holding information across scans
Sigma                disabled by default, use --sigma to enable             Scan with Sigma signatures
LogScan              --nologscan                                            Scan log file entries one by one (log files identified by .log extension or location)
Yara                                                                        Check files, processes or blobs with YARA
Stix                 --nostix                                               Check files with STIX
Archive              --noarchive                                            Extract files contained in archives
ArchiveScan          --noarchive                                            Scan files contained in archives
C2                   --noc2                                                 Run checks for known C2 domains
ProcessHandles       --noprochandles                                        Analyze process handles
ProcessConnections   --noprocconnections                                    Analyze process connections
Amcache              --noamcache                                            Analyze entries in Amcache files
RegistryHive         --noregistryhive                                       Parse and analyze registry hives
ExeDecompress        --noexedecompress                                      Decompress and scan UPX or SFX packed portable executables
WebdirScan           --nowebdirscan                                         Analyze web directories that were found in process handles
VulnerabilityCheck   --novulnerabilitycheck                                 Search for configuration file vulnerabilities (e.g. weak Tomcat passwords)
Prefetch             --noprefetch                                           Parse Windows prefetch directories
GroupsXML            --nogroupsxml                                          Parse groups.xml files (for AD permissions) and search for vulnerabilities
WMIPersistence       --nowmipersistence                                     Parse WMI Persistence directories
Lnk                  --nolnk                                                Parse and analyze LNK files
KnowledgeDB          --noknowledgedb                                        Check the Knowledge DB on macOS
WER                  --nower                                                Parse .wer crash dump files
EVTX                 --noevtx                                               Parse EVTX eventlogs and scan the contained log entries
AuthorizedKeys       --noauthorizedkeys                                     Analyze authorized_keys SSH files
Eml                  --noeml                                                Parse and analyze .eml email files
ETL                  --noetl                                                Parse Windows Event Trace Logging files and scan the contained logs
AtJobs               --noatjobs                                             Parse job files scheduled with the 'at' tool
Bifrost2             disabled by default, use --bifrost2Server to enable    Upload suspicious files to a server running the Bifrost 2 quarantine service
BulkScan             can't be disabled                                      Scan multiple entries as a single block
CPULimit             --nocpulimit                                           Limit THOR's CPU usage
CheckString          can't be disabled                                      Run filename IOC, keyword IOC, and YARA rules on a chunk of data
CronParser           can't be disabled                                      Parse crontab files and analyze their entries
DoublePulsar         --nodoublepulsar                                       Check for the DoublePulsar backdoor in the rootkit module
EnrichFileInfo       can't be disabled                                      Gather additional information (hashes, owner, timestamps, ...) about file paths
FilenameIOCs         can't be disabled                                      Apply filename IOCs
Filescan             can't be disabled                                      Scan files and similar objects
KeywordIOCs          can't be disabled                                      Apply keyword IOCs
Logger               can't be disabled                                      Log information during a THOR run
MagicHeader          can't be disabled                                      Detect a file's type based on its first bytes
OLE                  can't be disabled                                      Parse OLE files (e.g. old MS Office documents, or MS Office macros)
ParseCobaltStrike    can't be disabled                                      Parse additional information from a detected Cobalt Strike beacon
ProgressTracker      can't be disabled                                      Keep and display information about THOR's current activity
RecycleBin           can't be disabled                                      Parse additional information from files in a Windows recycle bin
Rescontrol           --norescontrol                                         Check whether the system is running out of RAM and end THOR if it is
SHIMCache            --noshimcache                                          Parse SHIM Caches from the registry and analyze their entries
SignalHandler        can't be disabled                                      React to interrupts from outside THOR in a controlled manner
TeamViewer           can't be disabled                                      Look for unencrypted TeamViewer passwords in registry hives
VirusTotal           disabled by default, use --vtkey to enable             Add additional information from VirusTotal to detected files
Action               disabled by default, use --action_command to enable    Run a user defined command for detected files
AuditTrail           disabled by default, use --audit-trail to enable       Write a detailed output file with information about all scanned elements
DumpScan             disabled by default, use --dumpscan to enable          Scan memory dump files in chunks
ProcessIntegrity     disabled by default, use --processintegrity to enable  Scan processes with PE-Sieve to check for process integrity (Windows only)