5. Scan

First of all, THOR runs fine with the default settings. The recommended scan options are already active in the default scan.

5.1. Quick Start

Follow these steps to complete your first THOR scan:

  1. Make sure you've read the Before You Begin guide

  2. Open a command line (cmd.exe) as Administrator

  3. Navigate to the folder in which you've extracted the THOR package and placed the license file(s)

  4. Start THOR with thor64.exe (macOS: thor-macos, Linux: thor-linux-64)

  5. Wait until the scan has completed (this can take between 20 and 180 minutes)

  6. When the scan is complete, check the text log and HTML report in the THOR program directory

5.2. Often Used Parameters

Parameter           Description
--soft              Reduce CPU usage and skip all checks that can consume a lot of memory
                    (even if only for a few seconds)
--quick             Perform a quick scan (skips the Eventlog and checks only the most
                    relevant folders)
-e target-folder    Write all output files to the given folder

5.3. Parameters Possibly Relevant for Your Use Case

Parameter           Description
-c percentage       Reduce the average CPU load to the given percentage value (note:
                    THOR already sets the process priority to the lowest possible
                    value). This can be helpful to reduce the load, e.g. on server
                    systems with real-time services, or to reduce the noise produced
                    by fans on user laptops.
--allhds            By default THOR scans only the C: partition on Windows machines
                    and other files/folders only in cases in which some reference
                    points to a different partition (e.g. the configured web root of
                    IIS is on D:\inetpub, or a registered service runs from
                    D:\vendor\service)
--lookback days     Only check the elements changed or created during the last X days
--globallookback    in all available modules (reduces the scan duration significantly)

5.4. Parameters Better Avoided

This list contains flags that are often selected and used but should be avoided unless you know exactly what you're doing.

Parameter           Description
--intense           Long runtime, stability issues due to disabled resource control
--c2-in-memory      Many false positives on user workstations (especially browser memory)
--alldrives         Long runtime, stability issues due to scans of network drives or
                    other remote filesystems
--mft               Stability issues due to high memory usage
--dump-procs        Stability issues, possibly high disk space usage (free disk space
                    checks are implemented but may fail)
--full-registry     Longer runtime, low positive impact
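As an added example that is not part of the THOR documentation or of THOR itself: a POSIX shell wrapper that assembles a thor-linux-64 command line (the binary name from the Quick Start) from the parameters described in 5.3, validates the -c percentage and the --lookback value, and refuses the flags from the table above unless THOR_ALLOW_RISKY=1 is set. The wrapper only prints the command line so it can be reviewed before a rollout; the 1-100 range for -c is an assumption.

```shell
#!/bin/sh
# Added example (not THOR's own code): pre-flight wrapper for thor-linux-64.
# It prints the command line it would run instead of executing it, so the
# arguments can be reviewed (and tested) without a THOR installation.

# Flags from the "Parameters Better Avoided" table.
AVOIDED_FLAGS="--intense --c2-in-memory --alldrives --mft --dump-procs --full-registry"

# is_int VALUE: succeeds only if VALUE is a non-empty string of digits
is_int() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# build_thor_cmd CPU_PERCENT LOOKBACK_DAYS OUTDIR [EXTRA_FLAG ...]
# Pass "" for any of the three positional values to leave that option out.
# Prints the assembled command line; returns 1 on invalid input.
build_thor_cmd() {
    cpu="$1"; lookback="$2"; outdir="$3"; shift 3
    cmd="./thor-linux-64"
    if [ -n "$cpu" ]; then
        # -c takes a percentage of average CPU load (1-100 is the assumed range)
        if ! is_int "$cpu" || [ "$cpu" -lt 1 ] || [ "$cpu" -gt 100 ]; then
            echo "invalid -c value: $cpu" >&2; return 1
        fi
        cmd="$cmd -c $cpu"
    fi
    if [ -n "$lookback" ]; then
        # --lookback limits the scan to elements changed in the last N days;
        # --globallookback applies that limit to all modules that support it
        if ! is_int "$lookback" || [ "$lookback" -lt 1 ]; then
            echo "invalid --lookback value: $lookback" >&2; return 1
        fi
        cmd="$cmd --lookback $lookback --globallookback"
    fi
    if [ -n "$outdir" ]; then
        # -e needs an existing directory, otherwise the reports are lost
        [ -d "$outdir" ] || { echo "output directory missing: $outdir" >&2; return 1; }
        cmd="$cmd -e $outdir"
    fi
    for flag in "$@"; do
        for bad in $AVOIDED_FLAGS; do
            if [ "$flag" = "$bad" ] && [ "${THOR_ALLOW_RISKY:-0}" != "1" ]; then
                echo "refusing $flag (see 'Parameters Better Avoided'); set THOR_ALLOW_RISKY=1 to override" >&2
                return 1
            fi
        done
        cmd="$cmd $flag"
    done
    echo "$cmd"
}
```

Run the printed command line only after reviewing it; the wrapper itself never starts THOR.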

5.5. Lesser Known Parameters the Analysts Often Use

This list contains flags that are often used by analysts to tweak the scan in useful ways.

Parameter                   Description
--allreasons                Show all reasons that led to a certain score
--printshim                 Print all available SHIM cache entries into the log
--utc                       Print all timestamps in UTC (helpful when creating timelines)
--string-context num-chars  Number of characters preceding and following the string
                            match to show in the output

5.6. Help and Debugging

You can use the following parameters to

Parameter           Description
--debug             Get debug information if errors occur
--help              Get help with the most important scan options
--fullhelp          Get help with all scan options

5.7. Examples

5.7.1. Logging to a Network Share

The following command creates a plaintext log file on a share called "rep" on system "sys" if the user running the command has the respective access rights on the share.

thor64.exe --nohtml --nocsv -l \\sys\rep\%COMPUTERNAME%_thor.txt

5.7.2. Logging to Syslog Server

The following command instructs THOR to log to a remote syslog server only.

thor64.exe --nohtml --nocsv --nolog -s syslog.server.net

5.7.3. Scan Run on a Single Directory

thor64.exe --lab -p C:\ProgramData
thor64.exe --lab -p I:\mounted_image\disk1

IMPORTANT: This feature requires a forensic lab license type which is meant to be used in forensic labs.

You can imitate a lab scan without a lab license with these command line flags:

thor64.exe -a Filescan --intense --norescontrol --nosoft --cross-platform -p C:\ProgramData

5.7.4. Deactivate all file output - Syslog only

thor64.exe -s 10.1.5.14 --nohtml --nolog --nocsv

5.7.5. Save the result files to a different directory

thor64.exe -s 10.1.5.14 -e Z:\

5.7.6. Only scan the last 7 days of the Windows Eventlog and log files on disk

thor64.exe --lookback 7

5.7.7. Scan System with Defaults and Make a Surface Scan

By default, the surface scan (DeepDive) applies all YARA rules in "./custom-signatures" folder. In this example all output files are written to a network share.

thor64.exe --deepdivecustom -e \\server\share\thor_output\

5.7.8. Intense Scan and DeepDive on a Mounted Image as Drive Z

thor64.exe --lab --deepdive -p Z:\

IMPORTANT: Lab scanning mode requires a forensic lab license type which is meant to be used in forensic labs.

You can achieve a similar (but not equal) scan using:

thor64.exe -a Filescan --intense -p C:\path-to-scan

5.7.9. Throttled THOR Run (static throttling value)

This restricts THOR's CPU usage in the long-running modules "FileScan", "Eventlog", "LogScan" and "Registry" to 60%. Note that THOR automatically applies certain restrictions in automatic soft mode.

thor64.exe -c 60

5.7.10. Scan Multiple Paths

thor64.exe --lab -p C:\ D:\webapps E:\inetpub

(non-existent directories will be automatically skipped)

5.7.11. Scan All Hard Drives (Windows Only)

thor64.exe --allhds

5.7.12. Don't Scan Recursively

To instruct THOR to scan a folder non-recursively use the :NOWALK suffix.

thor64.exe -a FileScan -p C:\Windows\System32:NOWALK

5.8. Run a Scan with Specific Modules

With the parameter -a you can run a single module or select a set of modules to run.

Valid modules are:

Autoruns, DeepDive, Dropzone, EnvCheck, Filescan, Firewall, Hosts, LoggedIn, OpenFiles, ProcessCheck, UserDir, ServiceCheck, Users, AtJobs, DNSCache, Eventlog, HotfixCheck, LSASessions, MFT, Mutex, NetworkSessions, NetworkShares, RegistryChecks, Rootkit, SHIMCache, ScheduledTasks, WMIStartup

Run a Rootkit check only:

thor64.exe -a Rootkit

Run the Eventlog and file system scan:

thor64.exe -a Eventlog -a Filescan

5.9. PE-Sieve Integration

THOR integrates PE-Sieve, an open-source tool by @hasherezade, to check for malware masquerading as benign processes.

PE-Sieve can be activated by using the --processintegrity flag. It runs on Windows as part of the ProcessCheck module and is capable of detecting advanced techniques such as Process Doppelganging.

When investigating likely infections, you can also raise the sensitivity of the integrated PE-Sieve beyond the default with --full-proc-integrity (at the cost of likely false positives).

THOR reports PE-Sieve results as follows:

Findings                                 THOR's Reporting Level
Replaced PE File, Implanted PE File      Warning
Unreachable File, Patched, IAT Hooked    Notice
Others                                   No output in THOR

See the PE-Sieve documentation for more details on these values.

5.10. Multi-Threading

THOR 10.6 supports scanning a system with multiple threads in parallel, allowing for a significant increase in speed in exchange for a higher CPU usage.

To use this feature, use the --threads flag, which lets you specify the number of parallel threads THOR runs.

When using the --lab (Lab Scanning), --dropzone (sample drop zone) or --thunderstorm (Thunderstorm) command line flags, THOR will default to using as many threads as the system has CPU cores; otherwise, THOR will still default to running with a single thread.

5.10.1. Enabled Modules

Not all modules support multi-threading. It is currently enabled in file, registry and Eventlog scanning, and in the Thunderstorm and Dropzone service modes.