THOR Scanner User Manual

Contents:

• 1. What is THOR?
  • 1.1. Package
• 2. Requirements
  • 2.1. Supported
  • 2.2. Limited Support
  • 2.3. Special Versions
  • 2.4. Unsupported
  • 2.5. Update Servers
• 3. Before You Begin
  • 3.1. Add License File
  • 3.2. Upgrade THOR and Update The Signatures
  • 3.3. Define an Antivirus / EDR Exclusion
  • 3.4. Choose The Right THOR Variant
  • 3.5. Choose The Right Architecture
  • 3.6. Choose The Right Command Line Flags
  • 3.7. Verify Public Key Signatures (optional)
• 4. Deployment
  • 4.1. Licensing
  • 4.2. Network Share (Windows)
  • 4.3. ASGARD Management Center (Windows, Linux, macOS)
  • 4.4. Ansible (Linux)
  • 4.5. THOR Thunderstorm Service
  • 4.6. THOR Remote
  • 4.7. Distribute to Offline Networks / Field Offices
  • 4.8. System Load Considerations
• 5. Scan
  • 5.1. Quick Start
  • 5.2. Often Used Parameters
  • 5.3. Parameters Possibly Relevant for Your User Case
  • 5.4. Risky Flags
  • 5.5. Lesser Known But Useful Flags
  • 5.6. Help and Debugging
  • 5.7. Examples
  • 5.8. Run a Scan with Specific Modules
  • 5.9. PE-Sieve Integration
  • 5.10. Multi-Threading
• 6. Scan Modes
  • 6.1. Modules
  • 6.2. Features
• 7. Special Scan Modes
  • 7.1. Lab Scanning (--lab)
  • 7.2. Lookback Mode (--lookback --all-module-lookback)
  • 7.3. Drop Zone Mode (--dropzone)
  • 7.4. Image File Scan Mode (-m)
  • 7.5. DeepDive (--image_file)
  • 7.6. Eventlog Analysis (-n)
  • 7.7. MFT Analysis (--mft)
• 8. Analysis
  • 8.1. ASGARD Analysis Cockpit
  • 8.2. Splunk
  • 8.3. THOR Util Report Feature
  • 8.4. Log Analysis Manual
• 9. Configuration
  • 9.1. Scan Templates
  • 9.2. Maximum File Size
  • 9.3. Exclude Elements
• 10. Output Options
  • 10.1. Scan Output
  • 10.2. Syslog or TCP/UDP Output
  • 10.3. Encrypted Output Files
• 11. Update
  • 11.1. Update Locations
  • 11.2. Update Server Information
• 12. Custom Signatures
  • 12.1. Simple IOCs
  • 12.2. Rules
  • 12.3. STIX IOCs
  • 12.4. Enhance YARA Rules with THOR Specific Attributes
• 13. Other Topics
  • 13.1. Evidence Collection
  • 13.2. Resource Control
  • 13.3. Scoring System
  • 13.4. Action on Match
  • 13.5. THOR DB
• 14. Command Line Options
  • 14.1. Scan Options
  • 14.2. Scan Modes
  • 14.3. Resource Options
  • 14.4. Special Scan Modes
  • 14.5. Thor Thunderstorm Service
  • 14.6. License Retrieval
  • 14.7. Active Modules
  • 14.8. Module Extras
  • 14.9. Active Features
  • 14.10. Feature Extras
  • 14.11. Output Options
  • 14.12. ThorDB
  • 14.13. Syslog
  • 14.14. Reporting and Actions
  • 14.15. THOR Remote
  • 14.16. Automatic Collection of Suspicious Files (Bifrost)
  • 14.17. Debugging and Info
• 15. Debugging
  • 15.1. Collecting a Diagnostcs Pack
  • 15.2. Debugging Examples
  • 15.3. Finding Bottlenecks
  • 15.4. Most Frequent Causes of Missing Alerts
  • 15.5. Most Frequent Causes of Frozen Scans
  • 15.6. Most Frequent Causes of Failed Scans
  • 15.7. Help Us With The Debugging
• 16. Analysis and Info
  • 16.1. Log Analysis Manual
  • 16.2. VALHALLA Rule Lookup
  • 16.3. Rule List Output
• 17. Use Cases
  • 17.1. Disk Image Analysis
  • 17.2. Memory Image Analysis with Volatility
  • 17.3. Scanning a Fileserver
• 18. Known Issues
  • 18.1. THOR#003: No rules with DEEPSCAN tag found
  • 18.2. THOR#002: THOR in Lab-Mode does not scan network or external drives
  • 18.3. THOR#001: Could not parse sigma logsources
• 19. Links and References
  • 19.1. Open Source License Acknowledgements

Indices and tables

• Search Page