14. Command Line Options
This section lists all options that THOR TechPreview currently offers.
14.1. Scan Options
- -t, --template string
Process default scan parameters from this YAML file
- --generate-config
Print a YAML config from the given parameters and exit
- -p, --path strings
Scan a specific file path. Define multiple paths by specifying this option multiple times. Append ':NOWALK' to the path for non-recursive scanning (default: only the system drive)
- --allhds
(Windows Only) Scan all local hard drives (default: only the system drive)
- --alldrives
Scan all local drives, including network drives (default: only the system drive). Requires a Forensic Lab license.
- --max_file_size uint
Max. file size to check (larger files are ignored). Increasing this limit will also increase memory usage of THOR.
- --max_log_lines int
Maximum amount of lines to check in a log file before skipping the remaining lines
- --max_process_size uint
Max process size to check (larger processes won't be scanned)
- --max_runtime int
Maximum runtime in hours. THOR will stop once this time has run out. 0 means no maximum runtime.
- --nodoublecheck
Don't check whether another THOR instance is running (e.g. in Lab use cases when several mounted images are scanned simultaneously on a single system) (requires a Forensic Lab license)
- -f, --epoch strings
Specify a range of days with attacker activity as start and end date pairs.
Files created/modified between these days (including the specified start, excluding the specified end) will receive an extra score.
Example: -f 2009-10-09 -f 2009-10-10 marks the 09.10.2009 as relevant.
- --epochscore int
Score to add for files that were created/modified on days with attacker activity (see --epoch parameter)
- --insecure
Skip TLS host verification (insecure)
- --ca strings
Root CA for host certificate verification during TLS handshakes
- --cross-platform
Apply IOCs with path separators platform independently.
- --require-admin
Terminate immediately if THOR is executed without administrator rights.
- --follow-symlinks
When encountering a symlink during the file scan that points to a directory, scan the directory.
- --max-recursion-depth uint
Maximum depth of archives to scan
- --max-nested-objects uint
Maximum number of files per archive to scan
14.2. Scan Modes
- --quick
Activate a number of flags to speed up the scan at cost of some detection.
This is equivalent to: --noeventlog --nofirewall --noprofiles --nologscan --noevtx --nohotfixes --nomft --lookback 3 --lookback-modules filescan
- --soft
Skip CPU and RAM intensive modules (Mutexes, Firewall, Logons, Network sessions and shares, LSA sessions, open files, hosts file), don't decompress executables and doesn't perform a DoublePulsar backdoor check, lower max CPU usage to 70% and set low priority for THOR.
This mode activates automatically on systems with 1 CPU core or less than 1024 MB RAM.
- --intense
Paranoid scan mode that disables all safe guards. Only use this mode in lab scanning scenarios. We don't recommend using this mode to live scan productive systems. (enables: memory intensive extra modules)
- --diff
Set lookback time (see --lookback) for each module to the last time the module ran successfully and activates --global-lookback.
Effectively, this means that only elements that changed since the last scan are examined. (only works if ThorDB has been active)
- --lookback int
Specify how many past days shall be analyzed. Event log entries from before this point will be ignored. 0 means no limit
- --global-lookback
Apply Lookback to all modules that support it (not only Eventlog). See also --lookback and --lookback-modules.
Warning: Timestomping or similar methods of antivirus evasion may result in elements not being examined.
- --force-aptdir-lookback
Enforce lookback application on all files in the FileScan module. By default, especially endangered directories ignore the lookback value.
- --lookback-modules strings
Apply Lookback to the given modules. See also --lookback and --modules.
Warning: Timestomping or similar methods of antivirus evasion may result in elements not being examined.
- --lab
Lab scan mode - scan only the file system, disable resource checks and quick mode, activate intense mode, disable ThorDB, apply IOCs platform independently and use all CPU cores.
This option scans all drives by default, but is often used with -p to scan only a single path. Requires a Forensic Lab license.
- --virtual-map strings
Rewrite found file paths to use a different prefix.
This can be useful for mounted images, where the current location of files does not match the original location and therefore references might be out of date.
Specify the original and current path as --virtual-map path/to/current/location:path/to/original/location.
On Windows, drive names are also supported, e.g. specify --virtual-map F:C if the drive on F: was originally used as C:.
Requires a Forensic Lab license.
14.3. Resource Options
- -c, --cpulimit float
Limit CPU usage of THOR to this level (in percent). Minimum is 15%
- --nocpulimit
Disable cpulimit check
- --nosoft
Disable automatic activation of soft mode (see --soft)
- --norescontrol
Do not check whether the system is running out of resources. Use this option to enforce scans that have been canceled due to resource scarcity. (use with care!)
- --minmem uint
Cancel the running scan if the amount of free physical memory drops below this value (in MB)
- --lowprio
Reduce the priority of the THOR process to a lower level
- --verylowprio
Reduce the priority of the THOR process to a very low level
- --lowioprio
Reduce the disk priority of the THOR process to a lower level
- --nolowprio
Do not reduce the priority of the THOR process to a lower level due to soft mode (see --soft)
- --nolockthread
Do not lock calls to C libraries to main thread (this may increase performance at the cost of memory usage)
- --yara-stack-size int
Allocate this number of slots for the YARA stack. Default: 16384. Increasing this limit will allow you to use larger rules, albeit with more memory overhead.
- --yara-timeout int
Cancel any YARA checks that take longer this amount of time (in seconds)
- --threads uint16
Run this amount of THOR threads in parallel. Requires a Forensic Lab license.
- --bulk-size uint
Check this amount of elements together, e.g. log lines or registry entries
14.4. Special Scan Modes
- -m, --image_file string
Scan only the given single memory image / dump file (don't use for disk images, scan them mounted with --lab). Requires a Forensic Lab license.
- --image-chunk-size uint
Scan image / dump files in chunks of this size
- -r, --restore_directory string
Restore PE files with YARA rule matches during the DeepDive into the given folder
- --restore_score int
Restore only chunks with a total match score higher than the given value
- --dropzone
Watch and scan all files dropped to a certain directory (which must be passed with -p). Disable resource checks and quick mode, activate intense mode, disable ThorDB and apply IOCs platform independently. Requires a Forensic Lab license.
- --dropdelete
Delete all files dropped to the drop zone after the scan.
14.5. Thor Thunderstorm Service
- --thunderstorm
Watch and scan all files sent to a specific port (see --server-port). Disable resource checks and quick mode, activate intense mode, disable ThorDB and apply IOCs platform independently.
- --server-upload-dir string
Path to a directory where THOR drops uploaded files.
If this path does not exist, THOR tries to create it.
- --server-host string
IP address that THOR's server should bind to.
- --server-port uint16
TCP port that THOR's server should bind to.
- --server-cert string
TLS certificate that THOR's server should use. If left empty, TLS is not used.
- --server-key string
Private key for the TLS certificate that THOR's server should use. Required if --server-cert is specified.
- --server-store-samples string
Sets whether samples should be stored permanently in the folder specified with --server-upload-dir.
Specify "all" to store all samples, or "malicious" to store only samples that generated a warning or an alert.
- --server-result-cache-size uint32
Size of the cache that is used to store results of asynchronous requests temporarily.
If set to 0, the cache is disabled and asynchronous results are not stored.
- --pure-yara
Only scan files using YARA signatures (disables all programmatic checks, STIX, Sigma, IOCs, as well as most features and modules)
- --sync-only-threads uint16
Reserve this amount of THOR threads for synchronous requests
- --force-max-file-size
Enforce the maximum file size even on files like registry hives or log files which are usually scanned despite size.
14.6. License Retrieval
- --asgard string
Hostname of the ASGARD server from which a license should be requested, e.g. asgard.my-company.internal
- --asgard-token string
Use this token to authenticate with the License API of the asgard server. The token can be found in the 'Downloads' or 'Licensing' section in the ASGARD. This requires ASGARD 2.5+.
- -q, --license-path string
Path containing the THOR license
- --portal-key string
Get a license for this host from portal.nextron-systems.com using this API Key.
This feature is only supported for host-based server / workstation contracts.
- --portal-contracts ints
Use these contracts for license generation. If no contract is specified, the portal selects a contract by itself. See --portal-key.
- --portal-nonewlic
Only use an existing license from the portal. If none exists, exit. See --portal-key.
14.7. Active Modules
- -a, --module strings
Activate the following modules only (Specify multiple modules with -a Module1 -a Module2 ... -a ModuleN).
- --noprocs
Do not analyze Processes
- --nofilesystem
Do not scan the file system
- --noreg
Do not analyze the registry
- --nousers
Do not analyze user accounts
- --nologons
Do not show currently logged in users
- --noautoruns
Do not analyse autorun elements
- --noeventlog
Do not analyse the eventlog
- --norootkits
Do not check for rootkits
- --noevents
Do not check for malicious events
- --nodnscache
Do not analyze the local DNS cache
- --noenv
Do not analyze environment variables
- --nohosts
Do not analyze the hosts file
- --nomutex
Do not check for malicious mutexes
- --notasks
Do not analyse scheduled tasks
- --noservices
Do not analyze services
- --noprofiles
Do not analyze profile directories
- --noatjobs
Do not analyze jobs scheduled with the 'at' tool
- --nonetworksessions
Do not analyze network sessions
- --nonetworkshares
Do not analyze network shares
- --noshimcache
Do not analyze SHIM Cache entries
- --nohotfixes
Do not analyze Hotfixes
- --nowmistartup
Do not analyze startup elements using WMI
- --nofirewall
Do not analyze the local Firewall
- --nowmi
Disable all checks with WMI functions
- --nolsasessions
Do not analyze lsa sessions
- --nomft
Do not analyze the drive's MFT (default, unless in intense mode)
- --mft
Analyze the drive's MFT
- --nopipes
Do not analyze named pipes
- --noetwwatcher
Do not analyze ETW logs during THOR runtime
- --nointegritycheck
Do not check with the package manager for package integrity on Linux
- --notimestomp
Disable timestomping detection
14.8. Module Extras
- --process ints
Process IDs to be scanned. Define multiple processes by specifying this option multiple times (default: all processes) (Module: ProcessCheck)
- --dump-procs
Generate process dumps for suspicious or malicious processes (Module: ProcessCheck)
- --max-procdumps uint
Create at most this many process dumps (Module: ProcessCheck)
- --procdump-dir string
Store process dumps of suspicious processes in this directory (Module: ProcessCheck)
- -n, --eventlog-target strings
Scan specific Eventlogs (e.g. 'Security' or 'Microsoft-Windows-Sysmon/Operational') (Module: Eventlog)
- --nodoublepulsar
Do not check for DoublePulsar Backdoor (Module: Rootkit)
- --full-registry
Do not skip registry hives keys with less relevance (Module: Registry)
- --noregwalk
Do not scan the whole registry during the registry scan
- --showdeleted
Show deleted files found in the MFT as 'info' messages.
- --allfiles
Scan all files, even ones that are usually not interesting. Sets --max_file_size to 200MB unless specified otherwise.
- --ads
Scan Alternate Data Streams for all files
14.9. Active Features
- --nothordb
Do not use or create ThorDB database for holding scan information
- --nosigma
Disable Sigma signatures
- --dumpscan
Scan memory dumps
- --nologscan
Do not scan log files (identified by .log extension or location)
- --noyara
Disable checks with YARA
- --nostix
Disable checks with STIX
- --noarchive
Do not scan contents of archives
- --noc2
Disable checks for known C2 Domains
- --noprochandles
Do not analyze process handles
- --noprocconnections
Do not analyze process connections
- --noamcache
Do not analyze Amcache files
- --noregistryhive
Do not analyze Registry Hive files
- --noexedecompress
Do not decompress and scan portable executables
- --nowebdirscan
Do not analyze web directories that were found in process handles
- --novulnerabilitycheck
Do not analyze system for vulnerabilities
- --noprefetch
Do not analyze prefetch directory
- --nogroupsxml
Do not analyze groups.xml
- --nowmipersistence
Do not check WMI Persistence
- --nolnk
Do not analyze LNK files
- --noknowledgedb
Do not check Knowledge DB on Mac OS
- --nower
Do not analyze .wer files
- --noevtx
Do not analyze EVTX files
- --noauthorizedkeys
Do not analyze authorized_keys files
- --noimphash
Do not calculate imphash for suspicious EXE files (Windows only)
- --c2-in-memory
Apply C2 IOCs on process memory (not recommended unless you are willing to accept many false positives on browser and other process memories)
- --custom-c2-in-memory
Apply custom C2 IOCs on process memory
- --noeml
Disable Email parser
- --noetl
Disable ETL parser
14.10. Feature Extras
- --customonly
Use custom signatures only (disables all internal THOR signatures and detections)
- --full-proc-integrity
Increase sensitivity of --processintegrity for process impersonation detection. Likely to cause false positives, but also better at detecting real threats.
- --processintegrity
Run PE-Sieve to check for process integrity (Windows only)
14.11. Output Options
- -l, --logfile string
Log file for text output
- --htmlfile string
Log file for HTML output
- --nolog
Do not generate text or HTML log files
- --nohtml
Do not create an HTML report file
- --appendlog
Append text log to existing log instead of overwriting
- --keyval
Format text and HTML log files with key value pairs to simplify the field extraction in SIEM systems (key='value')
- --jsonfile string
Log file for JSON output. If no value is specified, defaults to :hostname:_thor_:time:.json.
- -o, --csvfile string
Generate a CSV containing MD5,Filepath,Score for all files with at least the minimum score
- --nocsv
Do not write a CSV of all mentioned files with MD5 hash (see --csvfile)
- --stats-file string
Generate a CSV file containing the scan summary in a single line. If no value is specified, defaults to :hostname:_stats.csv.
- -e, --rebase-dir string
Specify the output directory where all output files will be written. Defaults to the current working directory.
- --suppresspi
Suppress all personal information in log outputs to comply with local data protection policies
- --eventlog
Log to windows application eventlog
- -x, --min int
Only report files with at least this score
- --allreasons
Show all reasons why a match is considered dangerous (default: only the top 2 reasons are displayed)
- --printshim
Include all SHIM cache entries in the output as 'info' level messages
- --printamcache
Include all AmCache entries in the output as 'info' level messages
- -j, --overwrite-hostname string
Override the local hostname value with a static value (useful when scanning mounted images in the lab. Requires a Forensic Lab license.
- -i, --scanid string
Specify a scan identifier (useful to filter on the scan ID, should be unique)
- --scanid-prefix string
Specify a prefix for the scan ID that is concatenated with a random ID if neither --scanid nor --noscanid are specified
- --noscanid
Do not automatically generate a scan identifier if none is specified
- --silent
Do not print anything to command line
- --cmdjson
Format command line output as JSON
- --cmdkeyval
Use key-value pairs for command line output, see --keyval
- --encrypt
Encrypt the generated log files and the MD5 csv file
- --pubkey string
Use this RSA public key to encrypt the logfile and csvfile (see --encrypt). Both --pubkey="<key>" and --pubkey="<file>" are supported.
- --nocolor
Do not use ANSI escape sequences for colorized command line output
- --genid
Print a unique ID for each log message. Identical log messages will have the same ID.
- --print-rescontrol
Print THOR's resource threshold and usage when it is checked
- --truncate int
Max. length per THOR value (0 = no truncation)
- --registry_depth_print int
Don't print info messages when traversing registry keys at a higher depth than this
- --utc
Print timestamps in UTC instead of local time zone
- --rfc3339
Print timestamps in RFC3339 (YYYY-MM-DD'T'HH:mm:ss'Z') format
- --reduced
Reduced output mode - only warnings, alerts and errors will be printed
- --printlicenses
Print all licenses to command line (default: only 10 licenses will be printed)
- --local-syslog
Print THOR events to local syslog
- --showall
Print rule matches even if that rule already matched more than 10 times.
- --ascii
Don't print non-ASCII characters to command line and log files
- --string-context uint
When printing strings from YARA matches, include this many bytes surrounding the match
- --include-info-in-html
Include info messages in the HTML report
- --audit-trail string
Output file for audit trail
- --background string
Optimize font colors for given terminal background (options: default, light, dark)
14.12. ThorDB
- --dbfile string
Location of the thor.db file
- --resumeonly
Don't start a new scan, only finish an interrupted one. If no interrupted scan exists, nothing is done.
- --resume
Store information while running that allows to resume an interrupted scan later. If a previous scan was interrupted, resume it instead of starting a new one.
14.13. Syslog
- -s, --syslog strings
Write output to the specified syslog server, format: server[:port[:syslogtype[:sockettype]]].
Supported syslog types: DEFAULT/CEF/JSON/SYSLOGJSON/SYSLOGKV
Supported socket types: UDP/TCP/TCPTLS
Examples: -s syslog1.dom.net, -s arcsight.dom.net:514:CEF:UDP, -s syslog2:4514:DEFAULT:TCP, -s syslog3:514:JSON:TCPTLS
- --rfc3164
Truncate long Syslog messages to 1024 bytes
- --rfc5424
Truncate long Syslog messages to 2048 bytes
- --rfc
Use strict syslog according to RFC 3164 (simple host name, shortened message)
- --maxsysloglength int
Truncate Syslog messages to the given length (0 means no truncation)
- --cef_level int
Define the minimum severity level to log to CEF syslogs (Debug=1, Info=3, Notice=4, Error=5, Warning=8, Alarm=10)
14.14. Reporting and Actions
- --notice int
Minimum score on which a notice is generated
- --warning int
Minimum score on which a warning is generated
- --alert int
Minimum score on which an alert is generated
- --action_command string
Run this command for each file that has a score greater than the score from --action_level.
- --action_args strings
Arguments to pass to the command specified via --action_command.
The placeholders %filename%, %filepath%, %file%, %ext%, %md5%, %score% and %date% are replaced at execution time.
- --action_level int
Only run the command from --action_command for files with at least this score.
- --nofserrors
Silently ignore filesystem errors
14.15. THOR Remote
- --remote strings
Target host (use multiple --remote <host> statements for a set of hosts)
- --remote-user string
Username (if not specified, windows integrated authentication is used)
- --remote-password string
Password to be used to authenticate against remote hosts
- --remote-prompt
Prompt for password for remote hosts
- --remote-debug
Debug Mode for THOR Remote
- --remote-dir string
Upload THOR to this remote directory
- --remote-workers int
Number of concurrent scans
- --remote-rate int
Number of seconds to wait between scan starts
14.16. Automatic Collection of Suspicious Files (Bifrost)
- --bifrost2Server string
Server running the Bifrost 2 quarantine service. THOR will upload all suspicious files to this server.
This flag is only usable when invoking THOR from ASGARD 2.
- --bifrost2Score int
Send all files with at least this score to the Bifrost 2 quarantine service.
This flag is only usable when invoking THOR from ASGARD 2.
14.17. VirusTotal Integration
- --vtkey string
Virustotal API key for hash / sample uploads
- --vtmode string
VirusTotal lookup mode (limited = hash lookups only, full = hash and sample uploads)
- --vtscore int
Minimum score for hash lookup / sample upload to VirusTotal
- --vtaccepteula
By specifying this option, you accept VirusTotal's EULA: https://www.virustotal.com/en/about/terms-of-service/
- --vtwaitforquota
Wait if the VirusTotal API key quota is exceeded
- --vtverbose
Show more information from VirusTotal
14.18. Debugging and Info
- --debug
Show Debugging Output
- --trace
Show Tracing Output
- --printall
Print all files that are checked (noisy)
- --print-signatures
Show THOR Signatures and IOCs and exit
- --version
Show THOR, signature and software versions and exit
- -h, --help
Show help for most important options and exit
- --fullhelp
Show help for all options and exit