14. Command Line Options

This section lists all options that THOR TechPreview currently offers.

14.1. Scan Options

-t, --template string

Process default scan parameters from this YAML file


Print a YAML config from the given parameters and exit

-p, --path strings

Scan a specific file path. Define multiple paths by specifying this option multiple times. Append ':NOWALK' to the path for non-recursive scanning (default: only the system drive)


(Windows Only) Scan all local hard drives (default: only the system drive)


Scan all local drives, including network drives (default: only the system drive). Requires a Forensic Lab license.

--max_file_size uint

Max. file size to check (larger files are ignored). Increasing this limit will also increase memory usage of THOR.

--max_log_lines int

Maximum amount of lines to check in a log file before skipping the remaining lines

--max_process_size uint

Max process size to check (larger processes won't be scanned)

--max_runtime int

Maximum runtime in hours. THOR will stop once this time has run out. 0 means no maximum runtime.


Don't check whether another THOR instance is running (e.g. in lab use cases where several mounted images are scanned simultaneously on a single system). Requires a Forensic Lab license.

-f, --epoch strings

Specify a range of days with attacker activity as start and end date pairs.

Files created/modified between these days (including the specified start, excluding the specified end) will receive an extra score.

Example: -f 2009-10-09 -f 2009-10-10 marks 09.10.2009 (9 October 2009) as relevant.

--epochscore int

Score to add for files that were created/modified on days with attacker activity (see --epoch parameter)


Skip TLS host verification (insecure)

--ca strings

Root CA for host certificate verification during TLS handshakes


Apply IOCs with path separators platform independently.


Terminate immediately if THOR is executed without administrator rights.


When encountering a symlink during the file scan that points to a directory, scan the directory.

--max-recursion-depth uint

Maximum depth of archives to scan

--max-nested-objects uint

Maximum number of files per archive to scan

14.2. Scan Modes


Activate a number of flags to speed up the scan at the cost of some detection coverage.

This is equivalent to: --noeventlog --nofirewall --noprofiles --nologscan --noevtx --nohotfixes --nomft --lookback 3 --lookback-modules filescan


Skip CPU and RAM intensive modules (Mutexes, Firewall, Logons, Network sessions and shares, LSA sessions, open files, hosts file), do not decompress executables, do not perform the DoublePulsar backdoor check, lower the maximum CPU usage to 70% and set a low priority for THOR.

This mode activates automatically on systems with 1 CPU core or less than 1024 MB RAM.


Paranoid scan mode that disables all safeguards. Only use this mode in lab scanning scenarios. We don't recommend using this mode to live-scan production systems. (enables: memory intensive extra modules)


Sets the lookback time (see --lookback) for each module to the last time the module ran successfully and activates --global-lookback.

Effectively, this means that only elements that changed since the last scan are examined. (only works if ThorDB has been active)

--lookback int

Specify how many past days shall be analyzed. Event log entries from before this point will be ignored. 0 means no limit.


Apply Lookback to all modules that support it (not only Eventlog). See also --lookback and --lookback-modules.

Warning: Timestomping or similar methods of antivirus evasion may result in elements not being examined.


Enforce lookback application on all files in the FileScan module. By default, directories that are especially at risk ignore the lookback value.

--lookback-modules strings

Apply Lookback to the given modules. See also --lookback and --modules.

Warning: Timestomping or similar methods of antivirus evasion may result in elements not being examined.


Lab scan mode - scan only the file system, disable resource checks and quick mode, activate intense mode, disable ThorDB, apply IOCs platform independently and use all CPU cores.

This option scans all drives by default, but is often used with -p to scan only a single path. Requires a Forensic Lab license.

--virtual-map strings

Rewrite found file paths to use a different prefix.

This can be useful for mounted images, where the current location of files does not match the original location and therefore references might be out of date.

Specify the original and current path as --virtual-map path/to/current/location:path/to/original/location.

On Windows, drive names are also supported, e.g. specify --virtual-map F:C if the drive on F: was originally used as C:.

Requires a Forensic Lab license.

14.3. Resource Options

-c, --cpulimit float

Limit CPU usage of THOR to this level (in percent). Minimum is 15%.


Disable cpulimit check


Disable automatic activation of soft mode (see --soft)


Do not check whether the system is running out of resources. Use this option to enforce scans that have been canceled due to resource scarcity. (use with care!)

--minmem uint

Cancel the running scan if the amount of free physical memory drops below this value (in MB)


Reduce the priority of the THOR process to a lower level


Reduce the priority of the THOR process to a very low level


Reduce the disk priority of the THOR process to a lower level


Do not reduce the priority of the THOR process to a lower level due to soft mode (see --soft)


Do not lock calls to C libraries to the main thread (this may increase performance at the cost of memory usage)

--yara-stack-size int

Allocate this number of slots for the YARA stack. Default: 16384. Increasing this limit will allow you to use larger rules, albeit with more memory overhead.

--yara-timeout int

Cancel any YARA checks that take longer than this amount of time (in seconds)

--threads uint16

Run this amount of THOR threads in parallel. Requires a Forensic Lab license.

--bulk-size uint

Check this amount of elements together, e.g. log lines or registry entries

14.4. Special Scan Modes

-m, --image_file string

Scan only the given single memory image / dump file (don't use for disk images, scan them mounted with --lab). Requires a Forensic Lab license.

--image-chunk-size uint

Scan image / dump files in chunks of this size

-r, --restore_directory string

Restore PE files with YARA rule matches during the DeepDive into the given folder

--restore_score int

Restore only chunks with a total match score higher than the given value


Watch and scan all files dropped to a certain directory (which must be passed with -p). Disable resource checks and quick mode, activate intense mode, disable ThorDB and apply IOCs platform independently. Requires a Forensic Lab license.


Delete all files dropped to the drop zone after the scan.

14.5. Thor Thunderstorm Service


Watch and scan all files sent to a specific port (see --server-port). Disable resource checks and quick mode, activate intense mode, disable ThorDB and apply IOCs platform independently.

--server-upload-dir string

Path to a directory where THOR drops uploaded files.

If this path does not exist, THOR tries to create it.

--server-host string

IP address that THOR's server should bind to.

--server-port uint16

TCP port that THOR's server should bind to.

--server-cert string

TLS certificate that THOR's server should use. If left empty, TLS is not used.

--server-key string

Private key for the TLS certificate that THOR's server should use. Required if --server-cert is specified.

--server-store-samples string

Sets whether samples should be stored permanently in the folder specified with --server-upload-dir.

Specify "all" to store all samples, or "malicious" to store only samples that generated a warning or an alert.

--server-result-cache-size uint32

Size of the cache that is used to store results of asynchronous requests temporarily.

If set to 0, the cache is disabled and asynchronous results are not stored.


Only scan files using YARA signatures (disables all programmatic checks, STIX, Sigma, IOCs, as well as most features and modules)

--sync-only-threads uint16

Reserve this amount of THOR threads for synchronous requests


Enforce the maximum file size even on files like registry hives or log files which are usually scanned despite size.

14.6. License Retrieval

--asgard string

Hostname of the ASGARD server from which a license should be requested, e.g. asgard.my-company.internal

--asgard-token string

Use this token to authenticate with the License API of the ASGARD server. The token can be found in the 'Downloads' or 'Licensing' section of the ASGARD. This requires ASGARD 2.5+.

-q, --license-path string

Path containing the THOR license

--portal-key string

Get a license for this host from portal.nextron-systems.com using this API Key.

This feature is only supported for host-based server / workstation contracts.

--portal-contracts ints

Use these contracts for license generation. If no contract is specified, the portal selects a contract by itself. See --portal-key.


Only use an existing license from the portal. If none exists, exit. See --portal-key.

14.7. Active Modules

-a, --module strings

Activate the following modules only (Specify multiple modules with -a Module1 -a Module2 ... -a ModuleN).


Do not analyze Processes


Do not scan the file system


Do not analyze the registry


Do not analyze user accounts


Do not show currently logged in users


Do not analyze autorun elements


Do not analyze the eventlog


Do not check for rootkits


Do not check for malicious events


Do not analyze the local DNS cache


Do not analyze environment variables


Do not analyze the hosts file


Do not check for malicious mutexes


Do not analyze scheduled tasks


Do not analyze services


Do not analyze profile directories


Do not analyze jobs scheduled with the 'at' tool


Do not analyze network sessions


Do not analyze network shares


Do not analyze SHIM Cache entries


Do not analyze Hotfixes


Do not analyze startup elements using WMI


Do not analyze the local Firewall


Disable all checks with WMI functions


Do not analyze LSA sessions


Do not analyze the drive's MFT (default, unless in intense mode)


Analyze the drive's MFT


Do not analyze named pipes


Do not analyze ETW logs during THOR runtime


Do not check with the package manager for package integrity on Linux


Disable timestomping detection

14.8. Module Extras

--process ints

Process IDs to be scanned. Define multiple processes by specifying this option multiple times (default: all processes) (Module: ProcessCheck)


Generate process dumps for suspicious or malicious processes (Module: ProcessCheck)

--max-procdumps uint

Create at most this many process dumps (Module: ProcessCheck)

--procdump-dir string

Store process dumps of suspicious processes in this directory (Module: ProcessCheck)

-n, --eventlog-target strings

Scan specific Eventlogs (e.g. 'Security' or 'Microsoft-Windows-Sysmon/Operational') (Module: Eventlog)


Do not check for DoublePulsar Backdoor (Module: Rootkit)


Do not skip registry hive keys of lower relevance (Module: Registry)


Do not scan the whole registry during the registry scan


Show deleted files found in the MFT as 'info' messages.


Scan all files, even ones that are usually not interesting. Sets --max_file_size to 200MB unless specified otherwise.


Scan Alternate Data Streams for all files

14.9. Active Features


Do not use or create ThorDB database for holding scan information


Disable Sigma signatures


Scan memory dumps


Do not scan log files (identified by .log extension or location)


Disable checks with YARA


Disable checks with STIX


Do not scan contents of archives


Disable checks for known C2 Domains


Do not analyze process handles


Do not analyze process connections


Do not analyze Amcache files


Do not analyze Registry Hive files


Do not decompress and scan portable executables


Do not analyze web directories that were found in process handles


Do not analyze system for vulnerabilities


Do not analyze prefetch directory


Do not analyze groups.xml


Do not check WMI Persistence


Do not analyze LNK files


Do not check Knowledge DB on Mac OS


Do not analyze .wer files


Do not analyze EVTX files


Do not analyze authorized_keys files


Do not calculate imphash for suspicious EXE files (Windows only)


Apply C2 IOCs on process memory (not recommended unless you are willing to accept many false positives on browser and other process memories)


Apply custom C2 IOCs on process memory


Disable Email parser


Disable ETL parser

14.10. Feature Extras


Use custom signatures only (disables all internal THOR signatures and detections)


Increase sensitivity of --processintegrity for process impersonation detection. Likely to cause false positives, but also better at detecting real threats.


Run PE-Sieve to check for process integrity (Windows only)

14.11. Output Options

-l, --logfile string

Log file for text output

--htmlfile string

Log file for HTML output


Do not generate text or HTML log files


Do not create an HTML report file


Append text log to existing log instead of overwriting


Format text and HTML log files with key value pairs to simplify the field extraction in SIEM systems (key='value')

--jsonfile string

Log file for JSON output. If no value is specified, defaults to :hostname:_thor_:time:.json.

-o, --csvfile string

Generate a CSV containing MD5,Filepath,Score for all files with at least the minimum score


Do not write a CSV of all mentioned files with MD5 hash (see --csvfile)

--stats-file string

Generate a CSV file containing the scan summary in a single line. If no value is specified, defaults to :hostname:_stats.csv.

-e, --rebase-dir string

Specify the output directory where all output files will be written. Defaults to the current working directory.


Suppress all personal information in log outputs to comply with local data protection policies


Log to the Windows Application event log

-x, --min int

Only report files with at least this score


Show all reasons why a match is considered dangerous (default: only the top 2 reasons are displayed)


Include all SHIM cache entries in the output as 'info' level messages


Include all AmCache entries in the output as 'info' level messages

-j, --overwrite-hostname string

Override the local hostname value with a static value (useful when scanning mounted images in the lab). Requires a Forensic Lab license.

-i, --scanid string

Specify a scan identifier (useful to filter on the scan ID, should be unique)

--scanid-prefix string

Specify a prefix for the scan ID that is concatenated with a random ID if neither --scanid nor --noscanid are specified


Do not automatically generate a scan identifier if none is specified


Do not print anything to command line


Format command line output as JSON


Use key-value pairs for command line output, see --keyval


Encrypt the generated log files and the MD5 csv file

--pubkey string

Use this RSA public key to encrypt the logfile and csvfile (see --encrypt). Both --pubkey="<key>" and --pubkey="<file>" are supported.


Do not use ANSI escape sequences for colorized command line output


Print a unique ID for each log message. Identical log messages will have the same ID.


Print THOR's resource threshold and usage when it is checked

--truncate int

Max. length per THOR value (0 = no truncation)

--registry_depth_print int

Don't print info messages when traversing registry keys at a higher depth than this


Print timestamps in UTC instead of local time zone


Print timestamps in RFC3339 (YYYY-MM-DD'T'HH:mm:ss'Z') format


Reduced output mode - only warnings, alerts and errors will be printed


Print all licenses to command line (default: only 10 licenses will be printed)


Print THOR events to local syslog


Print rule matches even if that rule already matched more than 10 times.


Don't print non-ASCII characters to command line and log files

--string-context uint

When printing strings from YARA matches, include this many bytes surrounding the match


Include info messages in the HTML report

--audit-trail string

Output file for audit trail

--background string

Optimize font colors for given terminal background (options: default, light, dark)

14.12. ThorDB

--dbfile string

Location of the thor.db file


Don't start a new scan, only finish an interrupted one. If no interrupted scan exists, nothing is done.


Store information while running that allows to resume an interrupted scan later. If a previous scan was interrupted, resume it instead of starting a new one.

14.13. Syslog

-s, --syslog strings

Write output to the specified syslog server, format: server[:port[:syslogtype[:sockettype]]].


Supported socket types: UDP/TCP/TCPTLS

Examples: -s syslog1.dom.net, -s arcsight.dom.net:514:CEF:UDP, -s syslog2:4514:DEFAULT:TCP, -s syslog3:514:JSON:TCPTLS


Truncate long Syslog messages to 1024 bytes


Truncate long Syslog messages to 2048 bytes


Use strict syslog according to RFC 3164 (simple host name, shortened message)

--maxsysloglength int

Truncate Syslog messages to the given length (0 means no truncation)

--cef_level int

Define the minimum severity level to log to CEF syslogs (Debug=1, Info=3, Notice=4, Error=5, Warning=8, Alarm=10)

14.14. Reporting and Actions

--notice int

Minimum score on which a notice is generated

--warning int

Minimum score on which a warning is generated

--alert int

Minimum score on which an alert is generated

--action_command string

Run this command for each file that has a score greater than the score from --action_level.

--action_args strings

Arguments to pass to the command specified via --action_command.

The placeholders %filename%, %filepath%, %file%, %ext%, %md5%, %score% and %date% are replaced at execution time.

--action_level int

Only run the command from --action_command for files with at least this score.
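The following script is an added example of a handler for --action_command, not part of the THOR documentation or product. It assumes THOR is invoked as `thor --action_level 60 --action_command /opt/ir/quarantine.sh --action_args %filepath% --action_args %md5% --action_args %score% --action_args %date%`, so that the placeholders listed above arrive as four positional arguments; the script name, the quarantine directory and the index file layout are assumptions.

```bash
#!/bin/sh
# Hypothetical quarantine handler for THOR's --action_command (example, not THOR code).
# Assumed invocation from THOR:
#   thor --action_level 60 --action_command /opt/ir/quarantine.sh \
#        --action_args %filepath% --action_args %md5% \
#        --action_args %score% --action_args %date%
# THOR replaces the placeholders at execution time, so $1..$4 hold the resolved values.

# Destination folder for preserved copies (assumption; override via environment).
QUARANTINE_DIR="${QUARANTINE_DIR:-/var/quarantine}"

# quarantine_file <filepath> <md5> <score> <date>
# Copies the flagged file into QUARANTINE_DIR under its MD5 (stable name, no clashes),
# leaves the original untouched for forensic review, and appends one CSV line to an
# index file. Returns 0 on success, 1 if the source is missing or the copy fails.
quarantine_file() {
    src="$1"; md5="$2"; score="$3"; when="$4"
    [ -f "$src" ] || { echo "quarantine: missing source $src" >&2; return 1; }
    mkdir -p "$QUARANTINE_DIR" || return 1
    # Normalise the hash so the same sample always maps to the same file name.
    name=$(printf '%s' "$md5" | tr 'A-Z' 'a-z')
    dst="$QUARANTINE_DIR/$name.bin"
    # Same hash seen before: keep the existing copy, just record the new sighting.
    if [ ! -f "$dst" ]; then
        # Copy and strip execute bits: stored samples must never be runnable.
        cp "$src" "$dst" && chmod 0400 "$dst" || return 1
    fi
    printf '%s,%s,%s,%s\n' "$when" "$name" "$score" "$src" >> "$QUARANTINE_DIR/index.csv"
    return 0
}

# When run as the script itself, forward THOR's arguments; the exit code signals
# success or failure back to the caller.
if [ "${0##*/}" = "quarantine.sh" ]; then
    quarantine_file "$@"
fi
```

Keep the handler short and non-interactive: THOR runs it once per matching file, so a slow or blocking command delays the scan.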


Silently ignore filesystem errors

14.15. THOR Remote

--remote strings

Target host (use multiple --remote <host> statements for a set of hosts)

--remote-user string

Username (if not specified, Windows integrated authentication is used)

--remote-password string

Password to be used to authenticate against remote hosts


Prompt for password for remote hosts


Debug Mode for THOR Remote

--remote-dir string

Upload THOR to this remote directory

--remote-workers int

Number of concurrent scans

--remote-rate int

Number of seconds to wait between scan starts

14.16. Automatic Collection of Suspicious Files (Bifrost)

--bifrost2Server string

Server running the Bifrost 2 quarantine service. THOR will upload all suspicious files to this server.

This flag is only usable when invoking THOR from ASGARD 2.

--bifrost2Score int

Send all files with at least this score to the Bifrost 2 quarantine service.

This flag is only usable when invoking THOR from ASGARD 2.

14.17. VirusTotal Integration

--vtkey string

VirusTotal API key for hash / sample uploads

--vtmode string

VirusTotal lookup mode (limited = hash lookups only, full = hash and sample uploads)

--vtscore int

Minimum score for hash lookup / sample upload to VirusTotal


By specifying this option, you accept VirusTotal's EULA: https://www.virustotal.com/en/about/terms-of-service/


Wait if the VirusTotal API key quota is exceeded


Show more information from VirusTotal

14.18. Debugging and Info


Show Debugging Output


Show Tracing Output


Print all files that are checked (noisy)


Show THOR Signatures and IOCs and exit


Show THOR, signature and software versions and exit

-h, --help

Show help for most important options and exit


Show help for all options and exit