6. Scan Modes

You can select between six different scan modes in THOR:

  • Default

    We recommend using the default scan mode for all sweeping activities. Scans take from one to six hours, depending on the partition size and number of interesting files.

    In default mode, THOR automatically chooses the "Soft" mode if the system has only limited CPU and RAM resources.

    There is also a special "Lab Scanning" mode (--lab), described in section Lab Scanning, which disables many limitations and allows scanning mounted images in a lab scenario, even with multiple THOR instances on a single workstation.

    Note: "Lab Scanning" requires a special forensic license.

  • Quick --quick

    This is the fastest mode and follows the "Pareto Principle": it covers 80% of the modules and checks in 20% of the normal scan time. In "quick" mode, THOR skips elements that have not been created or modified within the last 2 days in the "Eventlog", "Registry" and "Filescan" modules. A set of 40+ predefined directories (e.g. AppData, Recycler, System32) is still checked completely. "Quick" mode is considered the "preventive" scan mode: less intense and very fast.

Themed scan modes:

  • Soft --soft (force disable with --nosoft)

    This mode disables all modules and checks that could be risky for system stability. It is activated automatically (see chapter Automatic Soft Mode) on:

    • Systems with only a single CPU core

    • Systems with less than 1024 MB of RAM

  • Lab Scan --lab

    This mode scans only the file system and disables all other modules (see Lab Scanning for more details and the flags used in this scan mode).

    Example:

    user@unix:~/thor$ ./thor64 --lab -p /mnt/image_c/
    
  • Intense --intense

    This mode is meant for system scanning in a non-productive or lab environment. It disables several speed optimizations and enables time-consuming extra checks for best detection results. Be careful with this mode on database servers, as this could corrupt your database due to the high load of the server. Snapshots/backups are advised before using this mode.

  • Difference --diff

    Diff mode looks up the last scan and the last finished modules in the local THOR DB and scans only elements on disk that have been changed or created since that scan started. This mode applies shortcuts to the "Filesystem", "Eventlog" and "Registry" modules. Diff scans are typically the shortest scans but require a completed previous scan. Because the selection is based on timestamps, this scan mode is also susceptible to so-called "Timestomping".

These scan modes can also be combined, e.g. --soft --diff, though not every combination makes sense (e.g. --soft --intense).
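The quick-mode window and the diff-mode selection described above, modelled in Python on constructed file metadata. This is an added illustration, not THOR's own code: the predefined directory list, the file records and the ctime comparison are assumptions. It also shows why a selection keyed on mtime alone is open to timestomping, and what a selection that additionally uses the filesystem change time would pick up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed stand-in for the 40+ predefined directories quick mode always scans;
# the real list is not on the page, these three are constructed examples.
ALWAYS_SCANNED = ("C:\\Windows\\System32", "C:\\Users\\alice\\AppData", "C:\\$Recycle.Bin")

@dataclass(frozen=True)
class FileMeta:
    """Constructed metadata record: mtime can be set by ordinary tools, ctime cannot."""
    path: str
    mtime: datetime  # last content modification
    ctime: datetime  # filesystem change time (POSIX ctime / NTFS change time)

def quick_candidates(files, now, window_days=2):
    """Quick mode: files created or modified within the last 2 days,
    plus everything under the predefined directories."""
    cutoff = now - timedelta(days=window_days)
    return [f.path for f in files
            if f.mtime >= cutoff or f.path.startswith(ALWAYS_SCANNED)]

def diff_candidates(files, last_scan_start):
    """Diff mode: only files changed since the previous scan started.
    A file whose mtime was set back before that point drops out of the scan."""
    return [f.path for f in files if f.mtime >= last_scan_start]

def diff_candidates_ctime(files, last_scan_start):
    """Defender's comparison (not a THOR option): also key on ctime, which
    utime-style APIs cannot set back. Catches backdated mtimes, at the cost of
    also selecting metadata-only changes such as chmod or rename."""
    return [f.path for f in files if max(f.mtime, f.ctime) >= last_scan_start]

# Constructed sample: previous scan started 2024-05-01, this one runs on 2024-05-08.
LAST_SCAN_START = datetime(2024, 5, 1)
NOW = datetime(2024, 5, 8)
SAMPLE_FILES = [
    FileMeta("C:\\Temp\\report.docx", datetime(2024, 5, 7), datetime(2024, 5, 7)),
    FileMeta("C:\\Temp\\old.log", datetime(2024, 5, 2), datetime(2024, 5, 2)),
    FileMeta("C:\\Windows\\System32\\drivers\\etc\\hosts", datetime(2023, 1, 1), datetime(2023, 1, 1)),
    # mtime pushed years into the past while the change time shows the real write
    FileMeta("C:\\Temp\\backdated.exe", datetime(2019, 3, 3), datetime(2024, 5, 7)),
]

if __name__ == "__main__":
    print("quick:", quick_candidates(SAMPLE_FILES, NOW))
    print("diff: ", diff_candidates(SAMPLE_FILES, LAST_SCAN_START))
    print("ctime:", diff_candidates_ctime(SAMPLE_FILES, LAST_SCAN_START))
```

The backdated executable is missed by both the 2-day window and the mtime-based diff selection, which is the timestomping exposure the mode description warns about.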

The following tables give an overview of the active modules and features in the different scan modes. The Modules section lists all available modules, whereas the Features section lists only the features that are handled differently in the different scan modes.

6.1. Modules

Modules are standalone jobs that THOR executes one after the other. Each module performs one job: for example, the File System Scan module scans your file system, and the User Account Check scans your system for user accounts. Modules can invoke one or more Features, which are explained further down in this section.

6.1.1. OS Module Overview

Module                      | Windows       | Linux         | MacOS
----------------------------|---------------|---------------|--------------
File System Scan            | Supported     | Supported     | Supported
Registry Scan               | Supported     | Not Supported | Not Supported
SHIM Cache Scan             | Supported     | Not Supported | Not Supported
Mutex Check                 | Supported     | Not Supported | Not Supported
Named Pipes Check           | Supported     | Not Supported | Not Supported
DNS Cache Check             | Supported     | Supported     | Supported
Hotfix Check                | Supported     | Not Supported | Not Supported
Hosts File Check            | Supported     | Supported     | Supported
Firewall Config Check       | Supported     | Supported     | Not Supported
Network Share Check         | Supported     | Not Supported | Not Supported
Logged In Check             | Supported     | Supported     | Supported
Process Check               | Supported     | Supported [1] | Supported [1]
Service Check               | Supported     | Supported     | Not Supported
Autoruns Check              | Supported     | Supported     | Supported
Rootkit Check               | Supported     | Supported     | Not Supported
LSA Sessions Analysis       | Supported     | Not Supported | Not Supported
User Account Check          | Supported     | Supported     | Supported
User Profile Check          | Supported     | Supported     | Supported
Network Sessions Check      | Supported     | Not Supported | Not Supported
Scheduled Tasks Analysis    | Supported     | Not Supported | Not Supported
WMI Startup Check           | Supported     | Not Supported | Not Supported
At Entries Check            | Supported     | Not Supported | Not Supported
MFT Analysis                | Supported     | Not Supported | Not Supported
Eventlog Analysis           | Supported     | Not Supported | Not Supported
KnowledgeDB Check           | Not Supported | Not Supported | Supported
Environment Variables Check | Supported     | Supported     | Supported
Crontab Check               | Not Supported | Supported     | Not Supported
Integrity Check             | Not Supported | Supported     | Not Supported
Event Check                 | Supported     | Not Supported | Not Supported
ETW Watcher                 | Supported     | Not Supported | Not Supported

Hint: For a list of module names and how to turn them off, please see Scan Module Names.

6.1.2. Scan Mode Overview

Columns: Normal, Quick, Soft, Intense. For each module, the annotated cells are listed in column order; blank cells are omitted.

Module                      | Annotated cells
----------------------------|---------------------------------------
File System Scan            | Reduced
Registry Scan               |
SHIM Cache Scan             |
Mutex Check                 | Disabled
Named Pipes Check           |
DNS Cache Check             |
Hotfix Check                | Disabled
Hosts File Check            | Disabled
Firewall Config Check       | Disabled, Disabled
Network Share Check         | Disabled
Logged In Check             | Enabled [2], Disabled
Process Check               | Reduced [3]
Service Check               |
Autoruns Check              |
Rootkit Check               |
LSA Sessions Analysis       | Disabled
User Account Check          | Enabled [2]
User Profile Check          | Enabled [2], Disabled
Network Sessions Check      | Enabled [2], Disabled
Scheduled Tasks Analysis    |
WMI Startup Check           |
At Entries Check            |
MFT Analysis                | Disabled, Disabled, Disabled, Enabled
Eventlog Analysis           | Disabled
KnowledgeDB Check           |
Environment Variables Check |
Crontab Check               |
Integrity Check             |
Event Check                 |
ETW Watcher                 |

6.1.3. Scan Module Names

Module                      | Module Name     | Disable Module
----------------------------|-----------------|---------------------
File System Scan            | Filescan        | --nofilesystem
Registry Scan               | RegistryChecks  | --noreg
SHIM Cache Scan             | SHIMCache       | --noshimcache
Mutex Check                 | Mutex           | --nomutex
Named Pipes Check           | Pipes           | --nopipes
DNS Cache Check             | DNSCache        | --nodnscache
Hotfix Check                | HotfixCheck     | --nohotfixes
Hosts File Check            | Hosts           | --nohosts
Firewall Config Check       | Firewall        | --nofirewall
Network Share Check         | NetworkShares   | --nonetworkshares
Logged In Check             | LoggedIn        | --nologons
Process Check               | ProcessCheck    | --noprocs
Service Check               | ServiceCheck    | --noservices
Autoruns Check              | Autoruns        | --noautoruns
Rootkit Check               | Rootkit         | --norootkits
LSA Sessions Analysis       | LSASessions     | --nolsasessions
User Account Check          | Users           | --nousers
User Profile Check          | UserDir         | --noprofiles
Network Sessions Check      | NetworkSessions | --nonetworksessions
Scheduled Tasks Analysis    | ScheduledTasks  | --notasks
WMI Startup Check           | WMIStartup      | --nowmi
At Entries Check            | AtJobs          | --noatjobs
MFT Analysis                | MFT             | --nomft
Eventlog Analysis           | Eventlog        | --noeventlog
KnowledgeDB Check           | KnowledgeDB     | --noknowledgedb
Environment Variables Check | EnvCheck        | --noenv
Crontab Check               | Cron            |
Integrity Check             | Integritycheck  | --nointegritycheck
Event Check                 | Events          | --noevents
ETW Watcher                 | EtwWatcher      | --noetwwatcher

6.2. Features

Features are invoked by Modules and provide further details about an item. For example, the File System Scan might find a .zip file during a scan and invoke the Archive Scan feature, which in turn extracts the zip file and scans all the items in it.

Another example is the Eventlog Analysis module, which might invoke the Sigma Scan feature on certain eventlog entries.

Hint: Please see chapter Archive Scan for a list of supported archive formats.

6.2.1. Feature Scan Mode Overview

Feature                      | Normal      | Quick    | Soft     | Intense
-----------------------------|-------------|----------|----------|--------
Sigma Scan                   | Disabled    | Disabled | Disabled | Enabled
EXE Decompression [5]        | Enabled     | Enabled  | Disabled | Enabled
Archive Scan                 | Enabled     | Enabled  | Enabled  | Enabled
Double Pulsar Check [5]      | Enabled     | Enabled  | Disabled | Enabled
Groups XML Analysis          | Enabled     | Enabled  | Enabled  | Enabled
Vulnerability Check          | Enabled     | Enabled  | Enabled  | Enabled
Web Server Dir Scan          | Enabled     | Disabled | Enabled  | Enabled
WMI Persistence              | Enabled     | Enabled  | Enabled  | Enabled
Registry Hive Scan           | Enabled [4] | Enabled  | Enabled  | Enabled
AmCache Analysis             | Enabled     | Enabled  | Enabled  | Enabled
Process Handle Check         | Enabled     | Enabled  | Enabled  | Enabled
Process Connections Check    | Enabled     | Enabled  | Enabled  | Enabled
Windows Error Report (WER)   | Enabled     | Enabled  | Enabled  | Enabled
Windows At Job File Analysis | Enabled     | Enabled  | Enabled  | Enabled
EVTX File Scanning           | Enabled     | Disabled | Enabled  | Enabled
Prefetch Library Scanning    | Enabled     | Enabled  | Enabled  | Enabled
Memory Dump DeepDive         | Disabled    | Disabled | Disabled | Enabled
Text Log File Scanning       | Enabled     | Disabled | Enabled  | Enabled
Shellbag Entry Analysis      | Enabled     | Enabled  | Enabled  | Enabled
Authorized Key File Analysis | Enabled     | Enabled  | Enabled  | Enabled
Bifrost File Upload          | Enabled     | Enabled  | Enabled  | Enabled
Malicious Domain Check       | Enabled     | Enabled  | Enabled  | Enabled
File Scan                    | Enabled     | Enabled  | Enabled  | Enabled
Cobalt Strike Beacon Parsing | Enabled     | Enabled  | Enabled  | Enabled
Process Integrity Check [5]  | Disabled    | Disabled | Disabled | Enabled
SHIM Cache Analysis          | Enabled     | Enabled  | Enabled  | Enabled
ETL File Scanning [5]        | Enabled     | Enabled  | Enabled  | Enabled

6.2.2. Feature caller list

The following table gives an overview of THOR's features and of the modules and other features that call them.

Feature                      | Callers
-----------------------------|--------------------------------
Sigma Scan                   | Eventlog, Log file scanning
EXE Decompression            | File Scan
Archive Scan                 | File Scan
Double Pulsar Check          | Rootkit Check
Groups XML Analysis          | File Scan
Vulnerability Check          | File Scan
Web Server Dir Scan          | Process Check
WMI Persistence              | File Scan
Registry Hive Scan           | File Scan
AmCache Analysis             | File Scan
Process Handle Check         | Process Check
Process Memory Check         | Process Check
Process Connections Check    | Process Check
Windows Error Report (WER)   | File Scan
Windows At Job File Analysis | File Scan
EVTX File Scanning           | File Scan
Prefetch Library Scanning    | File Scan
Memory Dump DeepDive         | File Scan
Text Log File Scanning       | File Scan
Shellbag Entry Analysis      | Registry Hive Scan
Authorized Key File Analysis | File Scan
Bifrost File Upload          | File Scan
Malicious Domain Check       | File Scan
File Scan                    | Most modules and features
Cobalt Strike Beacon Parsing | File Scan, Process Check
Process Integrity Check      | Process Check
SHIM Cache Analysis          | SHIM Cache Scan, Registry Hive
ETL File Scanning            | File Scan

6.2.3. Feature selectors

Since THOR 10.7, some features are triggered by YARA rules: when a (meta or generic) YARA rule carrying a specific tag matches a file, the corresponding feature is started and parses that file.

The standard signatures contain a number of rules with these tags; if required, you can add further rules with these tags as custom signatures. The last column states whether the feature is still applied to files that exceed the file size limit.

Tag                | Feature        | Applied regardless of file size limit
-------------------|----------------|--------------------------------------
AMCACHE            | Amcache        | no
ZIPARCHIVE         | Archive        | no
RARARCHIVE         | Archive        | no
TARARCHIVE         | Archive        | no
TARGZARCHIVE       | Archive        | no
TARBZ2ARCHIVE      | Archive        | no
CABARCHIVE         | Archive        | no
GZIPCOMPRESSEDFILE | Archive        | no
SEVENZIPARCHIVE    | Archive        | no
ATJOBS             | AtJobs         | yes
AUDITLOG           | Auditlog       | yes
AUTHORIZEDKEYS     | AuthorizedKeys | yes
EMAILFILE          | EmailParser    | no
ETL                | ETL            | yes
EVTX               | EVTX           | yes
UPX                | ExeDecompress  | no
WINRAR             | ExeDecompress  | no
LNK                | LinkScan       | yes
LOGSCAN            | LogScan        | yes
MFT                | MftFile        | yes
OLE                | OleScan        | no
PREFETCH           | Prefetch       | yes
REGISTRYHIVE       | RegistryHive   | yes
UNESCAPE           | Unescaper      | no
WER                | WER            | yes
WMIPERSISTENCE     | WMIPersistence | yes

6.2.4. Feature names

Feature                                                                                | Feature Name       | Disable Feature
---------------------------------------------------------------------------------------|--------------------|--------------------------------------------------------
Use a persistent database for holding information across scans                         | ThorDB             | --nothordb
Scan with Sigma signatures                                                              | Sigma              | disabled by default, use --sigma to enable
Scan log file (identified by .log extension or location) entries one by one             | LogScan            | --nologscan
Check files, processes or blobs with YARA                                               | Yara               |
Check files with STIX                                                                   | Stix               | --nostix
Extract files contained in archives                                                     | Archive            | --noarchive
Scan files contained in archives                                                        | ArchiveScan        | --noarchive
Run checks for known C2 domains                                                         | C2                 | --noc2
Analyze process handles                                                                 | ProcessHandles     | --noprochandles
Analyze process connections                                                             | ProcessConnections | --noprocconnections
Analyze entries in Amcache files                                                        | Amcache            | --noamcache
Parse and analyze registry hives                                                        | RegistryHive       | --noregistryhive
Decompress and scan UPX or SFX packed portable executables                              | ExeDecompress      | --noexedecompress
Analyze web directories that were found in process handles                              | WebdirScan         | --nowebdirscan
Search for configuration file vulnerabilities (e.g. weak Tomcat passwords)              | VulnerabilityCheck | --novulnerabilitycheck
Parse Windows prefetch directories                                                      | Prefetch           | --noprefetch
Parse groups.xml files (for AD permissions) and search for vulnerabilities              | GroupsXML          | --nogroupsxml
Parse WMI Persistence directories                                                       | WMIPersistence     | --nowmipersistence
Parse and analyze LNK files                                                             | Lnk                | --nolnk
Check Knowledge DB on Mac OS                                                            | KnowledgeDB        | --noknowledgedb
Parse .wer crash dump files                                                             | WER                | --nower
Parse EVTX eventlogs and scan the contained log entries                                 | EVTX               | --noevtx
Analyze authorized_keys SSH files                                                       | AuthorizedKeys     | --noauthorizedkeys
Parse and analyze .eml email files                                                      | Eml                | --noeml
Parse Windows Event Trace Logging files and scan the contained logs                     | ETL                | --noetl
Parse job files scheduled with the 'at' tool                                            | AtJobs             | --noatjobs
Upload suspicious files to a server running the Bifrost 2 quarantine service            | Bifrost2           | disabled by default, use --bifrost2Server to enable
Scan multiple entries as a single block                                                 | BulkScan           | can't be disabled
Disable cpulimit check                                                                  | CPULimit           | --nocpulimit
Run filename IOC, keyword IOC, and YARA rules on a chunk of data                        | CheckString        | can't be disabled
Parse crontab files and analyze their entries                                           | CronParser         | can't be disabled
Check for DoublePulsar backdoor in the rootkit module                                   | DoublePulsar       | --nodoublepulsar
Gather additional information (like hashes, owner, timestamps, ...) about file paths    | EnrichFileInfo     | can't be disabled
Apply filename IOCs                                                                     | FilenameIOCs       | can't be disabled
Scan files and similar objects                                                          | Filescan           | can't be disabled
Apply keyword IOCs                                                                      | KeywordIOCs        | can't be disabled
Log information during a THOR run                                                       | Logger             | can't be disabled
Detect a file's type based on its first bytes                                           | MagicHeader        | can't be disabled
Parse OLE files (e.g. old MS Office documents, or MS Office macros)                     | OLE                | can't be disabled
Parse additional information from a detected CobaltStrike beacon                        | ParseCobaltStrike  | can't be disabled
Keep and display information about THOR's current activity                              | ProgressTracker    | can't be disabled
Parse additional information from files in a Windows recycle bin                        | RecycleBin         | can't be disabled
Check whether the system is running out of RAM, and end THOR if this is the case        | Rescontrol         | --norescontrol
Parse SHIM Caches from registry and analyze their entries                               | SHIMCache          | --noshimcache
React to interrupts from outside THOR in a controlled manner                            | SignalHandler      | can't be disabled
Look for unencrypted TeamViewer passwords in registry hives                             | TeamViewer         | can't be disabled
Add additional information from VirusTotal to detected files                            | VirusTotal         | disabled by default, use --vtkey to enable
Run a user defined command for detected files                                           | Action             | disabled by default, use --action_command to enable
Write a detailed output file with information about all scanned elements                | AuditTrail         | disabled by default, use --audit-trail to enable
Scan memory dump files in chunks                                                        | DumpScan           | disabled by default, use --dumpscan to enable
Scan processes with PE-Sieve to check for process integrity (Windows only)              | ProcessIntegrity   | disabled by default, use --processintegrity to enable