6. Scan Modes
You can select between six different scan modes in THOR:
Default
We recommend using the default scan mode for all sweeping activities. Scans take from one to six hours, depending on the partition size and number of interesting files.
In default mode, THOR automatically chooses the "Soft" mode if the system has only limited CPU and RAM resources.
There is a special "Lab Scanning" (--lab) method, described in section Lab Scanning, which disables many limitations and allows scanning mounted images in a lab scenario, even with multiple THOR instances on a single workstation.
Note: "Lab Scanning" requires a special forensic license.
Quick
--quick
This mode is the fastest one and follows the "Pareto Principle": it covers 80% of the modules and checks in 20% of the normal scan time. In "quick" mode, THOR skips elements in the "Eventlog", "Registry" and "Filescan" modules that have not been created or modified within the last 2 days. A set of 40+ predefined directories (e.g. AppData, Recycler, System32) is still checked completely. "Quick" mode is considered the "preventive" scan mode: less intense and very fast.
Themed scan modes:
Soft
--soft (force disable with --nosoft)
This mode disables all modules and checks that could be risky for system stability. It is automatically activated on (more details in chapter Automatic Soft Mode):
- Systems with only a single CPU core
- Systems with less than 1024 MB of RAM
Lab Scan
--lab
This mode scans only the file system and disables all other modules (see Lab Scanning for more details and the flags used in this scan mode).
Example:
user@unix:~/thor$ ./thor64 --lab -p /mnt/image_c/
Intense
--intense
This mode is meant for system scanning in a non-productive or lab environment. It disables several speed optimizations and enables time-consuming extra checks for the best detection results. Be careful with this mode on database servers, as the high load it puts on the server could corrupt your database. Snapshots or backups are advised before using this mode.
Difference
--diff
The Diff Mode looks up the last scan and the last finished modules in the local THOR DB and scans only elements on disk that have been changed or created since the start of that scan. This mode applies shortcuts to the "Filesystem", "Eventlog" and "Registry" modules. Diff scans are typically the shortest scans but require a completed previous scan. This scan mode is also susceptible to so-called "Timestomping" (deliberate manipulation of file timestamps, which makes a modified file look unchanged to the diff logic).
These scan modes can also be combined, e.g. --soft --diff, though not all combinations make sense, e.g. --soft --intense.
The following tables give an overview of the active modules and features in the different scan modes. The Modules section lists all available modules, whereas the Features section lists only features that are handled differently in the different scan modes.
6.1. Modules
Modules are standalone jobs that THOR executes one after the other. Each module performs one job: for example, the File System Scan module scans your file system, and the User Account Check scans your system for user accounts. Modules can invoke one or multiple Features, which we explain further down in this section.
6.1.1. OS Module Overview
| Module | Windows | Linux | MacOS |
| --- | --- | --- | --- |
| File System Scan | Supported | Supported | Supported |
| Registry Scan | Supported | Not Supported | Not Supported |
| SHIM Cache Scan | Supported | Not Supported | Not Supported |
| Mutex Check | Supported | Not Supported | Not Supported |
| Named Pipes Check | Supported | Not Supported | Not Supported |
| DNS Cache Check | Supported | Supported | Supported |
| Hotfix Check | Supported | Not Supported | Not Supported |
| Hosts File Check | Supported | Supported | Supported |
| Firewall Config Check | Supported | Supported | Not Supported |
| Network Share Check | Supported | Not Supported | Not Supported |
| Logged In Check | Supported | Supported | Supported |
| Process Check | Supported | Supported [1] | Supported [1] |
| Service Check | Supported | Supported | Not Supported |
| Autoruns Check | Supported | Supported | Supported |
| Rootkit Check | Supported | Supported | Not Supported |
| LSA Sessions Analysis | Supported | Not Supported | Not Supported |
| User Account Check | Supported | Supported | Supported |
| User Profile Check | Supported | Supported | Supported |
| Network Sessions Check | Supported | Not Supported | Not Supported |
| Scheduled Tasks Analysis | Supported | Not Supported | Not Supported |
| WMI Startup Check | Supported | Not Supported | Not Supported |
| At Entries Check | Supported | Not Supported | Not Supported |
| MFT Analysis | Supported | Not Supported | Not Supported |
| Eventlog Analysis | Supported | Not Supported | Not Supported |
| KnowledgeDB Check | Not Supported | Not Supported | Supported |
| Environment Variables Check | Supported | Supported | Supported |
| Crontab Check | Not Supported | Supported | Not Supported |
| Integrity Check | Not Supported | Supported | Not Supported |
| Event Check | Supported | Not Supported | Not Supported |
| ETW Watcher | Supported | Not Supported | Not Supported |
Hint: For a list of module names and how to turn them off, please see Scan Module Names.
6.1.2. Scan Mode Overview
| Module | Normal | Quick | Soft | Intense |
| --- | --- | --- | --- | --- |
| File System Scan | Reduced | | | |
| Registry Scan | | | | |
| SHIM Cache Scan | | | | |
| Mutex Check | Disabled | | | |
| Named Pipes Check | | | | |
| DNS Cache Check | | | | |
| Hotfix Check | Disabled | | | |
| Hosts File Check | Disabled | | | |
| Firewall Config Check | Disabled | Disabled | | |
| Network Share Check | Disabled | | | |
| Logged In Check | Enabled [2] | Disabled | | |
| Process Check | Reduced [3] | | | |
| Service Check | | | | |
| Autoruns Check | | | | |
| Rootkit Check | | | | |
| LSA Sessions Analysis | Disabled | | | |
| User Account Check | Enabled [2] | | | |
| User Profile Check | Enabled [2] | Disabled | | |
| Network Sessions Check | Enabled [2] | Disabled | | |
| Scheduled Tasks Analysis | | | | |
| WMI Startup Check | | | | |
| At Entries Check | | | | |
| MFT Analysis | Disabled | Disabled | Disabled | Enabled |
| Eventlog Analysis | Disabled | | | |
| KnowledgeDB Check | | | | |
| Environment Variables Check | | | | |
| Crontab Check | | | | |
| Integrity Check | | | | |
| Event Check | | | | |
| ETW Watcher | | | | |

[2] Disabled on Domain Controllers
[3] No process memory scan with YARA rules
6.1.3. Scan Module Names
| Module | Module Name | Disable Module |
| --- | --- | --- |
| File System Scan | Filescan | --nofilesystem |
| Registry Scan | RegistryChecks | --noreg |
| SHIM Cache Scan | SHIMCache | --noshimcache |
| Mutex Check | Mutex | --nomutex |
| Named Pipes Check | Pipes | --nopipes |
| DNS Cache Check | DNSCache | --nodnscache |
| Hotfix Check | HotfixCheck | --nohotfixes |
| Hosts File Check | Hosts | --nohosts |
| Firewall Config Check | Firewall | --nofirewall |
| Network Share Check | NetworkShares | --nonetworkshares |
| Logged In Check | LoggedIn | --nologons |
| Process Check | ProcessCheck | --noprocs |
| Service Check | ServiceCheck | --noservices |
| Autoruns Check | Autoruns | --noautoruns |
| Rootkit Check | Rootkit | --norootkits |
| LSA Sessions Analysis | LSASessions | --nolsasessions |
| User Account Check | Users | --nousers |
| User Profile Check | UserDir | --noprofiles |
| Network Sessions Check | NetworkSessions | --nonetworksessions |
| Scheduled Tasks Analysis | ScheduledTasks | --notasks |
| WMI Startup Check | WMIStartup | --nowmi |
| At Entries Check | AtJobs | --noatjobs |
| MFT Analysis | MFT | --nomft |
| Eventlog Analysis | Eventlog | --noeventlog |
| KnowledgeDB Check | KnowledgeDB | --noknowledgedb |
| Environment Variables Check | EnvCheck | --noenv |
| Crontab Check | Cron | |
| Integrity Check | Integritycheck | --nointegritycheck |
| Event Check | Events | --noevents |
| ETW Watcher | EtwWatcher | --noetwwatcher |
6.2. Features
Features are invoked by Modules and provide further details about an item. For example, the File System Scan might find a .zip file during a scan and invoke the Archive Scan feature. The Archive Scan feature in turn extracts the zip file and scans all the items in it. Another example is the Eventlog Analysis module, which might invoke the Sigma Scan feature on certain eventlog entries.
Hint: Please see chapter Archive Scan for a list of supported archive formats.
6.2.1. Feature Scan Mode Overview
| Feature | Normal | Quick | Soft | Intense |
| --- | --- | --- | --- | --- |
| Sigma Scan | Disabled | Disabled | Disabled | Enabled |
| EXE Decompression [5] | Enabled | Enabled | Disabled | Enabled |
| Archive Scan | Enabled | Enabled | Enabled | Enabled |
| Double Pulsar Check [5] | Enabled | Enabled | Disabled | Enabled |
| Groups XML Analysis | Enabled | Enabled | Enabled | Enabled |
| Vulnerability Check | Enabled | Enabled | Enabled | Enabled |
| Web Server Dir Scan | Enabled | Disabled | Enabled | Enabled |
| WMI Persistence | Enabled | Enabled | Enabled | Enabled |
| Registry Hive Scan | Enabled [4] | Enabled | Enabled | Enabled |
| AmCache Analysis | Enabled | Enabled | Enabled | Enabled |
| Process Handle Check | Enabled | Enabled | Enabled | Enabled |
| Process Connections Check | Enabled | Enabled | Enabled | Enabled |
| Windows Error Report (WER) | Enabled | Enabled | Enabled | Enabled |
| Windows At Job File Analysis | Enabled | Enabled | Enabled | Enabled |
| EVTX File Scanning | Enabled | Disabled | Enabled | Enabled |
| Prefetch Library Scanning | Enabled | Enabled | Enabled | Enabled |
| Memory Dump DeepDive | Disabled | Disabled | Disabled | Enabled |
| Text Log File Scanning | Enabled | Disabled | Enabled | Enabled |
| Shellbag Entry Analysis | Enabled | Enabled | Enabled | Enabled |
| Authorized Key File Analysis | Enabled | Enabled | Enabled | Enabled |
| Bifrost File Upload | Enabled | Enabled | Enabled | Enabled |
| Malicious Domain Check | Enabled | Enabled | Enabled | Enabled |
| File Scan | Enabled | Enabled | Enabled | Enabled |
| Cobalt Strike Beacon Parsing | Enabled | Enabled | Enabled | Enabled |
| Process Integrity Check [5] | Disabled | Disabled | Disabled | Enabled |
| SHIM Cache Analysis | Enabled | Enabled | Enabled | Enabled |
| ETL File Scanning [5] | Enabled | Enabled | Enabled | Enabled |

[4] Disabled on Domain Controllers
[5] Only supported on Windows
6.2.2. Feature caller list
The following table gives an overview of THOR's features and how they are called by the different modules and other features.
| Feature | Callers |
| --- | --- |
| Sigma Scan | Eventlog, Log file scanning |
| EXE Decompression | File Scan |
| Archive Scan | File Scan |
| Double Pulsar Check | Rootkit Check |
| Groups XML Analysis | File Scan |
| Vulnerability Check | File Scan |
| Web Server Dir Scan | Process Check |
| WMI Persistence | File Scan |
| Registry Hive Scan | File Scan |
| AmCache Analysis | File Scan |
| Process Handle Check | Process Check |
| Process Memory Check | Process Check |
| Process Connections Check | Process Check |
| Windows Error Report (WER) | File Scan |
| Windows At Job File Analysis | File Scan |
| EVTX File Scanning | File Scan |
| Prefetch Library Scanning | File Scan |
| Memory Dump DeepDive | File Scan |
| Text Log File Scanning | File Scan |
| Shellbag Entry Analysis | Registry Hive Scan |
| Authorized Key File Analysis | File Scan |
| Bifrost File Upload | File Scan |
| Malicious Domain Check | File Scan |
| File Scan | Most modules and features |
| Cobalt Strike Beacon Parsing | File Scan, Process Check |
| Process Integrity Check | Process Check |
| SHIM Cache Analysis | SHIM Cache Scan, Registry Hive |
| ETL File Scanning | File Scan |
6.2.3. Feature selectors
Since THOR 10.7, some features in THOR are triggered by YARA rules.
When a (meta or generic) YARA rule with a specific tag matches on a file, the corresponding feature is started and parses the file.
The standard signatures contain a number of rules with these tags, but if required, you can add additional rules with these tags as custom signatures.
| Tag | Feature | Applied regardless of Filesize limit |
| --- | --- | --- |
| AMCACHE | Amcache | no |
| ZIPARCHIVE | Archive | no |
| RARARCHIVE | Archive | no |
| TARARCHIVE | Archive | no |
| TARGZARCHIVE | Archive | no |
| TARBZ2ARCHIVE | Archive | no |
| CABARCHIVE | Archive | no |
| GZIPCOMPRESSEDFILE | Archive | no |
| SEVENZIPARCHIVE | Archive | no |
| ATJOBS | AtJobs | yes |
| AUDITLOG | Auditlog | yes |
| AUTHORIZEDKEYS | AuthorizedKeys | yes |
| EMAILFILE | EmailParser | no |
| ETL | ETL | yes |
| EVTX | EVTX | yes |
| UPX | ExeDecompress | no |
| WINRAR | ExeDecompress | no |
| LNK | LinkScan | yes |
| LOGSCAN | LogScan | yes |
| MFT | MftFile | yes |
| OLE | OleScan | no |
| PREFETCH | Prefetch | yes |
| REGISTRYHIVE | RegistryHive | yes |
| UNESCAPE | Unescaper | no |
| WER | WER | yes |
| WMIPERSISTENCE | WMIPersistence | yes |
6.2.4. Feature names
| Feature | Feature Name | Disable Feature |
| --- | --- | --- |
| Use a persistent database for holding information across scans | ThorDB | --nothordb |
| Scan with Sigma signatures | Sigma | per default disabled, use |
| Scan log file (identified by .log extension or location) entries one by one | LogScan | --nologscan |
| Check files, processes or blobs with YARA | Yara | |
| Check files with STIX | Stix | --nostix |
| Extract files contained in archives | Archive | --noarchive |
| Scan files contained in archives | ArchiveScan | --noarchive |
| Run checks for known C2 Domains | C2 | --noc2 |
| Analyze process handles | ProcessHandles | --noprochandles |
| Analyze process connections | ProcessConnections | --noprocconnections |
| Analyze entries in Amcache files | Amcache | --noamcache |
| Parse and analyze registry hives | RegistryHive | --noregistryhive |
| Decompress and scan UPX or SFX packed portable executables | ExeDecompress | --noexedecompress |
| Analyze web directories that were found in process handles | WebdirScan | --nowebdirscan |
| Search for configuration file vulnerabilities (e.g. weak Tomcat passwords) | VulnerabilityCheck | --novulnerabilitycheck |
| Parse Windows prefetch directories | Prefetch | --noprefetch |
| Parse groups.xml files (for AD permissions) and search for vulnerabilities | GroupsXML | --nogroupsxml |
| Parse WMI Persistence directories | WMIPersistence | --nowmipersistence |
| Parse and analyze LNK files | Lnk | --nolnk |
| Check Knowledge DB on Mac OS | KnowledgeDB | --noknowledgedb |
| Parse .wer crash dump files | WER | --nower |
| Parse EVTX eventlogs and scan the contained log entries | EVTX | --noevtx |
| Analyze authorized_keys SSH files | AuthorizedKeys | --noauthorizedkeys |
| Parse and analyze .eml Email files | Eml | --noeml |
| Parse Windows Event Trace Logging files and scan the contained logs | ETL | --noetl |
| Parse jobs files scheduled with the 'at' tool | AtJobs | --noatjobs |
| Upload suspicious files to a server running the Bifrost 2 quarantine service | Bifrost2 | per default disabled, use |
| Scan multiple entries as a single block | BulkScan | can't be disabled |
| Disable cpulimit check | CPULimit | --nocpulimit |
| Run filename IOC, keyword IOC, and YARA rules on a chunk of data | CheckString | can't be disabled |
| Parse crontab files and analyze their entries | CronParser | can't be disabled |
| Check for DoublePulsar Backdoor in the rootkit module | DoublePulsar | --nodoublepulsar |
| Gather additional information (like hashes, owner, timestamps, ...) about file paths | EnrichFileInfo | can't be disabled |
| Apply filename IOCs | FilenameIOCs | can't be disabled |
| Scan files and similar objects | Filescan | can't be disabled |
| Apply keyword IOCs | KeywordIOCs | can't be disabled |
| Log information during a THOR run | Logger | can't be disabled |
| Detect a file's type based on its first bytes | MagicHeader | can't be disabled |
| Parse OLE files (e.g. old MS office documents, or MS Office macros) | OLE | can't be disabled |
| Parse additional information from a detected CobaltStrike beacon | ParseCobaltStrike | can't be disabled |
| Keep and display information about THOR's current activity | ProgressTracker | can't be disabled |
| Parse additional information from files in a Windows recycle bin | RecycleBin | can't be disabled |
| Check whether the system is running out of RAM, and end THOR if this is the case | Rescontrol | --norescontrol |
| Parse SHIM Caches from registry and analyze their entries | SHIMCache | --noshimcache |
| React to interrupts from outside THOR in a controlled manner | SignalHandler | can't be disabled |
| Look for unencrypted TeamViewer passwords in registry hives | TeamViewer | can't be disabled |
| Add additional information from Virustotal to detected files | VirusTotal | per default disabled, use |
| Run a user defined command for detected files | Action | per default disabled, use |
| Write a detailed output file with information about all scanned elements | AuditTrail | per default disabled, use |
| Scan memory dump files in chunks | DumpScan | per default disabled, use |
| Scan processes with PE-Sieve to check for process integrity (Windows only) | ProcessIntegrity | per default disabled, use |