5. Scan
This chapter provides a quick introduction to running a THOR scan and to adjusting scans for your environment and use case.
Command-line arguments are used to fine-tune scans and can improve results for specific use cases.
There is no single command line that fits every scenario, but THOR is designed to provide broad coverage with minimal impact in the default operating mode. In this context, default means running THOR without additional command-line arguments.
5.1. Quick Start
Follow these steps to complete your first THOR scan:
Make sure you've read the Before You Begin guide
Open a command line with administrative privileges
Administrator on Windows
root on Linux and macOS
Navigate to the folder where you extracted the THOR package and placed the license file(s)
Start THOR on your command line
  thor64.exe on 64-bit Windows systems
  thor.exe on 32-bit Windows systems
  thor-linux-64 on x86-64 Linux systems
  thor-linux on i386 Linux systems
  thor-macosx on macOS
Wait until the scan has completed (this can take between 20 and 180 minutes)
When the scan is finished, review the text log and HTML report in the THOR program directory
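The Quick Start steps above, wrapped into a small POSIX shell script for Linux and macOS. This is an added example and is not part of the THOR package or its documentation: it picks the binary name from uname output, refuses to run without root, checks that at least one license file sits next to the binary (the .lic extension is an assumption, as is the script name first-scan.sh), refuses the flags that section 5.4 lists as risky unless THOR_ALLOW_RISKY=1 is set, and then starts the scan with whatever arguments you pass through. On Windows, run thor64.exe directly from an elevated prompt instead.

```shell
#!/bin/sh
# Added example, not part of THOR: a wrapper for the Quick Start on Linux/macOS.
# Run it from the directory where the THOR package and license file(s) were extracted.

# Map uname -s / uname -m output to the THOR binary name listed in the Quick Start.
# Only the binaries named in the manual are mapped; anything else is rejected.
select_thor_binary() {
    case "$1" in
        Darwin) echo "thor-macosx" ;;
        Linux)
            case "$2" in
                x86_64|amd64) echo "thor-linux-64" ;;
                i386|i486|i586|i686) echo "thor-linux" ;;
                *) return 1 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# Flags the manual lists as risky (section 5.4); refuse them unless explicitly allowed.
RISKY_FLAGS="--intense --c2-in-memory --alldrives --mft --dump-procs --full-registry"
contains_risky_flag() {
    for arg in "$@"; do
        for flag in $RISKY_FLAGS; do
            [ "$arg" = "$flag" ] && return 0
        done
    done
    return 1
}

# Count license files in a directory (assumption: THOR license files end in .lic).
count_license_files() {
    n=0
    for f in "$1"/*.lic; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

run_first_scan() {
    bin=$(select_thor_binary "$(uname -s)" "$(uname -m)") || {
        echo "no THOR binary listed for $(uname -s)/$(uname -m)" >&2; return 2; }
    # Quick Start: an administrative shell is required (root on Linux and macOS).
    [ "$(id -u)" -eq 0 ] || { echo "run this scan as root" >&2; return 2; }
    [ -x "./$bin" ] || { echo "./$bin not found or not executable in $(pwd)" >&2; return 2; }
    [ "$(count_license_files .)" -gt 0 ] || { echo "no .lic file found in $(pwd)" >&2; return 2; }
    if contains_risky_flag "$@" && [ "${THOR_ALLOW_RISKY:-0}" != "1" ]; then
        echo "refusing a risky flag from section 5.4; set THOR_ALLOW_RISKY=1 to override" >&2
        return 2
    fi
    # Default operating mode when no arguments are given; extra flags are passed through.
    "./$bin" "$@"
    rc=$?
    echo "scan finished (exit status $rc); review the text log and HTML report in $(pwd)"
    return $rc
}

# Invoke directly (./first-scan.sh, optionally followed by THOR flags such as
# --soft -e /var/tmp/thor-out); when sourced, only the functions are defined.
if [ "${0##*/}" = "first-scan.sh" ]; then
    run_first_scan "$@"
fi
```

The wrapper deliberately fails closed: an unsupported architecture, a missing license or a missing binary stops it before THOR starts, and the risky-flag guard keeps a copied-and-pasted lab command line from landing on a production host by accident.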
5.2. Often Used Parameters
| Parameter | Description |
|---|---|
| --soft | Reduce CPU usage and skip all checks that can consume a lot of memory (even if only for a few seconds) |
| --quick | Perform a quick scan (skips Eventlog and checks only the most relevant folders); see Scan Modes |
| -e target-folder | Write all output files to the given folder |
5.3. Parameters Possibly Relevant for Your Use Case
| Parameter | Description |
|---|---|
| -c, --cpulimit integer | Instruct THOR to pause scanning if the system's CPU load is higher than the specified value. See CPU Limit (--cpulimit) Explained for more information. |
| --allhds | By default, THOR scans only the |
| --lookback <days>, --global-lookback | Check only elements that were changed or created during the last X days. On its own, --lookback applies to the Eventlog module; add --global-lookback to apply it across all available modules. This can significantly reduce scan duration. |
Hint
On Linux, the --allhds flag does nothing, since THOR already scans all mounted local file system (FS) devices.
It does not scan remote file systems such as NFS, SMB, or other network shares by default - this has to be
explicitly enabled.
5.4. Risky Flags
This list contains flags that should generally be avoided unless you know exactly what you are doing.
| Parameter | Description |
|---|---|
| --intense | Long runtime; stability issues due to disabled resource control |
| --c2-in-memory | Many false positives on user workstations (especially browser memory) |
| --alldrives | Long runtime; stability issues due to scanning network drives or other remote file systems |
| --mft | Stability issues due to high memory usage |
| --dump-procs | Stability issues; possibly high disk space usage (free disk space checks are implemented but may fail) |
| --full-registry | Longer runtime, low positive impact |
5.5. Lesser Known But Useful Flags
This list contains flags that analysts often use to adjust scans in useful ways.
| Parameter | Description |
|---|---|
| --max-reasons 0 | Show all reasons that led to a certain score |
| --printshim | Print all available SHIM cache entries into the log |
| --utc | Print all timestamps in UTC (helpful when creating timelines) |
| --string-context num-chars | Number of characters preceding and following the string match to show in the output |
5.6. Help and Debugging
The following parameters can help you better understand THOR and its output.
| Parameter | Description |
|---|---|
| --debug | Get debug information if errors occur |
| --help | Get help with the most important scan options |
| --fullhelp | Get help with all scan options |
5.7. Examples
5.7.2. Logging to Syslog Server
The following command instructs THOR to log to a remote syslog server only.
thor64.exe --nohtml --nocsv --nolog -s syslog.server.net
5.7.3. Scan a Single Directory
thor64.exe -a Filescan -p C:\temp
5.7.4. Change the output directory
thor64.exe -e Z:\
5.7.5. Only scan the last 7 days of (Windows) Event Logs
thor64.exe --lookback 7
By default the --lookback flag/value only applies to (Windows) Event Logs.
To apply it to all modules, use the --global-lookback flag.
5.7.6. Scan System with Defaults and Make a Surface Scan
By default, the surface scan (DeepDive) applies all YARA rules in the "./custom-signatures" folder. In this example, all output files are written to a network share.
thor64.exe --deepdivecustom -e \\server\share\thor_output\
5.7.7. Intense Scan and DeepDive on a Mounted Image
The following are two examples of how to scan a mounted image on Windows and Linux.
Important
Lab scanning mode requires a forensic lab license type, which is meant to be used in forensic labs.
5.7.7.1. Mounted as Drive Z
thor64.exe --lab --deepdive -p Z:\
5.7.7.2. Mounted as /mnt
thor64.exe --lab --deepdive -p /mnt
5.7.8. Scan Multiple Paths
thor64.exe --lab -p C:\\ D:\\webapps E:\\inetpub
Hint
Non-existent directories are skipped automatically.
5.7.9. Scan All Hard Drives
thor64.exe --allhds
Hint
This flag only works with Windows
5.7.10. Don't Scan Recursively
To instruct THOR to scan a folder non-recursively use the :NOWALK suffix.
thor64.exe -a FileScan -p C:\Windows\System32:NOWALK
5.8. Run a Scan with Specific Modules
With the parameter -a you can run a single module or select a set of
modules that you'd like to run. All available modules can be found in the
section Scan Module Names.
Run a Rootkit check only:
thor64.exe -a Rootkit
Run the Eventlog and file system scan:
thor64.exe -a Eventlog -a Filescan
5.9. Select or filter Signatures during Initialization
THOR 10.7.8 introduces the Init Selector and Init Filter functionalities,
allowing users to fine-tune and customize their scanning process for
improved accuracy and efficiency.
You can use these flags to limit the signature set to a certain campaign, threat or threat actor.
The filter values are applied to:
Rule name
Tags
Description
Here are some examples:
C:\thor>thor64.exe --init-selector ProxyShell
You can pass multiple selector keywords separated by comma:
C:\thor>thor64.exe --init-selector RANSOM,Lockbit
Or filter out signatures that only cause false positives in your environment:
C:\thor>thor64.exe --init-filter AutoIt
While these flags offer flexibility, we recommend running with a reduced signature set only for specific use cases, typically when scanning exclusively for indicators of one campaign: every rule that is filtered out or not selected is a detection the scan gives up, so a narrow selector should be a deliberate choice, not a default.
The main advantages of a reduced signature set are:
improved scan speed
lower memory usage
To get a list of all rules contained in THOR's signature set, run the following command. The output is very long, so we recommend redirecting it to a file, which makes it easier to search for specific metadata:
C:\thor>thor64.exe --print-signatures > signatures.txt
Note
The command may take a while, since the signature set is quite big.
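The selector and filter semantics described in this section, reimplemented as an added example that is not THOR's own code: a minimal parser pulls the rule name, tags and meta description out of a handful of constructed YARA rules, then applies comma-separated --init-selector keywords (keep a rule if any keyword occurs in any of those three fields) and --init-filter keywords (drop a rule if any keyword occurs). The rule names and descriptions are invented for the example, and case-insensitive substring matching is an assumption about THOR's behaviour rather than something this page states.

```python
"""Illustrative reimplementation of --init-selector / --init-filter (added example,
not THOR code). Matching is case-insensitive substring matching on rule name, tags and
meta.description; that matching rule is an assumption, not documented THOR behaviour."""
import re
from dataclasses import dataclass, field

# Constructed YARA rules standing in for THOR's signature set (names invented).
SAMPLE_RULES = r'''
rule EXPL_ProxyShell_Webshell_Aug21 : EXPLOIT WEBSHELL {
    meta:
        description = "Detects webshell dropped via ProxyShell exploitation"
    strings:
        $s1 = "Exchange" ascii
    condition:
        $s1
}
rule MAL_RANSOM_Lockbit_Note : RANSOM {
    meta:
        description = "Detects LockBit ransom note"
    strings:
        $s1 = "All your important files are"
    condition:
        $s1
}
rule SUSP_AutoIt_Compiled_Script : SUSP {
    meta:
        description = "Detects compiled AutoIt script, often legitimate in-house tooling"
    strings:
        $s1 = "AU3!EA06" ascii
    condition:
        $s1
}
rule SUSP_Generic_PE_Packed {
    meta:
        description = "Generic packed PE heuristic"
    condition:
        uint16(0) == 0x5A4D
}
'''


@dataclass
class Rule:
    name: str
    tags: list = field(default_factory=list)
    description: str = ""

    def fields(self):
        """All text the selector/filter keywords are compared against."""
        return [self.name, *self.tags, self.description]


# "rule NAME : TAG TAG {" at line start; the tag list is optional.
RULE_HEADER = re.compile(r'^\s*rule\s+(\w+)\s*(?::\s*([\w\s]+?))?\s*\{', re.M)
DESCRIPTION = re.compile(r'description\s*=\s*"([^"]*)"')


def parse_rules(text):
    """Minimal parser: extract name, tags and meta.description of each rule."""
    rules = []
    headers = list(RULE_HEADER.finditer(text))
    for i, m in enumerate(headers):
        body_end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[m.end():body_end]
        desc = DESCRIPTION.search(body)
        tags = m.group(2).split() if m.group(2) else []
        rules.append(Rule(m.group(1), tags, desc.group(1) if desc else ""))
    return rules


def matches(rule, keyword):
    kw = keyword.lower()
    return any(kw in f.lower() for f in rule.fields())


def apply_init_flags(rules, init_selector="", init_filter=""):
    """Keep rules matching any selector keyword (when selectors are given), then drop
    rules matching any filter keyword. Returns the names of the rules that remain."""
    selectors = [k.strip() for k in init_selector.split(",") if k.strip()]
    filters = [k.strip() for k in init_filter.split(",") if k.strip()]
    kept = rules
    if selectors:
        kept = [r for r in kept if any(matches(r, k) for k in selectors)]
    if filters:
        kept = [r for r in kept if not any(matches(r, k) for k in filters)]
    return [r.name for r in kept]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print(apply_init_flags(rules, init_selector="ProxyShell"))
    print(apply_init_flags(rules, init_selector="RANSOM,Lockbit"))
    print(apply_init_flags(rules, init_filter="AutoIt"))
```

Running it prints the rule names kept for the three command lines shown above. The same idea is a useful pre-flight check before a real scan: grep the --print-signatures output for your selector keywords and confirm the set it keeps is what you intended, since a selector that matches nothing leaves you with an empty signature set for that scan.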
5.10. PE-Sieve Integration
THOR integrates PE-Sieve, an open-source tool by @hasherezade, to check for
malware masquerading as legitimate processes.
PE-Sieve can be activated by using the --processintegrity flag. It
runs on Windows as part of the ProcessCheck module and is capable of
detecting advanced techniques such as Process Doppelganging.
When investigating infections, you can also raise
the sensitivity of the integrated PE-Sieve beyond the default with
--full-proc-integrity (at the cost of possible false positives).
THOR reports PE-Sieve results as follows:
| Findings | THOR's Reporting Level |
|---|---|
| Replaced PE File | Warning |
| Implanted PE File | Warning |
| Unreachable File | Notice |
| Patched | Notice |
| IAT Hooked | Notice |
| Others | No output in THOR |
See the PE-Sieve documentation for more details on these values.
5.11. Multi-Threading
Use the --threads flag to specify the number of parallel threads THOR runs.
When using the --lab (Lab Scanning), --dropzone (sample drop zone) or
--thunderstorm (Thunderstorm) command line flags, THOR defaults to as many
threads as the system has CPU cores; otherwise, THOR defaults to a single thread.
Note
The above listed modes are only available with the "Lab", "Thunderstorm" and "Incident Response" license type.
5.11.1. Enabled Modules
Not all modules support multi-threading. It is currently supported for:
Filescan
RegistryChecks
Eventlog
Thunderstorm (Thunderstorm License needed)
Dropzone (Lab License needed)