20.6. THOR 10.2
20.6.1. THOR 10.2.11
Type |
Description |
|---|---|
Feature |
Sigma modifiers "startswith" and "endswith" are now supported |
20.6.2. THOR 10.2.10
Type |
Description |
|---|---|
Bugfix |
Empty values for "(Default)" keys names in Registry matching |
20.6.3. THOR 10.2.9
Type |
Description |
|---|---|
Change |
Removed legacy files (sfx, bat) |
Change |
Removed fix skip of "SOFTWAREClasses" Registry key |
Bugfix |
custom IOC initialization used different keywords than described in documentation ("c2" > "domain", "trusted" > "falsepositive") |
20.6.4. THOR 10.2.8
Type |
Description |
|---|---|
Change |
Increased default max. file size from 4.5 MB to 6.5 MB |
Bugfix |
Fixed a bug in sigma scoring system |
20.6.5. THOR 10.2.7
Type |
Description |
|---|---|
Change |
Dropped max filesize check for many types in intense scan mode (--intense / --fsonly) including memory dumps, registry hives, EVTX files |
Change |
Added PKZIP and MS Office PK header to headers eligible for archive scan |
Change |
Added file name, file path, hostname and channel to matches on events found in EVTX files |
20.6.6. THOR 10.2.6
Type |
Description |
|---|---|
Change |
Improvements to MESSAGE field (better descriptions) |
20.6.7. THOR 10.2.5
Type |
Description |
|---|---|
Change |
List available modules if selected module is unknown |
Change |
Increased log window size for thor events in thor remote |
Change |
Print reasons for invalid licenses |
Change |
Sigma rules will be muted if they matched too often |
Change |
Event IOCs will be applied on Mutex checks and vice versa |
20.6.8. THOR 10.2.4
Type |
Description |
|---|---|
Bugfix |
Fixed logic error in lsasessions' kerberos ticket life time checks |
20.6.9. THOR 10.2.3
Type |
Description |
|---|---|
Change |
Removed THOR Remote warning that a file could not be collected, which doesn't exist |
Change |
Low sigma rules will not be printed anymore, medium sigma rules will only be printed in '--intense' mode |
20.6.10. THOR 10.2.2
Type |
Description |
|---|---|
Feature |
New module 'Events' that checks for malicious Windows events |
20.6.11. THOR 10.2.1
Type |
Description |
|---|---|
Feature |
New ThorDB table 'stats', which contains scan duration of scan elements |
Feature |
New output mode '--reduced' to reduce output to warnings, alerts and errors |
Change |
Files can be scanned multiple times in Dropzone mode |
20.6.12. THOR 10.2.0
Type |
Description |
|---|---|
Change |
Upgraded YARA to 3.11.0 |
Change |
Extended output of '--version' command |
Change |
Added ExecFlag to SHIMCache output |
Change |
Apply YARA on WMI Event Filters |
Change |
Passing new external YARA variables 'timezone' and 'language' to registry ruleset |