20.3. THOR 10.5 (Legacy)

20.3.1. THOR 10.5.18

Type | Description
--- | ---
Change | Remove outdated content from the tools folder in THOR packages
Bugfix | Exclude THOR logs from being detected by THOR

20.3.2. THOR 10.5.17

Type | Description
--- | ---
Feature | Authors of YARA rules are now included in match outputs
Change | Update PE-Sieve to v0.2.9.6
Change | Global YARA rules now cause an error since they can inadvertently affect THOR's internal signatures
Change | Some modules were removed on specific platforms (especially on MacOS and AIX) that only held dummy
Change | Add EVTX 3.2 support
Bugfix | Print Eventlog timestamps in local timezone, unless '--utc' is used
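Two entries above affect anyone maintaining custom signatures: a `global rule` in a custom file is now rejected, and the rule author from the `meta` section is shown with each match. The following is an added example, not THOR code and not Nextron tooling: a small pre-deployment lint that reads a YARA file, flags global rules as a hard error and rules without an `author` meta field as a warning. The rule-header parsing, the sample rules and the `deployable` decision are this example's own assumptions.

```python
"""
Pre-deployment lint for custom YARA rule files. This is an added example
written for this changelog entry, not THOR code and not Nextron tooling.
It takes only two facts from the changelog: a 'global rule' in a custom
signature file is rejected since 10.5.17, and the 'author' meta field is
surfaced in match output, so rules without one produce less useful alerts.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Rule header: optional 'private'/'global' modifiers followed by 'rule <name>'.
RULE_HEADER = re.compile(
    r"^[ \t]*((?:(?:private|global)[ \t]+)*)rule[ \t]+([A-Za-z_][A-Za-z0-9_]*)",
    re.MULTILINE,
)
# meta section: everything between 'meta:' and the next 'strings:' or 'condition:'.
META_BLOCK = re.compile(r"meta:\s*(.*?)\s*(?=strings:|condition:)", re.DOTALL)
AUTHOR_LINE = re.compile(r'^\s*author\s*=\s*"([^"]*)"', re.MULTILINE)


@dataclass
class RuleInfo:
    name: str
    is_global: bool
    author: Optional[str]


@dataclass
class LintResult:
    rules: List[RuleInfo] = field(default_factory=list)

    @property
    def global_rules(self) -> List[str]:
        return [r.name for r in self.rules if r.is_global]

    @property
    def missing_author(self) -> List[str]:
        return [r.name for r in self.rules if not r.author]

    @property
    def deployable(self) -> bool:
        # Global rules are a hard error; a missing author is only a warning.
        return not self.global_rules


def strip_comments(text: str) -> str:
    """Drop /* */ and // comments so commented-out rules are not counted."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return re.sub(r"//[^\n]*", "", text)


def lint_yara_source(text: str) -> LintResult:
    text = strip_comments(text)
    headers = list(RULE_HEADER.finditer(text))
    result = LintResult()
    for i, header in enumerate(headers):
        # A rule's body runs until the next rule header (or end of file).
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[header.start():end]
        modifiers = header.group(1).split()
        author = None
        meta = META_BLOCK.search(body)
        if meta:
            found = AUTHOR_LINE.search(meta.group(1))
            author = found.group(1) if found else None
        result.rules.append(RuleInfo(header.group(2), "global" in modifiers, author))
    return result


# Constructed sample file: one global rule (now rejected), one well-formed
# rule with an author, one private helper without meta.
SAMPLE_RULES = r'''
// constructed sample file; the rule logic is deliberately trivial
global rule Only_Scan_PE_Files
{
    condition:
        uint16(0) == 0x5A4D
}

rule Constructed_Marker_Rule
{
    meta:
        author = "Example Team"
        description = "constructed example rule"
    strings:
        $s1 = "CONSTRUCTED_MARKER" ascii nocase
    condition:
        $s1
}

private rule Helper_Without_Author
{
    strings:
        $x = "constructed helper string"
    condition:
        $x
}
'''

if __name__ == "__main__":
    report = lint_yara_source(SAMPLE_RULES)
    for name in report.global_rules:
        print(f"ERROR: '{name}' is a global rule and will be rejected")
    for name in report.missing_author:
        print(f"WARN: '{name}' has no 'author' meta field")
    print("deployable" if report.deployable else "fix errors before deploying")
```

Run it over a real custom rule set before copying the files into the signature folder; a global rule is caught before THOR refuses the file at scan start, and a missing author is visible before it shows up as an empty field in match output.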

20.3.3. THOR 10.5.16

Type | Description
--- | ---
Change | Upgrade PE-Sieve to v0.2.9.5
Change | Upgrade OpenSSL to 1.1.1j
Bugfix | Ensure THOR honors low CPU limits correctly
Bugfix | Correct loading for some named pipe IOC files
Bugfix | Fix incorrect formatting of JSON syslog output

20.3.4. THOR 10.5.15

Type | Description
--- | ---
Feature | Add support for a THOR Util configuration file. This file allows setting a default configuration (e.g. to always upgrade to the TechPreview).
Change | Notarize THOR for MacOS

20.3.5. THOR 10.5.14

Type | Description
--- | ---
Feature | Scan all event logs if '--intense' was specified
Feature | Allow fetching the signatures in development by using '--sigdev' with thor-util update
Change | Add info resource to THOR Windows files
Change | Refactor bulk scanning to allocate and release less memory, reducing memory usage volatility
Change | Let THOR Util default to its own directory for THOR and license paths (same behaviour as THOR already has)
Change | Check YARA / IOC filename indicators (like log, registry, keyword) with word boundaries
Change | Add additional event logs to the list of event logs scanned by default
Change | Don't allow a downgrade in THOR Util unless '--force' is specified
Change | Update to Golang 1.15.10
Change | Specific options (dropzone mode, deep dive mode, fsonly, nodoublecheck, hostname rewrite) have been restricted to Forensic Lab and Incident Response license types
Bugfix | Add checks for improved handling of corrupted registry hives
Bugfix | Clarify some messages of THOR Util
Bugfix | Apply excludes with OS path separators with '--cross-platform'
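The change to match filename indicators with word boundaries matters because a plain substring test tags files it should not: a file named after a "catalog" or a "blog" contains the letters "log". The following is an added example, not THOR code: it contrasts substring matching with whole-word matching over a few constructed filenames. The boundary definition (any character that is not a letter or digit separates words) and the sample names are this example's assumptions, not THOR's documented naming rules; it also shows why Python's `\b` alone is not enough, since it treats an underscore as a word character.

```python
"""
Filename indicator matching with word boundaries. Added example for this
changelog, not THOR code: it only takes from the 10.5.14 entry that
signature filenames carry indicators such as 'log', 'registry' and
'keyword' and that these are now matched as whole words. The boundary
definition and the sample filenames are this example's own assumptions.
"""
import re
from typing import List

INDICATORS = ("log", "registry", "keyword")

# A word boundary here is "not a letter or digit". Python's \b treats '_' as a
# word character, so r"\bregistry\b" would miss 'registry_persistence.yar';
# explicit lookarounds make '_', '-' and '.' all act as separators.
BOUNDED = re.compile(r"(?<![a-z0-9])(log|registry|keyword)(?![a-z0-9])", re.IGNORECASE)


def indicators_substring(filename: str) -> List[str]:
    """Naive approach: any occurrence of the indicator text counts."""
    lowered = filename.lower()
    return [ind for ind in INDICATORS if ind in lowered]


def indicators_bounded(filename: str) -> List[str]:
    """Whole-word approach: the indicator must stand alone between separators."""
    found = {m.group(1).lower() for m in BOUNDED.finditer(filename)}
    return [ind for ind in INDICATORS if ind in found]


# Constructed filenames; comments give the whole-word result.
SAMPLE_FILENAMES = [
    "catalog_c2_domains.txt",      # 'log' inside 'catalog': not an indicator
    "blog_leaks_filescan.yar",     # 'log' inside 'blog': not an indicator
    "registry_persistence.yar",    # underscore-separated: indicator
    "apt-keyword-list.txt",        # hyphen-separated: indicator
    "LOG.webshell_scan.yar",       # case-insensitive, at start: indicator
    "dialog_log_indicators.txt",   # only the stand-alone 'log' counts
]


def substring_false_positives() -> List[str]:
    """Filenames the naive approach tags that whole-word matching does not."""
    return [
        name for name in SAMPLE_FILENAMES
        if set(indicators_substring(name)) - set(indicators_bounded(name))
    ]


if __name__ == "__main__":
    for name in SAMPLE_FILENAMES:
        print(f"{name:30} substring={indicators_substring(name)} "
              f"bounded={indicators_bounded(name)}")
    print("mis-tagged by substring matching:", substring_false_positives())
```

The practical consequence of the change is the reverse direction too: an indicator embedded in a longer token is no longer recognised, so custom files should keep the indicator as a separate, delimiter-separated word in the filename.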

20.3.6. THOR 10.5.13

Type | Description
--- | ---
Change | Minor directory exclusion adjustments for Microsoft Exchange

20.3.7. THOR 10.5.12

Type | Description
--- | ---
Bugfix | Remove some directory excludes specific to Microsoft Exchange

20.3.8. THOR 10.5.11

Type | Description
--- | ---
Feature | Make bulk scan size manually configurable with '--bulk-size'
Change | Disable 60 MB log size limit if debugging (with '--debug' or '--trace') is active

20.3.9. THOR 10.5.10

Type | Description
--- | ---
Feature | Suppress rule matches on log files after the same rule matched 10 times or more; this can be deactivated with '--showall'
Feature | Add a context menu for filtering to the HTML reports
Feature | Add support for NFTables firewalls on Linux
Feature | Add a field 'SIGTYPE' to messages which displays whether an IOC or YARA rule is custom or built-in
Feature | Reuse previous Scan ID if a scan is resumed
Feature | Add additional information to files detected in a Windows recycle bin (original file name, deletion time)
Change | Limit file enrichment to 10 files per message
Change | Name automatically generated YARA rules for C2 domains after the domain rather than after a counter
Change | Reduce score of a C2 match with a YARA rule by 30
Change | Upgrade to YARA 4.0.5
Change | Make matching of C2 IOCs on process memory optional; it can be enabled with '--c2-in-memory'
Bugfix | Deduplicate listen ports per process
Bugfix | Improve permission vulnerability check for Linux services
Bugfix | Skip specific registry hives where THOR could behave unstably
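The first entry of this release limits alert noise: once one rule has fired repeatedly on the same log file, further matches of that rule on that file are withheld unless '--showall' is given. The following is an added example, not THOR code, that models this per-(file, rule) suppression over constructed log lines and adds a summary of how many matches were withheld. It assumes the first 10 matches are still reported; the class and function names, the summary wording and the sample lines are this example's own.

```python
"""
Per-rule match suppression for log file scans. Added example for this
changelog, not THOR code: it models the 10.5.10 behaviour of reporting
a rule's matches on a given log file only until the limit is reached
(assumed here: the first 10 matches are shown) unless the equivalent of
'--showall' is set, and it adds a summary of what was withheld. Names,
the summary format and the sample log lines are this example's own.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

SUPPRESS_AFTER = 10  # matches of one rule on one file shown before suppression


class MatchSuppressor:
    def __init__(self, limit: int = SUPPRESS_AFTER, show_all: bool = False):
        self.limit = limit
        self.show_all = show_all          # the '--showall' switch
        self.counts: Counter = Counter()  # (logfile, rule) -> total matches seen

    def accept(self, logfile: str, rule: str) -> bool:
        """Count the match and say whether it should still be reported."""
        key = (logfile, rule)
        self.counts[key] += 1
        return self.show_all or self.counts[key] <= self.limit

    def suppressed(self) -> Dict[Tuple[str, str], int]:
        """How many matches were withheld per (logfile, rule)."""
        if self.show_all:
            return {}
        return {k: n - self.limit for k, n in self.counts.items() if n > self.limit}


def scan_log(logfile: str, lines: Iterable[str], rules: Dict[str, re.Pattern],
             suppressor: MatchSuppressor) -> List[Tuple[str, int]]:
    """Return (rule, line number) for every match that survived suppression."""
    reported = []
    for lineno, line in enumerate(lines, start=1):
        for rule_name, pattern in rules.items():
            # accept() is only called on a real match, so the count stays exact
            if pattern.search(line) and suppressor.accept(logfile, rule_name):
                reported.append((rule_name, lineno))
    return reported


# Constructed input: 25 lines hit by a noisy rule, 2 lines hit by a rare one.
LOG_LINES = (
    [f"2021-03-01T10:00:{i:02d} host1 app: constructed noisy event {i}" for i in range(25)]
    + ["2021-03-01T10:01:00 host1 app: RARE_MARKER_constructed seen",
       "2021-03-01T10:01:05 host1 app: RARE_MARKER_constructed seen again"]
)
RULES = {
    "Noisy_Event": re.compile(r"constructed noisy event"),
    "Rare_Marker": re.compile(r"RARE_MARKER_constructed"),
}


def run(show_all: bool = False):
    """Scan the constructed log and return (reported matches, suppression summary)."""
    suppressor = MatchSuppressor(show_all=show_all)
    reported = scan_log("app.log", LOG_LINES, RULES, suppressor)
    return reported, suppressor.suppressed()


if __name__ == "__main__":
    matches, withheld = run()
    for rule, lineno in matches:
        print(f"app.log:{lineno}: {rule}")
    for (logfile, rule), n in withheld.items():
        print(f"{logfile}: {n} further matches of {rule} suppressed (use --showall to list them)")
```

Keying the counter on the (file, rule) pair rather than on the rule alone is the point: a rule that is noisy in one log still reports normally in every other file, and the rare rule is never affected by the noisy one.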

20.3.10. THOR 10.5.9

Type | Description
--- | ---
Feature | Apply C2 checks to log scans
Change | Increase the default maximum runtime to 1 week
Change | Apply special scan features on files even if those files exceed the maximum file size set
Bugfix | Remove several false positives on process memory of Antivirus products
Bugfix | Fix an issue where THOR Remote could freeze if too many remote scans were started
Bugfix | Fix an issue where packed files weren't unpacked completely before being scanned

20.3.11. THOR 10.5.8

Type | Description
--- | ---
Bugfix | Print time of currently analyzed event in Eventlog module

20.3.12. THOR 10.5.7

Type | Description
--- | ---
Change | Upgrade to Golang 1.14.7
Change | Catch panics in a module so that other modules remain unaffected
Change | Disable support for licenses using an obsolete encryption method
Bugfix | Extend output in a specific Events module message
Bugfix | New parameter '--max_process_size' that limits the size of processes that THOR scans with YARA rules. Default value is 500 MB. THOR memory usage increases as this value is increased.

20.3.13. THOR 10.5.6

Type | Description
--- | ---
Bugfix | Catch possible panic during Amcache parsing
Bugfix | Catch possible panic if the Application Eventlog could not be opened

20.3.14. THOR 10.5.5

Type | Description
--- | ---
Change | Exchange the signing certificate for a newer one
Bugfix | Check Registry Hive entries in the same format as Live Registry entries
Bugfix | Check UserData elements in EVTX files

20.3.15. THOR 10.5.4

Type | Description
--- | ---
Feature | Support download of Tech Previews in Thor-Util
Feature | Support license download from ASGARD 2.5+ with '--asgard-token'
Bugfix | Terminate if started with '--resumeonly' and no previous scan with the same context existed
Bugfix | Calculate the context that '--resume' uses to check for previous scans differently, excluding elements prone to change

20.3.16. THOR 10.5.3

Type | Description
--- | ---
Bugfix | Catch panic when handling specific Registry Hives on disk

20.3.17. THOR 10.5.2

Type | Description
--- | ---
Bugfix | Disable PE-Sieve by default to follow up on some rare issues. It can be enabled with '--process-integrity' or '--intense'.

20.3.18. THOR 10.5.1

Type | Description
--- | ---
Feature | Generate process dumps of suspicious processes (for now Windows only) when '--procdumps' is specified
Feature | New command line option '--procdump-dir' to control where process dumps are stored
Feature | Integrate parser for Windows LNK files
Feature | New command line option '--image-chunk-size' to set the size of chunks when scanning image files
Feature | New command line option '--generate-config' to create a configuration file for THOR based on command line options
Feature | Open busy registry hives using a raw disk image and the MFT
Feature | On interactive interrupts, show progress and a menu to continue or abort the scan
Feature | Support new IOC file for named pipes on Windows
Feature | Detect files with uncommon / unlikely timestamps (timestomping)
Change | Reduce log level for open port messages to Info
Change | Extend '--all-module-lookback' to Registry Hive files and EVTX log files, rename it to '--global-lookback'
Change | Update used YARA to 4.0.1
Change | Print last scanned element when maximum runtime is exceeded
Bugfix | Don't stop HTML log generation on encountering certain uncommon log lines

20.3.19. THOR 10.5.0

Type | Description
--- | ---
Feature | New PowerShell script to download and run Thor easily
Feature | Execute PE-Sieve at runtime to discover processes with malicious sections; sensitivity can be raised further with '--full-proc-integrity'
Feature | New command line option '--scanid-prefix' to set a custom Scan ID prefix
Feature | New command line option '--print-signatures' to print the metadata of all YARA and Sigma signatures
Feature | New command line option '--all-module-lookback' that applies lookback to the Filesystem, Registry, and Services modules as well
Feature | Make score for Handle IOCs customizable
Feature | New command line option '--ascii' to exclude non-ASCII characters from the logs
Change | Check open files without using an external 'lsof' executable on Unix platforms
Change | Update descriptions for most command line options
Change | Print non-ASCII strings in matches as hex sequences
Change | Include time (in addition to the date) in default log file name