{"id":7735,"date":"2020-05-23T16:17:27","date_gmt":"2020-05-23T14:17:27","guid":{"rendered":"https:\/\/www.nextron-systems.com\/?p=7735"},"modified":"2022-03-25T14:15:44","modified_gmt":"2022-03-25T13:15:44","slug":"upcoming-changes-in-thor-v10-5","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2020\/05\/23\/upcoming-changes-in-thor-v10-5\/","title":{"rendered":"Upcoming Changes in THOR v10.5"},"content":{"rendered":"

[et_pb_section fb_built=”1″ _builder_version=”4.4.5″][et_pb_row column_structure=”3_5,2_5″ _builder_version=”4.4.5″][et_pb_column type=”3_5″ _builder_version=”4.4.5″][et_pb_text _builder_version=”4.4.5″]<\/p>\n

PE Sieve Integration<\/h1>\n

With the integration of @hasharezade<\/a>‘s PE Sieve<\/a> project THOR is able to detect and report a variety of process implants like replaced or injected portable executables (process hollowing), injected shellcodes, hooks and in-memory patches.<\/p>\n

Naturally, since @hasharezade’s project is an open source project, this feature will also be available in THOR Lite, the free version of THOR.\u00a0<\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”2_5″ _builder_version=”4.4.5″][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/05\/Screenshot-2020-05-08-at-15.41.54.png” title_text=”Screenshot 2020-05-08 at 15.41.54″ _builder_version=”4.4.5″][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.4.5″][et_pb_column type=”4_4″ _builder_version=”4.4.5″][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/05\/Screenshot-2020-05-06-at-15.22.21.png” title_text=”Screenshot 2020-05-06 at 15.22.21″ _builder_version=”4.4.5″][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.4.6″][et_pb_column type=”2_5″ _builder_version=”4.4.6″][et_pb_text _builder_version=”4.4.6″]<\/p>\n

Process Dumps<\/h1>\n

THOR v10.5 creates a process dump of any process that is considered suspicious or malicious.\u00a0<\/p>\n

This process dump can then be analyzed with standard tools later to examine the findings. Use the flag “–dump-procs” to activate this feature.<\/p>\n

To prevent excessive disk space usage, new dumps overwrite old dumps of the same process. Also, THOR stores the dumps in a compressed form and will not generate dumps if less than 5 GB disk space is available.\u00a0<\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.4.6″][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/05\/Screenshot-Process-Dump.png” title_text=”Screenshot Process Dump” _builder_version=”4.4.6″][\/et_pb_image][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/05\/Screenshot-ProcessDump-Zipfile.png” title_text=”Screenshot ProcessDump Zipfile” _builder_version=”4.4.6″][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”3_5,2_5″ _builder_version=”4.4.5″][et_pb_column type=”3_5″ _builder_version=”4.4.5″][et_pb_text _builder_version=”4.4.5″]<\/p>\n

Global Module Lookback<\/h1>\n

The current “–lookback” option allows you to restrict the Eventlog and log file scan to a given amount of days. E.g. by using “–lookback 3” you instruct THOR to check only the log entries that have been created in the last 3 days.<\/p>\n

We’ve extended this feature to include all applicable modules, including “FileScan”, “Registry”, “Services”, “Registry Hives” and “EVTX Scan”. By setting the flags “–global-lookback –lookback 2” you instruct THOR to scan only elements that have been created or modified during the last 2 days. This reduces the scan duration significantly.<\/p>\n

On our test systems, we were able to reduce the scan duration of a full filesystem scan and a lookback of three days to less than 4 minutes.<\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”2_5″ _builder_version=”4.4.5″][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/05\/Speed_256.png” title_text=”Speed_256″ _builder_version=”4.4.5″][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.4.5″][et_pb_column type=”4_4″ _builder_version=”4.4.5″][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/05\/Screenshot-2020-05-08-at-15.27.00.png” title_text=”Screenshot 2020-05-08 at 15.27.00″ _builder_version=”4.4.5″][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”2_5,3_5″ _builder_version=”4.4.7″][et_pb_column type=”2_5″ _builder_version=”4.4.7″][et_pb_text _builder_version=”4.4.7″]<\/p>\n

LNK File Parser<\/h3>\n

The link file parser module processes .lnk files, extracts relevant data and gathers more information on the linked contents. It also applies the anomaly detection methods to its contents to allow the detection of unknown threats.\u00a0<\/p>\n

 <\/p>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_5″ _builder_version=”4.4.7″][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2020\/05\/Screenshot-Dangerous-Link.png” title_text=”Screenshot Dangerous Link” _builder_version=”4.4.7″][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.4.5″][et_pb_column type=”4_4″ _builder_version=”4.4.5″][et_pb_text _builder_version=”4.4.5″]<\/p>\n

More Changes<\/h1>\n
    \n
  • Default output files include a timestamp and not just the date<\/li>\n
  • Outputs include non-ASCII characters in a hex encoded form (use –ascii to revert to ASCII only output)<\/li>\n
  • THOR DBs “–resume” feature is deactivated by default and has to be manually activated using “–resume” due to significant performance implications caused by updating resume states in THOR DB\u00a0<\/li>\n
  • New –portal* flags allow the licenses generation at runtime using our Netxron portal API<\/li>\n
  • New\u00a0–yara-max-strings-per-rule flag limits the output of matching strings<\/li>\n
  • New –nofserrors flag suppresses all error messages regarding access permissions<\/li>\n
  • New –scanid-prefix allows users to set a custom prefix to allow the identification of group of scans<\/li>\n
  • New –print-signatures flag lists names and meta data of all included YARA and Sigma rules<\/li>\n<\/ul>\n

    [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"

    PE Sieve Integration With the integration of @hasharezade’s PE Sieve project THOR is able to detect and report a variety of process implants like replaced or injected portable executables (process hollowing), injected shellcodes, hooks and in-memory patches. Naturally, since @hasharezade’s project is an open source project, this feature will also be available in THOR Lite, the free version of THOR.\u00a0Process Dumps THOR v10.5 creates a process dump of any process that is considered suspicious or malicious.\u00a0 This process dump can then be analyzed with standard tools later to examine the findings. Use the flag “–dump-procs” to activate this feature. To prevent excessive disk space usage, new dumps overwrite old dumps of the same process. Also, THOR stores the dumps in a compressed form and will not generate dumps if less than 5 GB disk space is available.\u00a0Global Module Lookback The current “–lookback” option allows you to restrict the Eventlog and log file scan to a given amount of days. E.g. by using “–lookback 3” you instruct THOR to check only the log entries that have been created in the last 3 days. We’ve extended this feature to include all applicable modules, including “FileScan”, “Registry”, “Services”, “Registry Hives” and “EVTX Scan”. […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[32],"tags":[],"class_list":["post-7735","post","type-post","status-publish","format-standard","hentry","category-thor"],"yoast_head":"\nUpcoming Changes in THOR v10.5 - Nextron Systems<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2020\/05\/23\/upcoming-changes-in-thor-v10-5\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2020\/05\/23\/upcoming-changes-in-thor-v10-5\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2020\/05\/23\/upcoming-changes-in-thor-v10-5\/\"},\"author\":{\"name\":\"Florian Roth\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\"},\"headline\":\"Upcoming Changes in THOR v10.5\",\"datePublished\":\"2020-05-23T14:17:27+00:00\",\"dateModified\":\"2022-03-25T13:15:44+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2020\/05\/23\/upcoming-changes-in-thor-v10-5\/\"},\"wordCount\":805,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"articleSection\":[\"THOR\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2020\/05\/23\/upcoming-changes-in-thor-v10-5\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2020\/05\/23\/upcoming-changes-in-thor-v10-5\/\",\"name\":\"Upcoming Changes in THOR v10.5 - Nextron Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"datePublished\":\"2020-05-23T14:17:27+00:00\",\"dateModified\":\"2022-03-25T13:15:44+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2020\/05\/23\/upcoming-changes-in-thor-v10-5\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\",\"name\":\"Florian Roth\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"caption\":\"Florian Roth\"},\"description\":\"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.\",\"url\":\"https:\/\/www.nextron-systems.com\/author\/florian\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Upcoming Changes in THOR v10.5 - Nextron Systems","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.nextron-systems.com\/2020\/05\/23\/upcoming-changes-in-thor-v10-5\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.nextron-systems.com\/2020\/05\/23\/upcoming-changes-in-thor-v10-5\/#article","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/2020\/05\/23\/upcoming-changes-in-thor-v10-5\/"},"author":{"name":"Florian Roth","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919"},"headline":"Upcoming Changes in THOR v10.5","datePublished":"2020-05-23T14:17:27+00:00","dateModified":"2022-03-25T13:15:44+00:00","mainEntityOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2020\/05\/23\/upcoming-changes-in-thor-v10-5\/"},"wordCount":805,"publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"articleSection":["THOR"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.nextron-systems.com\/2020\/05\/23\/upcoming-changes-in-thor-v10-5\/","url":"https:\/\/www.nextron-systems.com\/2020\/05\/23\/upcoming-changes-in-thor-v10-5\/","name":"Upcoming Changes in THOR v10.5 - Nextron Systems","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/#website"},"datePublished":"2020-05-23T14:17:27+00:00","dateModified":"2022-03-25T13:15:44+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.nextron-systems.com\/2020\/05\/23\/upcoming-changes-in-thor-v10-5\/"]}]},{"@type":"WebSite","@id":"https:\/\/www.nextron-systems.com\/#website","url":"https:\/\/www.nextron-systems.com\/","name":"Nextron Systems","description":"We Detect Hackers","publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.nextron-systems.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.nextron-systems.com\/#organization","name":"Nextron Systems GmbH","url":"https:\/\/www.nextron-systems.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","width":260,"height":260,"caption":"Nextron Systems GmbH"},"image":{"@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919","name":"Florian Roth","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","caption":"Florian Roth"},"description":"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.","url":"https:\/\/www.nextron-systems.com\/author\/florian\/"}]}},"_links":{"self":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/7735","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/comments?post=7735"}],"version-history":[{"count":13,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/7735\/revisions"}],"predecessor-version":[{"id":8089,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/7735\/revisions\/8089"}],"wp:attachment":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media?parent=7735"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/categories?post=7735"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/tags?post=7735"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}