Type | Description |
---|---|
Change | Remove outdated content from the tools folder in THOR packages |
Bugfix | Exclude THOR logs from being detected by THOR |
Type | Description |
---|---|
Feature | Authors of YARA rules are now included in match outputs |
Change | Update PE-Sieve to v0.2.9.6 |
Change | Global YARA rules now cause an error since they can inadvertently affect THOR's internal signatures |
Change | Some modules were removed on specific platforms (especially on MacOS and AIX) that only held dummy |
Change | Add EVTX 3.2 support |
Bugfix | Print Eventlog timestamps in local timezone, unless '--utc' is used |
Type | Description |
---|---|
Change | Upgrade PE-Sieve to v0.2.9.5 |
Change | Upgrade OpenSSL to 1.1.1j |
Bugfix | Ensure THOR honors low CPU limits correctly |
Bugfix | Correct loading for some named pipe IOC files |
Bugfix | Incorrect formatting for JSON syslog output |
Type | Description |
---|---|
Feature | Add support for a THOR Util configuration file. This file allows setting a default configuration (e.g. to always upgrade to the TechPreview). |
Change | Notarize THOR for MacOS |
Type | Description |
---|---|
Feature | Scan all event logs if '--intense' was specified |
Feature | Allow fetching the signatures in development by using '--sigdev' with thor-util update |
Change | Add info resource to THOR Windows files |
Change | Refactor bulk scanning to have less memory allocated / released to reduce memory usage volatility |
Change | Let THOR Util default to its own directory for THOR and license paths (same behaviour as THOR already has) |
Change | Check YARA / IOC filename indicators (like log, registry, keyword) with word boundaries |
Change | Add additional event logs to list scanned by default |
Change | Don't allow a downgrade in THOR Util unless '--force' is specified |
Change | Update to Golang 1.15.10 |
Change | Specific options (dropzone mode, deep dive mode, fsonly, nodoublecheck, hostname rewrite) have been restricted to Forensic Lab and Incident Response license types |
Bugfix | Add checks for improved handling of corrupted registry hives |
Bugfix | Clarify some messages of THOR Util |
Bugfix | Apply excludes with OS path separators with '--cross-platform' |
Type | Description |
---|---|
Change | Minor directory exclusion adjustments for Microsoft Exchange |
Type | Description |
---|---|
Bugfix | Remove some directory excludes specific to Microsoft Exchange |
Type | Description |
---|---|
Feature | Make bulk scan size manually configurable with '--bulk-size' |
Change | Disable 60 MB log size limit if debugging (with '--debug' or '--trace') is active |
Type | Description |
---|---|
Feature | Suppress rule matches on log files after the same rule matched 10 times or more, this can be deactivated with '--showall' |
Feature | Add a context menu for filtering to the HTML reports |
Feature | Add support for NFTables firewalls on Linux |
Feature | Add a field 'SIGTYPE' to messages which displays whether an IOC or YARA rule is custom or built-in |
Feature | Reuse previous Scan ID if a scan is resumed |
Feature | Add additional information to files detected in a Windows recycle bin (original file name, deletion time) |
Change | Limit file enrichment to 10 files per message |
Change | Name automatically generated YARA rules for C2 domains after the domain rather than after a counter |
Change | Reduce score of a C2 match with a YARA rule by 30 |
Change | Upgrade to YARA 4.0.5 |
Change | Make matching of C2 IOCs on process memory optional, it can be enabled with '--c2-in-memory' |
Bugfix | Deduplicate listen ports per process |
Bugfix | Improve permission vulnerability check for Linux services |
Bugfix | Skip specific registry hives where THOR could behave unstable |
Type | Description |
---|---|
Feature | Apply C2 checks to log scans |
Change | Increase the default maximum runtime to 1 week |
Change | Apply special scan features on files even if those files exceed the maximum file size set |
Bugfix | Remove several false positives on process memory of Antivirus products |
Bugfix | Fix an issue where THOR Remote could freeze if too many remote scans were started |
Bugfix | Fix an issue where packed files weren't unpacked completely before being scanned |
Type | Description |
---|---|
Bugfix | Print time of currently analyzed event in Eventlog module |
Type | Description |
---|---|
Change | Upgrade to Golang 1.14.7 |
Change | Catch Panics in a Module to leave other modules unaffected |
Change | Disable support for licenses using an obsolete encryption method |
Bugfix | Extend output in a specific Events module message |
Bugfix | New parameter '--max_process_size' that limits the size of processes that THOR scans with YARA rules. Default value is 500 MB. THOR memory usage increases as this value is increased. |
Type | Description |
---|---|
Bugfix | Catch possible panic during Amcache parsing |
Bugfix | Catch possible panic if the Application Eventlog could not be opened |
Type | Description |
---|---|
Change | Exchange signing certificate for newer |
Bugfix | Check Registry Hive entries in the same format as Live Registry entries |
Bugfix | Check UserData elements in EVTX files |
Type | Description |
---|---|
Feature | Support download of Tech Previews in Thor-Util |
Feature | Support license download from ASGARD 2.5+ with '--asgard-token' |
Bugfix | Terminate if started with '--resumeonly' and no previous scan with the same context existed |
Bugfix | Calculate the context that '--resume' used to check for previous scans differently, excluding elements prone to change |
Type | Description |
---|---|
Bugfix | Catch Panic when handling specific Registry Hives on disk. |
Type | Description |
---|---|
Bugfix | Disable PE-Sieve by default to follow up on some rare issues. It can be enabled with '--process-integrity' or '--intense'. |
Type | Description |
---|---|
Feature | Generate process dumps of suspicious processes (for now Windows only) when '--procdumps' is specified |
Feature | New command line option '--procdump-dir' to control where process dumps are stored |
Feature | Integrate parser for Windows LNK files |
Feature | New command line option '--image-chunk-size' to set the size of chunks when scanning image files |
Feature | New command line option '--generate-config' to create a configuration file for THOR based on command line options |
Feature | Open busy registry hives using a raw disk image and the MFT |
Feature | On interactive interrupts, show progress and a menu to continue or abort the scan |
Feature | Support new IOC file for named pipes on Windows |
Feature | Detect files with uncommon / unlikely timestamps (timestomping) |
Change | Reduce log level for open port messages to Info |
Change | Extend '--all-module-lookback' to Registry Hive files and EVTX log files, rename it to '--global-lookback' |
Change | Update used YARA to 4.0.1 |
Change | Print last scanned element when maximum runtime is exceeded |
Bugfix | Don't stop HTML log generation on encountering certain uncommon log lines |
Type | Description |
---|---|
Feature | New PowerShell script to download and run Thor easily |
Feature | Execute PE-Sieve at runtime to discover processes with malicious sections, sensitivity can be raised further with '--full-proc-integrity' |
Feature | New command line option '--scanid-prefix' to set a custom Scan ID prefix |
Feature | New command line option '--print-signatures' to print metadata to all YARA and Sigma signatures |
Feature | New command line option '--all-module-lookback' that applies lookback to the Filesystem, Registry, and Services modules as well |
Feature | Make score for Handle IOCs customizable |
Feature | New command line option '--ascii' to exclude non-ASCII characters from the logs |
Change | Check open files without using an external 'lsof' executable on Unix platforms |
Change | Update descriptions for most command line options |
Change | Print non-ASCII strings in matches as hex sequences |
Change | Include time (in addition to the date) in default log file name |