How to scan systems with THOR lite scanner during compromise assessment and incident response

Md. Mahim Bin Firoj
5 min readSep 16, 2023

In this post, I tried to consolidate informations of thor-lite that I think will be helpful for IR folks.

First we need to know what is Thor lite scanner?

It is a compromise assessment tool developed by Nextron-systems and Florian Roth. This tool is used for detecting malicious activity in a compromised systems. Thor lite is a free tool (which require license) which use open source yara rules and undisclosed IOC’s in the backend. It comes with file scan module and process scan module. It will also extracts autoruns informations. They also have a paid version of this tool called Thor which includes all 27 detection modules. The paid version works in more extensive way i.e. more yara rules, sigma rules, IOC’s etc.

image: nextron-systems

Using this tool you can check your system is affected or not by any specific attack. When any major attack or any attack happens (and if the Nextron team aware of that attack) then Nextron team investigate the attack IOC’s, behavior, reverse engineering the malware and generate yara rules and IOC’s like file hashes etc. and integrate this both of their Thor and Thor lite tool.

Practical scenario when you should must use this tool:

Say 10 of your organiation users received a phishing mail from REvil ransomware group and 3 of them exeute the attachment from that malicious phishing mail. And Nextron systems security professionals already investigate REvil ransomware group in full phase and generate signatures for that, which Thor lite will use. In this case you should definitely go for it to be sure that whether the ransomware group successfully infected the systems or not. Here infecting the system does not mean encrypting the system because if you see it clearly that the system is encrypted then there is no point to scan the system for validation. Before encryption there are so many things happen. If we detect those at our earliest, we can still protect the systems.

If we found that the payload executed successfully from the mail and our EDR tool did not detect then we can give them the malicious files to investigate and generate signatures for us so that from next time our tool can detect the same attack.

You can also use this tool during your normal IR activity.

For windows, download the thor-lite from the above page. For this free tool, they only want their newsletter subscription. In your mail, you should get the license file and the link to download thor lite once the subscription is confirmed.

image: nextron-systems.com

Download the zip archive tool, extract it. Move the license to the folder where thor-lite .exe is present. Then simply run the tool by double clicking it. Normal scan could take 3–4 hours to complete but there are some ways to expedite the scanning process. See below:

First you need to tell thor to update its signatures to the latest so that the scan runs against the latest signature sets. You need thor-lite-util.exe tool for this which is present in the main folder. Command to do this is:

thor-lite-util.exe update
thor-lite-util.exe upgrade

Flags to Consider Before run the scan:

  1. If you are scanning virtual machines or systems that experience constant high load from other processes, it can be beneficial to utilize the “–nosoft” and “–nolowprio” flags. These flags allow thor-lite to run with the same process priority as any regular process, helping to ensure that the scan operates smoothly alongside other ongoing processes. But if you think your system has ample amount of resources, then you can skip these parameters. Commands to do that:
thor64-lite.exe --nolowprio --nosoft 

2. If you are interested in scanning recently created files and log entries, these flags direct THOR-lite to exclusively scan elements that have been created or modified within the past 150 days. Any file or event log entry older than that timeframe will be ignored, resulting in a significantly smaller set of elements being scanned. If this is the case of my previous REvil ransomware example then use these paramters. Commands to do that:

thor64-lite.exe --lookback 150 --global-lookback

— global-lookback means, the same days (150) will be checked for other enabled modules. As stated earlier, in this free version 5 modules comes by default.

3. To minimize the impact on end users working on a system during the scanning process, you have the option to reduce the CPU usage of the scanner to, for example, 30%. By doing so, you can prevent them from noticing the scan by decreasing the overall system load and fan noise. Commands to do that:


thor64-lite.exe --cpulimit 30

If you use number 3, then don’t use number 1.

Recommended CommandLine Flags for this REvil Use Case

If a regular scan takes an excessive amount of time, we recommend utilizing the following command line flags to expedite the scan process by limiting it to the changes that have occurred within the last 150 days:

thor64-lite.exe --nolowprio --lookback 150 --global-lookback

To minimize CPU usage and make it as inconspicuous or unnoticed as possible for end users working on the scanned systems, employ the following command:

thor64-lite.exe --cpulimit 35 --lookback 150 --global-lookback 

If you are investigating a system where end user is not present, then go for the following one:

thor64-lite.exe --nolowprio --lookback 150 --global-lookback

Analysing the result:

After the scan finishes, you will get a html format report on the same folder where this tool present. Then you need to analyze those.

For linux systems:

Download the linux version of thor-lite. Put the license file on the folder where linux executable is present.

chmod +x thor-lite-linux-64
./thor-lite-linux-64 -a FileScan --alldrives -p /mnt/ns

Thanks. I hope you like this. Please Subscribe below.

LinkedIn:

https://www.linkedin.com/in/md-mahimbin-firoj-7b8a5a113/

YouTube:

https://www.youtube.com/@mahimfiroj1802/videos

--

--