Welcome to THOR Log Analysis documentation!

Contents:

• 1. Introduction
• 2. Analyst Profile
  • 2.1. Recommended / 2nd Level
  • 2.2. Required / 1st Level
• 3. General Recommendations
  • 3.1. High Quantity Reduces Relevance
  • 3.2. Analysis by Module or Score
  • 3.3. Filter Clear the View
  • 3.4. Attribute Evaluation
• 4. FileScan
  • 4.1. Sample
  • 4.2. Typical False Positives
  • 4.3. Attribute Evaluation
  • 4.4. Typical REASONs
• 5. SHIMcache
  • 5.1. References
  • 5.2. Samples
  • 5.3. Typical False Positives
  • 5.4. Attribute Evaluation
• 6. Autoruns
  • 6.1. References
  • 6.2. Issues
  • 6.3. Samples
  • 6.4. Typical False Positives
  • 6.5. Attribute Evaluation
• 7. LogScan
  • 7.1. Samples
  • 7.2. Typical False Positives
  • 7.3. Attribute Evaluation
• 8. GroupsXML
  • 8.1. References
  • 8.2. Samples
  • 8.3. Typical False Positives
  • 8.4. Attribute Evaluation
• 9. Registry
  • 9.1. Samples
  • 9.2. Typical False Positives
  • 9.3. Attribute Evaluation
• 10. WMIPersistence
  • 10.1. References
  • 10.2. Samples
  • 10.3. Typical False Positives
  • 10.4. Attribute Evaluation
• 11. VulnerabilityCheck
  • 11.1. Samples
  • 11.2. Typical False Positives
  • 11.3. Attribute Evaluation
• 12. LoggedIn
  • 12.1. Samples
  • 12.2. Typical False Positives
  • 12.3. Attribute Evaluation
• 13. ProcessCheck
  • 13.1. References
  • 13.2. Samples
  • 13.3. Typical False Positives
  • 13.4. Attribute Evaluation
• 14. HotfixCheck
  • 14.1. Samples
  • 14.2. Typical False Positives
• 15. RunKeyCheck
  • 15.1. Samples
  • 15.2. Typical False Positives
  • 15.3. Attribute Evaluation
• 16. AmCache
  • 16.1. References
  • 16.2. Samples
  • 16.3. Typical False Positives
  • 16.4. Attribute Evaluation
• 17. Firewall
  • 17.1. Samples
  • 17.2. Typical False Positives
  • 17.3. Attribute Evaluation
• 18. ServiceCheck
  • 18.1. Samples
  • 18.2. Typical False Positives
  • 18.3. Attribute Evaluation
• 19. DNSCache
  • 19.1. Samples
  • 19.2. Typical False Positives
  • 19.3. Attribute Evaluation
• 20. Hosts
  • 20.1. References
  • 20.2. Samples
  • 20.3. Typical False Positives
  • 20.4. Attribute Evaluation
• 21. WMIStartup
  • 21.1. Samples
  • 21.2. Typical False Positives
  • 21.3. Attribute Evaluation
• 22. CommandCheck
  • 22.1. Samples
  • 22.2. Typical False Positives
  • 22.3. Attribute Evaluation
• 23. ProcessHandles
  • 23.1. Samples
  • 23.2. Typical False Positives
  • 23.3. Attribute Evaluation
• 24. ProcessConnection
  • 24.1. Samples
  • 24.2. Typical False Positives
  • 24.3. Attribute Evaluation
• 25. WER
  • 25.1. Samples
  • 25.2. Typical False Positives
  • 25.3. Attribute Evaluation
• 26. UserAccounts
  • 26.1. Samples
  • 26.2. Typical False Positives
  • 26.3. Attribute Evaluation
• 27. AtJobs
  • 27.1. Samples
  • 27.2. Typical False Positives
  • 27.3. Attribute Evaluation
• 28. ScheduledTasks
  • 28.1. Samples
  • 28.2. Typical False Positives
  • 28.3. Attribute Evaluation
• 29. Rescontrol
  • 29.1. Samples
• 30. DeepDive
  • 30.1. Samples
  • 30.2. Typical False Positives
• 31. Other Modules
  • 31.1. Samples
• 32. Generic Checks
  • 32.1. File Path Checks
  • 32.2. Hash Checks
• 33. Tools for Event Analysis
  • 33.1. VirusTotal
  • 33.2. PEStudio
  • 33.3. APT Custom Search
  • 33.4. Hybrid Analysis
  • 33.5. any.run
  • 33.6. Automatic Hash Checks

Indices and tables

• Search Page