IR1.10 Scanning and Detection Tools — THOR, Hayabusa, RegRipper, and Sysinternals

Scanning and Detection Tools

Adding detection power to your forensic analysis

You have collected artifacts with KAPE, parsed them with EZTools, and built a timeline. You have identified suspicious files and processes. Now you want confirmation: are these files known malware? Do they match any threat intelligence indicators? Scanning and detection tools — YARA rules, THOR, Hayabusa — add automated detection on top of your manual analysis. They do not replace the investigation reasoning taught in this course, but they accelerate identification and catch indicators you might miss in a 50,000-line timeline.

The investigation workflow established in IR1.2-IR1.3 is: collect with KAPE → parse with EZTools → analyze in Timeline Explorer. Scanning tools add a detection layer between parsing and manual analysis: collect → parse → scan for known-bad → analyze. The scan reduces the haystack. Instead of examining 300,000 event log entries, the investigator examines the 47 entries that matched Sigma rules for known attack techniques. Instead of reviewing 800 Prefetch entries, the investigator focuses on the 3 that matched YARA signatures for known hacking tools. Instead of checking 15 service paths manually, the YARA scan flags the 1 that matches a known backdoor signature.

Scanning does not replace manual analysis. A skilled attacker using custom tooling specifically designed to evade signatures will not match any rule. But the majority of real-world incidents involve well-documented tools and techniques: Cobalt Strike beacons (used in approximately 60% of ransomware incidents), Mimikatz for credential dumping, PsExec for lateral movement, encoded PowerShell for payload execution, WMI for persistence, scheduled tasks for persistence. These patterns have robust, well-maintained detection signatures. The scanning tools handle the 80% of cases that involve known patterns; the investigator's manual analysis (IR3-IR7) handles the remaining 20%.

THOR and THOR Lite — Compromise Assessment Scanner

THOR is the most comprehensive compromise assessment scanner available, created by Florian Roth (the co-creator of YARA and the Sigma detection format) and the Nextron Systems team. THOR applies over 30,000 handcrafted YARA signatures, 4,000+ Sigma rules, thousands of IOCs, and custom anomaly detection rules to scan a live system or collected forensic evidence for traces of hacking activity that antivirus and EDR miss.

THOR does not just scan files. It scans the filesystem (every file against the YARA rule set), registry hives (looking for known-malicious keys and values), event logs (applying Sigma rules to every event), the $MFT (checking filenames against IOC databases), ShimCache and Amcache (looking for evidence of known attacker tools), crash dumps and Windows Error Reports (checking for artifacts of exploit activity), and the running process list (identifying hidden or suspicious processes). This breadth makes THOR uniquely effective at finding the traces attackers leave behind — not just the malware itself but the tool output files, temporary files, configuration changes, and log entries that indicate hacking activity.

THOR Lite is the free version available for non-commercial use (register at nextron-systems.com/thor-lite). It includes the open-source YARA rules from the VALHALLA repository and the full Sigma rule set, but not the proprietary Nextron detection rules or the full 30,000+ signature database. For this course, THOR Lite provides sufficient detection capability for all investigation exercises.

# Download THOR Lite from: https://www.nextron-systems.com/thor-lite/
# Register for a free license key
# Extract to C:\IR\Tools\THOR\

Set-Location "C:\IR\Tools\THOR"

# Quick scan — fast check for high-confidence indicators (5-15 minutes)
.\thor-lite.exe --quick

# Full scan of a KAPE collection or mounted forensic image
.\thor-lite.exe -p "C:\IR\Cases\INC-NE-2026-0315-001\Evidence" --quick

# Scan with custom YARA rules (add your own organization-specific rules)
.\thor-lite.exe -p "C:\IR\Evidence\CASE001" --quick --custom-yara "C:\IR\Tools\THOR\custom-rules"

# Output interpretation:
# THOR produces a text log categorized by severity:
#   Alert    — high confidence malicious (investigate immediately)
#   Warning  — medium confidence suspicious (investigate soon)
#   Notice   — low confidence or informational (review if time permits)
# Each finding includes: the matched rule name, the artifact that
# triggered it, the file path or registry key, and the MITRE ATT&CK
# technique ID where applicable

How THOR integrates with the investigation workflow: After collecting with KAPE, run THOR against the collection output before manual analysis. THOR scans the collected registry hives with YARA rules (detecting known malware signatures in registry data), applies Sigma rules to the collected event logs (detecting known attack patterns like encoded PowerShell execution, service installation for persistence, or credential dumping), checks the collected $MFT and Amcache against IOC databases (detecting known-bad file hashes and suspicious file paths), and examines Prefetch files for evidence of known hacking tools (Mimikatz, PsExec, Rubeus, SharpHound, Cobalt Strike components). The THOR report highlights specific artifacts — the investigator then examines those artifacts in depth using EZTools and Timeline Explorer.

THOR with Velociraptor: THOR can be deployed through Velociraptor as a VQL artifact for enterprise-wide compromise assessment. The Velociraptor artifact uploads THOR to each endpoint, executes the scan, and returns results to the server. This enables fleet-wide scanning for known threats — equivalent to running a compromise assessment across thousands of endpoints simultaneously, with results aggregated in the Velociraptor GUI.

Worked investigation finding:

>

Finding: THOR Lite scan of KAPE collection from DESKTOP-NGE042 produced an Alert-level detection: YARA rule HKTL_CobaltStrike_Beacon_Encoded_Config matched in the Amcache entry for C:\ProgramData\Microsoft\Crypto\svchost.exe (SHA1: 4a2b3c...). The rule detects the encoded configuration block characteristic of Cobalt Strike beacons.

>

Proves: The executable identified in the process investigation (IR1.9 worked finding) contains a Cobalt Strike beacon configuration. This confirms the process is malicious, not a false positive from a legitimate application using a common filename.

Does not prove: When the beacon was first deployed, who deployed it, or what actions the attacker performed through the beacon.

Next step: Extract the Cobalt Strike configuration from the binary (using CobaltStrikeParser or 1768.py) to identify the C2 server address, beacon interval, watermark, and other operational parameters. Cross-reference with Defender XDR alerts for the same endpoint.

Hayabusa — Fast Event Log Forensics with Sigma Rules

Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool created by the Yamato Security group in Japan. Written in Rust for speed (multi-threaded, memory-safe), Hayabusa applies 4,000+ Sigma rules and 170+ custom Hayabusa detection rules to Windows event logs and produces a consolidated CSV timeline highlighting only the events that match detection rules. It is the fastest way to find attacker activity in a large collection of event logs.

The name means "peregrine falcon" in Japanese — the fastest animal in the world. Hayabusa processes 50 GB of event logs in minutes, applying thousands of rules to each event and producing a timeline of detections sorted by severity (Critical, High, Medium, Low, Informational) with MITRE ATT&CK tactic mapping for every detection.

The critical distinction between Hayabusa and EvtxECmd: EvtxECmd parses ALL events into a comprehensive CSV — every logon, every process creation, every service installation — and the investigator must manually filter to find the relevant entries among hundreds of thousands of rows. Hayabusa filters first, applying Sigma rules to every event and outputting only the events that match known attack patterns. Use EvtxECmd for comprehensive analysis (when you need to see everything in a specific timeframe). Use Hayabusa for threat hunting (when you need to find attacker activity in a large log collection and do not know exactly what timeframe to look at).

# Download Hayabusa from: https://github.com/Yamato-Security/hayabusa/releases
# Extract to C:\IR\Tools\Hayabusa\

Set-Location "C:\IR\Tools\Hayabusa"

# Update detection rules to the latest Sigma + Hayabusa rules
.\hayabusa.exe update-rules

# Generate a threat-hunting CSV timeline from KAPE-collected event logs
.\hayabusa.exe csv-timeline -d "C:\IR\Cases\INC-NE-2026-0315-001\Evidence\C\Windows\System32\winevt\Logs" -o "C:\IR\Cases\INC-NE-2026-0315-001\Output\hayabusa_timeline.csv" -T -E --no-color

# Command breakdown:
# csv-timeline   — output as CSV for Timeline Explorer
# -d             — directory containing .evtx files (from KAPE or wevtutil export)
# -o             — output file path
# -T             — include MITRE ATT&CK tactics in output columns
# -E             — include all event detail fields (not just matched fields)
# --no-color     — disable ANSI codes for clean CSV output

# Generate an HTML summary report (executive-level overview)
.\hayabusa.exe html-summary -d "C:\IR\Cases\INC-NE-2026-0315-001\Evidence\C\Windows\System32\winevt\Logs" -o "C:\IR\Cases\INC-NE-2026-0315-001\Output\hayabusa_report.html"

# Live analysis — scan the local system's event logs directly
.\hayabusa.exe csv-timeline --live-analysis -o live_scan.csv -T -E --no-color

# Scan only a specific time range
.\hayabusa.exe csv-timeline -d "C:\IR\Evidence\evtx_files" -o results.csv -T -E --no-color --timeline-start "2026-03-15 14:00:00 +00:00" --timeline-end "2026-03-15 18:00:00 +00:00"

Hayabusa output in Timeline Explorer: Open the hayabusa_timeline.csv in Timeline Explorer. Each row is an event that matched a detection rule. Key columns: Timestamp (when the event occurred), RuleTitle (what was detected — e.g., "Suspicious Encoded PowerShell Command Line"), Level (Critical/High/Medium/Low/Informational), MitreTactics (which ATT&CK tactic — Execution, Persistence, Lateral Movement, etc.), MitreTags (specific technique IDs), Computer (which endpoint), Channel (which log source), EventID, and the extracted event details. Sort by Level descending to see critical detections first. Filter by MitreTactics to focus on specific attack phases.

Hayabusa with Velociraptor: Hayabusa can be deployed through Velociraptor for enterprise-wide event log analysis. The Velociraptor-Hayabusa combination retroactively reproduces a SIEM in environments where no SIEM was deployed — applying Sigma rules to every endpoint's event logs and aggregating detections across the fleet. This is invaluable for organizations that discover they were compromised months ago and need to hunt through historical event logs to determine scope and timeline.

Worked investigation finding:

>

Finding: Hayabusa scan of event logs from DESKTOP-NGE042 produced 3 Critical-level detections: (1) "Suspicious Encoded PowerShell Command" (Event ID 4104, March 15 14:32:07 UTC, MitreTactics: Execution), (2) "Service Installed with Suspicious Path" (Event ID 7045, March 15 14:33:41 UTC, MitreTactics: Persistence), (3) "WMI Remote Process Creation" (Event ID 4688, March 15 14:35:22 UTC, MitreTactics: Lateral Movement). The three detections form a sequential attack chain: execution → persistence → lateral movement within a 3-minute window.

>

Proves: The event logs contain evidence of attacker activity matching three distinct MITRE ATT&CK tactics in chronological sequence. Sigma rules confirmed the patterns — these are not ambiguous events requiring interpretation.

Does not prove: Who initiated the attack, whether the lateral movement was successful, or how many other endpoints were targeted.

Next step: Examine each detection in detail using EvtxECmd parsed output (which provides the full event fields that Hayabusa summarizes). Trace the lateral movement target from the WMI event. Hunt for the same indicators across the fleet using Velociraptor.

RegRipper — Deep Registry Forensic Analysis

RegRipper is a registry analysis tool created by Harlan Carvey, a pioneer in Windows forensic analysis and author of "Windows Forensic Analysis." It applies a library of purpose-built Perl plugins to Windows registry hives and extracts forensically significant data with interpretive context that batch processing tools (like RECmd) may not provide.

Where RECmd (EZTools) processes registry hives through batch files producing structured CSV output optimized for Timeline Explorer, RegRipper applies investigation-specific plugins that extract and interpret specific registry keys with forensic context. The plugin output often includes explanation of what the extracted data means for the investigation — not just raw values but their significance.

# Download RegRipper from: https://github.com/keydet89/RegRipper3.0
# Extract to C:\IR\Tools\RegRipper\

Set-Location "C:\IR\Tools\RegRipper"

# Run all applicable plugins against a NTUSER.DAT hive
.\rip.exe -r "C:\IR\Evidence\CASE001\C\Users\jmorrison\NTUSER.DAT" -a > "C:\IR\Output\ntuser_rip.txt"

# Run all plugins against the SYSTEM hive
.\rip.exe -r "C:\IR\Evidence\CASE001\C\Windows\System32\config\SYSTEM" -a > "C:\IR\Output\system_rip.txt"

# Run a specific targeted plugin
.\rip.exe -r "C:\IR\Evidence\CASE001\C\Users\jmorrison\NTUSER.DAT" -p userassist
# The userassist plugin extracts GUI program execution history with
# timestamps and run counts — evidence of execution from the registry
# perspective that complements Prefetch analysis from PECmd

.\rip.exe -r "C:\IR\Evidence\CASE001\C\Windows\System32\config\SYSTEM" -p services
# The services plugin extracts all registered services with binary paths,
# start types, and last-known-good configurations — identifying persistence
# mechanisms from the registry that complement the live service query

.\rip.exe -r "C:\IR\Evidence\CASE001\C\Windows\System32\config\SYSTEM" -p usbstor
# The usbstor plugin extracts USB device connection history with device
# serial numbers, first and last connection timestamps — critical for
# insider threat investigations involving data exfiltration to USB drives

Use RECmd for structured batch analysis. Use RegRipper when you need targeted plugin analysis for specific investigation questions — particularly USB device history (usbstor plugin), user program execution (userassist), network connection timestamps (networkconnections), and service installation dates (services). The RegRipper output text format is also useful for pasting directly into IR reports because it includes interpretive context alongside the raw data.

Sysinternals — Microsoft's Live System Investigation Suite

Sysinternals is a suite of system utilities created by Mark Russinovich (now CTO of Microsoft Azure) that provide deep visibility into Windows system internals. While not forensic tools in the traditional sense (they do not analyze collected artifacts), several Sysinternals utilities are indispensable for live system investigation during active incidents.

Autoruns / autorunsc.exe — the definitive persistence detector. Displays every program configured to run at boot or logon from every possible autostart location: registry Run keys, services, drivers, scheduled tasks, Winlogon entries, browser helper objects, Winsock providers, image hijacks, AppInit DLLs, KnownDLLs, and dozens more. Autoruns identifies more autostart locations than any other tool — including locations that attackers exploit specifically because other tools do not check them. It integrates with VirusTotal for hash checking, flagging known-malicious entries automatically.

# Autoruns: export all autostart entries to CSV
# This is the single fastest way to identify persistence mechanisms on a live system
Set-Location "C:\IR\Tools\Sysinternals"
.\autorunsc.exe -a * -c -h -s -v -vt > "C:\IR\Evidence\autoruns.csv"
# -a * = all autostart categories (over 20 categories)
# -c   = CSV output (opens in Timeline Explorer)
# -h   = hide Microsoft-signed entries (focus on non-Microsoft)
# -s   = verify digital signatures
# -v   = include VirusTotal results if available
# -vt  = submit hashes to VirusTotal for checking

# Open the CSV in Timeline Explorer
# Filter the "Signer" column to "(Not verified)" — unsigned entries
# are more likely to be malicious or attacker-deployed
# Check the "Image Path" column for entries in unusual locations
# (AppData, Temp, ProgramData, Public directories)

Process Explorer — enhanced Task Manager for live investigation. Shows the complete process hierarchy (parent-child tree), all loaded DLLs per process, open handles (files, registry keys, mutexes, network connections), thread details, and VirusTotal hash checking. During live triage, Process Explorer reveals suspicious process relationships and loaded modules that Task Manager and even Get-Process do not show. The DLL view is particularly valuable — a legitimate svchost.exe with an unsigned DLL loaded from a temp directory is a strong injection indicator.

Process Monitor (ProcMon) — real-time activity capture. Captures every file read/write, registry access, network connection, and process event in real time. During a live investigation where the attacker is still active, ProcMon reveals what the attacker's process is doing right now — which files it is reading, which registry keys it is modifying, which network connections it is establishing. ProcMon generates millions of events per minute, so always use targeted filters (filter to specific process names, paths, or operations) to keep the data volume manageable.

TCPView — real-time network connection monitor. Maps every active connection to its owning process with a live-updating display. Connections opening and closing appear in green and red. Useful for identifying intermittent C2 connections that beacon at intervals — the connection appears briefly (green), communicates, then closes (red), then reappears at the next beacon interval.

Strings — extract readable text from binaries. When you identify a suspicious executable, Strings extracts all printable character sequences from the binary without executing it. The output reveals embedded URLs, IP addresses, file paths, registry keys, error messages, and tool names — quick indicator extraction without full reverse engineering.

# Strings: extract indicators from a suspicious binary
.\strings.exe -n 8 "C:\IR\Evidence\suspicious.exe" > "C:\IR\Output\strings_output.txt"
# -n 8 = minimum string length 8 characters (reduces noise)
# Search output for: http://, https://, IP addresses (regex: \d+\.\d+\.\d+\.\d+),
# file paths, registry paths (HKLM, HKCU), known tool names (mimikatz, beacon, etc.)

# Quick indicator extraction
Select-String -Path "C:\IR\Output\strings_output.txt" -Pattern 'http[s]?://|(\d{1,3}\.){3}\d{1,3}|HKLM|HKCU' |
    Select-Object -ExpandProperty Line | Sort-Object -Unique

PsExec — remote command execution. Already covered in IR1.2 (KAPE remote deployment) and IR1.4 (Velociraptor alternative). PsExec enables running commands on remote systems using admin credentials. Used for deploying collection tools, executing containment actions, and performing live response when Velociraptor and PowerShell remoting are unavailable.

Sysmon — system monitoring for evidence generation. Sysmon is not an investigation tool — it is a monitoring driver that generates detailed event logs for process creation (with command lines, hashes, and parent process), network connections (with process attribution), file creation (with hashes), registry changes, DNS queries, and more. If Sysmon is installed on the compromised system, the Sysmon event log (Microsoft-Windows-Sysmon/Operational) is one of the most valuable evidence sources available. KAPE collects Sysmon logs as part of !SANS_Triage, and both EvtxECmd and Hayabusa parse them with dedicated rules. IR5 covers Sysmon in depth.