NextronSystems / thor-lite

Fast IOC and YARA Scanner

Thor detecting 'itself' when run via SCCM #7

Closed ghost closed 2 years ago

ghost commented 3 years ago

I'm seeing processcheck matches for svchost and c:\windows\ccm\ccmexec.exe somewhat inconsistently on several machines, specifically for the SUSP_PowerShell_Caret_Obfuscation_2, p0wnedShellx64, Mimikatz_Memory_Rule_2, and HKTL_Meterpreter_inMemory signatures.

The results seem fairly improbable.

My best guess is that THOR Lite is finding its own signatures in the memory of the SCCM processes that are hosting it. If there was an easy way to confirm this and/or whitelist THOR's own process, that would be useful.

Neo23x0 commented 2 years ago

As you said, it finds the strings in the process memory of other processes. You can always exclude the matches found in certain processes from the output. https://thor-manual.nextron-systems.com/en/latest/usage/configuration.html?highlight=false%20positive#false-positives

Did you, by chance, run LOKI on these machines before running THOR Lite? Using cleartext signatures pollutes the memory of several processes as long as they don't get restarted.
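The self-detection effect described in this answer, as an added illustration that is not part of the thread and not THOR's or LOKI's code: a minimal literal-string scanner whose rule set, once loaded in cleartext, becomes a contiguous blob in the hosting process's memory. Scanning that process (or one that still holds an earlier run's rules) then lights up every rule at once, while a genuine hit typically triggers a single rule. The rule names are borrowed from the issue report; the marker strings, process paths and memory contents are constructed, and `apply_exclusions` is a stand-in for the regex-based false-positive filtering the linked manual page describes, not THOR's actual configuration format.

```python
"""Why a memory scanner can 'detect itself', and two ways to triage it."""
import re
from dataclasses import dataclass

# Constructed rule set: names come from the issue report, the cleartext
# marker strings are invented placeholders (real rules carry much longer strings).
RULES = [
    ("SUSP_PowerShell_Caret_Obfuscation_2", b"EXAMPLE_CARET_OBFUSCATION_MARKER"),
    ("p0wnedShellx64", b"EXAMPLE_P0WNEDSHELL_MARKER"),
    ("Mimikatz_Memory_Rule_2", b"EXAMPLE_MIMIKATZ_MARKER"),
    ("HKTL_Meterpreter_inMemory", b"EXAMPLE_METERPRETER_MARKER"),
]


def signature_blob() -> bytes:
    """What a cleartext rule set looks like once a scanner has loaded it:
    every rule name and marker sits contiguously in that process's memory."""
    return b"".join(name.encode() + b": " + marker + b"\n" for name, marker in RULES)


@dataclass(frozen=True)
class Hit:
    process: str
    rule: str
    offset: int


def scan_process(process: str, memory: bytes) -> list[Hit]:
    """Plain substring search, the core of literal IOC/YARA string matching."""
    hits = []
    for name, marker in RULES:
        start = 0
        while (idx := memory.find(marker, start)) != -1:
            hits.append(Hit(process, name, idx))
            start = idx + 1
    return hits


def scan_all(processes: dict[str, bytes]) -> list[Hit]:
    return [h for proc, mem in processes.items() for h in scan_process(proc, mem)]


def looks_like_loaded_ruleset(hits: list[Hit], min_rules: int = 3, window: int = 4096) -> set[str]:
    """Triage heuristic: several unrelated rules hitting one process inside a small
    byte window is the footprint of a signature file in memory, not an infection."""
    by_proc: dict[str, list[Hit]] = {}
    for h in hits:
        by_proc.setdefault(h.process, []).append(h)
    suspects = set()
    for proc, phits in by_proc.items():
        offsets = sorted(h.offset for h in phits)
        if len({h.rule for h in phits}) >= min_rules and offsets[-1] - offsets[0] <= window:
            suspects.add(proc)
    return suspects


def apply_exclusions(hits: list[Hit], exclusion_patterns: list[str]) -> list[Hit]:
    """Drop hits whose process path matches an exclusion regex (stand-in for a
    false-positive filter; the regex list here is an assumption, not THOR's format)."""
    compiled = [re.compile(p) for p in exclusion_patterns]
    return [h for h in hits if not any(c.search(h.process) for c in compiled)]


def constructed_processes() -> dict[str, bytes]:
    """Constructed memory images: the SCCM host running the scanner, a service
    still holding an earlier run's rules, one real single-rule hit, one clean process."""
    filler = b"\x00" * 256
    blob = signature_blob()
    return {
        r"C:\Windows\ccm\CcmExec.exe": filler + b"SCCM host process" + filler + blob + filler,
        r"C:\Windows\System32\svchost.exe": filler * 3 + blob,
        r"C:\Users\Public\updater.exe": filler * 4 + b"EXAMPLE_METERPRETER_MARKER" + filler,
        r"C:\Windows\System32\notepad.exe": filler + b"hello world" + filler,
    }


def triage(processes: dict[str, bytes], exclusions: list[str]) -> tuple[list[Hit], set[str]]:
    """Return hits that survive exclusions, plus processes that look like they
    simply contain the rule set itself and deserve a second look before alerting."""
    hits = apply_exclusions(scan_all(processes), exclusions)
    return hits, looks_like_loaded_ruleset(hits)


if __name__ == "__main__":
    kept, self_matches = triage(constructed_processes(), [])
    for h in kept:
        tag = "  <- rule set in memory?" if h.process in self_matches else ""
        print(f"{h.process}: {h.rule} @ {h.offset}{tag}")
```

Running it without exclusions shows CcmExec.exe and svchost.exe each matching all four rules within a couple of hundred bytes, while updater.exe matches one rule in isolation; adding an exclusion regex for the SCCM host path removes its hits entirely, which is the manual's approach, whereas the window heuristic keeps the single genuine hit and only flags the two ruleset-shaped clusters for review.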

ghost commented 2 years ago

Yes. It is possible we ran Loki. I will close the issue for now.