Scribd Logo
Upload

Welcome to Scribd!

  • THOR Util Manual

    Uploaded by

    minhquy03032001
    20 views8 pages

    Original Title

    THOR_Util_Manual

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    20 views8 pages

    THOR Util Manual

    Uploaded by

    minhquy03032001

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 8

    THOR Util - Manual

    Version 1.6
    Nextron Systems GmbH
    1 What is THOR Util? ................................................................................................. 3
    2 Upgrade (upgrade) ................................................................................................. 3
    2.1 Upgrade Locations.................................................................................................. 4
    2.2 Update Server Information ...................................................................................... 4
    3 Download Packages (download)............................................................................... 5
    4 Install Packages (install) ........................................................................................ 5
    5 Custom Signature Encryption (encrypt)..................................................................... 5
    6 Report Generation (report) ...................................................................................... 6
    7 Verify Binaries (verify) ........................................................................................... 6
    8 License Retrieval (license) ...................................................................................... 7
    9 Decrypt Reports and Log Files (decrypt) ................................................................... 8
    10 Log Conversion (logconvert) ................................................................................... 8

    THOR Util Manual Page 2 of 8


    1 What is THOR Util?
    THOR Util is the swiss-army knife with many maintenance features like update, download
    and license fetching. But it also supports executable signature verification, custom
    signature encryption and report generation.

    2 Upgrade (upgrade)
    You can download updates for THOR and SPARK with “thor-util.exe”. The old “thor-
    upgrade.exe” utility is obsolete and no longer supported.
    Running “thor-util.exe --help” shows two options that look very similar: “download” and
    “upgrade”.
    The difference is that the “download” option downloads a full pack with all config files while
    the “upgrade” option fetches a full package but excludes the config files to avoid accidental
    overwrites of local config files (like: thor.cfg, falsepositive_filters.cfg etc.)
    If you have a full program package present, you should always use the “upgrade” option.

    Screenshot 1 - THOR-util Help

    Every other option has its own help. You can see the help of each option with

    thor-util.exe option --help

    Listing 1 - THOR-util shows help for each option

    Screenshot 2 – THOR-util Upgrade Help

    THOR Util Manual Page 3 of 8


    The following two examples show different upgrade methods.

    thor-util.exe upgrade

    Listing 2 - THOR Upgrade with direct Internet Connection

    thor-util.exe -a https://proxy.company.net:8080

    Listing 3 – THOR Upgrade using a Proxy Server

    thor-util.exe -a -a https://proxy.company.net:8080 -n dom\user -p password

    Listing 4 - THOR Upgrade using a Proxy Server with Basic Authentication

    thor-util.exe -a -a https://proxy.local:8080 --ntlm -n dom\user -p password

    Listing 5 – THOR Upgrade using NTLM authentication

    2.1 Upgrade Locations


    The following servers are used as update mirrors and should be accessible via HTTPS:
    update1.nextron-systems.com

    update2.nextron-systems.com

    These two download locations are obsolete:


    www.apt-detection.com

    www.bsk-consulting.de

    2.2 Update Server Information


    You can get information on the available update packages on this site:
    https://update1.nextron-systems.com/info.php

    Screenshot 3 - Update server information

    THOR Util Manual Page 4 of 8


    3 Download Packages (download)
    Using the “download” flag you can download any of the scanner packages for Windows,
    Linux and macOS.

    4 Install Packages (install)


    The “install” feature is only used to install previously downloaded packages using the
    “download” feature and often used on systems without Internet connection.

    5 Custom Signature Encryption (encrypt)


    You can encrypt the YARA signatures and IOC files with the help of THOR-Util’s “encrypt”
    feature.
    thor-util.exe encrypt --help

    Listing 6 – Show the help of the “encrypt” feature

    Screenshot 4 – THOR Util’s Encrypt Feature Help

    As target for the encrypt command, you can use a single file, a list of files or wildcards.
    thor-util.exe encrypt ~/sigs/case14.yar
    thor-util.exe encrypt ~/sigs/case14.yar ~/sigs/case14-hashes.txt
    thor-util.exe encrypt ~/sigs/case14.*

    Listing 7 – THOR Util Encrypt Examples

    It will automatically detect the type of the signature based on its extension.
    File Type Clear Text Extension Extension of Encrypted File
    IOC File .txt .dat
    YARA Rule .yar, .yara, .yac (compiled YARA) .yas
    Sigma1 .yml, .yaml .yms
    STIXv21 .json .jsos
    Table 1 - Extension of Clear Text and Encrypted Signatures

    Place the encrypted IOC files in the “./custom-signatures” sub folder in the program
    directory and the encrypted YARA rules in the “./custom-signatures/yara” sub folder.

    1
    only available in SPARK

    THOR Util Manual Page 5 of 8


    6 Report Generation (report)
    Using the --report flag, you can generate HTML report from plain text log files.

    Screenshot 5 - THOR Utils report generation functions

    thor-util report --logfile PROMETHEUS_thor.log


    thor-util report --logdir ./logs

    Listing 8 - THOR Util reports generation examples

    Screenshot 6 – HTML report generated by thor-util

    See this blog post for details:


    https://www.nextron-systems.com/2018/06/20/thor-util-with-html-report-generation/

    7 Verify Binaries (verify)


    This feature allows to verify the authenticity of the included binaries. The signature
    verification is based on a public key encryption algorithm and requires the “*.sig” files that
    are shipped with the packages.

    THOR Util Manual Page 6 of 8


    Screenshot 7 - Verify thor.exe signature using THOR Util

    8 License Retrieval (license)


    This feature can be used to retrieve a license from a remote ASGARD server system.

    Screenshot 8 - THOR Utils license generation feature

    Screenshot 9 - License retrieval from an ASGARD server

    thor-util license --hostname machine1 server --url https://asgard1.bsk


    thor-util license --http-insecure --url https://asgard1.bsk

    Listing 9 - THOR Util license generation examples

    THOR Util Manual Page 7 of 8


    9 Decrypt Reports and Log Files (decrypt)
    This feature can be used to decrypt HTML reports or text log files that have previously been
    encrypted by SPARK upon scan completion.

    Screenshot 10 - THOR Utils decryption feature options

    10 Log Conversion (logconvert)


    The log conversion features allows to convert between Text and JSON format.

    Screenshot 11 - Log Conversion Options

    ./thor-util logconvert --from-log --to-json -f spark.log -o spark-converted.json


    ./thor-util logconvert --from-json --to-log -f spark.json -o spark-converted.log

    Listing 10 - THOR Util log conversion examples

    THOR Util Manual Page 8 of 8

    You might also like