THOR Util User Manual

What is THOR Util?

THOR Util is the Swiss-army knife with many maintenance features such as update, download and license fetching. It also supports executable signature verification, custom signature encryption, report generation and diagnostics for troubleshooting THOR scans.

Upgrade (upgrade) and Updates (update)

You can download updates for THOR with thor-util.exe (Windows) or thor-util (Linux, macOS).

Running thor-util --help shows three options that seem to have a very similar meaning: "upgrade", "update" and "download".

The difference is that the "download" option downloads a full package including all config files, while the "upgrade" option fetches a full package but excludes the config files to avoid accidentally overwriting local config files (e.g. thor.yml, falsepositive_filters.cfg).

The "update" option retrieves only the newest signature pack (not the program files).

Option     Description
--------   -------------------------------------------------
upgrade    Get new program files and signatures
update     Get new signatures
download   Get new program files, signatures and config files

If you have a full program package present, you should use the "upgrade" option.

Every other option has its own help. You can see the help of each option with

user@unix:~/thor$ ./thor-util *option* --help
THOR Util Upgrade Help

The following examples show different upgrade methods.

C:\thor>thor-util.exe upgrade
C:\thor>thor-util.exe upgrade -a https://proxy.company.net:8080
C:\thor>thor-util.exe upgrade -a https://proxy.company.net:8080 -n dom\\user -p password
C:\thor>thor-util.exe upgrade -a https://proxy.local:8080 --ntlm -n dom\\user -p password

THOR TechPreview Version

To upgrade your current version to the TechPreview version, use the following command:

C:\thor>thor-util.exe upgrade --techpreview

You can find more information on the TechPreview version here.

Hint

To make the TechPreview version persistent, consider adding it to your THOR Util configuration file (thor-util.yml). Please see TechPreview configuration.

Update Locations

When using the full version of THOR, the following servers are used as update mirrors and should be accessible via HTTPS:

update1.nextron-systems.com
update2.nextron-systems.com

When using THOR Lite, the following server is used instead and should be accessible:

update-lite.nextron-systems.com

Hint

For a detailed and up to date list of our update and licensing servers, please visit https://www.nextron-systems.com/hosts/.

SigDev Signatures

Usually our internal testing takes 1-2 days to verify the quality of new rules. In rare cases in which a new and severe threat has been discovered (e.g. a new vulnerability with public proof-of-concept code), it can make sense to use the newest, still untested signatures that are in our testing process.

To retrieve the newest and untested signatures you can use the thor-util.exe update --sigdev flag.

To reset the signature set to the latest stable version, use thor-util.exe update --force. This retrieves the stable set and enforces the download even if the currently installed set is newer.

Update Server Information

You can get information on the available update packages on this site:

https://update1.nextron-systems.com/info.php

Update server information

Download Packages (download)

Using the "download" flag you can download any of the scanner packages for Windows, Linux and macOS.

This option is especially useful in cases in which you have to download the updates on an Internet-connected machine and bring them to a system without Internet access.

C:\thor>thor-util.exe download -t thor10-win

THOR TechPreview Version

To download the TechPreview version, use the following command line flag.

C:\thor>thor-util.exe download -t thor10-win --techpreview

You can find more information on the TechPreview version here.

Install Packages (install)

The "install" feature is only used to install previously downloaded packages.

The packages can be downloaded

  • using the "download" function in THOR Util

  • using the displayed URL that is shown during update or upgrade procedures

It is often used to update THOR program folders on systems without Internet access.

Custom Signature Encryption (encrypt)

You can encrypt the YARA signatures and IOC files with the help of THOR-Util's "encrypt" feature.

C:\thor>thor-util.exe encrypt --help
THOR Util's Encrypt Feature Help

As target for the encrypt command, you can use a single file, a list of files or wildcards.

C:\thor>thor-util.exe encrypt ~/sigs/case14.yar
C:\thor>thor-util.exe encrypt ~/sigs/case14.yar ~/sigs/case14-hashes.txt
C:\thor>thor-util.exe encrypt ~/sigs/case14.*

It will automatically detect the type of the signature based on its extension.

File Type   Clear Text Extension                Extension of Encrypted File
---------   ---------------------------------   ---------------------------
IOC File    .txt                                .dat
YARA Rule   .yar, .yara, .yac (compiled YARA)   .yas
Sigma       .yml, .yaml                         .yms
STIXv2      .json                               .jsos

Place the encrypted IOC files in the ./custom-signatures sub folder in the program directory and the encrypted YARA rules in the ./custom-signatures/yara sub folder.

Report Generation (report)

Using the "report" command, you can generate an HTML report from plain text log files.

THOR Util's report generation functions

user@unix:~/thor$ ./thor-util report --logfile system-xyz_thor.log
user@unix:~/thor$ ./thor-util report --logdir ./logs
HTML report generated by thor-util

See this blog post for details:

https://www.nextron-systems.com/2018/06/20/thor-util-with-html-report-generation/

Verify Binaries (verify)

This feature allows you to verify the authenticity of the included binaries. The signature verification is based on a public key algorithm and requires the *.sig files that are shipped with the packages.

Verify thor.exe signature using THOR Util

To verify the integrity of THOR Util itself, download the public key used for the verification from Nextron's website: https://www.nextron-systems.com/pki/. The public key can then be used with the following command to verify the integrity of thor-util:

on Windows:

C:\thor>openssl dgst -sha256 -verify codesign.pem -signature thor-util.exe.sig thor-util.exe

on Linux:

user@unix:~/thor$ openssl dgst -sha256 -verify codesign.pem -signature thor-util.sig thor-util
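The following shell script, an added example rather than Nextron's own code, wraps the openssl command above to check every binary in a package directory that ships a companion .sig file. It assumes the public key has been saved as codesign.pem and that the signature for a file named NAME is NAME.sig, as in the commands above; a missing .sig file is reported as a failure rather than silently skipped.

```shell
#!/bin/sh
# Added example (not part of the THOR Util manual): verify all binaries in a
# THOR package directory against their detached .sig files with the same
# openssl invocation the manual uses. Assumes codesign.pem was downloaded
# from https://www.nextron-systems.com/pki/ and that NAME.sig signs NAME.

# verify_one PUBKEY BINARY
# Returns 0 if the signature verifies, 1 if verification fails (or the binary
# is unreadable), 2 if the .sig file is missing.
verify_one() {
    pubkey="$1"
    binary="$2"
    sig="${binary}.sig"
    if [ ! -f "$sig" ]; then
        echo "MISSING  $binary (no $sig)" >&2
        return 2
    fi
    if openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$binary" >/dev/null 2>&1; then
        echo "OK       $binary"
        return 0
    fi
    echo "FAILED   $binary" >&2
    return 1
}

# verify_dir PUBKEY DIR
# Verifies every file in DIR that has a companion .sig file. Returns the
# number of files that did not verify (0 means all signatures are valid),
# capped at 255 because that is the largest exit status a shell can return.
verify_dir() {
    pubkey="$1"
    dir="$2"
    bad=0
    for sig in "$dir"/*.sig; do
        [ -e "$sig" ] || continue          # no .sig files at all in DIR
        binary="${sig%.sig}"
        verify_one "$pubkey" "$binary" || bad=$((bad + 1))
    done
    if [ "$bad" -gt 255 ]; then bad=255; fi
    return "$bad"
}
```

Run it as `verify_dir codesign.pem /path/to/thor` and treat any non-zero exit status as a package that must not be deployed.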

Decrypt Reports and Log Files (decrypt)

This feature can be used to decrypt HTML reports or text log files that have previously been encrypted by THOR upon scan completion.

THOR Util's decryption feature options

Log Conversion (logconvert)

The log conversion feature allows you to convert THOR logs between different formats. You can choose whichever format fits your needs best:

Format      Convert From   Convert To
---------   ------------   ----------
Log [1]     Yes            Yes
JSON        Yes            Yes
Key-Value   No [2]         Yes
CSV         No             Yes
ZIP CSV     No             Yes

C:\nextron\thor>thor-util.exe logconvert --help
    ________ ______  ___    __  ______________
   /_  __/ // / __ \/ _ \  / / / /_  __/  _/ /
    / / / _  / /_/ / , _/ / /_/ / / / _/ // /__
   /_/ /_//_/\____/_/|_|  \____/ /_/ /___/____/

   Copyright by Nextron Systems GmbH, 2023
   v1.11.0+thor10.7.6

Convert log file into another format

Usage:
  thor-util logconvert [flags]

Examples:
  thor-util logconvert --from-json --to-log --file example.json --output example.log

Flags:
  -f, --file string     Input file
      --from-json       Convert from JSON
      --from-kv         Convert from KV
      --from-log        Convert from Log
  -h, --help            help for logconvert
  -o, --output string   Output file
      --to-csv          Convert to CSV
      --to-csv-zip      Convert to ZIP containing one CSV log per module
      --to-json         Convert to JSON
      --to-kv           Convert to KV
      --to-log          Convert to Log

Note

The feature to convert logs into CSV and CSV-zip was introduced in THOR Util version 1.11.0.

Conversion Examples

Here you can find some examples on how to convert logs to different formats.

Your command always follows the same structure: a --from format and a --to format. Additionally, you need to specify the input file with -f and the output file with -o.

user@unix:~/thor$ ./thor-util logconvert --from-log --to-json -f thor.txt -o thor-converted.json
user@unix:~/thor$ ./thor-util logconvert --from-log --to-csv -f thor.txt -o thor-converted.csv
user@unix:~/thor$ ./thor-util logconvert --from-json --to-log -f thor.json -o thor-converted.log
user@unix:~/thor$ ./thor-util logconvert --from-log --to-csv-zip -f thor.txt -o thor-converted.zip

Templates

THOR Util reads a default configuration from config/thor-util.yml.

Within this file, default parameters can be set in YAML form.

These default parameters can be overwritten with command line flags.

All global flags for THOR Util are supported in the configuration file. These flags can be shown with:

user@unix:~/thor$ ./thor-util --help

Proxy configuration

If you want to use a specific HTTP proxy, this can be specified in your configuration file with:

proxy: http://myproxy:8080

TechPreview configuration

If you always want to download the latest TechPreview instead of the standard THOR version, add:

techpreview: True

Diagnostics

If THOR does not behave as it should, e.g. uses more resources than you expected, takes longer to scan than usual or unexpectedly exits with a generic error, you can create a diagnostics pack for our support to help in troubleshooting the issue.

This can be done using THOR Util's diagnostics command.

C:\thor>thor-util.exe help diagnostics

Create diagnostics pack

Usage:
  thor-util diagnostics [flags]

Flags:
  -h, --help        help for diagnostics
  --output string   File to write diagnostics pack to (default "[...]\diagnostics.zip")
  --run             Rerun last THOR scan with debug logging before collecting diagnostics pack

By default the diagnostics.zip file is put in THOR's working directory. The location is printed on the command line at the end of the data collection and can be changed using the --output flag.

Get diagnostics of a running THOR scan

The generally preferred method of collecting THOR diagnostics is to run THOR Util's diagnostics command directly when the issue is occurring.

C:\thor>thor-util.exe diagnostics

Get diagnostics of a finished THOR scan

If the THOR run has already finished, you can still use the diagnostics command as above, but with reduced information being collected.

Another possibility is to use the --run flag to rerun the last THOR scan. In addition to conveniently rerunning the scan, THOR Util can then watch the THOR process for interrupting signals from other processes (e.g. antivirus software), which greatly helps in determining whether antivirus exclusions for THOR are applied correctly. Using the --run flag should be the preferred method if THOR is exiting unexpectedly.

C:\thor>thor-util.exe diagnostics --run
