THOR Util User Manual

What is THOR Util?

THOR Util is a Swiss Army knife of maintenance features such as update, download and license retrieval. It also supports executable signature verification, custom signature encryption and report generation.

Upgrade (upgrade) and Updates (update)

You can download updates for THOR and SPARK with “thor-util.exe” (Windows) or “thor-util” (Linux, macOS).

Running “thor-util --help” shows three options that seem to have a very similar meaning: “upgrade”, “update” and “download”.

The difference is that the “download” option downloads a full pack with all config files while the “upgrade” option fetches a full package but excludes the config files to avoid accidental overwrites of local config files (like: thor.yml, falsepositive_filters.cfg etc.).

The “update” option only works with THOR 10 and retrieves only the newest signature pack.

Option | Description | Program
--- | --- | ---
upgrade | Get new program files and signatures | THOR 8, SPARK, THOR 10
update | Get new signatures | THOR 10
download | Get new program files, signatures and config files | THOR 8, SPARK, THOR 10

If you have a full program package present, you should use the “upgrade” option.

Every other option has its own help. You can see the help of each option with

thor-util *option* --help

THOR-util Upgrade Help

The following two examples show different upgrade methods.

thor-util.exe upgrade
thor-util.exe upgrade -a https://proxy.company.net:8080
thor-util.exe upgrade -a https://proxy.company.net:8080 -n dom\user -p password
thor-util.exe upgrade -a https://proxy.local:8080 --ntlm -n dom\user -p password

THOR TechPreview Version

To upgrade your current version to the TechPreview version, use the following command:

thor-util.exe upgrade --techpreview

You can find more information on the TechPreview version here.

Update Locations

The following servers are used as update mirrors and should be accessible via HTTPS:

update1.nextron-systems.com

update2.nextron-systems.com

Update Server Information

You can get information on the available update packages on this site:

https://update1.nextron-systems.com/info.php

Update server information

Download Packages (download)

Using the “download” flag you can download any of the scanner packages for Windows, Linux and macOS.

This option is especially useful when you have to download the updates on an Internet-connected machine and bring them to a system without Internet access.

thor-util.exe download -t thor10-win

THOR TechPreview Version

To download the TechPreview version, use the following command line flag.

thor-util.exe download -t thor10-win --techpreview

You can find more information on the TechPreview version here.

THOR Legacy Version

To download the Legacy version, which is usable on Windows XP, Vista, 2003 and 2008, use the following command line flag.

thor-util.exe download -t thor10-win --legacy

You can find more information on the Legacy version here.

Important: The THOR Legacy version is not supported.

Install Packages (install)

The “install” feature installs packages that were previously downloaded with the “download” feature. It is often used on systems without an Internet connection.

Custom Signature Encryption (encrypt)

You can encrypt the YARA signatures and IOC files with the help of THOR-Util’s “encrypt” feature.

thor-util.exe encrypt --help

THOR Util’s Encrypt Feature Help

As target for the encrypt command, you can use a single file, a list of files or wildcards.

thor-util.exe encrypt ~/sigs/case14.yar
thor-util.exe encrypt ~/sigs/case14.yar ~/sigs/case14-hashes.txt
thor-util.exe encrypt ~/sigs/case14.*

THOR Util automatically detects the type of each signature from its file extension.

File Type | Clear Text Extension | Extension of Encrypted File
--- | --- | ---
IOC File | .txt | .dat
YARA Rule | .yar, .yara, .yac (compiled YARA) | .yas
Sigma | .yml, .yaml | .yms
STIXv2 | .json | .jsos

Place the encrypted IOC files in the “./custom-signatures” sub folder in the program directory and the encrypted YARA rules in the “./custom-signatures/yara” sub folder.
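
An added example (not part of THOR Util or the original manual): a Python audit of the “./custom-signatures” folder that applies the extension table and folder rules above to flag signatures left in clear text and encrypted files placed in the wrong sub folder. The function and finding names are hypothetical, the sample files are constructed, and it assumes an encrypted file keeps the base name of its clear-text source.

```python
import tempfile
from pathlib import Path

# Extension table from the manual: clear-text extension -> encrypted extension.
ENCRYPTED_EXT = {
    ".txt": ".dat",                                   # IOC file
    ".yar": ".yas", ".yara": ".yas", ".yac": ".yas",  # YARA rule
    ".yml": ".yms", ".yaml": ".yms",                  # Sigma
    ".json": ".jsos",                                 # STIXv2
}


def audit_custom_signatures(program_dir):
    """Return sorted (finding, relative_path) tuples for ./custom-signatures."""
    root = Path(program_dir) / "custom-signatures"
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        ext = path.suffix.lower()
        in_yara_dir = len(rel.parts) > 1 and rel.parts[0] == "yara"
        if ext in ENCRYPTED_EXT:
            # Assumption: the encrypted copy keeps the base name (case14.yar -> case14.yas).
            twin = path.with_suffix(ENCRYPTED_EXT[ext])
            state = "has-encrypted-copy" if twin.exists() else "not-encrypted"
            findings.append(("cleartext-" + state, rel.as_posix()))
        elif ext == ".yas" and not in_yara_dir:
            # Manual: encrypted YARA rules belong in ./custom-signatures/yara.
            findings.append(("encrypted-yara-outside-yara-folder", rel.as_posix()))
        elif ext == ".dat" and in_yara_dir:
            # Manual: encrypted IOC files belong in ./custom-signatures.
            findings.append(("encrypted-ioc-inside-yara-folder", rel.as_posix()))
    return sorted(findings)


def demo():
    """Build a constructed folder layout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        sigs = Path(tmp) / "custom-signatures"
        (sigs / "yara").mkdir(parents=True)
        for name in ("case14-hashes.dat", "case14.yas", "yara/case15.yas",
                     "yara/case15.yar", "case16.txt"):
            (sigs / name).write_bytes(b"constructed sample")
        return audit_custom_signatures(tmp)


if __name__ == "__main__":
    for finding, rel in demo():
        print(f"{finding}: {rel}")
```

Correctly placed encrypted files produce no finding, so an empty result means the folder contains only encrypted signatures in the locations the manual names.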

Report Generation (report)

Using the “report” feature, you can generate HTML reports from plain text log files.

THOR Util’s report generation functions

thor-util report --logfile PROMETHEUS_thor.log
thor-util report --logdir ./logs

HTML report generated by thor-util

See this blog post for details:

https://www.nextron-systems.com/2018/06/20/thor-util-with-html-report-generation/

Verify Binaries (verify)

This feature verifies the authenticity of the included binaries. The signature verification is based on a public key encryption algorithm and requires the “*.sig” files that are shipped with the packages.

Verify thor.exe signature using THOR Util

License Retrieval (license)

This feature can be used to retrieve a license from a remote ASGARD server system.

THOR Util's license generation feature

License retrieval from an ASGARD server

thor-util license --hostname machine1 server --url https://asgard1.bsk
thor-util license --http-insecure --url https://asgard1.bsk

Decrypt Reports and Log Files (decrypt)

This feature can be used to decrypt HTML reports or text log files that have previously been encrypted by SPARK upon scan completion.

THOR Util's decryption feature options

Log Conversion (logconvert)

The log conversion feature converts log files between text and JSON format.

Log Conversion Options
