5. Custom Signature Encryption (encrypt)
You can encrypt the YARA signatures and IOC files with the help of THOR-Util’s “encrypt” feature.
```
thor-util.exe encrypt --help
```
As the target for the encrypt command, you can use a single file, a list of files or wildcards.
```
thor-util.exe encrypt ~/sigs/case14.yar
thor-util.exe encrypt ~/sigs/case14.yar ~/sigs/case14-hashes.txt
thor-util.exe encrypt ~/sigs/case14.*
```
THOR-Util automatically detects the type of each signature file based on its extension.
| File Type | Clear Text Extension | Extension of Encrypted File |
|---|---|---|
| IOC File | .txt | .dat |
| YARA Rule | .yar, .yara, .yac (compiled YARA) | .yas |
| Sigma | .yml, .yaml | .yms |
| STIXv2 | .json | .jsos |
Place the encrypted IOC files in the “./custom-signatures” sub folder in the program directory and the encrypted YARA rules in the “./custom-signatures/yara” sub folder.
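A pre-deployment check of the layout described above, as an added example that is not part of THOR-Util or the original manual: it walks a custom-signatures directory using the extension table and the two placements stated on this page. The function names, the constructed sample tree and the assumption that clear-text signature files should not be deployed next to encrypted ones are this example's own.

```python
import tempfile
from pathlib import Path

# Clear-text extension -> encrypted extension, copied from the table above.
ENCRYPTED_EXT = {
    ".txt": ".dat",                                   # IOC file
    ".yar": ".yas", ".yara": ".yas", ".yac": ".yas",  # YARA rule
    ".yml": ".yms", ".yaml": ".yms",                  # Sigma
    ".json": ".jsos",                                 # STIXv2
}

def audit_custom_signatures(root):
    """Return (relative_path, finding) pairs for files that break the layout."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        ext = path.suffix.lower()
        if ext in ENCRYPTED_EXT:
            # Assumption: only encrypted signatures are meant to be deployed.
            findings.append((rel.as_posix(),
                             f"clear text, encrypt to {ENCRYPTED_EXT[ext]} first"))
        elif ext == ".yas" and rel.parent != Path("yara"):
            findings.append((rel.as_posix(),
                             "encrypted YARA rule outside the yara sub folder"))
        elif ext == ".dat" and rel.parent != Path("."):
            findings.append((rel.as_posix(),
                             "encrypted IOC file not directly in custom-signatures"))
    return findings

def demo():
    """Audit a constructed tree of empty placeholder files (not real signatures)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "custom-signatures"
        (root / "yara").mkdir(parents=True)
        for name in ("case14-hashes.dat", "case14.yas",
                     "yara/case14.yas", "yara/case14.yar"):
            (root / name).write_bytes(b"")
        return audit_custom_signatures(root)

if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

The page states a placement only for IOC files and YARA rules, so encrypted Sigma (.yms) and STIXv2 (.jsos) files are not checked for location.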