5. Custom Signature Encryption (encrypt)

You can encrypt the YARA signatures and IOC files with the help of THOR-Util's "encrypt" feature.

C:\thor>thor-util.exe encrypt --help
THOR Util's Encrypt Feature Help

THOR Util's Encrypt Feature Help

As target for the encrypt command, you can use a single file, a list of files or wildcards.

C:\thor>thor-util.exe encrypt ~/sigs/case14.yar
C:\thor> hor-util.exe encrypt ~/sigs/case14.yar ~/sigs/case14-hashes.txt
C:\thor>thor-util.exe encrypt ~/sigs/case14.\*

It will automatically detect the type of the signature based on its extension.

File Type

Clear Text Extension

Extension of Encrypted File

IOC File




.yar, .yara, .yac (compiled YARA)



.yml, .yaml





Place the encrypted IOC files in the ./custom-signatures sub folder in the program directory and the encrypted YARA rules in the ./custom-signatures/yara sub folder.