10. Output Options

10.1. Scan Output

THOR creates several files during and at the end of the scan.

Real Time - the text log file is written during the scan process. Also the SYSLOG output is sent in real-time to one or more remote systems.

End of Scan - the full HTML report and CSV file with all file scan elements reported as suspicious are written at the end of the scan.

You can define different formatting options for each the FILE and the SYSLOG output.

10.1.1. Placeholders

Two placeholders can be used in command line parameters to facilitate the use of parameter on different operating systems.

  • :hostname:

  • :time:

These can be used in command line parameters and scan templates across all platforms.

thor64.exe -a FileScan -p S:\\ -o :hostname:\_:time:.csv

10.1.2. Log File Output (.txt)

The standard log file is written by default.

  • --nolog
    Don’t create a log file
  • -l / --logfile filename
    Set a filename for the log file

The log file’s format aligns with the format of SYSLOG messages. This way it can easily be imported to most SIEM or log analysis systems.

10.1.3. CSV Output (.csv)

The CSV output is an optional legacy output file without much details. It contains only “Filescan” module findings and consist of 3 columns, file hash, file path and score.

CSV File Output:

c926bf384319e40506e3d6e409dc856e,C:\PowerZure.ps1,140

62160f1a71507e35ebf104a660d92794,C:\f.bat,180

c926bf384319e40506e3d6e409dc856e,C:\ntds.dit,50

c926bf384319e40506e3d6e409dc856e,C:\temp\ntds.zip|ntds.dit,140

36a93511fc0e2e967bc5ced6a5bc36a6,C:\temp\ntds.zip,50

44b34aac3135dcb03ababac5f7767a55,C:\temp\windows-hardening.bat,60

Be aware that archives with matches show up as “archive.zip|file-with-finding.js” (pipe separator) in the second column.

If you need more columns in that CSV, consider processing the JSON output instead.

Note: our Github repository contains scripts to convert THOR’s JSON output into a CSV with any given field values, see:

https://github.com/NextronSystems/nextron-helper-scripts/tree/master/thor-log-processors

10.1.4. CSV Stats

The CSV stats file is an optional output file that contains only the scan statistics. It contains a single line with:

Hostname, scan start, scan end, THOR version, used command line flags, number of alerts, number of warnings, number of notices and number of errors

CSV Stats Output:

HYPERION,2021-02-17 17:01:25,2021-02-17 17:01:28,10.6.2,--lab -p C:\temp -o HYPERION_test_:time:.csv --csvstats,5,2,3,0

10.1.5. JSON Output (.json)

The JSON output file can be configured with these options:

  • --json
    Create a JSON output file
  • --jsonfile filename
    Set a filename for the JSON log file
  • --cmdjson
    Print JSON format into the command line (e.g. used with Splunk scripted input)
  • -s [syslogtarget]:[port]: SYSLOGJSON
    Send syslog messages with JSON formatting

10.1.6. Key Value Output

THOR provides the option to create a "Key/Value" pair output that simplifies the SIEM integration.

By using the "--keyval" option you get the text and syslog output transformed as shown in the following example. The command line output stays untouched by this setting.

There are three different Key Value Pair Formatting flags:

  • --keyval
    Write key/value pairs to the log file
  • --cmdkeyval
    Print key/value pairs in the command line (e.g. used with Splunk scripted input)
  • -s [syslogtarget]:[port]:SYSLOGKV
    Send syslog messages with propper key/value formatting

Default - Without "--keyval" parameter

Jul 10 09:08:47 PROMETHEUS/10.0.2.15 THOR: Alert: MODULE: SHIMCache MESSAGE: Malware
name found in Shim Cache Entry ENTRY: C:\Users\neo\Desktop\ncat.exe KEYWORD: \\ncat\.exe
DATE: 07/29/13 05:16:04 TYPE: system HIVEFILE: None EXTRAS: N/A N/A True

Key/Value Pairs - With "--keyval" parameter

Jul 10 09:07:59 PROMETHEUS/10.0.2.15 THOR : Alert: MODULE="SHIMCache" MESSAGE="Malware
name found in Shim Cache Entry" ENTRY="C:\Users\neo\Desktop\ncat.exe" KEYWORD="\\ncat\.exe"
DATE="07/29/13 05:16:04" TYPE="system" HIVEFILE="None" EXTRAS="N/A N/A True"

10.1.7. Timestamps

Timestamp in all modules use the ANSIC standard, which looks like:

Mon Jan 2 15:04:05 2006
Mon Mar 19 09:04:05 2018

https://flaviocopes.com/go-date-time-format

10.1.7.1. UTC

The --utc parameter allows to use UTC in all timestamps.

10.1.7.2. RFC3339 Time Stamps

The parameter --rfc3339 generates time stamps for UTC time in the format described in RFC 3339. In contrast to the default time stamps RFC 3339 timestamps include a year and look like this:

2017-02-31T23:59:60Z

10.1.8. SCAN ID

The former parameter “-i”, which has been used for so-called case IDs (CID) has been repurposed to allow users to set a certain scan ID (SCANID) that appears in every log line.

The scan ID helps SIEM and analysis systems to correlate the scan lines from multiple scans on a single host. Otherwise it would be very difficult to answer the following questions:

  • How many scans completed successfully on a certain end system?

  • Which scan on a certain end system terminated during the scan run?

If no parameter is set, THOR will automatically generate a random scan ID, which starts with an “S-“ and contains the following characters: a-zA-Z0-9_-

Users can overwrite the scan ID with “-i myscanid” to assign the logs of multiple scan runs to a single logical scan, e.g. if multiple partitions of a system get scanned in the lab in different scan runs, but should be shown as a single scan in Analysis Cockpit or your SIEM of choice.

Examples:

S-Rooa61RfuuM S-0vRKu-1_p7A

In a log line, it looks like:

Jul 10 09:08:47 PROMETHEUS/10.0.2.15 THOR: Alert: MODULE: SHIMCache
SCANID: S-r4GhEhEiIRg MESSAGE: Malware name found in Shim Cache Entry ENTRY:
C:\Users\neo\Desktop\ncat.exe KEYWORD: \\ncat\.exe DATE: 07/29/13 05:16:04 TYPE: system
HIVEFILE: None EXTRAS: N/A N/A True

10.1.8.1. Custom Scan ID Prefix

Since version 10.5 you are able to set you custom prefix by using --scanid-prefix. The fixed character “S” can be replaced with any custom string. This allows users to set an identifier for a group of scans that can be grouped together in a SIEM or Analysis Cockpit.

10.2. Syslog or TCP/UDP Output

10.2.1. Target Definition

THOR version 10 comes with a very flexible Syslog target definition. You can define as many targets as you like and give them different ports, protocols and formats.

For example, if you want to send the THOR log entries to a Syslog server and an ArcSight SIEM at the same time, you just have to define two log targets with different formats.

thor.exe -s syslog1.server.net -s arsight.server.net:514:CEF

The definition consists of 4 elements:

System

:

Port

:

Type

:

Protocol

The available options for each element are:

(target ip):(target port):(DEFAULT/CEF/JSON/SYSLOGJSON/SYSLOGKV):(UDP/TCP/TCPTLS)

The available type field values require an explication:

  • DEFAULT: standard THOR log format

  • CEF: Common Event Format (ArcSight)

  • JSON: Raw JSON

  • SYSLOGJSON: encoded and escaped single line JSON

  • SYSLOGKV: syslog messages that contain strict key/value pairs

There are default values, which do not have to be defined explicitly:

(your target system ip):514:DEFAULT:UDP

Sending Syslog to a target on a port that differs from the default port 514/udp looks like this:

-s 10.0.0.4:2514

Sending Syslog to a receiving server using an SSL/TLS encrypted TCP connection:

-s 10.0.0.4:6514:DEFAULT:TCPTLS

You can define as many targets as you like.

An often used combination sends JSON formatted messages to a certain UDP port:

-s 10.0.0.4:5444:JSON:UDP

10.2.2. Common Event Format (CEF)

THOR supports the CEF format for easy integration into ArcSight SIEM systems. The CEF mapping is applied to a log line if the syslog target has the CEF format set, e.g.:

thor.exe -s syslog1.server.local:514:CEF

10.3. Encrypted Output Files

THOR allows to encrypt the output files of each scan using the --encrypt parameter. A second parameter --pubkey can be used to specify a public key to use. The public key must be a RSA key of 1024, 2048 or 4096 bit size in PEM format.

thor64.exe --encrypt --pubkey mykey.pub

If you don’t specify a public key, THOR uses a default key. The private key for this default key is stored in "thor-util", which can be used to decrypt output files encrypted with the default key.

thor-util decrypt file.txt

For more information on "thor-util" see the separate THOR Util manual.