10. Output Options
10.1. Scan Output
THOR creates several files during and at the end of the scan.
the text log file is written during the scan process. Also the SYSLOG output is sent in real-time to one or more remote systems.
End of Scan
the full HTML report and CSV file with all file scan elements reported as suspicious are written at the end of the scan.
You can define different formatting options for each the FILE and the SYSLOG output.
Two placeholders can be used in command line parameters to facilitate the use of parameter on different operating systems.
These can be used in command line parameters and scan templates across all platforms.
C:\thor>thor64.exe -a FileScan -p S:\\ -o :hostname:\_:time:.csv
10.1.2. Log File Output (.txt)
The standard log file is written by default.
Don't create a log file
Set a filename for the log file
The log file's format aligns with the format of SYSLOG messages. This way it can easily be imported to most SIEM or log analysis systems.
10.1.3. CSV Output (.csv)
The CSV output is an optional legacy output file without much details. It contains only “Filescan” module findings and consist of 3 columns, file hash, file path and score.
CSV File Output:
1c926bf384319e40506e3d6e409dc856e,C:\PowerZure.ps1,140 262160f1a71507e35ebf104a660d92794,C:\f.bat,180 3c926bf384319e40506e3d6e409dc856e,C:\ntds.dit,50 4c926bf384319e40506e3d6e409dc856e,C:\temp\ntds.zip|ntds.dit,140 536a93511fc0e2e967bc5ced6a5bc36a6,C:\temp\ntds.zip,50 644b34aac3135dcb03ababac5f7767a55,C:\temp\windows-hardening.bat,60
Be aware that archives with matches show up as “archive.zip|file-with-finding.js” (pipe separator) in the second column.
If you need more columns in that CSV, consider processing the JSON
output instead. To do this, you can use
thor-util to convert
logs from one format to the other:
10.1.4. CSV Stats
The CSV stats file is an optional output file that contains only the scan statistics. It contains a single line with:
Hostname, scan start, scan end, THOR version, used command line flags, number of alerts, number of warnings, number of notices and number of errors
CSV Stats Output:
HYPERION,2021-02-17 17:01:25,2021-02-17 17:01:28,10.6.2,--lab -p C:temp -o HYPERION:time:.csv --csvstats,5,2,3,0
10.1.5. JSON Output (.json)
The JSON output file can be configured with these options:
--json (deprecated since THOR 10.7, use
Create a JSON output file
--jsonv2 (THOR >= 10.7)
Use the JSON v2 format, which is easier to parse than the old v1 format.
This can be used with
Log file for JSON output. If no value is specified, defaults to
Print JSON format into the command line (e.g. used with Splunk scripted input)
Send syslog messages with JSON formatting
10.1.6. Key Value Output
THOR provides the option to create a "Key/Value" pair output that simplifies the SIEM integration.
By using the "--keyval" option you get the text and syslog output transformed as shown in the following example. The command line output stays untouched by this setting.
There are three different Key Value Pair Formatting flags:
Write key/value pairs to the log file
Print key/value pairs in the command line (e.g. used with Splunk scripted input)
Send syslog messages with proper key/value formatting
Default - Without "--keyval" parameter
Jul 10 09:08:47 PROMETHEUS/10.0.2.15 THOR: Alert: MODULE: SHIMCache MESSAGE: Malware name found in Shim Cache Entry ENTRY: C:\Users\neo\Desktop\ncat.exe KEYWORD: \\ncat\.exe DATE: 07/29/13 05:16:04 TYPE: system HIVEFILE: None EXTRAS: N/A N/A True
Key/Value Pairs - With "--keyval" parameter
Jul 10 09:07:59 PROMETHEUS/10.0.2.15 THOR : Alert: MODULE="SHIMCache" MESSAGE="Malware name found in Shim Cache Entry" ENTRY="C:\Users\neo\Desktop\ncat.exe" KEYWORD="\\ncat\.exe" DATE="07/29/13 05:16:04" TYPE="system" HIVEFILE="None" EXTRAS="N/A N/A True"
Timestamp in all modules use the ANSI standard, which looks like:
Mon Jan 2 15:04:05 2006 Mon Mar 19 09:04:05 2018
--utc parameter allows to use UTC in all timestamps.
10.1.7.2. RFC3339 Time Stamps
--rfc3339 generates time stamps for UTC time in the
format described in RFC 3339. In contrast to the default time stamps RFC
3339 timestamps include a year and look like this:
10.1.8. SCAN ID
The former parameter
-i, which has been used for so-called case IDs
(CID) has been repurposed to allow users to set a certain scan ID
(SCANID) that appears in every log line.
The scan ID helps SIEM and analysis systems to correlate the scan lines from multiple scans on a single host. Otherwise it would be very difficult to answer the following questions:
How many scans completed successfully on a certain endpoint?
Which scan on a certain endpoint terminated during the scan run?
If no parameter is set, THOR will automatically generate a random scan
ID, which starts with an
S- and contains the following
Users can overwrite the scan ID with
-i myscanid to assign the logs of
multiple scan runs to a single logical scan, e.g. if multiple partitions
of a system get scanned in the lab in different scan runs, but should be
shown as a single scan in Analysis Cockpit or your SIEM of choice.
In a log line, it looks like (set newlines for readability):
Jul 10 09:08:47 PROMETHEUS/10.0.2.15 THOR: Alert: MODULE: SHIMCache SCANID: S-r4GhEhEiIRg MESSAGE: Malware name found in Shim Cache Entry ENTRY: C:\Users\neo\Desktop\ncat.exe KEYWORD: \\ncat\.exe DATE: 07/29/13 05:16:04 TYPE: system HIVEFILE: None EXTRAS: N/A N/A True
10.1.8.1. Custom Scan ID Prefix
Since THOR version 10.5 you are able to set you custom prefix by using
--scanid-prefix. The fixed character "S" can be replaced with any
custom string. This allows users to set an identifier for a group of
scans that can be grouped together in a SIEM or Analysis Cockpit.
10.2. Syslog or TCP/UDP Output
10.2.1. Target Definition
THOR version 10 comes with a very flexible Syslog target definition. You can define as many targets as you like and give them different ports, protocols and formats.
For example, if you want to send the THOR log entries to a Syslog server and an ArcSight SIEM at the same time, you just have to define two log targets with different formats.
C:\nextron\thor>thor.exe -s syslog1.server.net -s arsight.server.net:514:CEF
The definition consists of 4 elements:
The available options for each element are:
(target ip):(target port):(DEFAULT/CEF/JSON/SYSLOGJSON/SYSLOGKV):(UDP/TCP/TCPTLS)
The available type field values require an explication:
standard THOR log format
Common Event Format (ArcSight)
encoded and escaped single line JSON
syslog messages that contain strict key/value pairs
There are default values, which do not have to be defined explicitly:
(your target system ip):514:DEFAULT:UDP
Sending Syslog to a target on a port that differs from the default port 514/udp looks like this:
Sending Syslog to a receiving server using an SSL/TLS encrypted TCP connection:
You can define as many targets as you like.
An often used combination sends JSON formatted messages to a certain UDP port:
10.2.2. Common Event Format (CEF)
THOR supports the CEF format for easy integration into ArcSight SIEM systems. The CEF mapping is applied to a log line if the syslog target has the CEF format set, e.g.:
C:\nextron\thor>thor.exe -s syslog1.server.local:514:CEF
10.2.3. Local Syslog
If your Linux system is already configured to forward syslog messages,
you might just want to write to your local syslog and use the existing
system configuration to forward the events. This can be achieved by
THOR logs to the
local0 facility, which is not being written to a
file by default on every Linux distribution. By default Debian derivatives
log it to
/var/log/syslog; Others such as Red Hat do not. To enable
local0 messages to a file a syslog configuration for
/etc/rsyslog.conf) could look like:
# THOR --local-syslog destination local0.* -/var/log/thor
Do not forget to restart the syslog daemon (e.g.
systemctl restart rsyslog.service).
You then either add that file in your syslog forwarding configuration or write to a file that is already forwarded instead.
10.3. Encrypted Output Files
THOR allows to encrypt the output files of each scan using the
--encrypt parameter. A second parameter
--pubkey can be used to
specify a public key to use. The public key must be an RSA key of 1024,
2048 or 4096 bit size in PEM format.
C:\nextron\thor>thor64.exe --encrypt --pubkey mykey.pub
If you don't specify a public key, THOR uses a default key. The private key for this default key is stored in "thor-util", which can be used to decrypt output files encrypted with the default key.
nextron@unix:~$ thor-util decrypt file.txt
For more information on "thor-util" see the separate THOR Util manual.