custom-signatures/SKILL.md
Create and deploy custom IOCs, YARA rules, Sigma rules, and STIX indicators for THOR scans.
Goal: Help users create, format, and deploy custom detection content for THOR.
THOR processes all files in the ./custom-signatures folder. The file extension and filename tags determine how each file is interpreted:
| Extension | Type | Description |
|-----------|------|-------------|
| .txt | Simple IOCs | CSV-style IOC files (hashes, filenames, C2s, etc.) |
| .dat | Encrypted IOCs | Encrypted simple IOCs (via thor-util) |
| .yar | YARA rules | Plain text YARA rules |
| .yas | Encrypted YARA | Encrypted YARA rules |
| .yml | Sigma rules | Log detection rules |
| .yms | Encrypted Sigma | Encrypted Sigma rules |
| .json | STIX v2 | STIXv2 JSON indicators |
| .jsos | Encrypted STIX | Encrypted STIX indicators |
Filename tags determine the IOC type. A tag is detected via a regex of the form \Wc2\W, i.e. the tag must be bounded by non-word characters on both sides.
| Tag in Filename | Purpose | Example Filename |
|-----------------|---------|------------------|
| c2 or domains | IPs, hostnames, CIDR ranges | case22-c2-iocs.txt |
| filename or filenames | Regex-based path/name IOCs | apt-filename-iocs.txt |
| hash or hashes | MD5, SHA1, SHA256, Imphash | misp-hashes.txt |
| keyword or keywords | String-based keywords | incident-keywords.txt |
| trusted-hash | Whitelist hashes (reduce score) | my-trusted-hashes.txt |
| handles | Mutex/Event values | malware-handles.txt |
| pipes | Named pipes | c2-pipes.txt |
Critical: for YARA rules, the filename determines how THOR initializes the rule. See the YARA Rules Reference for full details.
| Filename Contains | Rule Type | Applied To |
|-------------------|-----------|------------|
| (none), process | Generic rules | Files, process memory, DeepDive chunks |
| meta | Meta rules | All files (first 64KB + externals) |
| keyword | Keyword rules | THOR module output (tasks, services, etc.) |
| registry | Registry rules | Registry keys/values |
| log | Log rules | Log lines, event log entries |
Common mistake: Using limit = "ScheduledTasks" without keyword in the filename. This causes the rule to be initialized as a generic rule (file/memory scanner), which won't match module output like scheduled task names.
Sigma rules are applied to Windows event logs and log files. By default, only matches at the high and critical levels are shown.
STIX v2 indicators support file observables (name, path, hashes, size, timestamps) and registry key observables.
```yara
meta:
    score = 80 // Default is 75 if not specified
```
The following variables are available in generic and meta YARA rules:
| Variable | Description | Example |
|----------|-------------|---------|
| filename | File name only | cmd.exe |
| filepath | Path without filename | C:\temp |
| extension | Extension with dot, lowercase | .exe |
| filetype | Magic header type | EXE, ZIP, PDF |
| filesize | Size in bytes | (YARA built-in) |
| owner | File owner | NT-AUTHORITY\SYSTEM |
| filemode | POSIX-style file mode | |
| unpack_parent | Immediate container | ZIP |
| unpack_source | Full unpack chain | EMAIL>ZIP |
```yara
meta:
    type = "memory"    // or "file" - restrict to memory/file only
    limit = "Mutex"    // Restrict to specific module
    nodeepdive = 1     // Exclude from DeepDive
    falsepositive = 1  // Reduce score instead of add
```
```text
# Good - tag detected
case22-c2-domains.txt        ✓ (c2 tag)
misp-export-hashes.txt       ✓ (hashes tag)
incident-filename-iocs.txt   ✓ (filename tag)

# Bad - tag not detected
myc2iocs.txt                 ✗ (no word boundary)
filenameiocs.txt             ✗ (no word boundary)
```
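As an added example (not THOR's own code), a small Python lint that applies the naming rules above to a planned custom-signatures drop before it is copied into place: the \Wtag\W regex for IOC files, the "filename contains" rule for YARA rule types, and the ScheduledTasks-without-keyword mistake. The tag precedence (trusted-hash before hash) and the handling of undocumented extensions are assumptions.

```python
import os
import re

# Extension -> content type, from the THOR custom-signatures table.
EXTENSIONS = {".txt": "simple IOCs", ".dat": "encrypted IOCs", ".yar": "YARA",
              ".yas": "encrypted YARA", ".yml": "Sigma", ".yms": "encrypted Sigma",
              ".json": "STIX v2", ".jsos": "encrypted STIX"}
# Filename tag variants -> IOC type. Order matters: trusted-hash(es) is tried
# before plain hash(es) because both match my-trusted-hashes.txt (assumption:
# the more specific tag wins).
IOC_TAGS = [(("trusted-hash", "trusted-hashes"), "trusted-hash"),
            (("hash", "hashes"), "hash"), (("c2", "domains"), "c2"),
            (("filename", "filenames"), "filename"),
            (("keyword", "keywords"), "keyword"),
            (("handles",), "handles"), (("pipes",), "pipes")]
YARA_TYPES = ("meta", "keyword", "registry", "log")   # "process"/none -> generic
LIMIT_RE = re.compile(r'^\s*limit\s*=\s*"([^"]+)"', re.MULTILINE)


def detect_ioc_tag(filename):
    """IOC type for a .txt file, or None. Mirrors the documented \\Wc2\\W regex:
    the tag needs a non-word character on BOTH sides, so myc2iocs.txt fails."""
    for variants, ioc_type in IOC_TAGS:
        if any(re.search(r"\W%s\W" % re.escape(t), filename) for t in variants):
            return ioc_type
    return None


def detect_yara_type(filename):
    """Rule type chosen by the 'filename contains' table for .yar files."""
    name = filename.lower()
    return next((t for t in YARA_TYPES if t in name), "generic")


def lint_signature(filename, content=""):
    """Warnings for one custom-signatures entry (content is the file text)."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in EXTENSIONS:
        return ["%s: %r is not a documented custom-signature extension" % (filename, ext)]
    warnings = []
    if ext == ".txt" and detect_ioc_tag(filename) is None:
        warnings.append("%s: no IOC tag detected; tags need non-word characters "
                        "around them (e.g. case22-c2-domains.txt)" % filename)
    if ext == ".yar" and detect_yara_type(filename) != "keyword":
        for m in LIMIT_RE.finditer(content):
            warnings.append('%s: limit = "%s" but filename lacks "keyword"; module-'
                            "output limits such as ScheduledTasks only work in keyword "
                            "rules" % (filename, m.group(1)))
    return warnings
```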
```bash
# Place files in custom-signatures folder
cp my-hashes.txt /path/to/thor/custom-signatures/

# For YARA rules, use yara subfolder
cp my-rules.yar /path/to/thor/custom-signatures/yara/

# Encrypt sensitive IOCs (optional)
thor-util encrypt --file my-c2-domains.txt
# Creates my-c2-domains.dat

# Run with custom signatures only
./thor-macosx --customonly -p /target/path

# Verify IOC loading in startup
./thor-macosx 2>&1 | grep -i "custom\|ioc\|signature"
```