Merged
42 changes: 20 additions & 22 deletions usage/custom-signatures.rst
Expand Up @@ -2,25 +2,23 @@ Custom Signatures
=================

THOR checks the contents of the ``./custom-signatures`` folder and
processes every file in this folder. The file extension determines the type
of signature (e.g. a simple IOC file, a YARA rule or a Sigma rule).
For some signature types, string tags in the file names are used to
further distinguish the signatures.

For example, a file named ``my-c2-iocs.txt`` will be
initialized as a file containing simple IOC indicators with
C2 server information.

Internally the regex ``\Wc2\W`` is used to detect the
tag, so ``mysource-c2-iocs.txt`` and
``dec15-batch1-c2-indicators.txt`` would be detected correctly,
whereas ``filenameiocs.txt`` or ``myc2iocs.txt`` would
not be detected.

If you do not wish to place your custom IOCs on potentially compromised systems
during an engagements, you can use thor-util to encrypting custom signatures.
This is described in detail in the
`THOR Util manual <https://thor-util-manual.nextron-systems.com>`_
processes every file in this folder. The file extension determines the
signature type, for example a simple IOC file, a YARA rule, or a Sigma
rule. For some signature types, string tags in the filename are used to
distinguish them further.

For example, a file named ``my-c2-iocs.txt`` is initialized as a file
containing simple IOC indicators with C2 server information.

Internally, the regex ``\Wc2\W`` is used to detect the tag, so
``mysource-c2-iocs.txt`` and ``dec15-batch1-c2-indicators.txt`` are
detected correctly, whereas ``filenameiocs.txt`` or ``myc2iocs.txt``
are not.

If you do not want to place custom IOCs on potentially compromised
systems during an engagement, you can use ``thor-util`` to encrypt
custom signatures. This is described in detail in the
`THOR Util manual <https://thor-util-manual.nextron-systems.com>`__.

.. this is for the formatting of the Feature/Module lists.
.. raw:: html
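Review bot: the tag-detection sentence (the ``\Wc2\W`` regex and its two positive and two negative filename examples) does not say which string the regex is applied to, and that matters: the pattern needs a non-word character on both sides of ``c2``, so a file named ``c2-iocs.txt`` has nothing in front of the tag to satisfy the leading ``\W`` unless the match runs over the full path rather than the bare filename. Suggest stating explicitly whether the basename or the full path is matched and adding ``c2-iocs.txt`` to the list of names that do or do not work, so readers know the tag needs a separator on both sides. Minor: changing the manual link to an anonymous target (``__``) is fine and avoids a duplicate-target warning if the same link text is used again.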
Expand All @@ -40,9 +38,9 @@ This is described in detail in the
Simple IOCs
-----------

Simple IOC files are basically CSV files that include the IOC and
comments. Simple IOC files must have the extension ``.txt``.
encrypted simple IOC files must have the extension ``.dat``.
Simple IOC files are essentially CSV files that include the IOC and
comments. Simple IOC files must use the ``.txt`` extension. Encrypted
simple IOC files must use the ``.dat`` extension.

The following tags for simple IOCs are currently supported:

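Review bot: "essentially CSV files that include the IOC and comments" is still too vague for someone writing such a file by hand; the hunk does not say which delimiter separates the IOC from the comment, whether the comment column is optional, or how a whole-line comment is marked. Suggest adding a short two-line example of the format directly after this paragraph. Also, since the ``.dat`` extension refers to files produced by the ``thor-util`` encryption mentioned in the intro, a cross-reference to that paragraph (or to the THOR Util manual link) here would tie the two statements together.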