custom-signatures

Create and deploy custom IOCs, YARA rules, Sigma rules, and STIX indicators for THOR scans.

Best use case

custom-signatures is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Create and deploy custom IOCs, YARA rules, Sigma rules, and STIX indicators for THOR scans.

Teams using custom-signatures should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/custom-signatures/SKILL.md --create-dirs "https://raw.githubusercontent.com/NextronSystems/thor-skill/main/custom-signatures/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/custom-signatures/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How custom-signatures Compares

Feature / Agentcustom-signaturesStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Create and deploy custom IOCs, YARA rules, Sigma rules, and STIX indicators for THOR scans.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Custom Signatures Skill

Goal: Help users create, format, and deploy custom detection content for THOR.

## Overview

THOR processes all files in the `./custom-signatures` folder. The file extension and filename tags determine how each file is interpreted:

| Extension | Type | Description |
|-----------|------|-------------|
| `.txt` | Simple IOCs | CSV-style IOC files (hashes, filenames, C2s, etc.) |
| `.dat` | Encrypted IOCs | Encrypted simple IOCs (via thor-util) |
| `.yar` | YARA rules | Plain text YARA rules |
| `.yas` | Encrypted YARA | Encrypted YARA rules |
| `.yml` | Sigma rules | Log detection rules |
| `.yms` | Encrypted Sigma | Encrypted Sigma rules |
| `.json` | STIX v2 | STIXv2 JSON indicators |
| `.jsos` | Encrypted STIX | Encrypted STIX indicators |

## Simple IOCs

Filename tags determine IOC type. Tag is detected via regex `\Wc2\W` (word boundary match).

| Tag in Filename | Purpose | Example Filename |
|-----------------|---------|------------------|
| `c2` or `domains` | IPs, hostnames, CIDR ranges | `case22-c2-iocs.txt` |
| `filename` or `filenames` | Regex-based path/name IOCs | `apt-filename-iocs.txt` |
| `hash` or `hashes` | MD5, SHA1, SHA256, Imphash | `misp-hashes.txt` |
| `keyword` or `keywords` | String-based keywords | `incident-keywords.txt` |
| `trusted-hash` | Whitelist hashes (reduce score) | `my-trusted-hashes.txt` |
| `handles` | Mutex/Event values | `malware-handles.txt` |
| `pipes` | Named pipes | `c2-pipes.txt` |

## Rules

### YARA Rules

**Critical:** The filename determines how THOR initializes the rule. See [YARA Rules Reference](reference/yara-rules.md#yara-rule-types) for full details.

| Filename Contains | Rule Type | Applied To |
|-------------------|-----------|------------|
| (none), `process` | Generic rules | Files, process memory, DeepDive chunks |
| `meta` | Meta rules | All files (first 64KB + externals) |
| `keyword` | Keyword rules | THOR module output (tasks, services, etc.) |
| `registry` | Registry rules | Registry keys/values |
| `log` | Log rules | Log lines, event log entries |

**Common mistake:** Using `limit = "ScheduledTasks"` without `keyword` in the filename. This causes the rule to be initialized as a **generic rule** (file/memory scanner), which won't match module output like scheduled task names.

### Sigma Rules

Applied to Windows Eventlogs and log files. By default only `high` and `critical` levels shown.

### STIX v2

Supports file observables (name, path, hashes, size, timestamps) and registry key observables.

## THOR-Specific YARA Enhancements

### Score Attribute

```yara
meta:
    score = 80  // Default is 75 if not specified
```

### External Variables

Available in generic and meta YARA rules:

| Variable | Description | Example |
|----------|-------------|---------|
| `filename` | File name only | `cmd.exe` |
| `filepath` | Path without filename | `C:\temp` |
| `extension` | Extension with dot, lowercase | `.exe` |
| `filetype` | Magic header type | `EXE`, `ZIP`, `PDF` |
| `filesize` | Size in bytes | (YARA built-in) |
| `owner` | File owner | `NT-AUTHORITY\SYSTEM` |
| `filemode` | POSIX-style file mode | |
| `unpack_parent` | Immediate container | `ZIP` |
| `unpack_source` | Full unpack chain | `EMAIL>ZIP` |

### Restriction Attributes

```yara
meta:
    type = "memory"      // or "file" - restrict to memory/file only
    limit = "Mutex"      // Restrict to specific module
    nodeepdive = 1       // Exclude from DeepDive
    falsepositive = 1    // Reduce score instead of add
```

## Reference Documentation

- [Simple IOCs](reference/simple-iocs.md) - Hash, filename, C2, keyword IOC formats
- [YARA Rules](reference/yara-rules.md) - Generic and specific YARA rules for THOR
- [Sigma Rules](reference/sigma-rules.md) - Log detection with Sigma
- [STIX IOCs](reference/stix-iocs.md) - STIX v2 indicator format

## Examples

- [examples/hash-iocs.md](examples/hash-iocs.md) - Hash IOC file examples
- [examples/filename-iocs.md](examples/filename-iocs.md) - Filename/path IOC patterns
- [examples/yara-enhanced.md](examples/yara-enhanced.md) - YARA rules with THOR externals

## Quick Reference

### File Naming

```
# Good - tag detected
case22-c2-domains.txt       ✓ (c2 tag)
misp-export-hashes.txt      ✓ (hashes tag)
incident-filename-iocs.txt  ✓ (filename tag)

# Bad - tag not detected
myc2iocs.txt                ✗ (no word boundary)
filenameiocs.txt            ✗ (no word boundary)
```

### Deployment

```bash
# Place files in custom-signatures folder
cp my-hashes.txt /path/to/thor/custom-signatures/

# For YARA rules, use yara subfolder
cp my-rules.yar /path/to/thor/custom-signatures/yara/

# Encrypt sensitive IOCs (optional)
thor-util encrypt --file my-c2-domains.txt
# Creates my-c2-domains.dat
```

### Testing

```bash
# Run with custom signatures only
./thor-macosx --customonly -p /target/path

# Verify IOC loading in startup
./thor-macosx 2>&1 | grep -i "custom\|ioc\|signature"
```

Related Skills

thor-troubleshooting

8
from NextronSystems/thor-skill

Troubleshoot THOR runs that are stuck, slow, failing to start, stopping early, or produce missing output. Use when the user reports freezes, long runtimes, high CPU pauses, scan aborts, or licensing/update issues.

thor-scan

8
from NextronSystems/thor-skill

Run THOR scans and propose the exact command line for Windows, Linux, or macOS. Use when the user wants to scan a host, a directory, a mounted image, or a memory dump with THOR v10/v11.

thor-plugins

8
from NextronSystems/thor-skill

Write, package, and use THOR plugins to extend scanner functionality. THOR v11+ only.

thor-maintenance

8
from NextronSystems/thor-skill

Maintain THOR installs using thor-util: update signatures, upgrade versions, download offline packs, generate reports, manage YARA-Forge. Use when the user asks about updating/upgrading/report generation.

thor-log-analysis

8
from NextronSystems/thor-skill

Interpret THOR scan results and explain what findings mean. Use when the user pastes THOR log lines, shares a log file, or asks how to triage Notices/Warnings/Alerts.

THOR Lite Skill

8
from NextronSystems/thor-skill

THOR Lite is a free scanner with reduced features compared to full THOR. This skill handles Lite-specific guidance, limitations, and workarounds.

thor-skills

8
from NextronSystems/thor-skill

Entry point and router for THOR-related work: running scans, analyzing THOR logs, troubleshooting THOR behavior, maintaining THOR installs, THOR Lens workflows, writing THOR plugins (v11+), and creating custom signatures/IOCs.

custom-signatures

9
from Nextron-Labs/thor-skill

Create and deploy custom IOCs, YARA rules, Sigma rules, and STIX indicators for THOR scans.

implementing-semgrep-for-custom-sast-rules

9
from killvxk/cybersecurity-skills-zh

使用 YAML 编写自定义 Semgrep SAST 规则,以检测应用程序特定漏洞、执行编码标准并集成到 CI/CD 管道中。

implementing-digital-signatures-with-ed25519

9
from killvxk/cybersecurity-skills-zh

Ed25519 是一种使用 Edwards 曲线 Curve25519 的高性能数字签名算法。它以 64 字节签名和 32 字节密钥提供 128 位安全性,相比 RSA 和 ECDSA 具有显著优势,包括确定性签名(无需随机 nonce)、抗侧信道攻击以及快速验证。

detecting-network-scanning-with-ids-signatures

9
from killvxk/cybersecurity-skills-zh

使用 Suricata 和 Snort IDS 签名、基于阈值的检测规则和流量异常分析,检测网络侦察和端口扫描,识别 Nmap、Masscan 及自定义扫描活动。

custom-durable-agent

9
from andrelandgraf/fullstackrecipes

Build a custom durable AI agent with full control over streamText options, provider configs, and tool loops. Compatible with the Workflow Development Kit.