{"id":16747,"date":"2023-05-04T17:13:08","date_gmt":"2023-05-04T15:13:08","guid":{"rendered":"https:\/\/www.nextron-systems.com\/?p=16747"},"modified":"2024-08-02T11:35:29","modified_gmt":"2024-08-02T09:35:29","slug":"how-to-scan-docker-images-using-thor-part-1","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-images-using-thor-part-1\/","title":{"rendered":"How to scan Docker images using THOR &#8211; Part 1"},"content":{"rendered":"<p>[et_pb_section fb_built=&#8221;1&#8243; _builder_version=&#8221;4.20.4&#8243; _module_preset=&#8221;default&#8221; da_disable_devices=&#8221;off|off|off&#8221; global_colors_info=&#8221;{}&#8221; da_is_popup=&#8221;off&#8221; da_exit_intent=&#8221;off&#8221; da_has_close=&#8221;on&#8221; da_alt_close=&#8221;off&#8221; da_dark_close=&#8221;off&#8221; da_not_modal=&#8221;on&#8221; da_is_singular=&#8221;off&#8221; da_with_loader=&#8221;off&#8221; da_has_shadow=&#8221;on&#8221;][et_pb_row _builder_version=&#8221;4.20.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;][et_pb_column type=&#8221;4_4&#8243; _builder_version=&#8221;4.20.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;][et_pb_text _builder_version=&#8221;4.20.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;]<\/p>\n<p>In this blog article, we will talk about how you can use THOR to scan Docker images. Consider the following use case:\u00a0 Before using an upstream Docker image, you want to precheck it for known IOCs and backdoors. THOR can help you with this!<\/p>\n<p>[\/et_pb_text][et_pb_text _builder_version=&#8221;4.20.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;]<\/p>\n<h2>Prerequisites<\/h2>\n<ul>\n<li>Docker image with a shell installed (e.g. sh, bash, etc.)\n<ul>\n<li>In this example we will use <a href=\"https:\/\/hub.docker.com\/_\/alpine\" title=\"Alpine Linux\">Alpine Linux<\/a><\/li>\n<\/ul>\n<\/li>\n<li>THOR \ud83d\ude42\n<ul>\n<li>In this example we will use Thor-Lite. However, for a real-world usecase you should consider using the full Thor version (<a href=\"https:\/\/www.nextron-systems.com\/thor-lite\/\">Thor vs Thor-lite<\/a>).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>[\/et_pb_text][et_pb_text _builder_version=&#8221;4.20.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;]<\/p>\n<h2>Running THOR in a Docker container<\/h2>\n<p>In your THOR folder run: <code>docker run --rm -it -v ${PWD}:\/thor alpine \/bin\/sh<\/code>. This will create a Docker container based on Alpine Linux, mount your working directory (where THOR is stored) to <code>\/thor<\/code> in the container, and will drop you into the <code>sh<\/code> shell. Inside the Docker container you can <code>cd \/thor<\/code> and start THOR: <code>.\/thor-lite-linux<\/code>. You can exchange <code>alpine<\/code> with any Docker image, as long as it includes a shell.[\/et_pb_text][et_pb_image src=&#8221;https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/04\/run_thor_nice.png&#8221; title_text=&#8221;run_thor_nice&#8221; _builder_version=&#8221;4.20.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;][\/et_pb_image][et_pb_text _builder_version=&#8221;4.20.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;]After the THOR scan is finished you can exit the shell (the Docker container) and you will find the following files:<\/p>\n<ul>\n<li><code>{docker-id}_files_md5s.csv<\/code><\/li>\n<li><code>{docker-id}_thor_{date}.html<\/code><\/li>\n<li><code>{docker-id}_thor_{date}.txt<\/code><\/li>\n<\/ul>\n<p>These files contain all findings of the THOR scan.[\/et_pb_text][et_pb_image src=&#8221;https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/04\/finishes_thor_nice.png&#8221; title_text=&#8221;finishes_thor_nice&#8221; _builder_version=&#8221;4.20.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;][\/et_pb_image][et_pb_text _builder_version=&#8221;4.20.4&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;]<\/p>\n<p>By using THOR to scan Docker images, you do not have to blindly trust the author of an upstream Docker image &#8211; you can see for yourself!<\/p>\n<p>In <a href=\"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-containers-using-thor-part-2\/\">part 2<\/a> of this series we explain how to scan Docker containers using THOR.\u00a0<\/p>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this blog article, we will talk about how you can use THOR to scan Docker images. Consider the following use case:\u00a0 Before using an upstream Docker image, you want to precheck it for known IOCs and backdoors. THOR can help you with this!Prerequisites Docker image with a shell installed (e.g. sh, bash, etc.) In this example we will use Alpine Linux THOR \ud83d\ude42 In this example we will use Thor-Lite. However, for a real-world usecase you should consider using the full Thor version (Thor vs Thor-lite). Running THOR in a Docker container In your THOR folder run: docker run &#8211;rm -it -v ${PWD}:\/thor alpine \/bin\/sh. This will create a Docker container based on Alpine Linux, mount your working directory (where THOR is stored) to \/thor in the container, and will drop you into the sh shell. Inside the Docker container you can cd \/thor and start THOR: .\/thor-lite-linux. You can exchange alpine with any Docker image, as long as it includes a shell.After the THOR scan is finished you can exit the shell (the Docker container) and you will find the following files: {docker-id}_files_md5s.csv {docker-id}_thor_{date}.html {docker-id}_thor_{date}.txt These files contain all findings of the THOR scan.By using THOR to scan [&hellip;]<\/p>\n","protected":false},"author":13,"featured_media":16739,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[749,1,760,32,248,269],"tags":[713,711,712,118,124,117,5,607,12,48],"class_list":["post-16747","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-homepage","category-nextron","category-recommended","category-thor","category-thor-lite","category-tutorial","tag-container","tag-docker","tag-images","tag-iocs","tag-malware","tag-scan","tag-thor","tag-thor-lite","tag-threat","tag-yara"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to scan Docker images using THOR - Part 1 - Nextron Systems<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-images-using-thor-part-1\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-images-using-thor-part-1\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-images-using-thor-part-1\/\"},\"author\":{\"name\":\"Paul Hager\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/cda3539ca95e549d45316b14bea853eb\"},\"headline\":\"How to scan Docker images using THOR &#8211; Part 1\",\"datePublished\":\"2023-05-04T15:13:08+00:00\",\"dateModified\":\"2024-08-02T09:35:29+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-images-using-thor-part-1\/\"},\"wordCount\":448,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-images-using-thor-part-1\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/04\/cyb3rops_Illustration_of_Thor_investigating_the_contents_of_a_c_ae851954-4000-48da-83ea-684b4ac92db8.png\",\"keywords\":[\"container\",\"docker\",\"images\",\"IOCs\",\"malware\",\"scan\",\"thor\",\"THOR Lite\",\"threat\",\"YARA\"],\"articleSection\":[\"Homepage\",\"Nextron\",\"Recommended\",\"THOR\",\"THOR Lite\",\"Tutorial\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-images-using-thor-part-1\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-images-using-thor-part-1\/\",\"name\":\"How to scan Docker images using THOR - Part 1 - Nextron Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-images-using-thor-part-1\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-images-using-thor-part-1\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/04\/cyb3rops_Illustration_of_Thor_investigating_the_contents_of_a_c_ae851954-4000-48da-83ea-684b4ac92db8.png\",\"datePublished\":\"2023-05-04T15:13:08+00:00\",\"dateModified\":\"2024-08-02T09:35:29+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-images-using-thor-part-1\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-images-using-thor-part-1\/#primaryimage\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/04\/cyb3rops_Illustration_of_Thor_investigating_the_contents_of_a_c_ae851954-4000-48da-83ea-684b4ac92db8.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/04\/cyb3rops_Illustration_of_Thor_investigating_the_contents_of_a_c_ae851954-4000-48da-83ea-684b4ac92db8.png\",\"width\":1536,\"height\":768},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/cda3539ca95e549d45316b14bea853eb\",\"name\":\"Paul Hager\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/e6adba4e18061540f4e1aa40fd7aa12d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/e6adba4e18061540f4e1aa40fd7aa12d?s=96&d=mm&r=g\",\"caption\":\"Paul Hager\"},\"description\":\"Threat Researcher &amp; Detection Engineer @nextronsystems | @TUVienna Graduate\",\"sameAs\":[\"https:\/\/x.com\/pH_T__\"],\"url\":\"https:\/\/www.nextron-systems.com\/author\/paul\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to scan Docker images using THOR - Part 1 - Nextron Systems","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-images-using-thor-part-1\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-images-using-thor-part-1\/#article","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-images-using-thor-part-1\/"},"author":{"name":"Paul Hager","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/cda3539ca95e549d45316b14bea853eb"},"headline":"How to scan Docker images using THOR &#8211; Part 1","datePublished":"2023-05-04T15:13:08+00:00","dateModified":"2024-08-02T09:35:29+00:00","mainEntityOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-images-using-thor-part-1\/"},"wordCount":448,"publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"image":{"@id":"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-images-using-thor-part-1\/#primaryimage"},"thumbnailUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/04\/cyb3rops_Illustration_of_Thor_investigating_the_contents_of_a_c_ae851954-4000-48da-83ea-684b4ac92db8.png","keywords":["container","docker","images","IOCs","malware","scan","thor","THOR Lite","threat","YARA"],"articleSection":["Homepage","Nextron","Recommended","THOR","THOR Lite","Tutorial"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-images-using-thor-part-1\/","url":"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-images-using-thor-part-1\/","name":"How to scan Docker images using THOR - Part 1 - Nextron Systems","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-images-using-thor-part-1\/#primaryimage"},"image":{"@id":"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-images-using-thor-part-1\/#primaryimage"},"thumbnailUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/04\/cyb3rops_Illustration_of_Thor_investigating_the_contents_of_a_c_ae851954-4000-48da-83ea-684b4ac92db8.png","datePublished":"2023-05-04T15:13:08+00:00","dateModified":"2024-08-02T09:35:29+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-images-using-thor-part-1\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/2023\/05\/04\/how-to-scan-docker-images-using-thor-part-1\/#primaryimage","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/04\/cyb3rops_Illustration_of_Thor_investigating_the_contents_of_a_c_ae851954-4000-48da-83ea-684b4ac92db8.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2023\/04\/cyb3rops_Illustration_of_Thor_investigating_the_contents_of_a_c_ae851954-4000-48da-83ea-684b4ac92db8.png","width":1536,"height":768},{"@type":"WebSite","@id":"https:\/\/www.nextron-systems.com\/#website","url":"https:\/\/www.nextron-systems.com\/","name":"Nextron Systems","description":"We Detect Hackers","publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.nextron-systems.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.nextron-systems.com\/#organization","name":"Nextron Systems GmbH","url":"https:\/\/www.nextron-systems.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","width":260,"height":260,"caption":"Nextron Systems GmbH"},"image":{"@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/cda3539ca95e549d45316b14bea853eb","name":"Paul Hager","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/e6adba4e18061540f4e1aa40fd7aa12d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/e6adba4e18061540f4e1aa40fd7aa12d?s=96&d=mm&r=g","caption":"Paul Hager"},"description":"Threat Researcher &amp; Detection Engineer @nextronsystems | @TUVienna Graduate","sameAs":["https:\/\/x.com\/pH_T__"],"url":"https:\/\/www.nextron-systems.com\/author\/paul\/"}]}},"_links":{"self":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/16747","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/comments?post=16747"}],"version-history":[{"count":25,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/16747\/revisions"}],"predecessor-version":[{"id":16875,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/16747\/revisions\/16875"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media\/16739"}],"wp:attachment":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media?parent=16747"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/categories?post=16747"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/tags?post=16747"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}