THOR Archives - Nextron Systems
https://www.nextron-systems.com/category/thor/
Feed last built: Tue, 15 Apr 2025 08:43:52 +0000

Obfuscated Threats – The Invisible Danger in Cybersecurity
https://www.nextron-systems.com/2025/04/09/obfuscated-threats-the-invisible-danger-in-cybersecurity/
Wed, 09 Apr 2025 04:57:32 +0000
The post Obfuscated Threats – The Invisible Danger in Cybersecurity appeared first on Nextron Systems.

Obfuscation is a technique widely used by cybercriminals, Advanced Persistent Threat (APT) groups, and even red-teaming operations. APTs, in particular, rely on obfuscation to remain undetected within networks for extended periods. However, modern malware, ransomware, and Living-off-the-Land (LotL) attacks also employ obfuscation techniques to evade conventional detection systems. Understanding how to detect these obfuscated threats is critical to modern threat hunting and incident response.

Real-World Example: Obfuscation in Cyber Attacks

A recent attack highlights how obfuscation is strategically used to bypass security measures. Cybercriminals leveraged invoice-themed phishing emails to distribute malware such as Venom RAT, Remcos RAT, XWorm, and NanoCore RAT through a multi-stage infection chain:

  1. Phishing Email with Malicious SVG Attachment: The email contained an attachment that, when clicked, initiated the attack.
  2. Use of BatCloak and ScrubCrypt: These tools obscure the malware, preventing detection by signature-based security systems.
  3. Execution of Venom RAT and Additional Malware: The malware deploys persistence mechanisms to anchor itself within the system while bypassing security protections like AMSI and ETW.
  4. Data Theft and System Control: Venom RAT grants attackers remote access to the infected system, loads additional plugins, and exfiltrates sensitive data, including cryptocurrency wallet information.

This case demonstrates how modern cyberattacks leverage obfuscation to infiltrate IT environments undetected.

Common Obfuscation Techniques

Threat actors use various techniques to disguise malware and malicious activities:

  • Code Obfuscation: Encrypting or scrambling malicious code to evade signature-based detection.
  • Packing & Encoding: Using packers and crypters (e.g., ScrubCrypt) to obscure malware.
  • Steganography: Concealing malicious code within seemingly benign files.
  • Living-off-the-Land (LotL) Attacks: Exploiting legitimate system tools such as PowerShell and WMI for malicious purposes.
  • Traffic Obfuscation: Concealing malicious communication within legitimate cloud services or encrypted tunnels.

Why Traditional Security Tools Fail

Many Endpoint Detection and Response (EDR) and Antivirus (AV) solutions rely on signatures or heuristic algorithms to detect threats. However, modern obfuscation techniques are designed specifically to circumvent these mechanisms. The major weaknesses of conventional security tools include:

  • Polymorphic Malware: Constantly changes its code with each infection, rendering signature-based detection ineffective. Attackers use this technique to bypass antivirus solutions and distribute new malware variants continuously.
  • Obfuscation via Legitimate Tools: Threat actors abuse trusted system tools such as PowerShell and WMI to execute malicious code. Since these tools are essential components of modern operating systems, their activity often appears benign, allowing them to bypass traditional security measures.
  • Memory-Only Malware: Some threats reside exclusively in memory without leaving traces on disk. Many security solutions primarily scan files rather than analyzing volatile memory or process behavior, making it extremely difficult to detect such attacks.
  • Multi-Stage Infection Chains: Cyberattacks increasingly use multi-stage installations, where an initially harmless file is executed to later retrieve and deploy additional malicious payloads. This strategy complicates detection since the actual malware may only activate after several steps.
  • Bypassing Security Mechanisms: Many modern malware families are engineered to disable or evade security features such as AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows), allowing them to operate stealthily even on systems protected by advanced EDR solutions.

How THOR Uncovers Hidden Cyber Threats

Understanding how to detect obfuscated threats requires more than reactive detection or simple IOC matching. While traditional EDR and AV solutions rely on recognizing known signatures, THOR leverages YARA-, Sigma-, and anomaly-based detection methods to identify hidden attacks and trace their origins. With that, Nextron’s THOR employs cutting-edge threat-hunting techniques to expose even the most sophisticated obfuscated threats. These advanced techniques go beyond static signature recognition and actively identify behavioral anomalies, suspicious patterns, and hidden attack indicators that would otherwise remain undetected.

As an on-demand forensic scanner, THOR inspects file systems, memory, logs, and system artifacts during scheduled or manually triggered scans. Its detection capabilities rely on a combination of YARA rules, Sigma rules, and anomaly detection techniques designed to uncover obfuscated activity and behavioral deviations indicative of compromise. Unlike conventional tools that depend solely on predefined threat intelligence, THOR applies a curated set of generic detection rules that surface suspicious patterns—even those associated with novel or previously unknown threats—by highlighting inconsistencies, misuse of legitimate tools, and traces typically missed by AV or EDR solutions.

Why THOR Is the Ultimate Threat Hunting Solution

  • Identifies hacker tools, malware outputs, and customized threats that evade traditional signature-based detection.
  • Requires no installation – runs portably, remotely, or through the ASGARD Management Center.
  • Uses anomaly-based detection to uncover even unknown threats.

Gaining Visibility: The Key to Defeating Obfuscated Threats

Obfuscation is one of the most powerful techniques employed by modern attackers. However, with THOR, even well-hidden threats can be exposed. By combining YARA, Sigma, and behavioral anomaly analysis, Nextron provides a robust cybersecurity solution for rapidly identifying compromised systems.

Have you checked your IT environment for hidden threats? Try THOR now! 🚀

Protecting Outdated and Unsupported Systems
https://www.nextron-systems.com/2025/03/25/protecting-outdated-and-unsupported-systems/
Tue, 25 Mar 2025 13:21:52 +0000

Security strategies often assume that systems can be patched, upgraded, or replaced. In reality, many critical environments operate on legacy platforms where these options are impractical. Industrial control networks, healthcare systems, and government infrastructure frequently rely on outdated operating systems and specialized hardware that remain essential despite lacking vendor support or security updates.

Patching? Not always possible. Upgrading? Too risky or too expensive. Replacing? Out of scope. These systems persist because they must, and attackers know it. Legacy systems become low-hanging fruit—under-protected, overlooked, and vulnerable.

When traditional security solutions fall short, forensic-level detection and compromise assessment become essential. Nextron Systems provides these capabilities with THOR and THOR Thunderstorm, enabling organizations to analyze and secure legacy systems without requiring software installations or real-time monitoring.

Why Legacy Systems Persist (And Why Attackers Love Them)

If you’re reading this, you probably know why legacy systems are still around. But for context, let’s clarify why they’re still in production:

  • Regulatory or Compliance Needs – Industries like finance, healthcare, and critical infrastructure must often stick with certified, validated software. Moving to new versions is slow, expensive, and bureaucratically painful.
  • Operational Dependencies – Some systems are mission-critical and only function on specific OS versions. Changing them risks breaking core operations.
  • Cost Constraints – Replacing legacy systems can be prohibitively expensive, particularly for bespoke or embedded systems.
  • Hardware Limitations – Older industrial machines and embedded devices simply can’t run modern software.
  • Security Tool Incompatibility – Most EDRs and antivirus tools have abandoned support for systems like Windows XP, Server 2003, or IBM AIX.

These outdated systems and isolated networks become prime targets for attackers, offering the path of least resistance. Often neglected by traditional security tools, they present significant security gaps that attackers are quick to exploit. As a result, organizations struggle to find effective ways to secure them, leaving critical infrastructure vulnerable to compromise.

Why Patching Isn’t Always an Option

Security experts love saying, “Just patch it.” But in the real world, that’s not always an option. Here’s why:

  • End-of-Life Software – The vendor isn’t issuing patches. The system is on its own.
  • Operational Risk – A failed patch could take down a critical system, with impacts ranging from financial loss to public safety risks.
  • Isolated Environments – Air-gapped systems and IoT networks don’t have an easy patch path.

Since patching isn’t always an option, organizations need alternative security strategies that provide threat detection and forensic investigation capabilities – without requiring an agent or software installation.

How THOR & THOR Thunderstorm Secure Legacy Systems

Nextron Systems’ forensic security tools provide powerful detection and compromise assessment capabilities, even for outdated, unsupported, or isolated platforms:

1. THOR – Portable Compromise Assessment & Malware Detection

  • Agentless scanning – No installation required.
  • Compatible with legacy OS – Supports Windows XP, Server 2003, IBM AIX, UNIX-based systems, and more.
  • Deep forensic detection – Finds dual-use tools, web shells, backdoors, credential theft, and system anomalies.
  • Independent of EDR support – Also operates in environments where traditional tools fail.
  • Best for: Offline scanning, forensic analysis, and post-breach investigations.

2. THOR Thunderstorm – Live Forensic Scanning for Air-Gapped & Isolated Systems

  • Minimalist scanning – Uses built-in system tools like find and curl to collect artifacts.
  • No dependencies – Works without agents, software installations, or kernel access.
  • Flexible deployment – Supports scanning industrial control systems (ICS), embedded devices, and IoT environments.
  • Customizable detection – Leverages YARA and Sigma rules to detect hidden threats.
  • Best for: Securing air-gapped networks, industrial control systems (ICS), and legacy UNIX/Linux environments.

Real-World Use Cases

  • Windows XP & Legacy Systems – Many enterprises still run Windows XP or Server 2003 due to software dependencies. THOR can scan these systems where modern security tools no longer function.
  • IBM AIX & UNIX Environments – Traditional security tools don’t cover AIX or legacy UNIX. THOR scans these systems to detect malware, backdoors, and system anomalies.
  • Air-Gapped and IoT Networks – Industrial environments and air-gapped systems cannot use traditional security tools. THOR Thunderstorm enables agent-less forensic scanning, even in isolated environments.
  • Critical Infrastructure & ICS Security – Industrial control systems (ICS) cannot be patched frequently. THOR provides forensic detection without impacting system uptime.

Protecting Systems Others Ignore

Legacy systems won’t disappear overnight, but that doesn’t mean they have to remain unprotected. Nextron Systems’ THOR and THOR Thunderstorm provide the forensic visibility organizations need to detect and analyze threats – across outdated, unsupported, and isolated systems.

Need to secure an outdated IT environment? Contact us today to learn how THOR can help.

Efficient NIS2 Compliance with THOR & ASGARD
https://www.nextron-systems.com/2025/03/13/efficient-nis2-compliance-with-thor-asgard/
Thu, 13 Mar 2025 09:39:02 +0000

The NIS2 Directive not only expands the scope of cybersecurity regulations but also introduces stricter penalties for non-compliance, including fines and liability risks for management. Unlike its predecessor, NIS2 mandates clear accountability and requires organizations to demonstrate ongoing risk assessments, incident reporting, and security improvements. Failing to prepare in time could lead to operational disruptions and legal consequences. How can businesses efficiently meet these new obligations while enhancing their cyber resilience?

Navigating Regulatory Challenges

Meeting regulatory requirements is becoming increasingly complex for companies. From PCI-DSS, GDPR, BAIT, VAIT, DORA, TISAX to the new NIS2 Directive, organizations must stay informed and prioritize the right security measures.

Especially for mid-sized enterprises, compliance with the NIS2 Directive (EU) 2022/2555 is crucial. Designed to enhance cybersecurity across the EU, the directive requires organizations to implement stronger security controls. The German implementation law, originally scheduled for October 2024, is now expected to take effect in 2025 – making this the ideal time to prepare.

Who Must Comply with the NIS2 Directive?

NIS2 applies to organizations in specific sectors with at least 50 employees or an annual turnover of €10 million. These sectors include:

  • Critical infrastructure (energy, transport, banking, healthcare, drinking water supply)
  • Digital service providers (cloud providers, data centers, online marketplaces)
  • Manufacturing & industrial production (chemicals, machinery, electronics, automotive, food industry)

Key Requirements of the NIS2 Directive

The directive establishes three core requirements for affected organizations:

1. Risk Management and Threat Detection (Article 21 NIS2)

Organizations must implement appropriate measures to minimize cyber risks, including forensic analysis, threat detection, and incident response planning.

How does Nextron support this?

  • THOR enables deep forensic scans to detect compromised systems, identifying threats such as dual-use tools, web shells, system manipulations, and other indicators of cyberattacks.
  • Aurora Agent provides real-time endpoint monitoring with Sigma rules, detecting threats such as Cobalt Strike beaconing, LSASS dumping, and suspicious network activity.
  • ASGARD Management Center streamlines the management of THOR scans and endpoints, offering automated updates and signature management.

2. Incident Reporting and Response (Article 23 NIS2)

Organizations must report cybersecurity incidents that could significantly impact their services to national authorities (in Germany, the BSI – Federal Office for Information Security).

How does Nextron support this?

  • ASGARD Analysis Cockpit enables automated analysis and prioritization of THOR scan results.
  • Automatic prioritization of findings facilitates incident response and ensures compliance with reporting obligations to the BSI.

3. Registration and Compliance Documentation (Article 24 NIS2)

Affected organizations must register with the national authority and provide ongoing documentation of their security measures.

How does Nextron support this?

  • THOR & ASGARD generate detailed reports and log files for compliance audits.
  • JSON and CSV exports allow seamless integration with SIEM systems and regulatory reporting.

Achieving NIS2 Compliance with Nextron Systems

By utilizing THOR, Aurora, and ASGARD, organizations can:

  • Identify cyber threats early and mitigate security risks
  • Document security incidents efficiently and respond quickly
  • Automate regular security assessments to ensure NIS2 compliance
  • Analyze incidents centrally and fulfill reporting obligations to authorities

Want to learn more?
Contact us to explore how THOR & ASGARD can be integrated into your cybersecurity strategy.

Patching is Not Enough: Why You Must Search for Hidden Intrusions
https://www.nextron-systems.com/2025/03/11/patching-is-not-enough/
Tue, 11 Mar 2025 13:59:45 +0000

Many organizations make a critical mistake when responding to actively exploited zero-day vulnerabilities: they patch but don’t investigate.

Think about it this way: If your front door was left wide open for weeks, would you just lock it and walk away? If attackers had unrestricted access to your environment, simply closing the door won’t undo the damage. The real problem isn’t the vulnerability itself – it’s what happened while your systems were exposed.

The Real Threat is What You Don’t See

VMware recently confirmed three newly exploited zero-day vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) affecting ESXi products. As expected, VMware has released patches. But patching alone won’t tell you whether attackers already breached your systems.

The right question at this stage should be: Did attackers already gain access to your IT environments?

If your ESXi hosts were vulnerable, you must be able to answer the following:

  • Were attackers already inside?
  • Did they steal credentials, sensitive configurations, or data?
  • Have they installed backdoors or persistence mechanisms?
  • Did they move laterally and escalate privileges?
  • Are there hidden scripts, tools, or logs covering their tracks?

A patch prevents future exploitation, but it doesn’t reveal what happened before. If you don’t investigate, you’re operating on blind trust. Simply locking the door doesn’t undo what might have already happened inside. If you rely on patching alone, you’re leaving the hardest question unanswered: Are they still inside?

Compromise Assessments: The Missing Piece in Zero-Day Response

A compromise assessment is not a routine security scan—it’s a deep forensic analysis designed to uncover hidden intrusions. Unlike traditional EDRs or antivirus tools, it searches for traces of past exploitation, persistence, and lateral movement.

With a compromise assessment, you can:

  • Identify attacker tools and backdoors – Hidden scripts, web shells, or credential dumps
  • Detect lateral movement – Signs of compromised accounts or unusual connections
  • Uncover persistence mechanisms – Registry changes, scheduled tasks, or rogue services
  • Analyze system integrity – Detect data exfiltration, file modifications, or deleted logs

Simply put: A compromise assessment answers the questions that patching ignores.

How to Investigate ESXi Compromises with THOR

VMware ESXi hosts are high-value targets for attackers due to their central role in virtualized environments and lack of built-in security tooling. Since traditional endpoint detection solutions cannot be deployed directly on ESXi, a specialized approach is required for forensic investigation and compromise assessment. THOR provides two effective methods for this purpose.

1. THOR Thunderstorm: File-Based Live Scanning on ESXi

THOR Thunderstorm enables agentless forensic scanning by collecting and analyzing forensic artifacts from ESXi hosts.

  • One-time assessments: The Python-based Thunderstorm Collector is deployed to an ESXi system and executed locally to collect relevant files, such as configuration files and logs. The collector applies default filtering criteria but can be customized to collect files based on parameters like modification date, size, and type (e.g., all files modified within the last 30 days).
  • Periodic compromise assessments: If Secure Boot is disabled, a persistent job can be configured to regularly collect artifacts from the ESXi host. If Secure Boot is enabled, periodic collection must be configured using Ansible, following Nextron’s implementation guidelines.
  • Forensic analysis: Collected files are automatically uploaded to THOR Thunderstorm for real-time analysis, leveraging YARA and Sigma rules to detect hidden attacker activity, unauthorized changes, and persistence mechanisms.
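The collection workflow in the list above (and the find/curl-style artifact collection mentioned in the legacy-systems post) as an added Python example; this is not Nextron's Thunderstorm Collector. It applies the modification-date, size and type criteria to a file tree and builds the multipart upload for a Thunderstorm server; the server URL and the /api/checkAsync path are assumptions, and the sample files in demo() are constructed.

```python
"""Hypothetical artifact collector in the style of the THOR Thunderstorm workflow.
Added example, not Nextron's own collector: walk a file tree, keep only files that
meet age/size/type criteria, and POST each survivor to an (assumed) server URL."""
import os
import tempfile
import time
import urllib.error
import urllib.request
import uuid
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List, Optional

# Placeholder submission URL; host and API path are assumptions for this example.
THUNDERSTORM_URL = "http://thunderstorm.example.invalid:8080/api/checkAsync"


@dataclass(frozen=True)
class Criteria:
    """Default filtering criteria, adjustable per collection run."""
    max_age_days: float = 30.0               # e.g. files modified within the last 30 days
    max_size_bytes: int = 20 * 1024 * 1024   # skip very large files (images, core dumps)
    extensions: frozenset = frozenset()      # empty means any file type is eligible
    skip_dirs: frozenset = frozenset({"proc", "sys", "dev"})


def wanted(path: Path, crit: Criteria, now: float) -> bool:
    """True if the file passes the modification-date, size and type checks."""
    try:
        st = path.stat()
    except OSError:
        return False  # unreadable or vanished file: skip it, do not abort the run
    if now - st.st_mtime > crit.max_age_days * 86400:
        return False
    if st.st_size == 0 or st.st_size > crit.max_size_bytes:
        return False
    if crit.extensions and path.suffix.lower() not in crit.extensions:
        return False
    return True


def select_artifacts(root: Path, crit: Criteria, now: Optional[float] = None) -> List[Path]:
    """Walk root (pruning skip_dirs, ignoring symlinks) and return matching files, sorted."""
    now = time.time() if now is None else now
    found: List[Path] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in crit.skip_dirs]
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            if wanted(p, crit, now):
                found.append(p)
    return sorted(found)


def multipart_body(filename: str, data: bytes, boundary: str) -> bytes:
    """Encode one file as multipart/form-data under the form field 'file'."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    return head + data + f"\r\n--{boundary}--\r\n".encode()


def upload(paths: Iterable[Path], url: str = THUNDERSTORM_URL, timeout: int = 30) -> dict:
    """POST each artifact to the server; returns {path: HTTP status or error text}."""
    results = {}
    for p in paths:
        boundary = uuid.uuid4().hex
        req = urllib.request.Request(
            url, data=multipart_body(p.name, p.read_bytes(), boundary), method="POST",
            headers={"Content-Type": f"multipart/form-data; boundary={boundary}"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[str(p)] = resp.status
        except (urllib.error.URLError, OSError) as exc:
            results[str(p)] = f"error: {exc}"
    return results


def demo() -> List[str]:
    """Constructed sample tree: two files that should be collected, two that should not."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "var" / "log").mkdir(parents=True)
        (root / "etc" / "rc.local").write_text("# constructed sample, recent and small\n")
        (root / "var" / "log" / "auth.log").write_text("constructed recent log line\n")
        old = root / "var" / "log" / "old.log"        # 90 days old: outside the window
        old.write_text("constructed stale log line\n")
        os.utime(old, (now - 90 * 86400, now - 90 * 86400))
        (root / "var" / "log" / "core.bin").write_bytes(b"\0" * 4096)  # over the 2 KiB cap
        chosen = select_artifacts(root, Criteria(max_age_days=30, max_size_bytes=2048), now)
        return [p.relative_to(root).as_posix() for p in chosen]


if __name__ == "__main__":
    for rel in demo():
        print("collect:", rel)
```

Only the selection step runs offline; upload() is left for a real server and records a per-file error instead of raising when the host is unreachable.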

Best for:

  • Agent-less, forensic collection from ESXi hosts.
  • Environments requiring continuous or scheduled compromise assessments.
  • Situations where Secure Boot settings impact persistent collection methods.

2. THOR with SSHFS: Remote File System Scanning

THOR can be used to scan an ESXi system remotely by mounting its file system via SSHFS and analyzing files from a separate scanning host.

  • Setup: The scanning host requires a direct and permanent SSH connection to the ESXi system.
  • File transfer overhead: Unlike Thunderstorm, where only selected forensic artifacts are uploaded for analysis, SSHFS scanning transfers all files over SSH, resulting in higher network load.
  • Deep forensic analysis: THOR is used to scan logs, binaries, and other suspicious files with custom YARA and Sigma rules, providing a comprehensive compromise assessment.

Best for:

  • Thorough post-compromise forensic investigations.
  • Cases where SSH access to ESXi is available and sustained network load is acceptable.
  • Advanced hunting for persistence mechanisms and hidden threats.

For more details on ESXi compromise assessments using THOR, refer to: How to Scan ESXi Systems Using THOR.

Patching Alone Won’t Tell You If You’ve Been Breached – THOR Will

Patching is essential, but it must be combined with a compromise assessment to ensure your environment is truly secure. Instead of assuming you’re safe just because a patch is applied, leverage a deep forensic investigation to uncover any traces of an attacker’s presence.

If your security plan relies solely on waiting for patches, you’re always reacting too late – plus, you may already have an active breach.

Don’t leave your security to chance. Contact us to learn how THOR can help you verify whether attackers have already compromised your infrastructure.

Why Prevention Isn’t Enough: How a Second Line of Defense Protects Your Business
https://www.nextron-systems.com/2025/01/29/why-prevention-isnt-enough-how-a-second-line-of-defense-protects-your-business/
Wed, 29 Jan 2025 14:21:50 +0000

According to recent reports, cyberattacks rose by 75% in the third quarter of 2024 compared to the same period in the previous year and by 15% compared to the second quarter of 2024. This alarming trend clearly shows that companies are more than ever required to protect their intellectual property, customer data, and reputation.

In today’s interview, Frank Oster, Senior Security Advisor at Nextron Systems, explains why a second line of defense is essential and how companies can benefit from it.

How do you define the first and second line of defense in IT security?

Frank Oster: The threat landscape has changed significantly. Cybercriminals are becoming more sophisticated and increasingly bypass traditional security mechanisms. The first line of defense consists of technologies such as firewalls, antivirus software, and Endpoint Detection and Response (EDR) systems. These solutions block known threats and prevent unauthorized access.
But what happens when attackers gradually and almost imperceptibly overcome these barriers? This is where the second line of defense comes into play. It detects attackers who have already infiltrated a system and may have been active for an extended period. This approach serves as an additional protective measure and does not replace the solutions of the first line of defense.

What measures are part of the second line of defense?

Frank Oster: The second line of defense includes APT scanners, forensic analysis, and intrusion detection systems. The key difference lies in their approach: While the first line is designed to prevent attacks, the second line focuses on detecting and analyzing threats that have already infiltrated the system. It ensures that no attack goes unnoticed and can be contained quickly. In other words, companies gain crucial time to identify and combat even highly specialized, targeted attacks conducted with significant financial resources.

What role do APT scanners play in this context?

Frank Oster: APT scanners like THOR are key technologies of the second line of defense. Advanced Persistent Threats (APTs) and other sophisticated attacks intentionally evade traditional security mechanisms and remain undetected for long periods.

An APT scanner searches for indicators of such threats—suspicious log files, obfuscation techniques, or hidden malware. It not only detects known threats using Indicators of Compromise (IOCs) but also identifies suspicious behavior based on YARA and Sigma rules, which may indicate deeply embedded attacks.

Are APT scanners specifically designed to detect targeted attacks?

Frank Oster: Exactly. These scanners identify IOCs and use various techniques to make hidden threats visible. They analyze how deeply an attack has already penetrated the system. This is crucial because the longer a threat remains undetected, the harder it becomes to recognize and eliminate.

Would you recommend integrating APT scanners into a company’s security framework?

Frank Oster: Absolutely. These scanners enable targeted and periodic security assessments to determine whether a company has been compromised.

THOR can be seamlessly integrated with SIEMs, Threat Intelligence platforms (e.g., MISP), and the ASGARD Management Center, enabling centralized management and analysis of results.

These systems identify suspicious activities and document them, allowing incident response teams to react quickly. However, it is important to note that THOR does not provide real-time detection or response like EDR solutions. Instead, it facilitates in-depth forensic analysis, making attacks visible and enabling effective investigations.

What is your ideal security approach?

Frank Oster: A multi-layered security approach is ideal. The first line of defense – including antivirus software, firewalls, and EDR solutions – is essential. However, the second line of defense is just as crucial, as it detects what the first line may have missed. As mentioned earlier, it has become more important than ever for companies to detect and contain attacks before they cause significant damage. Last but not least: Employee awareness remains a critical success factor in the fight against cybercrime.

Is the second line of defense also a tool for damage mitigation?

Frank Oster: Definitely: It functions like an emergency response team that intervenes when an attack has occurred. Technologies like THOR enable incident response teams to systematically search for attack traces and reconstruct the attack chain. This allows for a faster response and more precise countermeasures.

However, THOR does not stop attacks in real-time but provides valuable insights for damage mitigation and post-attack analysis. In today’s threat landscape, this forensic capability is indispensable for developing robust and resilient security strategies.

Thank you for your insights, Frank Oster.

THOR Evolution: THOR 10.7 Stable Release and the Approach of 11 TechPreview
https://www.nextron-systems.com/2024/11/23/thor-evolution-thor-10-7-stable-release-and-the-approach-of-11-techpreview/
Sat, 23 Nov 2024 12:56:13 +0000

We are excited to announce that THOR 10.7 will become the new default scanner version for ASGARD users starting Thursday, November 28th, 2024.

This update introduces significant performance enhancements, including faster scan times, improved archive handling, and refined resource management. ASGARD-managed scans initiated after this date will default to THOR 10.7 unless configured otherwise, ensuring that all customers benefit from the latest detection capabilities and optimizations. Existing scheduled group scans will continue using their previously configured scanner versions (typically THOR 10.6), with clear warnings and options to update to the new version.

Key Features in THOR 10.7

  • Memory-Mapped File Scanning: Enhanced speed and reduced I/O bottlenecks.
  • Improved JSON Reporting: More detailed and structured output.
  • Selective Initialization: Advanced selectors and filters to streamline scans.
  • Email Parsing: Scans email formats like .eml and .msg for embedded threats.
  • Enhanced Archive Scanning: Support for .cab, .7z, .gzip, and recursive nested archive scanning.
  • Bulk Scanning Optimization: Improved throughput for large-scale scanning.
  • Refined HTML Report Generation: Lower memory usage and reduced CPU load during processing.
  • Unified YARA Rule Sets: A single rule set with namespaces for higher performance.
  • Configurable Color Schemes and Output Encryption: Enhanced customization and security.
  • Output Encryption at Runtime

New Features in THOR 10.7: Enhancements and Flexibility

Enhancing Detection and Efficiency with Memory-Mapped Scanning

One of the most impactful improvements in THOR 10.7 is the introduction of memory-mapped file scanning, which significantly accelerates scans and reduces disk I/O. This new approach improves overall performance by leveraging memory for file access, allowing scans to complete faster while decreasing wear on disks. For most environments, these improvements will result in more efficient scanning with minimal configuration changes.

To ensure that THOR 10.7 operates reliably across diverse environments, users have options to tailor memory usage:

  • Disable memory mapping with the --nommap flag, which may be useful for systems with strict memory limitations, though this comes at the cost of slower scans.
  • Fine-tune resource control: ASGARD adjusts THOR’s resource settings dynamically, optimizing scan reliability for both high-performance and resource-constrained systems.

Initialization Filters and Selectors

With THOR 10.7, the Init Selector and Init Filter functionalities offer unparalleled flexibility in customizing scans. These options enable users to focus on specific threat campaigns or exclude less relevant rules for tailored scanning workflows.

For example:

  • Use --init-selector to target specific threats or campaigns:
    --init-selector MOVEit
    --init-selector RANSOM,Lockbit
  • Use --init-filter to exclude rules you don’t need:
    --init-filter PUA_TeamViewer

These filters apply to rule names, tags, and descriptions, offering granular control over signature selection. Combined with the --print-signatures or --print-signatures-json flags, users can verify selected or excluded rules, ensuring precision in their scans. This feature is particularly useful for targeted threat investigations, optimizing performance while maintaining detection accuracy.

JSON Enhancements and the Road Ahead

THOR 10.7 introduces the JSON format version 2, offering significant improvements to the structure and usability of scan outputs. This new format enhances compatibility with modern forensic tools and workflows, making it easier to extract and analyze critical information. Users can activate JSON version 2 with the following flags:

--jsonfile --jsonv2

While JSON version 2 represents a major step forward, it is also a transitional format. The upcoming release of THOR 11 will feature an even more comprehensive JSON format version 3 (or version 2.1). This future iteration will incorporate fully nested structures and lists, ensuring seamless integration with advanced tools like SIEM systems and Cribl configurations. These enhancements will provide greater detail and flexibility for in-depth investigations and automated workflows.

Organizations adopting JSON version 2 in THOR 10.7 will benefit immediately from its improvements and find the transition to the next version in THOR 11 straightforward, ensuring continuous compatibility and advanced functionality.

Email Parsing and Enhanced Archive Scanning

THOR 10.7 expands its capabilities with improved support for email and archive scanning:

  • Email Parsing: THOR can now scan .eml and .msg email formats, detecting malicious attachments and embedded threats. This feature ensures more thorough coverage of phishing-related attacks and email-borne threats.
  • Enhanced Archive Handling: Support for .cab, .7z, and .gzip files, as well as recursive scanning of nested archives, allows users to detect threats hidden in complex compressed file structures. These improvements streamline the process of analyzing large datasets or artifact collections, ensuring no malicious content is overlooked.

Together, these features strengthen THOR’s ability to detect threats hidden in commonly abused file formats, making it a powerful tool in comprehensive compromise assessments and incident investigations.
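As an added illustration of what email parsing with recursive archive handling involves, the following Python walks an .eml message, scans each attachment, and keeps unpacking zip, gzip and tar containers it finds inside, applying the same checks at every level. This is example code written for this page, not THOR's parser; the byte pattern, the hash IOC and the invoice-themed message are all constructed here. It uses only the standard library, so it does not open .msg, .cab or .7z files (those need third-party parsers), and it deliberately caps recursion depth and inflated size, which is the check a scanner needs against nested or bomb-style archives.

```python
"""Added example: parse an .eml, unpack nested archives and scan every layer (not THOR's code)."""
import email
import gzip
import hashlib
import io
import tarfile
import zipfile
from email.message import EmailMessage
from email.policy import default

MAX_DEPTH = 8                    # stop recursing into archives nested deeper than this
MAX_INFLATED = 32 * 1024 * 1024  # never inflate a single member beyond 32 MiB (bomb guard)

# Constructed detection content: one byte pattern and one hash IOC, both invented for this example.
SHELL = b"<?php eval($_POST['cmd']); ?>\n"
PATTERNS = {b"<?php eval($_POST": "WebShell_PHP_Eval_Generic"}
HASH_IOCS = {hashlib.sha256(SHELL).hexdigest(): "IOC_Hash_Constructed_Shell"}


def scan_bytes(path, data, depth=0):
    """Return (path, rule) findings for `data` and for everything unpacked out of it."""
    findings = []
    if depth > MAX_DEPTH:
        return findings
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_IOCS:
        findings.append((path, HASH_IOCS[digest]))
    for pattern, rule in PATTERNS.items():
        if pattern in data:
            findings.append((path, rule))
    findings.extend(_unpack_and_scan(path, data, depth + 1))
    return findings


def _unpack_and_scan(path, data, depth):
    """Recognise zip, gzip and tar containers and scan their members one level deeper."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        out = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_INFLATED:
                    continue  # skip directories and members whose declared size is oversized
                out += scan_bytes(f"{path}/{info.filename}", zf.read(info), depth)
        return out
    if data[:2] == b"\x1f\x8b":  # gzip magic
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
            inner = gz.read(MAX_INFLATED + 1)
        if len(inner) > MAX_INFLATED:
            return []  # oversized stream: stop here rather than exhaust memory
        return scan_bytes(f"{path}/gunzip", inner, depth)
    try:
        tf = tarfile.open(fileobj=io.BytesIO(data), mode="r:")
    except tarfile.ReadError:
        return []  # not a tar (compressed tars reach this point through the gzip branch first)
    out = []
    with tf:
        for member in tf.getmembers():
            if not member.isfile() or member.size > MAX_INFLATED:
                continue
            out += scan_bytes(f"{path}/{member.name}", tf.extractfile(member).read(), depth)
    return out


def scan_eml(raw_eml):
    """Parse an RFC 822 message and scan each attachment; nested archives are followed by scan_bytes."""
    msg = email.message_from_bytes(raw_eml, policy=default)
    findings = []
    for part in msg.iter_attachments():  # direct attachments only; nested multiparts are not walked
        payload = part.get_payload(decode=True)
        if payload is None:
            continue  # container parts such as message/rfc822 carry no decodable body
        findings += scan_bytes(part.get_filename() or "unnamed-attachment", payload)
    return findings


def _tar_bytes(name, data):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_eml():
    """Constructed invoice-themed mail: a zip holding a gzipped shell and a tar holding the same shell."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice/README.txt", b"Please open the attached invoice.")
        zf.writestr("invoice/invoice.php.gz", gzip.compress(SHELL))
        zf.writestr("invoice/archive.tar", _tar_bytes("shell.php", SHELL))
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice 2024-0815 overdue"
    msg.set_content("Please find the attached invoice.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for path, rule in scan_eml(build_sample_eml()):
        print(f"{rule:30} {path}")
```

Each finding carries the full container path (attachment, zip member, gunzip or tar member), which is what an analyst needs to locate the artifact afterwards. The hash IOC only ever fires on the innermost file, while the byte pattern also fires on the uncompressed tar that contains it; a scanner reporting both is behaving correctly, and the deduplication belongs in the reporting layer.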

Effects of Changes for ASGARD Customers

THOR 10.7 introduces a more adaptive resource management approach in ASGARD to reduce scan failures caused by memory constraints. Previously, ASGARD enforced a strict 2GB memory cap, which occasionally caused scan interruptions even on systems with ample available memory.

With the updated mechanism:

  • ASGARD evaluates memory usage dynamically, terminating THOR scans only if the process exceeds 2GB and uses more than 50% of the system’s total memory. This ensures scans proceed smoothly on high-memory systems while protecting systems with limited resources.
  • The “Ignore Memory Limit” option allows customers to completely bypass these checks, enabling scans to continue regardless of memory usage.

Existing group scans will retain their current THOR versions (e.g., 10.6) but can be updated to 10.7. Starting November 28th, all new scans—including single and group scans—will default to THOR 10.7, ensuring customers benefit from the latest features and optimizations.

Configuring THOR 10.7 for Limited Hardware Resources

For systems operating under tight hardware constraints, users can disable memory mapping with the --nommap flag. While this option reduces memory usage, it may lead to slower scan speeds and increased disk activity. For most ASGARD-managed environments, we recommend keeping memory mapping enabled to fully leverage THOR 10.7’s performance improvements. This flexibility allows users to adapt the scanner to diverse operational requirements without compromising its core functionality.

End-of-Support Announcements

  • THOR 10.6: The current stable version will reach its end-of-life (EOL) on April 30, 2025. Users are encouraged to upgrade to THOR 10.7 to ensure continued support and access to the latest features.
  • Legacy Systems Support: The upcoming THOR 11 TechPreview will discontinue support for older operating systems, including Windows 7, Windows 8, Windows 2008 R2, and Windows 2012. Customers relying on these platforms can continue using THOR Legacy with a legacy license to maintain scanning capabilities.

Conclusion

The release of THOR 10.7 as the default version for ASGARD represents a significant step forward in detection capabilities, efficiency, and reliability. With faster scans, reduced disk I/O, and customizable resource controls, THOR 10.7 is designed to perform optimally across diverse environments. While existing group scans will continue using their configured scanner versions, we recommend upgrading to THOR 10.7 to take full advantage of its advanced detection capabilities and optimizations.

Starting November 28th, all new scans will default to THOR 10.7, ensuring your organization is equipped with the latest and most robust scanner available. Embrace this opportunity to enhance your detection workflows and strengthen your security posture with THOR 10.7.

The post THOR Evolution: THOR 10.7 Stable Release and the Approach of 11 TechPreview appeared first on Nextron Systems.

Cybersecurity is Not a Solo Endeavor – A Recap of it-sa Expo&Congress 2024
https://www.nextron-systems.com/2024/11/04/cybersecurity-is-not-a-solo-endeavor/ (Mon, 04 Nov 2024 15:31:36 +0000)

Explore key takeaways from it-sa 2024 and learn how a collaborative approach to cybersecurity is essential for building resilient defenses.

The post Cybersecurity is Not a Solo Endeavor – A Recap of it-sa Expo&Congress 2024 appeared first on Nextron Systems.

In an era where cyberattacks are escalating in both frequency and complexity, establishing robust networks of technology partners and clients is essential for achieving success in cybersecurity. At it-sa Expo&Congress 2024, Europe’s leading cybersecurity industry event, we had the opportunity to showcase our commitment to this collaborative approach with our very own booth for the first time. This significant step has allowed us to elevate our engagement with partners, existing customers, and new contacts to new heights.

Learning from Intelligence Services: Unmasking APTs like the Pros

One of the highlights for me was the opportunity to present to an audience at it-sa. I discussed the serious risks Advanced Persistent Threats (APTs) pose to organizations, in my talk titled “Learning from Intelligence Services: Unmasking APTs Like the Pros”. (The presentation was delivered in German and can be found here on our Youtube Channel.) I also outlined strategies for the detection of these threats, which can be applied across various industries. It was encouraging to see many attendees express interest after the presentation, visiting our booth to learn more about our solutions and their advantages. 

Meet THOR: Detecting the Undetected

THOR is a compromise assessment scanner designed to uncover traces of malicious activity across corporate networks. By automating forensic analysis, it surfaces malicious artifacts quickly, so that security teams can contain an intrusion before it escalates and have the context they need to mitigate potential damage. THOR enables organizations to enhance their security posture and respond effectively to both known and unknown threats.

Effective Cybersecurity extends beyond mere technological solutions

Conversations with customers, partners, and industry experts at it-sa reaffirmed our conviction that cybersecurity success relies on more than just technology. It calls for a collaborative mindset – one that values knowledge exchange, shared experiences, and expert insights.  

We are excited to continue this journey alongside our partners and clients. By working together, we aim to build a security framework that is both resilient and sustainable. The insights we gained at it-sa will be integrated into our daily operations, ensuring our clients’ defenses stay strong in an ever-evolving landscape. 

Introducing THOR Cloud: Next-Level Automated Compromise Assessments
https://www.nextron-systems.com/2024/08/02/introducing-thor-cloud-next-level-automated-compromise-assessments/ (Fri, 02 Aug 2024 12:23:13 +0000)

The post Introducing THOR Cloud: Next-Level Automated Compromise Assessments appeared first on Nextron Systems.

Since the launch of THOR Cloud Lite in September, our team has been dedicated to developing a more powerful version of THOR Cloud that incorporates the full scanner with its extensive suite of forensic modules and expansive detection signature database. Today, we are excited to announce the general availability of THOR Cloud, which offers a streamlined method for conducting automated compromise assessments on your endpoints.

Like its predecessor, THOR Cloud does not require the installation of agents on the endpoint or the deployment of servers or services within your network. Setting up is straightforward: create an account, and you can start scanning immediately. The platform is designed for ease of use with an intuitive interface that allows new users to get started in minutes—no need for navigating through Windows command lines, and no extensive training or user manuals necessary.

After a scan is completed, the launcher automatically cleans up by removing itself along with the downloaded scanner, ensuring that nothing resides on the local hard drive. Additionally, reports can be encrypted with your public RSA key, providing robust end-to-end encryption for maximum security. Whether it’s for targeted compromise assessments, speeding up forensic analysis, or enabling your SOC team to verify alerts from your EDR, THOR Cloud offers a lightweight, efficient, and highly effective solution focused on detecting and analyzing hacking activities.

Key Differences Between THOR Cloud and THOR Cloud Lite

THOR Cloud is engineered for organizations and professional services that demand deep, comprehensive forensic capabilities with extensive coverage. It provides a complete suite of forensic modules and access to a broad database of over 32,000 detection rules for detailed security assessments.

Conversely, THOR Cloud Lite is better suited for individuals, non-profits, and organizations that maintain their own set of detection rules and require very targeted and specific scans for a narrow range of threats. This makes it ideal for users who perform specialized, less comprehensive security checks.

Expanded Scanning Capabilities

THOR Cloud:

  • Equipped with the full version of the THOR scanner, including all 31 forensic modules.
  • Utilizes a vast signature database with over 30,000 YARA rules, 2,000 Sigma rules, and thousands of IOCs, ensuring thorough detection and analysis of security threats.

THOR Cloud Lite:

  • Operates with a basic version, THOR Lite, featuring a limited set of open-source YARA rules and IOCs.

Licensing and Usage Flexibility

THOR Cloud:

  • Provides a scan- and host-based licensing model that supports unlimited scans on specified endpoints within a subscription period, ideal for enterprises needing extensive, regular scanning.
  • Allows commercial use for service providers.

THOR Cloud Lite:

  • Offers only a scan-based licensing model, which is suitable for organizations with infrequent scanning needs.
  • Restricted to non-commercial use, primarily intended for educational or personal exploration.

Data Retention and Security

THOR Cloud:

  • Supports storing encrypted scan reports for up to one year, aiding in compliance and long-term security analysis.

THOR Cloud Lite:

  • Retains reports for up to three months, suitable for less stringent retention needs.
  • Does not support encrypted reports, which may limit its use in environments requiring high data confidentiality.

Highlights

Nextron’s Private Signature Set

THOR Cloud leverages Nextron’s full private signature set, encompassing more than 32,000 detection rules, to provide comprehensive threat identification capabilities. This extensive set includes a wide array of generic and highly effective detection rules designed to identify a diverse range of hacking-related threats. From backdoors and web shells to hack tools and their outputs, the signature set is adept at detecting malicious activities and system anomalies.

Scheduled Rescans

THOR Cloud simplifies ongoing security assessments through its Scheduled Rescans feature, which automatically sets up and manages scheduled tasks or cron jobs on target systems. Users can easily configure multiple campaigns with different frequencies—such as daily quick scans and weekly full scans—directly from the campaign configuration menu. 

New HTML Report (coming in Q4/2024)

THOR Cloud’s latest update introduces enhanced HTML reports, designed to improve readability and interactivity for a streamlined user experience. These reports leverage the sophisticated JSON output of the forthcoming THOR v11, set for a TechPreview in Q4/2024, ensuring detailed and actionable security insights.

Key features include optimized UX for better navigation, interactive elements such as report-based and global filter management, which allow users to apply filters across various reports within a campaign. Important aspects of findings are automatically highlighted, drawing immediate focus to critical data points.

Additionally, the integration of ChatGPT introduces conversational AI capabilities, enabling dynamic interactions with report data for deeper analytical insights. This suite of enhancements transforms the HTML reports into a more interactive and user-centric tool, facilitating efficient threat assessment and management.

Planned Upgrades and Features in THOR Cloud

THOR Cloud is preparing to implement several enhancements aimed at extending its capabilities and refining the user experience. These updates focus on technical improvements and functionality expansions:

Enhanced HTML Reports: Pending the deployment of THOR v11 and its refined JSON output, THOR Cloud plans to introduce upgraded HTML reports. These reports will incorporate enhanced user interfaces for improved navigation and readability, along with new filter management features that will allow users to apply and manage filters within individual reports or across multiple campaign reports.

Filter Creation and Application: Alongside improvements to HTML reports, THOR Cloud will enable users to create and manage filters on both a campaign-specific and a global level. 

User Management Enhancements: Updates to the user management system are expected to improve administrative control over user roles and access rights.

SIEM Forwarding Management: Currently, THOR Cloud enables the direct transmission of logs from endpoint scans to any accessible SIEM or log management system via SYSLOG/JSON data streams. Building on this capability, future updates will introduce an API-managed SIEM forwarding feature. This enhancement will allow users to configure THOR Cloud to automatically forward events to a cloud-based SIEM of their choice, streamlining the integration and management of SIEM data streams within the THOR Cloud environment.

AI Integration: The integration of AI technologies is planned to introduce event clustering and automated event assessment. These AI-driven features are designed to improve the accuracy and efficiency of the platform’s threat detection processes.

Legacy Operating System Support: To accommodate a broader range of user environments, THOR Cloud will extend its support to older Windows operating systems through THOR Legacy, allowing the platform to cover systems back to Windows XP and Windows 2003.

THOR Thunderstorm Integration: Future integration with THOR Thunderstorm will enable the THOR launcher to function as a sample collector. This feature will facilitate the transmission of samples to a Thunderstorm service hosted in the cloud, enhancing the platform’s analytical capabilities.

In Conclusion

As THOR Cloud continues to evolve, we’re excited to roll out new features that enhance the capabilities and usability of our platform. With upcoming enhancements like advanced SIEM integration and improved HTML reports, we aim to further streamline the security processes for our users.

We are gearing up to offer THOR Cloud to our existing customer base and to those prospects who have already expressed interest. We will continue to accept and welcome further requests for access as we expand our services.

Stay tuned for these updates, and please reach out to our sales team or visit the product page for more information.

Announcing the Launch of ASGARD Analysis Cockpit v4.1
https://www.nextron-systems.com/2024/06/21/announcing-the-launch-of-asgard-analysis-cockpit-v4-1/ (Fri, 21 Jun 2024 13:20:45 +0000)

The post Announcing the Launch of ASGARD Analysis Cockpit v4.1 appeared first on Nextron Systems.

We are excited to announce the release of ASGARD Analysis Cockpit v4.1, a substantial upgrade from version 4.0. This version introduces improvements and new features designed to enhance performance, usability, and stability.

ASGARD Analysis Cockpit v4.1 aims to provide a more efficient and robust user experience, addressing the evolving technical requirements of our users. Read on for details of the latest updates and how these changes can enhance your workflow.

Major Changes

  • Custom Event Dashboards: Create personalized dashboards in the Baselining and All Events sections.  
  • Event Insights by ChatGPT: Automatically analyze THOR events with assessments and recommendations and ask ChatGPT to explain THOR events or terms within an event.  
  • Matched Signatures Section: View all matched signatures chronologically in the new ‘Matched Signatures’ section.  
  • File Collection via Management Center: Collect files from an asset through the Management Center.  
  • Data Retention Policy: Retain events for a specified period and automatically delete them afterwards.  
  • Graphs and Statistics: Added to the Overview Dashboard for enhanced data visualization.  

Improvements

  • Bug Fixes
    Addressed and resolved various bugs to improve overall system performance. 
  • UI Enhancements
    A fresh, improved look and feel, making the UI more intuitive and user-friendly. 
  • Elasticsearch Indexing Overhaul
    The indexing structure for events in Elasticsearch has been completely revamped, significantly improving performance.
  • Case Sensitivity Adjustment
    Conditions in cases are now case-insensitive, and existing conditions will be converted automatically. 

Stability in Key Areas

  • API Communication
    The API interface remains unchanged for seamless integration.

Elasticsearch: Enhanced Performance and New Indexing Structure

We have changed the way events are indexed in Elasticsearch. The new index structure significantly improves performance but increases disk space usage by 30%-40%; plan for that extra capacity before upgrading.
After the upgrade, all events will be reindexed, which can take several hours depending on the number of events in your system. The system remains usable during this process, but we recommend performing the upgrade during off-peak hours.
If the Analysis Cockpit reaches its disk space limit during reindexing, the process will pause until more disk space is available. The Analysis Cockpit will guide you on how to free up or increase disk space, and the reindexing process will automatically resume once enough disk space is available.

FAQs

How long does the update take?

The update itself only takes a few minutes. The Analysis Cockpit then needs additional time to re-index the events, which can take hours to days depending on the number of events. We recommend performing the upgrade outside of peak business hours.

Will the system restart during the update process?

The system does not restart during the update. Once the first update is complete, you will need to log in again.

Can I continue to work during the restructuring?

Yes, you can continue to work during this time, as the latest events are re-indexed first and are available immediately. The status of the re-indexing can be tracked on the system status page. Re-indexing gives the ASGARD Analysis Cockpit an immense performance boost, which speeds up queries and makes work more efficient.

Further Information

For more details, please refer to our manual or our ASGARD Analysis Cockpit Youtube-Playlist, which provides comprehensive guidance on all the new features and changes. You can also contact our support for further assistance.

Detecting Web Shells: Why it is important to add an additional layer of protection on your existing security solutions
https://www.nextron-systems.com/2024/06/13/detecting-web-shells-enhancing-security/ (Thu, 13 Jun 2024 14:08:11 +0000)

Understanding the importance of web shell detection is crucial in today’s cybersecurity landscape. Traditional antivirus solutions often fall short, but specialized tools like Nextron’s THOR APT scanner provide advanced protection against these stealthy threats, ensuring comprehensive security.

The post Detecting Web Shells: Why it is important to add an additional layer of protection on your existing security solutions appeared first on Nextron Systems.

When it comes to cyber-attacks, web shells play a critical role in the arsenal of cyber criminals. They can provide persistent, stealthy access to compromised systems, making them a favored tool for maintaining long-term control over infected networks. In the following blog post, we will explain how our APT scanner THOR ensures that such threats are detected and why this is essential for maintaining robust cybersecurity defenses.

Understanding the Role of Web Shells

Web shells are versatile tools used for a variety of malicious activities, including data exfiltration, privilege escalation, lateral movement within networks, and launching further attacks. Because they are operated through ordinary requests to the web server, their activity hides within legitimate web traffic, which makes them difficult to detect with traditional security measures and complicates incident response and cleanup.

In the hands of cyber criminals, web shells act as a gateway to exploitation. They enable attackers to establish a foothold in compromised systems, allowing for remote access and control. This foothold can then be leveraged to execute a multitude of malicious actions, from stealing sensitive data to deploying ransomware or conducting reconnaissance for future attacks.

Moreover, web shells are not limited to a specific type of attack or target. They are highly adaptable and can be deployed across various platforms and environments, making them a persistent threat in today’s interconnected digital landscape.

The Limitations of Antivirus Solutions

While traditional antivirus (AV) solutions play a crucial role in cybersecurity by identifying and removing known malware, they often fall short when it comes to detecting web shells. Unlike conventional malware, which operates as standalone executables or scripts, web shells are sometimes embedded within legitimate web applications or files, and a web shell is often no more than a few lines that reuse functions the scripting language legitimately provides, leaving little fixed code for a hash or byte-sequence signature to key on.

Furthermore, cyber criminals are constantly evolving their tactics to evade detection by AV solutions. They employ obfuscation, encryption, and polymorphism to disguise their web shells, rendering traditional AV ineffective against these advanced threats.

The Importance of Specialized Tools

To effectively combat web shell attacks, organizations need to supplement their existing security solutions with specialized tools designed to detect and mitigate these threats. Solutions like our APT scanner THOR use a large set of generic rules that combine the smallest recurring patterns found in common web shells, which lets them detect new, modified, or embedded web shells, and add specific rules that detect the obfuscation itself.
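The idea of combining many tiny patterns, and of matching the disguise separately from the payload, can be shown in a few dozen lines. The following Python is an added illustration for this page, not THOR's rules or scoring: the token lists, weights, threshold and regular expressions are invented, and the PHP samples are constructed. It scores a file by summing small PHP-level indicators (execution sinks, request input, decoders), adds a bonus when execution and request input appear together, and keeps a second set of rules that fire on the obfuscation itself (long base64 blobs, chr() concatenation chains, hex-escaped strings, variable function calls, eval over a decoded blob).

```python
"""Added example: score-based generic web shell detection plus obfuscation rules (not THOR's rules)."""
import base64
import re

# Small building blocks seen in common PHP web shells; weights and threshold are invented for this example.
EXECUTION = {b"eval(": 3, b"assert(": 3, b"system(": 2, b"passthru(": 2, b"shell_exec(": 2,
             b"popen(": 2, b"proc_open(": 2, b"create_function(": 2}
INPUT = {b"$_POST[": 2, b"$_GET[": 2, b"$_REQUEST[": 2, b"$_COOKIE[": 2,
         b"php://input": 3, b"getallheaders(": 2}
DECODE = {b"base64_decode(": 2, b"gzinflate(": 2, b"gzuncompress(": 2, b"str_rot13(": 2,
          b"strrev(": 1, b"hex2bin(": 2}
THRESHOLD = 6

# Rules aimed at the disguise rather than the payload.
LONG_BASE64 = re.compile(rb"[A-Za-z0-9+/]{120,}={0,2}")
CHR_CHAIN = re.compile(rb"(?:chr\(\d{1,3}\)\s*\.\s*){4,}")       # chr(115).chr(121).chr(115)...
HEX_STRING = re.compile(rb"(?:\\x[0-9a-fA-F]{2}){6,}")           # "\x73\x79\x73\x74\x65\x6d"
VAR_FUNC = re.compile(rb"\$[A-Za-z_]\w*\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\[")  # $f($_POST[...])


def score_webshell(src: bytes):
    """Sum the weights of every small indicator present; reward execution driven by request input."""
    hits, score, families = [], 0, set()
    for family, table in (("exec", EXECUTION), ("input", INPUT), ("decode", DECODE)):
        for pattern, weight in table.items():
            if pattern in src:
                hits.append(pattern.decode())
                score += weight
                families.add(family)
    if {"exec", "input"} <= families:
        score += 3  # code execution fed by request data is the core shape of a web shell
    return score, hits


def obfuscation_indicators(src: bytes):
    """Return the names of obfuscation rules that fire, independent of what the payload does."""
    flags = []
    if LONG_BASE64.search(src):
        flags.append("long_base64_blob")
    if CHR_CHAIN.search(src):
        flags.append("chr_concatenation")
    if HEX_STRING.search(src):
        flags.append("hex_escaped_string")
    if VAR_FUNC.search(src):
        flags.append("variable_function_call")
    if b"eval(" in src and any(d in src for d in DECODE):
        flags.append("eval_of_decoded_blob")  # decode-then-eval is the classic packer layout
    return flags


def classify(src: bytes):
    score, hits = score_webshell(src)
    obf = obfuscation_indicators(src)
    if score >= THRESHOLD or "eval_of_decoded_blob" in obf:
        verdict = "webshell"
    elif obf:
        verdict = "suspicious_obfuscation"
    else:
        verdict = "clean"
    return {"verdict": verdict, "score": score, "hits": hits, "obfuscation": obf}


# Constructed samples (not real malware): a plain shell, a base64-packed one, a chr()-built one, a benign form.
PLAIN_SHELL = b"<?php if(isset($_POST['c'])){ system($_POST['c']); } ?>"
PACKED_SHELL = (b"<?php eval(base64_decode('"
                + base64.b64encode(b"if(isset($_POST['c'])){ system($_POST['c']); }" * 3)
                + b"')); ?>")
OBF_SHELL = b"<?php $f = chr(115).chr(121).chr(115).chr(116).chr(101).chr(109); $f($_REQUEST['x']); ?>"
BENIGN_FORM = b"<?php $name = htmlspecialchars($_POST['name'] ?? ''); echo '<p>Hello '.$name.'</p>'; ?>"

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SHELL), ("packed", PACKED_SHELL),
                          ("chr-built", OBF_SHELL), ("benign", BENIGN_FORM)):
        print(label, classify(sample))
```

Running the module prints the four verdicts. The packed sample is the instructive case: its payload is hidden inside base64, so the token score stays below the threshold and only the obfuscation rules catch it, which is exactly the gap a purely payload-oriented signature leaves open. The chr()-built sample shows the other direction: no execution function appears as a literal, yet the construction itself is suspicious enough to surface for review.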

To showcase THOR’s web shell detection, we recently compared its coverage with that of 70 antivirus engines on VirusTotal, using a large public web shell repository on GitHub curated by Tencent as the test set (see Methodology below). Across the files that either THOR or any of the antivirus engines identified as web shells, THOR consistently detected more than any other solution.

Methodology: A Fair and Neutral Comparison

To ensure an unbiased comparison, we used the largest and most popular web shell repository on GitHub, curated by Tencent. This repository is widely used, providing a reliable basis for our analysis.

Key Points:

  • Neutral Basis: We deliberately chose not to use our own web shell collection. Instead, we relied on Tencent’s repository to prevent any bias.
  • Detection Criteria: Only files identified as web shells by either THOR or any of the 70 antivirus solutions on VirusTotal were included. This approach eliminated non-relevant files such as READMEs, libraries, images, and CSS files.
  • Current Data: All files were uploaded and reanalyzed on VirusTotal on May 13th, 2024, ensuring the antivirus detections were up-to-date.
  • Versions Used
    • THOR: Version 10.7.15, Build: c114b1893902 (2024-03-25 10:29:36)
    • Signature Database: 2024/05/06-133122
  • The data files from our analysis are available for review:
    • THORcsv: THOR’s CSV output, counting duplicate MD5 hashes only once
    • webshell-vt-hash-db.json: Munin’s output from the VirusTotal search

Key Takeaways

  • Superior Detection: In this comparison, THOR detected more of the repository’s web shells than any of the 70 antivirus engines on VirusTotal.
  • Comprehensive Security: Our findings highlight the need for more than just AV for a resilient security architecture.

[Figure: Comparison of the detection coverage of web shells between Nextron’s THOR and the antivirus vendors on VirusTotal.]

Conclusion

At Nextron, we recognize the critical importance of web shell detection in today’s threat landscape. While traditional antivirus (AV) solutions focus on identifying and removing known malware, our APT scanner THOR excels in detecting the traces of hacking activity, such as obfuscations, web shells, configuration backdoors, malware-less backdoors, outputs of hack tools, remnants of malware, and anomalies in system files.
