THOR Cloud Archives - Nextron Systems
https://www.nextron-systems.com/category/thor-cloud/
Feed last built Fri, 11 Apr 2025 12:52:08 +0000

Forwarding Profiles in THOR Cloud Enterprise: Direct Log Delivery from Endpoints
https://www.nextron-systems.com/2025/04/11/forwarding-profiles-in-thor-cloud-enterprise-direct-log-delivery-from-endpoints/
Fri, 11 Apr 2025 12:49:56 +0000

The post Forwarding Profiles in THOR Cloud Enterprise: Direct Log Delivery from Endpoints appeared first on Nextron Systems.

We’re introducing Forwarding Profiles in THOR Cloud Enterprise — a feature designed to streamline how scan results are delivered to external systems such as SIEMs, log collectors, or analysis platforms. Rather than downloading logs manually or relying on intermediate cloud services, this feature enables the THOR scanner itself to forward logs directly from the endpoint to your target infrastructure.

Endpoint-Driven Log Forwarding

One of the most important architectural aspects of this feature is where the forwarding occurs. It’s not the THOR Cloud platform that pushes logs to your SIEM—it’s the THOR scanner on each endpoint that performs this action. Once a scan completes, the local scanner connects to the configured destination and transmits the logs directly.

This offers significant advantages:

  • Confidentiality: Logs remain inside your environment and do not pass through the cloud.
  • Immediate availability: Data reaches your SIEM or analysis system as soon as the scan finishes.
  • Reduced cloud dependencies: Ideal for regulated, segmented, or air-gapped environments.

However, there are trade-offs. Since forwarding occurs per endpoint, every host must be able to reach the destination (host, port, protocol). If delivery fails—due to firewall rules, DNS resolution issues, or TLS misconfiguration—the error will appear in the local scan log. There is no centralized retry mechanism: delivery success is per-endpoint and per-scan.
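The trade-off just described (delivery is per endpoint, there is no central retry, and a failure only shows up in that host's scan log) argues for a pre-flight check on each endpoint before a campaign is launched. The following Python script is an added example, not Nextron code and not part of THOR or THOR Cloud: it walks the three failure classes the post names, DNS resolution, TCP reachability of host and port, and the TLS handshake against the profile's root CA, and reports which stage fails. Every hostname, port and the local listener are constructed demonstration values; the TLS stage only does real work against a receiver and CA file you supply.

```python
"""Pre-flight check for a THOR Cloud forwarding destination.

Added example, not Nextron code and not part of THOR. It exercises the three
failure classes the post names for per-endpoint delivery: DNS resolution,
reachability of host and port through firewalls, and the TLS handshake
against the profile's root CA. Every host, port and listener below is a
constructed demonstration value.
"""
import socket
import ssl
from typing import Optional


def check_destination(host: str, port: int, protocol: str = "tcp",
                      use_tls: bool = False, ca_file: Optional[str] = None,
                      timeout: float = 3.0) -> dict:
    """Probe one forwarding destination from this endpoint.

    Returns {"dns": (status, detail), "connect": (...), "tls": (...)} where
    status is "ok", "fail" or "skipped". Later stages are skipped once an
    earlier one fails, mirroring how the scanner can only report the first
    obstacle it meets in the local scan log.
    """
    protocol = protocol.lower()
    sock_type = socket.SOCK_STREAM if protocol == "tcp" else socket.SOCK_DGRAM
    result = {}

    # Stage 1: name resolution. Numeric IPs pass without a DNS query; an FQDN
    # the endpoint's resolver cannot answer fails here before any packet leaves.
    try:
        infos = socket.getaddrinfo(host, port, type=sock_type)
    except socket.gaierror as exc:
        result["dns"] = ("fail", f"cannot resolve {host}: {exc}")
        result["connect"] = ("skipped", "no address to contact")
        result["tls"] = ("skipped", "no address to contact")
        return result
    ip = infos[0][4][0]
    result["dns"] = ("ok", f"{host} -> {ip}")

    # Stage 2: reachability. Only TCP gives a handshake to observe; a UDP
    # datagram dropped by a firewall produces no error on the sending side.
    if protocol != "tcp":
        result["connect"] = ("skipped", "UDP has no handshake; confirm arrival on the receiver")
        result["tls"] = ("skipped", "TLS forwarding requires TCP")
        return result
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
    except OSError as exc:
        result["connect"] = ("fail", f"{ip}:{port} not reachable: {exc}")
        result["tls"] = ("skipped", "no connection")
        return result
    result["connect"] = ("ok", f"{ip}:{port} accepts TCP connections")

    # Stage 3: TLS. The root CA from the profile (ca_file) must validate the
    # receiver certificate and the configured name must match it; a receiver
    # with a self-signed certificate and no matching CA in the profile fails here.
    if not use_tls:
        sock.close()
        result["tls"] = ("skipped", "profile does not use TLS")
        return result
    ctx = ssl.create_default_context(cafile=ca_file)  # None -> system trust store
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls_sock:
            subject = tls_sock.getpeercert().get("subject")
            result["tls"] = ("ok", f"{tls_sock.version()} handshake, peer subject {subject}")
    except OSError as exc:  # ssl.SSLError and certificate errors are OSError subclasses
        result["tls"] = ("fail", f"TLS handshake with {host} failed: {exc}")
    return result


def failed_stages(result: dict) -> list:
    """Names of the stages that failed, in order; an empty list means the path is clear."""
    return [stage for stage, (status, _) in result.items() if status == "fail"]


def local_listener() -> tuple:
    """Constructed stand-in for a receiver: a TCP socket on 127.0.0.1, ephemeral port.

    Returns (server_socket, port). Closing the socket simulates the receiver
    going away; the same port then refuses connections.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = local_listener()
    probes = [
        ("127.0.0.1", port, "tcp", False),          # reachable constructed receiver
        ("nxdomain.invalid", 6514, "tcp", True),    # reserved TLD: resolution always fails
        ("127.0.0.1", 514, "udp", False),           # UDP: nothing to confirm from the sender
    ]
    for host, p, proto, tls in probes:
        report = check_destination(host, p, proto, use_tls=tls)
        for stage, (status, detail) in report.items():
            print(f"{host}:{p:<5} {stage:<7} {status:<8} {detail}")
    srv.close()
```

Run it on a representative endpoint from each network segment with the real host, port and CA file from the profile; a `fail` in the `dns` or `connect` stage points at resolver or firewall rules on that segment, a `fail` in `tls` at the certificate chain or the name in the profile. The UDP branch deliberately reports nothing as reachable, because the sender cannot tell a delivered datagram from a dropped one; for UDP profiles, count arrivals on the receiver instead.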

Profile Configuration and Use

Forwarding Profiles are configured in the THOR Cloud portal, under the dedicated “Forwarding” section. Each profile defines:

  • One or more destination hosts (FQDN or IP)
  • Port and protocol (TCP or UDP, with optional TLS)
  • Log format: Syslog, JSON, or CEF
  • (Optional) Root CA certificate for TLS-secured connections

You can maintain multiple profiles, each tailored to a specific use case—such as production vs. staging, or by region, business unit, or sensitivity level.

When launching a scan campaign, you’ll find a forwarding profile dropdown in the campaign configuration screen. If a default profile has been defined, it will be pre-selected automatically. This integration ensures that logs are consistently forwarded without requiring manual selection—though it’s easy to override if necessary.

Optional Log Storage Bypass

Every forwarding profile also supports an optional setting to disable cloud-based log storage. When enabled, THOR Cloud does not retain the results of a scan—the logs are forwarded only to the specified external systems. This is useful for scenarios in which data must not leave the local network or be retained in third-party environments.

Summary

Forwarding Profiles in THOR Cloud Enterprise offer a practical, secure, and flexible way to integrate forensic scan results into your centralized workflows. By pushing logs directly from the endpoint to your internal systems, you retain control over your data and reduce operational overhead. For distributed or compliance-focused environments, this change supports secure autonomy at scale—without compromising on visibility or traceability.

The feature is available now to all THOR Cloud Enterprise users. Please reach out to your Nextron contact if you require profile-based forwarding without THOR Cloud storage, or if you need guidance on setting up your internal receivers.

Streamlining SOC Operations with THOR Cloud: Revolutionizing Remote Forensic Analysis
https://www.nextron-systems.com/2024/12/13/streamlining-soc-operations-with-thor-cloud/
Fri, 13 Dec 2024 15:36:29 +0000

Security Operations Centers (SOCs) face increasing challenges in defending against sophisticated cyber threats, often compounded by resource limitations. Analyzing large volumes of forensic data to detect indicators of compromise (IoCs) can be a labor-intensive task. Nextron’s THOR Cloud transforms forensic analysis through its cloud-hosted, agentless scanning platform, streamlining endpoint scanning and forensic investigations to enable SOC teams to efficiently identify and address threats.

Advanced Endpoint Analysis for Modern SOC Needs

THOR Cloud offers exceptional forensic analysis capabilities for endpoint systems running standard operating systems such as Windows, Linux, and macOS. Its cloud-hosted, agentless architecture empowers SOC teams to perform targeted scans across infrastructures without the need for on-premise systems or agent installations.

Key Features:

  • Agentless Deployment: Scans endpoints without the need for pre-installed agents, reducing setup time and minimizing system disruptions.
  • Centralized Management: Offers a unified cloud interface to schedule scans, analyze results, and generate actionable forensic reports.
  • Comprehensive Platform Support: Ensures compatibility with diverse operating environments.

Actionable Insights for Incident Response:

THOR Cloud equips SOC teams with actionable forensic data to assess and respond to potential threats efficiently. It identifies key compromise indicators, such as:

  • Traces of hacking tools and their outputs.
  • Misused legitimate tools and configuration backdoors.
  • Obfuscated malware designed for stealth.
  • Anomalies, including misplaced system files and renamed executables.

Streamlined Workflow for Enhanced Efficiency

Traditional forensic tools can be cumbersome, requiring endpoint agents and resource-intensive configurations. THOR Cloud’s agentless architecture eliminates these challenges by enabling immediate deployment and execution of lightweight scans directly on endpoints, designed to minimize any noticeable impact on system performance, with results seamlessly uploaded to the cloud for analysis.

Benefits of the Agentless Approach:

  • Quick Deployment: Avoids delays typically associated with software installations.
  • System Stability: Operates with minimal impact on endpoint operations.
  • Flexibility: Suits hybrid environments, including cloud-hosted endpoints and traditional infrastructure.

Empowering Detection Through Nextron’s Advanced Rule Sets

  • YARA Rules: To identify known threats, unusual behaviors, and anomalies such as uncommon file placements or tool usage.
  • Sigma Rules: To detect log-based anomalies and unusual behaviors.

THOR Cloud provides SOC teams with an edge in identifying threats that traditional tools may overlook, particularly in complex or evasive attack scenarios.

Special Offer: Limited-Time Discount

Until December 20, 2024, Nextron is offering a 50% discount on THOR Cloud Professional Scan Packs. This provides an opportunity to integrate a highly effective forensic analysis platform into your SOC toolkit at a competitive rate. Contact us today for a personalized demo and to explore how THOR Cloud can transform your forensic workflows.

Uncover Hidden Threats with THOR Cloud – Now at 50% Off!
https://www.nextron-systems.com/2024/11/26/uncover-hidden-threats-with-thor-cloud-now-at-50-off/
Tue, 26 Nov 2024 11:57:31 +0000

Are you looking for an efficient, cloud-managed solution to streamline your threat detection and compromise assessments? This Black Friday, we’re offering 50% off all THOR Cloud scan packages.

Why THOR Cloud?

  • No Setup Hassle: Start scanning within minutes—no agents or servers required.
  • Proven Detection Power: Leverage 30,000+ YARA rules, 2,000 Sigma rules, and thousands of IOCs to identify threats traditional tools miss.
  • Flexibility: Automate daily, weekly, or custom scan schedules to ensure ongoing coverage.

Whether you’re conducting forensic investigations, validating alerts, or scanning for compliance, THOR Cloud delivers a powerful, easy-to-use solution for every environment.

📅 Offer Valid Until December 20, 2024

👉 Explore the Deal and Save 50% Today

Don’t miss this chance to enhance your threat detection capabilities at half the cost.

Introducing THOR Cloud: Next-Level Automated Compromise Assessments
https://www.nextron-systems.com/2024/08/02/introducing-thor-cloud-next-level-automated-compromise-assessments/
Fri, 02 Aug 2024 12:23:13 +0000

Since the launch of THOR Cloud Lite in September, our team has been dedicated to developing a more powerful version of THOR Cloud that incorporates the full scanner with its extensive suite of forensic modules and expansive detection signature database. Today, we are excited to announce the general availability of THOR Cloud, which offers a streamlined method for conducting automated compromise assessments on your endpoints.

Like its predecessor, THOR Cloud does not require the installation of agents on the endpoint or the deployment of servers or services within your network. Setting up is straightforward: create an account, and you can start scanning immediately. The platform is designed for ease of use with an intuitive interface that allows new users to get started in minutes—no need for navigating through Windows command lines, and no extensive training or user manuals necessary.

After a scan is completed, the launcher automatically cleans up by removing itself along with the downloaded scanner, ensuring that nothing resides on the local hard drive. Additionally, reports can be encrypted with your public RSA key, providing robust end-to-end encryption for maximum security. Whether it’s for targeted compromise assessments, speeding up forensic analysis, or enabling your SOC team to verify alerts from your EDR, THOR Cloud offers a lightweight, efficient, and highly effective solution focused on detecting and analyzing hacking activities.

Key Differences Between THOR Cloud and THOR Cloud Lite

THOR Cloud is engineered for organizations and professional services that demand deep, comprehensive forensic capabilities with extensive coverage. It provides a complete suite of forensic modules and access to a broad database of over 32,000 detection rules for detailed security assessments.

Conversely, THOR Cloud Lite is better suited for individuals, non-profits, and organizations that maintain their own set of detection rules and require very targeted and specific scans for a narrow range of threats. This makes it ideal for users who perform specialized, less comprehensive security checks.

Expanded Scanning Capabilities

THOR Cloud:

  • Equipped with the full version of the THOR scanner, including all 31 forensic modules.
  • Utilizes a vast signature database with over 30,000 YARA rules, 2,000 Sigma rules, and thousands of IOCs, ensuring thorough detection and analysis of security threats.

THOR Cloud Lite:

  • Operates with a basic version, THOR Lite, featuring a limited set of open-source YARA rules and IOCs.

Licensing and Usage Flexibility

THOR Cloud:

  • Provides a scan- and host-based licensing model that supports unlimited scans on specified endpoints within a subscription period, ideal for enterprises needing extensive, regular scanning.
  • Allows commercial use for service providers.

THOR Cloud Lite:

  • Offers only a scan-based licensing model, which is suitable for organizations with infrequent scanning needs.
  • Restricted to non-commercial use, primarily intended for educational or personal exploration.

Data Retention and Security

THOR Cloud:

  • Supports storing encrypted scan reports for up to one year, aiding in compliance and long-term security analysis.

THOR Cloud Lite:

  • Retains reports for up to three months, suitable for less stringent retention needs.
  • Does not support encrypted reports, which may limit its use in environments requiring high data confidentiality.

Highlights

Nextron’s Private Signature Set

THOR Cloud leverages Nextron’s full private signature set, encompassing more than 32,000 detection rules, to provide comprehensive threat identification capabilities. This extensive set includes a wide array of generic and highly effective detection rules designed to identify a diverse range of hacking-related threats. From backdoors and web shells to hack tools and their outputs, the signature set is adept at detecting malicious activities and system anomalies.

Scheduled Rescans

THOR Cloud simplifies ongoing security assessments through its Scheduled Rescans feature, which automatically sets up and manages scheduled tasks or cron jobs on target systems. Users can easily configure multiple campaigns with different frequencies—such as daily quick scans and weekly full scans—directly from the campaign configuration menu. 

New HTML Report (coming in Q4/2024)

THOR Cloud’s latest update introduces enhanced HTML reports, designed to improve readability and interactivity for a streamlined user experience. These reports leverage the sophisticated JSON output of the forthcoming THOR v11, set for a TechPreview in Q4/2024, ensuring detailed and actionable security insights.

Key features include optimized UX for better navigation, interactive elements such as report-based and global filter management, which allow users to apply filters across various reports within a campaign. Important aspects of findings are automatically highlighted, drawing immediate focus to critical data points.

Additionally, the integration of ChatGPT introduces conversational AI capabilities, enabling dynamic interactions with report data for deeper analytical insights. This suite of enhancements transforms the HTML reports into a more interactive and user-centric tool, facilitating efficient threat assessment and management.

Planned Upgrades and Features in THOR Cloud

THOR Cloud is preparing to implement several enhancements aimed at extending its capabilities and refining the user experience. These updates focus on technical improvements and functionality expansions:

Enhanced HTML Reports: Pending the deployment of THOR v11 and its refined JSON output, THOR Cloud plans to introduce upgraded HTML reports. These reports will incorporate enhanced user interfaces for improved navigation and readability, along with new filter management features that will allow users to apply and manage filters within individual reports or across multiple campaign reports.

Filter Creation and Application: Alongside improvements to HTML reports, THOR Cloud will enable users to create and manage filters on both a campaign-specific and a global level. 

User Management Enhancements: Updates to the user management system are expected to improve administrative control over user roles and access rights.

SIEM Forwarding Management: Currently, THOR Cloud enables the direct transmission of logs from endpoint scans to any accessible SIEM or log management system via SYSLOG/JSON data streams. Building on this capability, future updates will introduce an API-managed SIEM forwarding feature. This enhancement will allow users to configure THOR Cloud to automatically forward events to a cloud-based SIEM of their choice, streamlining the integration and management of SIEM data streams within the THOR Cloud environment.

AI Integration: The integration of AI technologies is planned to introduce event clustering and automated event assessment. These AI-driven features are designed to improve the accuracy and efficiency of the platform’s threat detection processes.

Legacy Operating System Support: To accommodate a broader range of user environments, THOR Cloud will extend its support to older Windows operating systems through THOR Legacy, allowing the platform to cover systems back to Windows XP and Windows 2003.

THOR Thunderstorm Integration: Future integration with THOR Thunderstorm will enable the THOR launcher to function as a sample collector. This feature will facilitate the transmission of samples to a Thunderstorm service hosted in the cloud, enhancing the platform’s analytical capabilities.


In Conclusion

As THOR Cloud continues to evolve, we’re excited to roll out new features that enhance the capabilities and usability of our platform. With upcoming enhancements like advanced SIEM integration and improved HTML reports, we aim to further streamline the security processes for our users.

We are gearing up to offer THOR Cloud to our existing customer base and to those prospects who have already expressed interest. We will continue to accept and welcome further requests for access as we expand our services.

Stay tuned for these updates, and please reach out to our sales team or visit the product page for more information.

Protecting Your Business: Addressing the Microsoft Exchange Vulnerability Crisis
https://www.nextron-systems.com/2024/04/03/microsoft-exchange-vulnerability-crisis/
Wed, 03 Apr 2024 14:31:53 +0000

Discover how to safeguard your business from the ongoing Microsoft Exchange vulnerability crisis highlighted by the German Federal Office for Information Security (BSI). Learn about critical warnings, the importance of patching, and how automated compromise assessments with THOR Cloud Lite can fortify your cybersecurity strategy.

The German Federal Office for Information Security (BSI) has issued a warning that underscores a critical cybersecurity threat: over 17,000 Microsoft Exchange servers in Germany are exposed online, vulnerable to critical security vulnerabilities. This situation presents a significant risk to the IT infrastructure of affected organizations and their operational security. IT management and decision-makers must urgently adopt measures to protect their networks from potential cyberattacks.

The German BSI Alert: A Critical Warning

The BSI’s alert brings to light the precarious state of Microsoft Exchange servers across Germany, with around 37% of systems found to be critically vulnerable. This includes outdated versions such as Exchange 2010 and 2013, which make up 12% of the installations and have not been updated since October 2020 and April 2023, respectively. Additionally, nearly 28% of the servers running newer versions like Exchange 2016 and 2019 are missing essential patches for critical security flaws that could be exploited in remote code execution attacks.

The BSI’s warning about the vulnerabilities in Microsoft Exchange servers in Germany highlights a crucial aspect of cybersecurity: the inadequacy of relying solely on patching, especially for systems that have been exposed online. The alert reveals that a significant percentage of these systems remain critically vulnerable due to outdated versions or missing patches for known security flaws. This situation indicates that, while patching is a necessary step in cybersecurity maintenance, it is not sufficient on its own. For systems that have been exposed to the internet and potentially compromised before the application of patches, conducting a thorough compromise assessment is an essential next step. This assessment determines the extent of any breach and the presence of attackers within the network, guiding the necessary response to secure the compromised systems.


Patching and the Critical Need for Compromise Assessment

Patching plays a crucial role in protecting Microsoft Exchange servers from cyber attackers by addressing known vulnerabilities. However, vulnerabilities can be exploited before patches are applied, leaving organizations unknowingly at risk. This underscores the need for compromise assessments, especially after applying patches to previously vulnerable systems.

Compromise assessments are vital for determining if a system was compromised before the patch was implemented. These assessments help identify whether attackers have remained dormant within the network, potentially engaging in malicious activities such as credential dumping and lateral movement. Identifying signs of a successful attack early can prevent a minor breach from escalating into a more severe and extensive compromise. Given the complexity and expertise required for thorough assessments, automated solutions like THOR Cloud Lite offer a practical and efficient alternative to manual investigations.

Automated Compromise Assessments with THOR Cloud Lite

For those seeking an automated approach to compromise assessments, our THOR Cloud Lite offers a practical solution. While the full THOR Cloud service is slated for release in Q2/2024, THOR Cloud Lite is currently available and provides a robust set of features tailored for efficient and automatic compromise assessments.

THOR Cloud Lite utilizes a comprehensive, though reduced, open-source rule set and a selection of THOR’s advanced modules to effectively uncover evidence of the exploitation of vulnerabilities. This focus on post-exploitation activities allows organizations to swiftly identify signs of compromise, such as lateral movements, credential dumping, and other indicators of malicious activity within their network.

Benefits of Using THOR Cloud Lite for Your Security Strategy

  • Efficient Detection: Leverage the power of THOR Cloud Lite to detect signs of exploitation with significantly less effort and time compared to manual investigations.
  • Accessibility: With THOR Cloud Lite, organizations can start enhancing their cybersecurity posture immediately, taking advantage of up to 30 scans per month without any cost.
  • Preparation for THOR Cloud: As we prepare for the launch of THOR Cloud, users of THOR Cloud Lite can familiarize themselves with the process of automated compromise assessments, setting the stage for a seamless transition to the more comprehensive features THOR Cloud will offer upon its release.

THOR Cloud Lite represents an effective step forward in automating compromise assessments, providing organizations with a valuable tool in their cybersecurity arsenal as they await the full capabilities of THOR Cloud.

Integration of THOR in Velociraptor: Supercharging Digital Forensics and Incident Response
https://www.nextron-systems.com/2023/11/03/integration-of-thor-in-velociraptor-supercharging-digital-forensics-and-incident-response/
Fri, 03 Nov 2023 14:17:30 +0000

Digital forensics and incident response (DFIR) are critical components of the cybersecurity landscape. Evolving threats and complex cyber-attacks make it vital for organizations to have efficient and powerful tools available. If you are not already enjoying the benefits of our ASGARD platform and you are using Velociraptor for DFIR, it is worth reading on. In this blog post, we explore the integration of THOR into Velociraptor and the benefits it brings to Velociraptor users.

If you are a technical reader and already know your way around THOR and Velociraptor, you might want to jump directly to the end of the blog.

DFIR Platforms

If you’re content with Velociraptor for your endpoint management and wary of switching your DFIR platform, we understand your concerns. Hence, we’ve crafted artifacts to integrate THOR, our endpoint scanner, into your existing Velociraptor setup. This integration allows you to leverage THOR’s robust scanning capabilities, ensuring a streamlined, efficient, and non-disruptive addition to your security infrastructure. While we consider ASGARD to be the prime solution for managing and evaluating THOR scans, this blog ensures you have a robust alternative that complements and enhances your current security measures without adopting a new platform.

Velociraptor - Digging Deeper!

“Velociraptor is an advanced digital forensic and incident response tool that enhances your visibility into your endpoints.”
https://docs.velociraptor.app/

Velociraptor is an open-source digital forensic and incident response tool designed to collect, monitor and hunt within your environment. At its core is the Velociraptor Query Language (VQL), a solid framework for creating highly customized queries. These queries can be used to collect and monitor data from single or multiple endpoints across a network. VQL queries can be packaged into ‘Artifacts’, structured YAML files containing named queries for easy searching, execution and sharing with the community. These Artifacts serve as modules, each typically focused on retrieving a specific type of information from an endpoint, which simplifies forensic and monitoring tasks.


THOR APT Scanner

THOR is an advanced compromise assessment tool specifically designed to detect hack tools, backdoors, and traces of hacker activities on endpoints that standard anti-virus solutions often miss. Using over 20,000 YARA signatures and over 24 specific modules, THOR examines systems for signs of attacker tools, system manipulations, and suspicious log activities. THOR combines a high detection rate with system stability: it monitors resource usage and adjusts its own performance automatically.

Supercharge Your DFIR with Integration

Consider a scenario where you see unusual network activity from a host within your company network. Now, where do you start?
This is where THOR shines: with its huge (offline) detection set, it is the perfect starting point for your DFIR process. With THOR you do not need to know what you are looking for; THOR knows on its own! Use the open-source Velociraptor THOR artifact (see below) to boost your triage while still working in your familiar Velociraptor UI, using its features for collection, monitoring and mitigation.

Velociraptor THOR Artifacts

We’ve created three Velociraptor artifacts for using and leveraging THOR:

  • Generic artifact for THOR (enterprise) forensic scanner. Works for all major operating systems and licenses endpoints on the fly.
  • Artifact which is used best in combination with THOR Lite. Expects a ZIP file with THOR Lite (as downloaded from our servers) and a THOR Lite license. Works for all major operating systems.
  • Artifact for our newest member in the THOR family: THOR Cloud.

Get Started

Introducing THOR-Cloud Lite: Seamless On-Demand Forensic Scanning Made Easy
https://www.nextron-systems.com/2023/10/30/introducing-thor-cloud-lite-seamless-on-demand-security-scanning-made-easy/
Mon, 30 Oct 2023 12:26:54 +0000

We just launched THOR-Cloud Lite, our new free, lightweight and easy-to-deploy on-demand compromise assessment scanner, allowing you to access your scans and reports from anywhere at any time. Licensing, scan campaigns and reports are all conveniently managed in the new web-based user interface.

Easy Setup – Powerful Features

Previously, scanning with THOR required manual setup and additional on-premises systems. With THOR Cloud we have completely eliminated the need for on-premises systems and additional agents. The entire client setup is handled by the new THOR Cloud launcher, a single application that sets up the THOR scanner on your devices.

The THOR scanner includes over 20,000 pre-built signatures designed to detect various traces of hacking activity, ensuring thorough analysis and the identification of potential security threats. THOR and the THOR Cloud launcher support Windows, Linux and macOS, ensuring coverage for all kinds of environments.

Campaigns are managed through our web-based interface, allowing for easy configuration and convenient management from a centralized location. The campaign overview shows the scan status and the results of current and previous scans, allowing for a quick initial assessment. Campaigns offer a variety of options, such as one-time or recurring scans.

THOR Cloud’s scans offer in-depth insights, serving as a valuable second opinion on security events. Each scan generates various output files, including an HTML report that provides a prioritized view of the scan log.

This helps analysts quickly investigate and qualify security events, which can expedite analysis, reduce the need for further manual investigation, and optimize resource allocation, making THOR Cloud an ideal extension to support your SIEM or EDR analysts.

Easy To Use And Integrate

THOR Cloud is built with usability and accessibility in mind, offering step-by-step guides and extensive documentation for end users and developers. With the guided setup you can simply follow along to deploy THOR Cloud in your environment without any prior knowledge.

All features present in the interface are easily accessible via an API, ensuring seamless integration with your existing solutions, whether you want to automate workflows, integrate with existing systems (SIEM/EDR), or build custom applications. Everything is possible with our powerful API.

Video

In the following recorded video session, we delve into the essence of THOR Cloud and offer a concise demonstration of the platform:


Conclusion & Get Started

In conclusion, THOR Cloud is a game-changer for on-demand security scans and compromise assessments. It offers simplicity, accuracy, and ease of integration, while reducing management and deployment efforts.

Sign up for a free THOR Cloud Lite account here.

The free version of THOR Cloud includes the THOR Lite scanner and the open source signature set. A full version including the enterprise-grade THOR scanner with our full signature set will be launching in Q1 2024.

Check out the THOR Cloud product page for more information.

Scanning for Indications of MOVEit Transfer Exploitation with THOR Lite
https://www.nextron-systems.com/2023/06/03/scanning-for-indications-of-moveit-transfer-exploitation-with-thor-lite/
Sat, 03 Jun 2023 09:37:23 +0000

On June 1st, the vendor of MOVEit Transfer, previously known as Ipswitch but now called Progress, announced the discovery of a critical security vulnerability that has been exploited. MOVEit is an enterprise software utilized by numerous organizations globally for secure managed file transfer. According to Shodan, an internet search engine, there are currently over 2,500 servers publicly accessible on the open Internet running MOVEit.

You can find more information on the threat in the vendor’s advisory and the following articles by TrustedSec, Huntress Labs and Mandiant:

Vendor Advisory

The advisory by the vendor Progress was published on 01.06. and is updated continuously

TrustedSec Article

This article by TrustedSec lists many indicators and contains information on the dropped web shell

Huntress Labs Article

Huntress Labs reports on the activity including log file entries, IOCs and a YARA rule

Mandiant Report

Mandiant’s report attributes the activity to UNC4857

Upon initial awareness of the compromise, we initiated our own investigation and promptly released a series of detection rules to our public repositories. These Indicators of Compromise (IOCs) and YARA rules were immediately accessible to users of THOR Lite.

While having detection mechanisms in place is a positive step, assessing the situation and ensuring that no system in the network has been impacted by the threat is often a challenging task.

To facilitate this process and perform a rapid scan of your own environment at no cost, one option is to utilize the THOR Lite scanner. By employing this tool, you can leverage the rules mentioned earlier and swiftly evaluate your network for potential threats.

Enter THOR Lite

THOR Lite is the streamlined version of our compromise assessment scanner, THOR. It utilizes YARA rules and Indicators of Compromise (IOCs), such as hash values and file names, to effectively identify malicious activity.

In this technical blog article, we will delve into the utilization of THOR Lite for scanning end systems to detect any signs of malicious activity associated with the MOVEit exploitation.

Furthermore, we will explore the diverse range of indicators that THOR Lite can detect, guide you through the process of tool setup and configuration, and offer tips for comprehending the scan results.

By the end of this article, you will have a comprehensive understanding of how to utilize THOR Lite to conduct compromise assessments within your network.

Download THOR Lite

Visit the product page, subscribe to the newsletter to get the program package and a license file.

Email content:

Getting Started

Once you have downloaded the program package in the form of a ZIP archive, extract its contents and locate the license file (.lic). Move the license file to the program folder.

To initiate the program, simply double-click on the “thor64-lite.exe” file without any additional flags. Alternatively, you can open a Windows command line with administrator privileges, navigate to the directory where you extracted the program package, and start “thor64-lite.exe” from there.

Upon running the program, a scan window will appear, automatically closing upon completion of the scan. Typically, scans require approximately 1-4 hours to complete, although there are techniques to expedite the scanning process.


Flags to Consider

--nosoft --nolowprio

If you are scanning virtual machines or systems under constant high load from other processes, it can be beneficial to use the “--nosoft” and “--nolowprio” flags. These flags let THOR run with the same process priority as any regular process, helping to ensure that the scan operates smoothly alongside other ongoing processes.

--lookback 150 --global-lookback

If you are only interested in recently created files and log entries, these flags direct THOR to scan exclusively elements that have been created or modified within the past 150 days. Any file or event log entry older than that is ignored, resulting in a significantly smaller set of elements being scanned.

--cpulimit 30

To minimize the impact on end users working on a system during the scan, you can reduce the CPU usage of the scanner to, for example, 30%. Decreasing the overall system load and fan noise this way keeps users from noticing the scan.

Recommended Command Line Flags for this Use Case

If a regular scan takes an excessive amount of time, we recommend utilizing the following command line flags to expedite the scan process by limiting it to the changes that have occurred within the last 150 days:

thor64-lite.exe --nolowprio --lookback 150 --global-lookback

To minimize CPU usage and make it as inconspicuous as possible for end users working on the scanned systems, employ the following command:

thor64-lite.exe --lookback 150 --global-lookback --cpulimit 35

Update the Signatures

To ensure that THOR always operates with the latest set of signatures related to the MOVEit exploitation, we are continuously working on enhancing and updating them. To incorporate the newest signatures, utilize the following command:

thor-lite-util.exe upgrade

Interpreting the Scan Results

During the scan you’ll see several messages in green and blue colors. Warning and alert messages use a yellow or red color, but don’t worry when you notice a message of that color. Remember that THOR is a scanner that highlights malicious and suspicious elements for review by an administrator or forensic analyst; not everything shown as a “warning” message has to be a real threat.

After the scan finishes, users can find an HTML report in the program folder that lists all findings.

We recommend searching the HTML report for the keyword “MOVEit” and reviewing only the matches with the specific IOCs and YARA rules related to this activity.

THOR Lite is able to detect various forensic artefacts:

  • The dropped ASPX web shell
  • The compiled ASPX web shell in caches (even if attackers removed the .aspx file)
  • Exploitation in the web server log files
  • Access to the web shell in web server log files
  • Suspicious file types or extensions in the reported staging directories
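To triage a scan log the way the section above recommends, here is an added Python example (not part of the article and not THOR’s own code): it keeps only Warning and Alert lines, counts hits on the four public MOVEit YARA rules named in the Signatures section, and lists separately any other yellow/red finding that merely touches a path containing “MOVEit”, for a second pass. The “Level: KEY: value …” log layout, the paths and the SUSP_PLACEHOLDER_* rule names are assumptions and constructed sample data, not real THOR log lines or indicators.

```python
import re
from collections import Counter

# The four public YARA rules the article lists for MOVEit activity.
MOVEIT_YARA_RULES = {
    "WEBSHELL_ASPX_MOVEit_Jun23_1",
    "WEBSHELL_ASPX_DLL_MOVEit_Jun23_1",
    "LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_1",
    "LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_2",
}

# Constructed sample log; the "Level: KEY: value ..." layout is an assumed
# simplification of THOR's text log, paths and SUSP_PLACEHOLDER_* are placeholders.
SAMPLE_LOG = """\
Jun 03 10:12:44 SRV1 THOR: Info: MODULE: Init MESSAGE: Scan started
Jun 03 10:13:02 SRV1 THOR: Warning: MODULE: Filescan MESSAGE: Malware file found FILE: C:\\MOVEit\\wwwroot\\placeholder.aspx RULE: WEBSHELL_ASPX_MOVEit_Jun23_1 SCORE: 240
Jun 03 10:13:05 SRV1 THOR: Alert: MODULE: Filescan MESSAGE: Compiled web shell in cache FILE: C:\\Windows\\Temp\\App_Web_placeholder.dll RULE: WEBSHELL_ASPX_DLL_MOVEit_Jun23_1 SCORE: 300
Jun 03 10:13:20 SRV1 THOR: Warning: MODULE: LogScan MESSAGE: Exploitation indicator FILE: C:\\inetpub\\logs\\placeholder.log RULE: LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_1 SCORE: 70
Jun 03 10:13:40 SRV1 THOR: Warning: MODULE: Filescan MESSAGE: Suspicious archive FILE: C:\\MOVEit\\staging\\placeholder.7z RULE: SUSP_PLACEHOLDER_Archive SCORE: 60
"""

LINE_RE = re.compile(r"THOR: (?P<level>Info|Notice|Warning|Alert): (?P<body>.*)")
KV_RE = re.compile(r"([A-Z]+): (.*?)(?= [A-Z]+: |$)")  # "KEY: value" pairs

def parse_findings(log_text):
    """Return Warning/Alert lines (the yellow/red ones) as dicts of their fields."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("level") in ("Warning", "Alert"):
            fields = dict(KV_RE.findall(m.group("body")))
            fields["LEVEL"] = m.group("level")
            findings.append(fields)
    return findings

def triage_moveit(log_text):
    """Count hits on the listed MOVEit rules separately from other
    warnings/alerts that merely touch a MOVEit path (review those second)."""
    rule_hits, related = Counter(), []
    for f in parse_findings(log_text):
        if f.get("RULE") in MOVEIT_YARA_RULES:
            rule_hits[f["RULE"]] += 1
        elif "moveit" in (f.get("RULE", "") + " " + f.get("FILE", "")).lower():
            related.append(f)
    return rule_hits, related

if __name__ == "__main__":
    hits, related = triage_moveit(SAMPLE_LOG)
    print(dict(hits), f"{len(related)} further finding(s) in MOVEit paths to review")
```

Point the script at the real text log instead of SAMPLE_LOG after checking that the field layout matches your THOR Lite version.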

Signatures

The subsequent listings display all the publicly available signatures that we have created and implemented in THOR Lite to identify malicious activity.

YARA (public)

WEBSHELL_ASPX_MOVEit_Jun23_1
WEBSHELL_ASPX_DLL_MOVEit_Jun23_1
LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_1
LOG_EXPL_MOVEit_Exploitation_Indicator_Jun23_2

SIGMA (public)

Emerging Threat Folder: CVE-2023-34362-MOVEit-Transfer-Exploit

Rule Title: Potential MOVEit Transfer CVE-2023-34362 Exploitation
UUID: c3b2a774-3152-4989-83c1-7afc48fd1599

Rule Title: MOVEit CVE-2023-34362 Exploitation Attempt – Potential Web Shell Request
UUID: 435e41f2-48eb-4c95-8a2b-ed24b50ec30b

IOCs

Filename IOCs
filename-iocs.txt @ signature-base

Hash IOCs
hash-iocs.txt @ signature-base

C2 IOCs
c2-iocs.txt @ signature-base

Full THOR Version

Please bear in mind that THOR Lite is solely a demo version of our complete scanner, which encompasses over 27 detection modules and more than 20,000 YARA rules. In contrast, THOR Lite employs only 5 modules and 2,500 rules.

For a comprehensive comparison of features, you can refer to the full feature comparison available here. Additionally, there is a detailed blog post that delves into the dissimilarities between the two versions, which you can find here.


THOR Seed v0.18 Improves Integration with Microsoft Defender ATP https://www.nextron-systems.com/2021/02/03/thor-seed-v0-18-improves-integration-with-microsoft-defender-atp/ Wed, 03 Feb 2021 11:34:34 +0000 https://www.nextron-systems.com/?p=9324

A new version of THOR Seed improves the integration with Microsoft Defender ATP by handling the script termination caused by exceeded timeouts. Due to a runtime limit for all scripts in the Live Response library, we had to configure previous versions of THOR Seed to perform a reduced scan that tried to finish within that runtime limit.

This led to two major issues:

  • Only a reduced set of modules could be activated and a limited set of elements could be scanned
  • Some script runs were terminated before completion

THOR Seed version 0.18 is now able to handle this situation and provides guidance on how to proceed.

While resolving this issue, we noticed that only the script run gets terminated but not the sub process, which is the actual THOR scan. So the execution of “thor-seed.ps1” gets interrupted, but the sub process “thor64.exe” keeps running in the background.

After a terminated script run, you can now simply “run thor-seed.ps1” a second time and get the info that the THOR process in the background is still running.

It includes the location of the log file and shows the last 3 lines of that file so that you can review the scan progress.

After the scan has been completed, THOR Seed shows a message that it cannot start a new scan until the log files and HTML reports have been reviewed and removed from the system.

It includes all necessary commands for you to just copy, paste and execute.

A new guide explains all the steps and describes the integration in more detail.

The release version can be found here.

Please contact us for a current version of that document in case you encounter any issues due to outdated information.

Product Updates Slides – VALHALLA and THOR Cloud https://www.nextron-systems.com/2020/05/28/product-updates-slides-valhalla-and-thor-cloud/ Thu, 28 May 2020 13:14:58 +0000 https://www.nextron-systems.com/?p=7953

The following slides contain information on changes and new features in several of our products.

VALHALLA

Product Update and New Features
DOWNLOAD Slide Deck

THOR Cloud

Technical Implementation, Roadmap
DOWNLOAD Slide Deck
