Florian Roth, Author at Nextron Systems
https://www.nextron-systems.com/author/florian/

Forwarding Profiles in THOR Cloud Enterprise: Direct Log Delivery from Endpoints
https://www.nextron-systems.com/2025/04/11/forwarding-profiles-in-thor-cloud-enterprise-direct-log-delivery-from-endpoints/
Fri, 11 Apr 2025 12:49:56 +0000
The post Forwarding Profiles in THOR Cloud Enterprise: Direct Log Delivery from Endpoints appeared first on Nextron Systems.
We’re introducing Forwarding Profiles in THOR Cloud Enterprise — a feature designed to streamline how scan results are delivered to external systems such as SIEMs, log collectors, or analysis platforms. Rather than downloading logs manually or relying on intermediate cloud services, this feature enables the THOR scanner itself to forward logs directly from the endpoint to your target infrastructure.

Endpoint-Driven Log Forwarding

One of the most important architectural aspects of this feature is where the forwarding occurs. It’s not the THOR Cloud platform that pushes logs to your SIEM—it’s the THOR scanner on each endpoint that performs this action. Once a scan completes, the local scanner connects to the configured destination and transmits the logs directly.

This offers significant advantages:

  • Confidentiality: Logs remain inside your environment and do not pass through the cloud.
  • Immediate availability: Data reaches your SIEM or analysis system as soon as the scan finishes.
  • Reduced cloud dependencies: Ideal for regulated, segmented, or air-gapped environments.

However, there are trade-offs. Since forwarding occurs per endpoint, every host must be able to reach the destination (host, port, protocol). If delivery fails—due to firewall rules, DNS resolution issues, or TLS misconfiguration—the error will appear in the local scan log. There is no centralized retry mechanism: delivery success is per-endpoint and per-scan.
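Because delivery success is decided per endpoint, it helps to verify a profile's destination from a host before a campaign runs. The following is an added example (not Nextron's code, and not how THOR itself implements delivery): a preflight check that walks the stages at which the post says delivery fails, namely DNS resolution, TCP reachability and the TLS handshake against the profile's root CA. The profile fields follow the post; the function names, result layout and the local demo setup are this example's own assumptions.

```python
"""Endpoint-side preflight check for a THOR forwarding destination.

Added example, not Nextron code: it walks the stages at which the post says
delivery fails (DNS resolution, firewall/port reachability, TLS
misconfiguration) so a host can be verified against a profile before a scan
campaign runs. The profile fields mirror the post (host, port, TCP/UDP,
optional TLS with a root CA); function names and result layout are assumed.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DestinationCheck:
    ok: bool
    stage: str    # stage reached: "dns", "connect", "tls" or "done"
    detail: str


def check_destination(host: str, port: int, proto: str = "tcp", tls: bool = False,
                      ca_pem_path: Optional[str] = None, timeout: float = 3.0) -> DestinationCheck:
    """Resolve, connect and (optionally) complete a TLS handshake from this host."""
    socktype = socket.SOCK_DGRAM if proto.lower() == "udp" else socket.SOCK_STREAM
    # Stage 1: DNS. A wrong resolver or a blocked DNS path fails here.
    try:
        family, socktype, _, _, addr = socket.getaddrinfo(host, port, type=socktype)[0]
    except socket.gaierror as exc:
        return DestinationCheck(False, "dns", f"cannot resolve {host}: {exc}")

    if socktype == socket.SOCK_DGRAM:
        # UDP is connectionless: resolution is all that can be verified from here.
        return DestinationCheck(True, "done", f"{host} -> {addr[0]}; UDP delivery cannot be confirmed")

    # Stage 2: TCP connect. Firewall rules and closed ports surface here.
    sock = socket.socket(family, socktype)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
    except OSError as exc:
        sock.close()
        return DestinationCheck(False, "connect", f"TCP connect to {addr[0]}:{port} failed: {exc}")

    if not tls:
        sock.close()
        return DestinationCheck(True, "done", f"TCP reachable at {addr[0]}:{port}")

    # Stage 3: TLS. Trust only the profile's root CA (if given) and verify the hostname,
    # so a receiver certificate that does not chain to that CA is reported as a TLS failure.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + check_hostname by default
    if ca_pem_path:
        ctx.load_verify_locations(cafile=ca_pem_path)
    else:
        ctx.load_default_certs()
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls_sock:
            subject = dict(rdn[0] for rdn in tls_sock.getpeercert().get("subject", ()))
            return DestinationCheck(True, "done", f"TLS OK, peer CN={subject.get('commonName')}")
    except OSError as exc:   # ssl.SSLError (including certificate errors) is an OSError
        return DestinationCheck(False, "tls", f"TLS handshake with {host} failed: {exc}")


def demo() -> List[DestinationCheck]:
    """Constructed local scenario: one listening receiver, one closed port, one UDP profile."""
    receiver = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    receiver.bind(("127.0.0.1", 0))
    receiver.listen(1)                      # stands in for a reachable syslog/JSON receiver
    open_port = receiver.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                           # nothing listens on this port any more

    try:
        return [
            check_destination("127.0.0.1", open_port),
            check_destination("127.0.0.1", closed_port),
            check_destination("127.0.0.1", 514, proto="udp"),
        ]
    finally:
        receiver.close()


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running it on the endpoint with the real profile values (and `tls=True` plus the exported root CA path) reproduces the same three failure classes the local scan log would otherwise show only after the scan has finished.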

Profile Configuration and Use

Forwarding Profiles are configured in the THOR Cloud portal, under the dedicated “Forwarding” section. Each profile defines:

  • One or more destination hosts (FQDN or IP)
  • Port and protocol (TCP or UDP, with optional TLS)
  • Log format: Syslog, JSON, or CEF
  • (Optional) Root CA certificate for TLS-secured connections

You can maintain multiple profiles, each tailored to a specific use case—such as production vs. staging, or by region, business unit, or sensitivity level.

When launching a scan campaign, you’ll find a forwarding profile dropdown in the campaign configuration screen. If a default profile has been defined, it will be pre-selected automatically. This integration ensures that logs are consistently forwarded without requiring manual selection—though it’s easy to override if necessary.

Optional Log Storage Bypass

Every forwarding profile also supports an optional setting to disable cloud-based log storage. When enabled, THOR Cloud does not retain the results of a scan—the logs are forwarded only to the specified external systems. This is useful for scenarios in which data must not leave the local network or be retained in third-party environments.

Summary

Forwarding Profiles in THOR Cloud Enterprise offer a practical, secure, and flexible way to integrate forensic scan results into your centralized workflows. By pushing logs directly from the endpoint to your internal systems, you retain control over your data and reduce operational overhead. For distributed or compliance-focused environments, this change supports secure autonomy at scale—without compromising on visibility or traceability.

The feature is available now to all THOR Cloud Enterprise users. Please reach out to your Nextron contact if you require profile-based forwarding without THOR Cloud storage, or if you need guidance on setting up your internal receivers.

Cyber Security 2025: Practical Trends Beyond the Hype
https://www.nextron-systems.com/2025/02/03/cyber-security-2025-real-threats-beyond-the-headlines/
Mon, 03 Feb 2025 17:33:28 +0000

In my 2024 article, Cyber Security 2024: Key Trends Beyond the Hype, I aimed to stay rational and avoid hype—especially around AI—and pointed out that most real-world attacks still involved unpatched systems, weak credentials, and social engineering. Over the past year, that has largely remained true.

Now, as we move into 2025, I’m revisiting those same areas with updated examples. Supply chain attacks remain a key concern—especially for identity providers and open-source libraries. Token and cloud API abuse hasn’t slowed down, and attackers keep finding ways to bypass or disable EDR solutions, often hiding behind legitimate software. Meanwhile, basic security missteps still leave many organizations open to recurring threats.

Although I was skeptical about AI-based attacks last year, we do see attackers using AI to automate tasks like scripting or generating phishing emails. There’s still no proof of a fully AI-driven breach from start to finish—it’s more of an efficiency boost than a total game-changer. My goal here is to remain as sober and factual as possible, highlighting what’s genuinely evolving in these trends and where we should pay close attention going into 2025.

1. Supply Chain Attacks

Supply chain attacks continue to pose a serious threat to organizations of all sizes, even those with sophisticated security measures. While these attacks often target software providers or trusted third-party vendors, recent events show that Identity and Access Management (IAM) service providers themselves can become single points of failure. A single breach at a major identity platform can compromise thousands of companies at once, exposing credentials, tokens, and other valuable data.

Okta: A Breach That Shook Customer Trust

Okta’s late-2023 breach is a prime example of how quickly an incident can escalate. Initially, the company reported that only 1% of customers were affected. Weeks later, it revealed that its entire customer base was impacted. To an outside observer, it seems Okta was overwhelmed by the attack’s sophistication and remained cautious in what it disclosed. As more details emerged, the root cause turned out to be surprisingly mundane – an Okta employee logged into a personal Google account on a corporate laptop, opening the door for a massive data exposure. For organizations depending on IAM services, it’s a stark reminder that even top-tier providers have blind spots, and if they’re compromised, the implications can be extremely severe.

Microsoft: The Underrated Damage of a Compromised Key

Shortly after the Okta breach, another incident at Microsoft highlighted just how powerful stolen signing keys can be. In an attack attributed to a Chinese threat actor (Storm-0558), a private encryption key for Microsoft’s identity services was taken.

While Microsoft initially stated the attack impacted only Outlook.com and Exchange Online, independent research suggests the key could have theoretically been used to forge tokens for services like SharePoint, OneDrive, Teams, or even third-party apps using “Login with Microsoft.” Because identity provider keys can grant access to a huge number of services, this breach may be more significant than Microsoft’s public statements suggest.

In reality, organizations have little direct control over how a major cloud provider safeguards its signing keys, so transparency from the provider after any compromise is crucial. Without clear information about the nature and scope of a breach, customers can’t accurately assess their exposure or respond effectively.

Open Source Supply Chain Risks

Open source ecosystems also continue to be a prime target. Malicious actors tamper with NPM packages, PyPI modules, GitHub repositories, or other code libraries, embedding backdoors in widely used dependencies. A notable example involves XZ Utils, a Linux compression library, which was briefly taken over by a suspicious contributor who shipped malicious updates aimed at undermining SSH authentication. Luckily, the rogue versions (5.6.0 and 5.6.1) weren’t widely adopted, limiting real-world impact. However, if they had been broadly deployed—especially in embedded or firmware environments—the fallout could have been much worse. As the reliance on open source only grows, so does the importance of continuous monitoring, code signing, and stricter vendor risk assessment.

These incidents show how quickly a single supplier or identity service compromise can affect thousands of organizations. Sometimes, more details only emerge after weeks, revealing a bigger problem than originally reported. When widely used vendors or open-source libraries are attacked, the damage often extends far beyond one victim. Because so many companies rely on the same tools and providers, supply chain attacks remain one of the most serious threats in cybersecurity today.

2. Token and Cloud API Abuse

Session tokens have become a critical part of modern authentication flows. They let users stay logged in to web apps, cloud consoles, and enterprise services without repeatedly entering credentials. While this feels convenient, it also introduces new ways for attackers to slip through defenses—even in setups that use multi-factor authentication (MFA). If a token is stolen or forged, someone with malicious intent can bypass many security checks and move laterally with little friction.

Below are some practical points worth highlighting:

Token Forging (Lessons from High-Profile Breaches)

The Microsoft Storm-0558 incident showed that losing control of a signing key can be more damaging than a typical credential leak. If attackers can forge their own tokens, they’re suddenly able to impersonate users in multiple cloud services. For any organization relying on a major cloud or identity provider, it’s important to understand how those critical signing keys are protected—because if they’re compromised, you’ll want to detect and respond immediately.

Third-Party Integrations and Code Repositories

Many organizations rely on services like Slack, Teams, or analytics platforms, which connect via tokens or API keys. These secrets often end up in code repositories, config files, or logs. Attackers systematically comb through public GitHub repos to find them. Integrating scanning tools (e.g., GitGuardian or truffleHog) into your CI/CD pipeline can help detect these tokens before they become a liability.

Beyond Web Browsers

Token theft isn’t limited to standard web sessions. Many Office 365–integrated apps, mobile apps, backend microservices, or serverless functions rely on tokens that can offer broader network access than a local user account. Although LSASS (Local Security Authority Subsystem Service) is also a user-mode process, it often has stronger protections (for example, Credential Guard or Protected Process Light) that make direct memory access more difficult. In contrast, Office 365–integrated apps and other cloud-connected processes may not have those same security measures, which can make token extraction easier. Worse yet, these tokens can have privileges that extend into various cloud services, potentially causing greater damage than a compromised local account.

At a minimum, turning on logging or anomaly detection for internal API calls can help reveal suspicious token usage—meaning you’d track typical patterns of API calls (who calls what, how often, at what times, etc.) and flag any outliers. For instance, if a token with standard user permissions starts performing admin-like actions on backend systems, or if an unusual volume of calls occurs outside normal work hours, that could trigger an alert for further investigation.
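The two outliers described above, as an added example that is not part of the original article: a per-token baseline built from internal API logs, then a pass over new records that flags admin-like actions from a standard-user token, actions a token has never performed before, and off-hours call volume far above that token's own baseline. The log records, field names, the ADMIN_ACTIONS set and the thresholds are constructed for this example.

```python
"""Baseline-and-outlier detection for token usage in internal API logs.

Added example, not from the article: it implements the cases the text names
(a standard-user token performing admin-like actions, an unusual call volume
outside working hours) plus the "who calls what" baseline. Log lines, field
names, ADMIN_ACTIONS and thresholds are constructed for this example.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Actions expected only from admin-scoped tokens (constructed list).
ADMIN_ACTIONS = {"users.delete", "roles.assign", "policies.update", "keys.create"}
WORK_HOURS = range(8, 19)   # 08:00-18:59 counts as normal working time
OFF_HOURS_FACTOR = 3        # alert when off-hours volume exceeds 3x the token's baseline

# Constructed baseline window (one normal day) and a constructed observation window.
BASELINE_LOG = """
{"ts": "2025-01-13T09:02:11", "token": "tok-u7", "scope": "user", "action": "files.list"}
{"ts": "2025-01-13T09:05:40", "token": "tok-u7", "scope": "user", "action": "files.read"}
{"ts": "2025-01-13T14:21:03", "token": "tok-u7", "scope": "user", "action": "files.read"}
{"ts": "2025-01-13T20:12:55", "token": "tok-u7", "scope": "user", "action": "files.read"}
{"ts": "2025-01-13T10:00:09", "token": "tok-a2", "scope": "admin", "action": "users.list"}
{"ts": "2025-01-13T10:01:30", "token": "tok-a2", "scope": "admin", "action": "roles.assign"}
""".strip().splitlines()

OBSERVED_LOG = """
{"ts": "2025-01-14T10:15:02", "token": "tok-u7", "scope": "user", "action": "files.read"}
{"ts": "2025-01-14T10:31:47", "token": "tok-u7", "scope": "user", "action": "roles.assign"}
{"ts": "2025-01-14T02:03:10", "token": "tok-u7", "scope": "user", "action": "files.read"}
{"ts": "2025-01-14T02:08:22", "token": "tok-u7", "scope": "user", "action": "files.read"}
{"ts": "2025-01-14T02:14:51", "token": "tok-u7", "scope": "user", "action": "files.read"}
{"ts": "2025-01-14T02:20:05", "token": "tok-u7", "scope": "user", "action": "files.read"}
{"ts": "2025-01-14T02:27:39", "token": "tok-u7", "scope": "user", "action": "files.read"}
{"ts": "2025-01-14T11:00:00", "token": "tok-a2", "scope": "admin", "action": "roles.assign"}
""".strip().splitlines()


def load(lines):
    """Parse one JSON record per line and turn the timestamp into a datetime."""
    records = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def hour_key(ts):
    return ts.strftime("%Y-%m-%d %H")


def is_off_hours(ts):
    return ts.hour not in WORK_HOURS


def build_baseline(records):
    """Per token: the actions it normally performs and its off-hours calls per hour."""
    baseline = {}
    for r in records:
        b = baseline.setdefault(r["token"], {"actions": set(), "off_hourly": Counter()})
        b["actions"].add(r["action"])
        if is_off_hours(r["ts"]):
            b["off_hourly"][hour_key(r["ts"])] += 1
    return baseline


def detect(baseline, records):
    """Return alert tuples; each names the check, the token and the evidence."""
    alerts = []
    off_hourly = defaultdict(Counter)
    for r in records:
        tok, act, ts = r["token"], r["action"], r["ts"]
        known = baseline.get(tok)
        # Case 1: a standard-user token performing an admin-like action.
        if r["scope"] == "user" and act in ADMIN_ACTIONS:
            alerts.append(("admin_action_from_user_token", tok, act, ts.isoformat()))
        # Case 2: a known token doing something it has never done in the baseline.
        elif known and act not in known["actions"]:
            alerts.append(("unseen_action_for_token", tok, act, ts.isoformat()))
        if is_off_hours(ts):
            off_hourly[tok][hour_key(ts)] += 1
    # Case 3: off-hours volume well above this token's own typical off-hours rate.
    for tok, hours in off_hourly.items():
        known = baseline.get(tok)
        typical = max(known["off_hourly"].values(), default=0) if known else 0
        for hour, n in sorted(hours.items()):
            if n > max(typical, 1) * OFF_HOURS_FACTOR:
                alerts.append(("off_hours_volume", tok, hour, n))
    return alerts


def run_demo():
    return detect(build_baseline(load(BASELINE_LOG)), load(OBSERVED_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The baseline here is a single day for brevity; in practice it would cover several weeks so that legitimate but infrequent admin work does not itself look anomalous.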

Zero Trust Increases Token Value

In a zero-trust setup, every request is authenticated—usually via a token. When those tokens become the primary way of granting access, attackers will prioritize stealing or forging them. Requiring continuous validation, checking for abnormal IP addresses or login times, and limiting privileges to the bare essentials can mitigate some of these risks.

User Education & MFA

Even robust technical defenses can fail if employees share their tokens or accept rogue MFA prompts. Attackers keep finding new ways to trick users into handing over access, including real-time phishing tactics that intercept session cookies. Regularly updating security training—and emphasizing the changing face of phishing—is crucial.

By keeping an eye on token usage, scanning for accidental leaks, and teaching employees to question unusual login prompts, organizations can make token abuse more difficult for attackers. It’s not an all-encompassing fix, but it helps curb the most common ways threat actors leverage stolen or forged tokens.

3. Evading EDR in Heavily Monitored Environments

As Endpoint Detection and Response (EDR) solutions become more common on workstations and servers, attackers have adapted. Instead of dropping obvious malware onto well-monitored endpoints, they’ll often store malicious tools on older or unmonitored systems (e.g., network appliances, print servers, exotic systems, outdated embedded devices) and later pivot into the EDR-guarded zone. However, not all attackers stop there—some actively disable EDR agents on highly monitored endpoints to move about undetected.

Below are some recurring tactics we’re observing:

Relying on Legitimate Accounts

Attackers often hijack compromised user or admin accounts to access files, internal apps, or cloud services. Because these actions seem normal on the surface, they frequently slip past rule-based detections. Baselines of typical user behavior or alerting on suspicious account usage can help spot these scenarios.

Direct Attacks on EDR Agents

Some adversaries go beyond evasion and deliberately disable the EDR’s visibility on a targeted system. They may load a known vulnerable driver, gaining kernel privileges to unhook or kill the security agent altogether. Once the agent is neutralized, attackers can deploy tools or tamper with the OS without detection. 

Minimizing Additional Tools

Rather than dropping custom executables (which EDR might flag), attackers use existing OS utilities (e.g., PowerShell, WMI) to escalate privileges, move laterally, or exfiltrate data. These “living off the land” techniques leave fewer artifacts and require closer scrutiny of standard processes to detect anomalies.

Staging Tools on Under-Protected Systems

Attackers often target devices that aren’t covered by modern EDR solutions—like older servers, virtual appliances, or networking appliances from vendors such as Fortinet, Ivanti, and Cisco. These devices not only suffer from recurring critical vulnerabilities but also offer limited logging and a restricted shell, making them hard to investigate thoroughly. By focusing on these “blind spots,” attackers can store malicious tools, launch deeper intrusions, and exfiltrate data without triggering the usual EDR alarms. If these systems aren’t regularly patched and closely watched, they remain a constant weak point in the network.

Layered Social Engineering

Gaining higher privileges often starts with subtle phishing or manipulation tactics. By impersonating help desk personnel, building rapport with employees, or sprinkling in accurate technical details, attackers trick people into revealing credentials. Once they have elevated access, they keep their actions low-key to avoid raising alarms.

Reconnaissance for Weak Spots

Attackers frequently scope out which endpoints are guarded by EDR or similar monitoring tools. They might read internal documentation or test quiet scans to see what triggers alerts. This reconnaissance phase is marked by caution—any loud move could blow their cover.

Stealthy Persistence

To avoid leaving clear IOCs, attackers combine Windows Registry modifications, scheduled tasks, or WMI event subscriptions with stolen tokens from valid sessions. A valid token may allow them to continuously re-authenticate without dropping any new binaries. In a large environment, this can linger for weeks if there are no specific checks for reused or anomalous tokens. Organizations need continuous, behavior-based monitoring to detect unexpected processes, modified configurations, and suspicious token usage.

4. Abuse of Legitimate Software

Attackers are increasingly swapping out traditional malware for legitimate software to evade detection. Whereas classic remote access trojans (RATs) often trigger antivirus and EDR alerts, legitimate tools like ConnectWise Control, AnyDesk, NetSupport, TeamViewer, Atera, LogMeIn, or Splashtop usually fly under the radar because they’re widely used by IT teams. The same goes for built-in utilities and common third-party applications that aren’t inherently malicious. When adversaries exploit these, it’s harder for security products to flag the activity as unusual – especially in large organizations.

For a comprehensive list of remote monitoring and management (RMM) software that can be abused, check out LOLRMM.io. It’s a curated catalog of legitimate RMM tools that threat actors might leverage. Use it to inform your threat hunting, detection rules, and policy creation.


Here are some key trends we’re seeing:

Persistence Without Malware

Instead of deploying custom binaries, attackers install legitimate remote access software with benign-sounding names. Because these tools aren’t flagged as malicious, they help attackers remain on the network longer without triggering the usual alarms.

Lateral Movement with Built-in Tools

Beyond remote access, attackers also rely on built-in OS utilities (like net.exe, sc.exe, WMI, or even scheduled tasks) to explore and pivot across the environment. This strategy further masks their presence since they’re only using functionality that system administrators use daily.

Hiding in Plain Sight

Many threat actors register or reuse official-looking certificates and domain names (for example, connecting to “support.yourcompany.com”) to blend into real admin traffic. Security teams might notice some suspicious command sequences if they’re watching closely, but the software itself often goes unnoticed.

Configuration Backdoors

Some attackers don’t even need to run a process continuously. They alter configurations or schedules in existing tools. For instance, a legitimate remote management solution might be set to launch after hours, connecting back to an attacker-controlled server. Without a baseline of normal usage, it can be tough to see these modifications.

“Malware-less” Attacks

Because this approach doesn’t rely on a discrete piece of malware, it sidesteps many classic detection methods. Alerting on suspicious behaviors or unexpected connections becomes essential. Tools and processes that appear valid at first glance can still be used to exfiltrate data or execute commands silently.

5. AI-Aided Attacks – What’s Really Happening

For years, experts have debated the potential for game-changing AI-driven cyberattacks. While AI can streamline malicious operations, we’re not yet seeing radically new exploits. Instead, threat actors mostly use AI to speed up or automate tasks they already do—like writing scripts, debugging code, or crafting phishing lures.


Our findings align with recent analysis by the Google Threat Intelligence Group, who break down AI misuse into four broad categories:

Research & Reconnaissance

Attackers use AI to gather intelligence on target organizations, look up vulnerabilities, and sift through large data sets or open-source reports. This makes it easier for them to pinpoint weak spots and refine future exploits without manually combing through dense documentation.

Phishing & Social Engineering

AI-driven text generation helps create believable phishing messages in any language and can even spin up fake personas for social engineering or disinformation campaigns. The grammar is better, and the phrasing can be tailored to specific targets, reducing red flags.

Malware Development & Scripting

From coding new tools to obfuscating existing scripts, AI can automate much of the grunt work. Attackers—especially those with limited coding skills—gain the ability to produce or refine malicious software more quickly and with fewer errors.

Automation & Evasion

AI can assist with scripting tasks that bypass security measures, escalate privileges, and evade detection. It also lets attackers rapidly generate variants of known attacks, forcing defenders to react faster and update signatures or detections more often.

No Revolutionary Shift—Yet

Even with these AI-enabled efficiencies, there’s no sign of “AI-only” attacks or groundbreaking new exploits driven purely by machine learning. Most of the advantage lies in speed and scale: Threat actors spend less time writing or localizing content and more time on actual infiltration. The real concern going forward is the proliferation of powerful open-source AI models with minimal guardrails, which could further accelerate malicious automation and make these categories of misuse more accessible to a wider range of adversaries.

Conclusion

From supply chain attacks and token abuse to advanced evasion and the misuse of legitimate software, attackers are still relying on familiar methods—just with new twists and a growing interest in AI. Despite these evolving trends, unpatched appliances and missing MFA remain the most common pathways into an organization. While AI speeds up certain steps for attackers, it doesn’t turn breaches into an entirely new game. Instead, it’s an additional tool that defenders also need to adopt—otherwise, they risk falling behind.

Nextron’s Approach to Advanced Threat Detection

Nextron provides specialized digital forensics solutions designed to detect threats that traditional security tools often overlook. Our technology identifies unusual system behavior, hidden malicious activity, and sophisticated attacks that evade conventional antivirus and EDR products.

Our comprehensive signature set detects a broad spectrum of threats, including attacker toolkits, forensic traces, abuse of legitimate applications, and supply chain-based compromises. This extends to identifying “malware-free” intrusions, where adversaries operate without deploying conventional malware, making them difficult to detect.

Additionally, Nextron’s solutions support flexible scanning for unsupported or legacy systems that standard EDR platforms cannot monitor. This allows organizations to expand their detection coverage, ensuring a more comprehensive and actionable security posture across their entire environment.

Uncover Hidden Threats with THOR Cloud – Now at 50% Off!
https://www.nextron-systems.com/2024/11/26/uncover-hidden-threats-with-thor-cloud-now-at-50-off/
Tue, 26 Nov 2024 11:57:31 +0000

Are you looking for an efficient, cloud-managed solution to streamline your threat detection and compromise assessments? This Black Friday, we’re offering 50% off all THOR Cloud scan packages.

Why THOR Cloud?

  • No Setup Hassle: Start scanning within minutes—no agents or servers required.
  • Proven Detection Power: Leverage 30,000+ YARA rules, 2,000 Sigma rules, and thousands of IOCs to identify threats traditional tools miss.
  • Flexibility: Automate daily, weekly, or custom scan schedules to ensure ongoing coverage.

Whether you’re conducting forensic investigations, validating alerts, or scanning for compliance, THOR Cloud delivers a powerful, easy-to-use solution for every environment.

📅 Offer Valid Until December 20, 2024

👉 Explore the Deal and Save 50% Today

Don’t miss this chance to enhance your threat detection capabilities at half the cost.

THOR Evolution: THOR 10.7 Stable Release and the Approach of 11 TechPreview
https://www.nextron-systems.com/2024/11/23/thor-evolution-thor-10-7-stable-release-and-the-approach-of-11-techpreview/
Sat, 23 Nov 2024 12:56:13 +0000

We are excited to announce that THOR 10.7 will become the new default scanner version for ASGARD users starting Thursday, November 28th, 2024.

This update introduces significant performance enhancements, including faster scan times, improved archive handling, and refined resource management. ASGARD-managed scans initiated after this date will default to THOR 10.7 unless configured otherwise, ensuring that all customers benefit from the latest detection capabilities and optimizations. Existing scheduled group scans will continue using their previously configured scanner versions (typically THOR 10.6), with clear warnings and options to update to the new version.

Key Features in THOR 10.7

  • Memory-Mapped File Scanning: Enhanced speed and reduced I/O bottlenecks.
  • Improved JSON Reporting: More detailed and structured output. (details)
  • Selective Initialization: Advanced selectors and filters to streamline scans. (details)
  • Email Parsing: Scans email formats like .eml and .msg for embedded threats.
  • Enhanced Archive Scanning: Support for .cab, .7z, .gzip, and recursive nested archive scanning.
  • Bulk Scanning Optimization: Improved throughput for large-scale scanning.
  • Refined HTML Report Generation: Lower memory usage and reduced CPU load during processing.
  • Unified YARA Rule Sets: A single rule set with namespaces for higher performance.
  • Configurable Color Schemes and Output Encryption: Enhanced customization and security. (details)
  • Output Encryption at Runtime (details)

New Features in THOR 10.7: Enhancements and Flexibility

Enhancing Detection and Efficiency with Memory-Mapped Scanning

One of the most impactful improvements in THOR 10.7 is the introduction of memory-mapped file scanning, which significantly accelerates scans and reduces disk I/O. This new approach improves overall performance by leveraging memory for file access, allowing scans to complete faster while decreasing wear on disks. For most environments, these improvements will result in more efficient scanning with minimal configuration changes.

To ensure that THOR 10.7 operates reliably across diverse environments, users have options to tailor memory usage:

  • Disable memory mapping with the --nommap flag, which may be useful for systems with strict memory limitations, though this comes at the cost of slower scans.
  • Fine-tune resource control: ASGARD adjusts THOR’s resource settings dynamically, optimizing scan reliability for both high-performance and resource-constrained systems.

Initialization Filters and Selectors

With THOR 10.7, the Init Selector and Init Filter functionalities offer unparalleled flexibility in customizing scans. These options enable users to focus on specific threat campaigns or exclude less relevant rules for tailored scanning workflows.

For example:

  • Use --init-selector to target specific threats or campaigns:
    --init-selector MOVEit
    --init-selector RANSOM,Lockbit
  • Use --init-filter to exclude rules you don’t need:
    --init-filter PUA_TeamViewer

These filters apply to rule names, tags, and descriptions, offering granular control over signature selection. Combined with the --print-signatures or --print-signatures-json flags, users can verify selected or excluded rules, ensuring precision in their scans. This feature is particularly useful for targeted threat investigations, optimizing performance while maintaining detection accuracy.

JSON Enhancements and the Road Ahead

THOR 10.7 introduces the JSON format version 2, offering significant improvements to the structure and usability of scan outputs. This new format enhances compatibility with modern forensic tools and workflows, making it easier to extract and analyze critical information. Users can activate JSON version 2 with the following flags:

--jsonfile --jsonv2

While JSON version 2 represents a major step forward, it is also a transitional format. The upcoming release of THOR 11 will feature an even more comprehensive JSON format version 3 (or version 2.1). This future iteration will incorporate fully nested structures and lists, ensuring seamless integration with advanced tools like SIEM systems and Cribl configurations. These enhancements will provide greater detail and flexibility for in-depth investigations and automated workflows.

Organizations adopting JSON version 2 in THOR 10.7 will benefit immediately from its improvements and find the transition to the next version in THOR 11 straightforward, ensuring continuous compatibility and advanced functionality.

Email Parsing and Enhanced Archive Scanning

THOR 10.7 expands its capabilities with improved support for email and archive scanning:

  • Email Parsing: THOR can now scan .eml and .msg email formats, detecting malicious attachments and embedded threats. This feature ensures more thorough coverage of phishing-related attacks and email-borne threats.
  • Enhanced Archive Handling: Support for .cab, .7z, and .gzip files, as well as recursive scanning of nested archives, allows users to detect threats hidden in complex compressed file structures. These improvements streamline the process of analyzing large datasets or artifact collections, ensuring no malicious content is overlooked.

Together, these features strengthen THOR’s ability to detect threats hidden in commonly abused file formats, making it a powerful tool in comprehensive compromise assessments and incident investigations.

Effects of Changes for ASGARD Customers

THOR 10.7 introduces a more adaptive resource management approach in ASGARD to reduce scan failures caused by memory constraints. Previously, ASGARD enforced a strict 2GB memory cap, which occasionally caused scan interruptions even on systems with ample available memory.

With the updated mechanism:

  • ASGARD evaluates memory usage dynamically, terminating THOR scans only if the process exceeds 2GB and uses more than 50% of the system’s total memory. This ensures scans proceed smoothly on high-memory systems while protecting systems with limited resources.
  • The “Ignore Memory Limit” option allows customers to completely bypass these checks, enabling scans to continue regardless of memory usage.

Existing group scans will retain their current THOR versions (e.g., 10.6) but can be updated to 10.7. Starting November 28th, all new scans—including single and group scans—will default to THOR 10.7, ensuring customers benefit from the latest features and optimizations.

Configuring THOR 10.7 for Limited Hardware Resources

For systems operating under tight hardware constraints, users can disable memory mapping with the --nommap flag. While this option reduces memory usage, it may lead to slower scan speeds and increased disk activity. For most ASGARD-managed environments, we recommend keeping memory mapping enabled to fully leverage THOR 10.7’s performance improvements. This flexibility allows users to adapt the scanner to diverse operational requirements without compromising its core functionality.

End-of-Support Announcements

  • THOR 10.6: The current stable version will reach its end-of-life (EOL) on April 30, 2025. Users are encouraged to upgrade to THOR 10.7 to ensure continued support and access to the latest features.
  • Legacy Systems Support: The upcoming THOR 11 TechPreview will discontinue support for older operating systems, including Windows 7, Windows 8, Windows 2008 R2, and Windows 2012. Customers relying on these platforms can continue using THOR Legacy with a legacy license to maintain scanning capabilities.

Conclusion

The release of THOR 10.7 as the default version for ASGARD represents a significant step forward in detection capabilities, efficiency, and reliability. With faster scans, reduced disk I/O, and customizable resource controls, THOR 10.7 is designed to perform optimally across diverse environments. While existing group scans will continue using their configured scanner versions, we recommend upgrading to THOR 10.7 to take full advantage of its advanced detection capabilities and optimizations.

Starting November 28th, all new scans will default to THOR 10.7, ensuring your organization is equipped with the latest and most robust scanner available. Embrace this opportunity to enhance your detection workflows and strengthen your security posture with THOR 10.7.

Antivirus Event Analysis Cheat Sheet v1.14.0 https://www.nextron-systems.com/2024/11/02/antivirus-event-analysis-cheat-sheet-v1-14-0/ Sat, 02 Nov 2024 13:37:47 +0000 https://www.nextron-systems.com/?p=23923 The post Antivirus Event Analysis Cheat Sheet v1.14.0 appeared first on Nextron Systems.


We’ve updated our Antivirus Event Analysis Cheat Sheet to version 1.14.0.

  • Updates in several sections
  • Many new malware and hack tool signature names
  • More interesting folders to monitor more closely
  • The VirusTotal assessments line has been shortened

You can download the new version here.

Tip: to always find the newest version of the cheat sheet, use this search query.

Changes:

Introducing @NextronResearch: A New Channel for Threat Intelligence https://www.nextron-systems.com/2024/10/31/introducing-nextronresearch-a-new-channel-for-threat-intelligence/ Thu, 31 Oct 2024 08:11:10 +0000 https://www.nextron-systems.com/?p=23895 The post Introducing @NextronResearch: A New Channel for Threat Intelligence appeared first on Nextron Systems.


As part of our commitment to sharing valuable threat intelligence and detection insights, we’re excited to announce the launch of a dedicated Twitter account for Nextron Research: @nextronresearch. This account will be our team’s platform for sharing detailed findings, detection rules, and analyses of interesting samples that might be too niche or technical for general audiences.

Why a Separate Account?

For some time, we’ve been sharing detection updates and sample insights from personal accounts and the @nextronsystems account, but we realized that this might be too much for followers who are more interested in general security discussions. By creating a dedicated space, we’re able to focus on technical content without overwhelming those looking for a broader mix of topics.

What to Expect

On @nextronresearch, our team will regularly post about:

  • Detection rule updates – New or updated rules for identifying threats.
  • Sample analyses – Breakdowns of noteworthy malware samples.
  • Threat intelligence insights – Observations on emerging threats, TTPs, and more.

This channel will be a direct line from our research team to you, giving you the latest on what we’re working on and the threats we’re tracking. And don’t worry — key updates will still be shared on our personal accounts and retweeted here, so you won’t miss anything crucial.

Join Us on This New Journey

If you’re passionate about threat intelligence, malware analysis and detection engineering, follow us at @nextronresearch to stay in the loop. We’re looking forward to sharing our insights and engaging with the community in this dedicated space.

Introducing THOR Cloud: Next-Level Automated Compromise Assessments https://www.nextron-systems.com/2024/08/02/introducing-thor-cloud-next-level-automated-compromise-assessments/ Fri, 02 Aug 2024 12:23:13 +0000 https://www.nextron-systems.com/?p=22734 The post Introducing THOR Cloud: Next-Level Automated Compromise Assessments appeared first on Nextron Systems.


Since the launch of THOR Cloud Lite in September, our team has been dedicated to developing a more powerful version of THOR Cloud that incorporates the full scanner with its extensive suite of forensic modules and expansive detection signature database. Today, we are excited to announce the general availability of THOR Cloud, which offers a streamlined method for conducting automated compromise assessments on your endpoints.

Like its predecessor, THOR Cloud requires neither agents on the endpoint nor servers or services inside your network. Setup is straightforward: create an account and you can start scanning immediately. The platform’s intuitive interface lets new users get started in minutes, with no Windows command lines to navigate and no extensive training or user manuals required.

After a scan is completed, the launcher automatically cleans up by removing itself along with the downloaded scanner, ensuring that nothing resides on the local hard drive. Additionally, reports can be encrypted with your public RSA key, providing robust end-to-end encryption for maximum security. Whether it’s for targeted compromise assessments, speeding up forensic analysis, or enabling your SOC team to verify alerts from your EDR, THOR Cloud offers a lightweight, efficient, and highly effective solution focused on detecting and analyzing hacking activities.
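To make “encrypted with your public RSA key” concrete, here is an added example in Go (not THOR Cloud’s implementation, whose exact construction the post does not describe) of the standard hybrid scheme such a feature needs: a fresh AES-256-GCM key encrypts the report, and only that key is wrapped with RSA-OAEP under the recipient’s public key, since RSA alone cannot encrypt a report-sized message. The OAEP label, the key size and the sample report are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Sealed is an encrypted report: the AES key wrapped with the recipient's RSA
// public key, plus the AES-GCM nonce and ciphertext. Only the private-key
// holder can unwrap the key, so the report stays opaque to whoever stores or
// relays it.
type Sealed struct {
	WrappedKey, Nonce, Ciphertext []byte
}

// oaepLabel binds the wrapped key to this purpose; the value is an assumption.
var oaepLabel = []byte("report-key-v1")

// NewRecipientKey generates the customer's key pair. In practice this happens
// offline on the customer's side and only the public key is handed over.
func NewRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts report under a fresh 256-bit AES-GCM key and wraps that key
// with RSA-OAEP (SHA-256). The wrapped key is also fed to GCM as additional
// authenticated data, so swapping the key header for another one is detected.
func Seal(pub *rsa.PublicKey, report []byte) (*Sealed, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Sealed{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, report, wrapped),
	}, nil
}

// Open reverses Seal with the private key. GCM authenticates nonce, ciphertext
// and wrapped key together, so a tampered report fails here rather than
// decrypting to garbage.
func Open(priv *rsa.PrivateKey, s *Sealed) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, s.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("key unwrap failed: wrong private key or corrupted header")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(s.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	plain, err := gcm.Open(nil, s.Nonce, s.Ciphertext, s.WrappedKey)
	if err != nil {
		return nil, errors.New("authentication failed: ciphertext or header was modified")
	}
	return plain, nil
}

func main() {
	priv, err := NewRecipientKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample report, not real scanner output.
	report := []byte(`{"host":"ws-0042","level":"Alert","score":140}`)
	sealed, err := Seal(&priv.PublicKey, report)
	if err != nil {
		panic(err)
	}
	plain, err := Open(priv, sealed)
	fmt.Printf("%d plaintext bytes -> %d ciphertext bytes; decrypts to %s (err=%v)\n",
		len(report), len(sealed.Ciphertext), plain, err)
}
```

The property worth checking when evaluating any “encrypt with my public key” feature is the one the test below exercises: the ciphertext must not decrypt under a different private key, and flipping a single byte of either the body or the wrapped-key header must be rejected rather than produce a silently altered report.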

Key Differences Between THOR Cloud and THOR Cloud Lite

THOR Cloud is engineered for organizations and professional services that demand deep, comprehensive forensic capabilities with extensive coverage. It provides a complete suite of forensic modules and access to a broad database of over 32,000 detection rules for detailed security assessments.

Conversely, THOR Cloud Lite is better suited for individuals, non-profits, and organizations that maintain their own set of detection rules and require very targeted and specific scans for a narrow range of threats. This makes it ideal for users who perform specialized, less comprehensive security checks.

Expanded Scanning Capabilities

THOR Cloud:

  • Equipped with the full version of the THOR scanner, including all 31 forensic modules.
  • Utilizes a vast signature database with over 30,000 YARA rules, 2,000 Sigma rules, and thousands of IOCs, ensuring thorough detection and analysis of security threats.

THOR Cloud Lite:

  • Operates with a basic version, THOR Lite, featuring a limited set of open-source YARA rules and IOCs.

Licensing and Usage Flexibility

THOR Cloud:

  • Provides a scan- and host-based licensing model that supports unlimited scans on specified endpoints within a subscription period, ideal for enterprises needing extensive, regular scanning.
  • Allows commercial use for service providers.

THOR Cloud Lite:

  • Offers only a scan-based licensing model, which is suitable for organizations with infrequent scanning needs.
  • Restricted to non-commercial use, primarily intended for educational or personal exploration.

Data Retention and Security

THOR Cloud:

  • Supports storing encrypted scan reports for up to one year, aiding in compliance and long-term security analysis.

THOR Cloud Lite:

  • Retains reports for up to three months, suitable for less stringent retention needs.
  • Does not support encrypted reports, which may limit its use in environments requiring high data confidentiality.

Highlights

Nextron’s Private Signature Set

THOR Cloud leverages Nextron’s full private signature set, encompassing more than 32,000 detection rules, to provide comprehensive threat identification capabilities. This extensive set includes a wide array of generic and highly effective detection rules designed to identify a diverse range of hacking-related threats. From backdoors and web shells to hack tools and their outputs, the signature set is adept at detecting malicious activities and system anomalies.

Scheduled Rescans

THOR Cloud simplifies ongoing security assessments through its Scheduled Rescans feature, which automatically sets up and manages scheduled tasks or cron jobs on target systems. Users can easily configure multiple campaigns with different frequencies—such as daily quick scans and weekly full scans—directly from the campaign configuration menu. 

New HTML Report (coming in Q4/2024)

THOR Cloud’s latest update introduces enhanced HTML reports, designed to improve readability and interactivity for a streamlined user experience. These reports leverage the sophisticated JSON output of the forthcoming THOR v11, set for a TechPreview in Q4/2024, ensuring detailed and actionable security insights.

Key features include optimized UX for better navigation, interactive elements such as report-based and global filter management, which allow users to apply filters across various reports within a campaign. Important aspects of findings are automatically highlighted, drawing immediate focus to critical data points.

Additionally, the integration of ChatGPT introduces conversational AI capabilities, enabling dynamic interactions with report data for deeper analytical insights. This suite of enhancements transforms the HTML reports into a more interactive and user-centric tool, facilitating efficient threat assessment and management.

Planned Upgrades and Features in THOR Cloud

THOR Cloud is preparing to implement several enhancements aimed at extending its capabilities and refining the user experience. These updates focus on technical improvements and functionality expansions:

Enhanced HTML Reports: Pending the deployment of THOR v11 and its refined JSON output, THOR Cloud plans to introduce upgraded HTML reports. These reports will incorporate enhanced user interfaces for improved navigation and readability, along with new filter management features that will allow users to apply and manage filters within individual reports or across multiple campaign reports.

Filter Creation and Application: Alongside improvements to HTML reports, THOR Cloud will enable users to create and manage filters on both a campaign-specific and a global level. 

User Management Enhancements: Updates to the user management system are expected to improve administrative control over user roles and access rights.

SIEM Forwarding Management: Currently, THOR Cloud enables the direct transmission of logs from endpoint scans to any accessible SIEM or log management system via SYSLOG/JSON data streams. Building on this capability, future updates will introduce an API-managed SIEM forwarding feature. This enhancement will allow users to configure THOR Cloud to automatically forward events to a cloud-based SIEM of their choice, streamlining the integration and management of SIEM data streams within the THOR Cloud environment.
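The SIEM-side counterpart, as an added example that is not Nextron’s code: a parser for RFC 5424 syslog lines whose MSG part is a JSON object, which is the shape a “SYSLOG/JSON” stream takes on the wire. The sample lines and the JSON field names are constructed for this example and do not reflect THOR’s real log schema; the point is the validation a receiver should do (PRI range, version, timestamp, structured data, JSON body) before events are handed to detection rules.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)
// Event is one syslog record whose MSG part carried a JSON object.
type Event struct {
	Facility, Severity int
	Timestamp          time.Time
	Host, App          string
	Fields             map[string]interface{}
}
// splitSD separates STRUCTURED-DATA ("-" or one or more "[...]" elements,
// where a ']' inside a value is escaped as "\]") from the MSG that follows.
func splitSD(s string) (sd, msg string, err error) {
	if s == "-" || strings.HasPrefix(s, "- ") {
		return "-", strings.TrimPrefix(s[1:], " "), nil
	}
	if !strings.HasPrefix(s, "[") {
		return "", "", errors.New("malformed structured data")
	}
	esc := false
	for i := 1; i < len(s); i++ {
		switch {
		case esc:
			esc = false
		case s[i] == '\\':
			esc = true
		case s[i] == ']':
			if i+1 < len(s) && s[i+1] == '[' { // another SD-ELEMENT follows
				i++
				continue
			}
			return s[:i+1], strings.TrimPrefix(s[i+1:], " "), nil
		}
	}
	return "", "", errors.New("unterminated structured data")
}

// ParseLine parses one RFC 5424 line "<PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG" and
// decodes MSG as JSON. Bad headers and non-JSON bodies are rejected rather than stored as
// free text, so downstream rules can rely on the fields being present.
func ParseLine(line string) (Event, error) {
	var ev Event
	end := strings.IndexByte(line, '>')
	if !strings.HasPrefix(line, "<") || end < 0 {
		return ev, errors.New("missing PRI")
	}
	pri, err := strconv.Atoi(line[1:end])
	if err != nil || pri < 0 || pri > 191 {
		return ev, errors.New("PRI out of range")
	}
	ev.Facility, ev.Severity = pri/8, pri%8
	parts := strings.SplitN(line[end+1:], " ", 7) // VERSION TS HOST APP PROCID MSGID rest
	if len(parts) < 7 || parts[0] != "1" {
		return ev, errors.New("unsupported version or short header")
	}
	if ev.Timestamp, err = time.Parse(time.RFC3339, parts[1]); err != nil {
		return ev, fmt.Errorf("timestamp: %w", err)
	}
	ev.Host, ev.App = parts[2], parts[3]
	_, msg, err := splitSD(parts[6])
	if err != nil {
		return ev, err
	}
	msg = strings.TrimPrefix(msg, "\xef\xbb\xbf") // RFC 5424 permits a BOM before MSG
	if err := json.Unmarshal([]byte(msg), &ev.Fields); err != nil {
		return ev, fmt.Errorf("JSON body: %w", err)
	}
	return ev, nil
}

// Ingest parses a batch, returning the well-formed events and the number of rejects;
// a real pipeline would route rejects to a dead-letter queue instead of dropping them.
func Ingest(lines []string) (events []Event, rejected int) {
	for _, l := range lines {
		if ev, err := ParseLine(l); err != nil {
			rejected++
		} else {
			events = append(events, ev)
		}
	}
	return events, rejected
}

// Constructed sample lines; the JSON field names are invented for this example
// and are not THOR's real output schema.
var sampleLines = []string{
	`<14>1 2025-04-11T12:49:56Z ws-0042 scanner - - - {"level":"Alert","module":"Filescan","score":140,"file":"C:\\inetpub\\wwwroot\\x.aspx"}`,
	`<13>1 2025-04-11T12:50:01Z ws-0042 scanner - - [meta@32473 iut="3"] {"level":"Warning","module":"Filescan","score":70}`,
	`<13>1 2025-04-11T12:50:02Z ws-0042 scanner - - - not json at all`,
}

func main() {
	events, rejected := Ingest(sampleLines)
	for _, ev := range events {
		fmt.Printf("%s sev=%d host=%s level=%v module=%v\n", ev.Timestamp.Format(time.RFC3339), ev.Severity, ev.Host, ev.Fields["level"], ev.Fields["module"])
	}
	fmt.Printf("%d parsed, %d rejected\n", len(events), rejected)
}
```

Run against the three sample lines, the two JSON records parse (including the one that carries a structured-data element before the body) and the free-text line is counted as rejected. The same checks belong in front of any rule that keys on a field such as level or score: a line that fails to parse and is stored as raw text silently bypasses those rules, which is why the reject count should be monitored rather than ignored.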

AI Integration: The integration of AI technologies is planned to introduce event clustering and automated event assessment. These AI-driven features are designed to improve the accuracy and efficiency of the platform’s threat detection processes.

Legacy Operating System Support: To accommodate a broader range of user environments, THOR Cloud will extend its support to older Windows operating systems through THOR Legacy, allowing the platform to cover systems back to Windows XP and Windows 2003.

THOR Thunderstorm Integration: Future integration with THOR Thunderstorm will enable the THOR launcher to function as a sample collector. This feature will facilitate the transmission of samples to a Thunderstorm service hosted in the cloud, enhancing the platform’s analytical capabilities.

 

In Conclusion

As THOR Cloud continues to evolve, we’re excited to roll out new features that enhance the capabilities and usability of our platform. With upcoming enhancements like advanced SIEM integration and improved HTML reports, we aim to further streamline the security processes for our users.

We are gearing up to offer THOR Cloud to our existing customer base and to those prospects who have already expressed interest. We will continue to accept and welcome further requests for access as we expand our services.

Stay tuned for these updates, and please reach out to our sales team or visit the product page for more information.

Antivirus Event Analysis Cheat Sheet v1.13.0 https://www.nextron-systems.com/2024/07/17/antivirus-event-analysis-cheat-sheet-v1-13-0/ Wed, 17 Jul 2024 11:54:38 +0000 https://www.nextron-systems.com/?p=22757 The post Antivirus Event Analysis Cheat Sheet v1.13.0 appeared first on Nextron Systems.


We’ve updated our Antivirus Event Analysis Cheat Sheet to version 1.13.0.

  • Updates in several sections
  • New signatures for various shellcode detections
  • New extensions: .MSC, .VBE, .WLL, .XLL

You can download the new version here.

Tip: to always find the newest version of the cheat sheet, use this search query.

THOR’s Power Unleashed: Multi-Threading for the Masses https://www.nextron-systems.com/2024/05/03/thors-power-unleashed-multi-threading-for-the-masses/ Fri, 03 May 2024 14:45:48 +0000 https://www.nextron-systems.com/?p=22314 The post THOR’s Power Unleashed: Multi-Threading for the Masses appeared first on Nextron Systems.


We’re excited to announce a significant update to THOR, our comprehensive digital forensic scanner, which now extends multi-threading capabilities to both the standard version and THOR Lite. Previously exclusive to our forensic lab license holders, this enhancement allows users across all versions to leverage multiple CPU cores to expedite their scans.

Multi-threaded scanning is now available in THOR TechPreview 10.7.15 and THOR Lite 10.7.15 for both standard and free licenses.

Adjusting the number of threads in THOR is straightforward and adaptable. By default, THOR operates with a single thread—a decision made to prioritize system load and stability over scan speed. Users can specify the number of threads using the --threads flag; for example, --threads 2 sets it to two threads.

However, two other options may prove more practical, considering the actual number of CPU cores available.

Using --threads 0 configures THOR to utilize all available cores. Note that this setting can significantly load the system, potentially affecting other applications or services.

Alternatively, setting the number of threads to a negative value lets users reserve some cores for other tasks. For instance, --threads -4 would use all cores except four. If a system has only four cores, then only one core would be used for THOR.

New Lab License Feature: Audit Trail

We’re pleased to introduce a new feature for our lab license holders, with more exciting updates on the horizon. The feature, called “Audit Trail,” can be activated during a scan using the --audit-trail flag. This generates a comprehensive log file in JSON format, capturing detailed output for each module and documenting every element that THOR interacts with during a scan.

The Audit Trail feature is currently available in TechPreview version 10.7. The output format isn’t finalized yet, as it will be refined for THOR v11, but this early version allows you to explore the kinds of elements it includes. The audit trail is ideal for forensic analysts conducting manual investigations, providing a detailed record of the scan process.

We’re also developing tools to further enhance the audit trail’s utility. These tools will help transform the data for use with your preferred timeline tools and enable correlations within its contents. For example, you can analyze whether a file was created within a relevant time frame, executed shortly after, and is still running as a process.

If you have questions about these features or want to report any issues, please join our community Discord server.

Protecting Your Business: Addressing the Microsoft Exchange Vulnerability Crisis https://www.nextron-systems.com/2024/04/03/microsoft-exchange-vulnerability-crisis/ Wed, 03 Apr 2024 14:31:53 +0000 https://www.nextron-systems.com/?p=21765 Discover how to safeguard your business from the ongoing Microsoft Exchange vulnerability crisis highlighted by the German Federal Office for Information Security (BSI). Learn about critical warnings, the importance of patching, and how automated compromise assessments with THOR Cloud Lite can fortify your cybersecurity strategy.

The German Federal Office for Information Security (BSI) has issued a warning that underscores a critical cybersecurity threat: over 17,000 Microsoft Exchange servers in Germany are exposed online, vulnerable to critical security vulnerabilities. This situation presents a significant risk to the IT infrastructure of affected organizations and their operational security. IT management and decision-makers must urgently adopt measures to protect their networks from potential cyberattacks.

The German BSI Alert: A Critical Warning

The BSI’s alert brings to light the precarious state of Microsoft Exchange servers across Germany, with around 37% of systems found to be critically vulnerable. This includes outdated versions such as Exchange 2010 and 2013, which make up 12% of the installations and have not been updated since October 2020 and April 2023, respectively. Additionally, nearly 28% of the servers running newer versions like Exchange 2016 and 2019 are missing essential patches for critical security flaws that could be exploited in remote code execution attacks.

The BSI warning also highlights a crucial point: for systems that have been exposed online, relying on patching alone is not enough. A significant share of these servers remain critically vulnerable because they run outdated versions or lack patches for known flaws, and any of them may have been compromised before a patch was applied. Patching is a necessary maintenance step, but it does not remove an attacker who is already inside. For such systems, a thorough compromise assessment is the essential next step: it determines whether a breach occurred, how far it extends and whether attackers remain in the network, and it guides the response needed to secure the affected systems.


Patching and the Critical Need for Compromise Assessment

Patching plays a crucial role in protecting Microsoft Exchange servers from cyber attackers by addressing known vulnerabilities. However, vulnerabilities can be exploited before patches are applied, leaving organizations unknowingly at risk. This underscores the need for compromise assessments, especially after applying patches to previously vulnerable systems.

Compromise assessments are vital for determining if a system was compromised before the patch was implemented. These assessments help identify whether attackers have remained dormant within the network, potentially engaging in malicious activities such as credential dumping and lateral movement. Identifying signs of a successful attack early can prevent a minor breach from escalating into a more severe and extensive compromise. Given the complexity and expertise required for thorough assessments, automated solutions like THOR Cloud Lite offer a practical and efficient alternative to manual investigations.

Automated Compromise Assessments with THOR Cloud Lite

For those seeking an automated approach to compromise assessments, our THOR Cloud Lite offers a practical solution. While the full THOR Cloud service is slated for release in Q2/2024, THOR Cloud Lite is currently available and provides a robust set of features tailored for efficient and automatic compromise assessments.

THOR Cloud Lite utilizes a comprehensive, though reduced, open-source rule set and a selection of THOR’s advanced modules to effectively uncover evidence of the exploitation of vulnerabilities. This focus on post-exploitation activities allows organizations to swiftly identify signs of compromise, such as lateral movements, credential dumping, and other indicators of malicious activity within their network.

Benefits of Using THOR Cloud Lite for Your Security Strategy

  • Efficient Detection: Leverage the power of THOR Cloud Lite to detect signs of exploitation with significantly less effort and time compared to manual investigations.
  • Accessibility: With THOR Cloud Lite, organizations can start enhancing their cybersecurity posture immediately, taking advantage of up to 30 scans per month without any cost.
  • Preparation for THOR Cloud: As we prepare for the launch of THOR Cloud, users of THOR Cloud Lite can familiarize themselves with the process of automated compromise assessments, setting the stage for a seamless transition to the more comprehensive features THOR Cloud will offer upon its release.

THOR Cloud Lite represents an effective step forward in automating compromise assessments, providing organizations with a valuable tool in their cybersecurity arsenal as they await the full capabilities of THOR Cloud.
