In this blog post, we address a critical security concern and explore methods for evaluating potential compromises on devices like Ivanti Endpoint Manager Mobile (EPMM) / MobileIron Core using THOR or the free THOR Lite YARA and IOC scanners. Recently, a severe remote...
How to Perform Compromise Assessments on NetScaler / Citrix ADC Appliances Using THOR
In today's interconnected world, cyber adversaries are increasingly targeting and exploiting Internet-facing appliances and devices with unconventional or restricted operating systems. A pressing concern for users is whether it's possible to perform a compromise...
How to scan Docker images using THOR – Part 1
In this blog article, we will talk about how you can use THOR to scan Docker images. Consider the following use case: Before using an upstream Docker image, you want to precheck it for known IOCs and backdoors. THOR can help you with this!Prerequisites Docker image...
Silent Scanning – Compromise Assessment with THOR Lite on a Compromised Exchange 2019 Server
The following video shows a compromise assessment with our free THOR Lite scanner on a Microsoft Exchange 2019 server detecting ProxyShell and ProxyToken exploitation. We've done no post-editing in this video. You can jump to all findings using the video chapters....
Analyze VMware ESX Systems with THOR Thunderstorm
Since the release of THOR Thunderstorm in the summer of 2020, our customers used it to analyse a variety of systems that are usually considered as "out of scope". In some cases the EULA prevents the installation of Antivirus scanners or EDR agents. In other cases the...
Scan for HAFNIUM Exploitation Evidence with THOR Lite
Since we've heard from partners and friends about many non-profit organisations affected by the Exchange server vulnerability, we've decided to transfer many detection rules from our commercial scanner into the free community version. If you haven't heard of THOR or...
New Features: Progress Bar and HTML Report Filter Functions
We would like to inform you about three new comfort features that will be available in the upcoming THOR versions including THOR Lite. Improved HTML ReportsThe new HTML reports allow analysts to filter elements that turn out to be false positives and remove them from...
Performance Refactoring in THOR v10.5.9 and THOR TechPreview v10.6.2
We are glad to announce significant performance improvements in the latest versions of THOR. We've refactored several processing units to bulk scan elements that have previously been checked each at a time. These changes affect the modules "Eventlog", "Registry",...
Use THOR in CrowdStrike Falcon Real Time Response
One of our customers has successfully deployed THOR using CrowdStrike's Falcon Real Time Response. Falcon's Real Time Response provides a remote shell that is very similar to Microsoft Defenders ATP's Live Response, which we've already combined with THOR Cloud...
Upcoming ASGARD Version 2
The last five months we've been working on a shiny new version of our ASGARD platform that overcomes previous limitations and includes exciting new features. ASGARD 2 is a completely rewritten management platform, featuring a new interface, load balancing options, a...
Automated Citrix Netscaler Forensic Analysis with THOR
--- Update 14.02.2023 The information in this blog post is outdated. For more information on how to scan appliances remotely using SSH see this newer blog post. ----- In this blog post I'd like to outline an idea on how to perform an automated compromise assessment on...
Not All IOC Scanning Is The Same
People often tell us that EDR product X already does IOC scanning and that they don’t have to check for these indicators a second time using our scanners. Especially when it comes to network wide sweeps for traces of activity due to an ongoing incident I recommend...