Have you already heard about THOR Thunderstorm, a self-hosted THOR as a service? In this blog post, we will show how you can leverage THOR Thunderstorm to level up your email infrastructure security.THOR Thunderstorm is a web API wrapped around THOR, which accepts...
Integration of THOR in Velociraptor: Supercharging Digital Forensics and Incident Response
Digital forensics and incident response (DFIR) are critical components in the cybersecurity landscape. Evolving threats and complex cyber-attacks make it vital for organizations to have efficient and powerful tools available. If you are not already enjoying the...
How to Perform Compromise Assessments on NetScaler / Citrix ADC Appliances Using THOR
In today's interconnected world, cyber adversaries are increasingly targeting and exploiting Internet-facing appliances and devices with unconventional or restricted operating systems. A pressing concern for users is whether it's possible to perform a compromise...
Scanning for Indications of MOVEit Transfer Exploitation with THOR Lite
On June 1st, the vendor of MOVEit Transfer, previously known as Ipswitch but now called Progress, announced the discovery of a critical security vulnerability that has been exploited. MOVEit is an enterprise software utilized by numerous organizations globally for...
Reasons Why to Use THOR instead of THOR Lite
We have received reports from customers that were approached by service providers that offered compromise assessments with our scanner THOR. Subsequently, it appeared, however, that these providers used THOR Lite in their engagements and, when asked about this, argued...
THOR 10.6.11 with Support for Apple M1 Architecture
The newest version 10.6.11 of THOR for macOS now has support for Apple's M1 platform. The THOR scanner binary is now a "universal" binary that runs on both supported platforms. You can find a list of supported architectures and operating systems in the respective...
Silent Scanning – Compromise Assessment with THOR Lite on a Compromised Exchange 2019 Server
The following video shows a compromise assessment with our free THOR Lite scanner on a Microsoft Exchange 2019 server detecting ProxyShell and ProxyToken exploitation. We've done no post-editing in this video. You can jump to all findings using the video chapters....
Use YARA math Module Extension in THOR TechPreview and THOR Lite
Not long ago, we've created a pull request for the official YARA repository on Github, that would introduce new functions in the `math` module to improve the flexibility in cases in which a sample is heavily scrambled or obfuscated. These cases require further...
Detection Coverage of HAFNIUM Activity Reported by Microsoft and Volexity
Microsoft as well as Volexity pubslihed reports on activity of an actor named HAFNIUM by Microsoft exploiting at least four zero-day vulnerabilities in Microsoft Exchange services. In this blog post we would like to outline the coverage provided by THOR regarding...
Introduction THOR TechPreview
Since its early days, THOR has always been focused on stability and detection rate. With the early module and feature set, we never had to make a compromise. However, during the last 1-2 years, we had to make some decisions on the integration of new features and...
Sigma Scanning with THOR
Our compromise assessment scanner THOR is able to apply Sigma rules during the local Eventlog analysis. This can help any customer that has no central SIEM system or performs a live forensic analysis on a system group that does not report to central monitoring. By...
Automated Citrix Netscaler Forensic Analysis with THOR
--- Update 14.02.2023 The information in this blog post is outdated. For more information on how to scan appliances remotely using SSH see this newer blog post. ----- In this blog post I'd like to outline an idea on how to perform an automated compromise assessment on...