Thunderstorm Archives - Nextron Systems
https://www.nextron-systems.com/category/thunderstorm/

Protecting Outdated and Unsupported Systems
https://www.nextron-systems.com/2025/03/25/protecting-outdated-and-unsupported-systems/
Nextron Systems, Tue, 25 Mar 2025 13:21:52 +0000


Security strategies often assume that systems can be patched, upgraded, or replaced. In reality, many critical environments operate on legacy platforms where these options are impractical. Industrial control networks, healthcare systems, and government infrastructure frequently rely on outdated operating systems and specialized hardware that remain essential despite lacking vendor support or security updates.

Patching? Not always possible. Upgrading? Too risky or too expensive. Replacing? Out of scope. These systems persist because they must, and attackers know it. Legacy systems become low-hanging fruit—under-protected, overlooked, and vulnerable.

When traditional security solutions fall short, forensic-level detection and compromise assessment become essential. Nextron Systems provides these capabilities with THOR and THOR Thunderstorm, enabling organizations to analyze and secure legacy systems without requiring software installations or real-time monitoring.

Why Legacy Systems Persist (And Why Attackers Love Them)

If you’re reading this, you probably know why legacy systems are still around. But for context, let’s clarify why they’re still in production:

  • Regulatory or Compliance Needs – Industries like finance, healthcare, and critical infrastructure must often stick with certified, validated software. Moving to new versions is slow, expensive, and bureaucratically painful.
  • Operational Dependencies – Some systems are mission-critical and only function on specific OS versions. Changing them risks breaking core operations.
  • Cost Constraints – Replacing legacy systems can be prohibitively expensive, particularly for bespoke or embedded systems.
  • Hardware Limitations – Older industrial machines and embedded devices simply can’t run modern software.
  • Security Tool Incompatibility – Most EDRs and antivirus tools have abandoned support for systems like Windows XP, Server 2003, or IBM AIX.

These outdated systems and isolated networks become prime targets for attackers, offering the path of least resistance. Often neglected by traditional security tools, they present significant security gaps that attackers are quick to exploit. As a result, organizations struggle to find effective ways to secure them, leaving critical infrastructure vulnerable to compromise.

Why Patching Isn’t Always an Option

Security experts love saying, “Just patch it.” But in the real world, that’s not always an option. Here’s why:

  • End-of-Life Software – The vendor isn’t issuing patches. The system is on its own.
  • Operational Risk – A failed patch could take down a critical system, with impacts ranging from financial loss to public safety risks.
  • Isolated Environments – Air-gapped systems and IoT networks don’t have an easy patch path.

Since patching isn’t always an option, organizations need alternative security strategies that provide threat detection and forensic investigation capabilities – without requiring an agent or software installation.

How THOR & THOR Thunderstorm Secure Legacy Systems

Nextron Systems’ forensic security tools provide powerful detection and compromise assessment capabilities, even for outdated, unsupported, or isolated platforms:

1. THOR – Portable Compromise Assessment & Malware Detection

  • Agentless scanning – No installation required.
  • Compatible with legacy OS – Supports Windows XP, Server 2003, IBM AIX, UNIX-based systems, and more.
  • Deep forensic detection – Finds dual-use tools, web shells, backdoors, credential theft, and system anomalies.
  • Independent of EDR support – Also operates in environments where traditional tools fail.
  • Best for: Offline scanning, forensic analysis, and post-breach investigations.

2. THOR Thunderstorm – Live Forensic Scanning for Air-Gapped & Isolated Systems

  • Minimalist scanning – Uses built-in system tools like find and curl to collect artifacts.
  • No dependencies – Works without agents, software installations, or kernel access.
  • Flexible deployment – Supports scanning industrial control systems (ICS), embedded devices, and IoT environments.
  • Customizable detection – Leverages YARA and Sigma rules to detect hidden threats.
  • Best for: Securing air-gapped networks, industrial control systems (ICS), and legacy UNIX/Linux environments.

Real-World Use Cases

  • Windows XP & Legacy Systems – Many enterprises still run Windows XP or Server 2003 due to software dependencies. THOR can scan these systems where modern security tools no longer function.
  • IBM AIX & UNIX Environments – Traditional security tools don’t cover AIX or legacy UNIX. THOR scans these systems to detect malware, backdoors, and system anomalies.
  • Air-Gapped and IoT Networks – Industrial environments and air-gapped systems cannot use traditional security tools. THOR Thunderstorm enables agent-less forensic scanning, even in isolated environments.
  • Critical Infrastructure & ICS Security – Industrial control systems (ICS) cannot be patched frequently. THOR provides forensic detection without impacting system uptime.

Protecting Systems Others Ignore

Legacy systems won’t disappear overnight, but that doesn’t mean they have to remain unprotected. Nextron Systems’ THOR and THOR Thunderstorm provide the forensic visibility organizations need to detect and analyze threats – across outdated, unsupported, and isolated systems.

Need to secure an outdated IT environment? Contact us today to learn how THOR can help.

Patching is Not Enough: Why You Must Search for Hidden Intrusions
https://www.nextron-systems.com/2025/03/11/patching-is-not-enough/
Nextron Systems, Tue, 11 Mar 2025 13:59:45 +0000

Many organizations make a critical mistake when responding to actively exploited zero-day vulnerabilities: they patch but don’t investigate.

Think about it this way: If your front door was left wide open for weeks, would you just lock it and walk away? If attackers had unrestricted access to your environment, simply closing the door won’t undo the damage. The real problem isn’t the vulnerability itself – it’s what happened while your systems were exposed.

The Real Threat is What You Don’t See

VMware recently confirmed three newly exploited zero-day vulnerabilities (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) affecting ESXi products. As expected, VMware has released patches. But patching alone won’t tell you if attackers already breached your systems.

The right question at this stage should be: Did attackers already gain access to your IT environments?

If your ESXi hosts were vulnerable, you must be able to answer the following:

  • Were attackers already inside?
  • Did they steal credentials, sensitive configurations, or data?
  • Have they installed backdoors or persistence mechanisms?
  • Did they move laterally and escalate privileges?
  • Are there hidden scripts, tools, or logs covering their tracks?

A patch prevents future exploitation, but it doesn’t reveal what happened before. If you don’t investigate, you’re operating on blind trust. Simply locking the door doesn’t undo what might have already happened inside. If you rely on patching alone, you’re leaving the hardest question unanswered: Are they still inside?

Compromise Assessments: The Missing Piece in Zero-Day Response

A compromise assessment is not a routine security scan—it’s a deep forensic analysis designed to uncover hidden intrusions. Unlike traditional EDRs or antivirus tools, it searches for traces of past exploitation, persistence, and lateral movement.

With a compromise assessment, you can:

  • Identify attacker tools and backdoors – Hidden scripts, web shells, or credential dumps
  • Detect lateral movement – Signs of compromised accounts or unusual connections
  • Uncover persistence mechanisms – Registry changes, scheduled tasks, or rogue services
  • Analyze system integrity – Detect data exfiltration, file modifications, or deleted logs

Simply put: A compromise assessment answers the questions that patching ignores.

How to Investigate ESXi Compromises with THOR

VMware ESXi hosts are high-value targets for attackers due to their central role in virtualized environments and lack of built-in security tooling. Since traditional endpoint detection solutions cannot be deployed directly on ESXi, a specialized approach is required for forensic investigation and compromise assessment. THOR provides two effective methods for this purpose.

1. THOR Thunderstorm: File-Based Live Scanning on ESXi

THOR Thunderstorm enables agentless forensic scanning by collecting and analyzing forensic artifacts from ESXi hosts.

  • One-time assessments: The Python-based Thunderstorm Collector is deployed to an ESXi system and executed locally to collect relevant files, such as configuration files and logs. The collector applies default filtering criteria but can be customized to collect files based on parameters like modification date, size, and type (e.g., all files modified within the last 30 days).
  • Periodic compromise assessments: If Secure Boot is disabled, a persistent job can be configured to regularly collect artifacts from the ESXi host. If Secure Boot is enabled, periodic collection must be configured using Ansible, following Nextron’s implementation guidelines.
  • Forensic analysis: Collected files are automatically uploaded to THOR Thunderstorm for real-time analysis, leveraging YARA and Sigma rules to detect hidden attacker activity, unauthorized changes, and persistence mechanisms.

Best for:

  • Agent-less, forensic collection from ESXi hosts.
  • Environments requiring continuous or scheduled compromise assessments.
  • Situations where Secure Boot settings impact persistent collection methods.

2. THOR with SSHFS: Remote File System Scanning

THOR can be used to scan an ESXi system remotely by mounting its file system via SSHFS and analyzing files from a separate scanning host.

  • Setup: The scanning host requires a direct and permanent SSH connection to the ESXi system.
  • File transfer overhead: Unlike Thunderstorm, where only selected forensic artifacts are uploaded for analysis, SSHFS scanning transfers all files over SSH, resulting in higher network load.
  • Deep forensic analysis: THOR is used to scan logs, binaries, and other suspicious files with custom YARA and Sigma rules, providing a comprehensive compromise assessment.

Best for:

  • Thorough post-compromise forensic investigations.
  • Cases where SSH access to ESXi is available and sustained network load is acceptable.
  • Advanced hunting for persistence mechanisms and hidden threats.

For more details on ESXi compromise assessments using THOR, refer to: How to Scan ESXi Systems Using THOR.

Patching Alone Won’t Tell You If You’ve Been Breached – THOR Will

Patching is essential, but it must be combined with a compromise assessment to ensure your environment is truly secure. Instead of assuming you’re safe just because a patch is applied, leverage a deep forensic investigation to uncover any traces of an attacker’s presence.

If your security plan relies solely on waiting for patches, you’re always reacting too late – plus, you may already have an active breach.

Don’t leave your security to chance. Contact us to learn how THOR can help you verify whether attackers have already compromised your infrastructure.

Supercharging Postfix With THOR Thunderstorm
https://www.nextron-systems.com/2023/11/14/supercharged-postfix/
Nextron Systems, Tue, 14 Nov 2023 13:16:10 +0000

Have you already heard about THOR Thunderstorm, a self-hosted THOR as a service? In this blog post, we will show how you can leverage THOR Thunderstorm to level up your email infrastructure security.

THOR Thunderstorm

THOR Thunderstorm is a web API wrapped around THOR, which accepts file uploads and returns matches in JSON format. It can process thousands of samples per minute sent from any device within the network. The possibilities are seemingly endless, from scanning exotic OSs to integrating custom services (e.g., a mail server). Check out this introduction blog for a taste of the many use cases of THOR Thunderstorm. Let’s get started with some background on Postfix and Milter.

Background: Postfix and Milter

The Postfix mail server is a popular and highly configurable Mail Transfer Agent (MTA) used for routing and delivering email messages within a network or across the Internet. Like the Sendmail MTA, it can use the Milter protocol to scan incoming emails for spam or malware. For each incoming email, a compatible MTA uses the Milter protocol to talk to an additional service that also speaks Milter. This service scans the email and responds with its findings; based on that response, the MTA can filter, discard, or quarantine the email. In this blog post, we are releasing an open-source implementation of a Milter service called “postfix2thunderstorm” which allows you to scan emails using THOR Thunderstorm: https://github.com/NextronSystems/postfix2thunderstorm

Bring Postfix To The Next Level

Supercharging your Postfix involves three things:

First, you need to set up THOR Thunderstorm – our manual will help you here. Make sure that the appropriate firewall rules are in place to allow communication between the Milter service and THOR Thunderstorm.

Second, you need the “postfix2thunderstorm” service itself. You can find setup and usage instructions in the GitHub repo. Make sure that Postfix is able to reach this service via the network.

Last, you need to configure Postfix to “speak” to the “postfix2thunderstorm” service. To do this, add the following to your Postfix config (/etc/postfix/main.cf) and restart it:

# See https://www.postfix.org/MILTER_README.html for more information
# IP/Port of host where the postfix2thunderstorm service is running
# (might be a good idea to make it the localhost (or use TLS))
smtpd_milters = inet:<IP>:<Port>
# default action in case of error/timeout/...
milter_default_action = accept

Using this config, every email received by Postfix via SMTP will be forwarded to the “postfix2thunderstorm” service. Based on the response, the email will be quarantined or accepted – see the “postfix2thunderstorm” instructions regarding when emails should be quarantined.

The “postfix2thunderstorm” service can also be run in a “non-active mode” in which all emails are accepted, but a log entry is written whenever a mail would have been quarantined.

Forward these log lines into your SIEM (or similar) and alert on “warning” level messages to bring your email security to the next level.

Elevating Any Mail Server

There are many different mail servers out there. However, almost all of them offer a mechanism similar to Postfix with Milter. Based on the information in this blog post, you should be able to integrate THOR Thunderstorm into any mail server.
The following links might help as well:

In case you need additional help, drop us a line.

Analyze VMware ESX Systems with THOR Thunderstorm
https://www.nextron-systems.com/2021/06/07/analyze-vmware-esx-systems-with-thor-thunderstorm/
Nextron Systems, Mon, 07 Jun 2021 15:32:55 +0000

Since the release of THOR Thunderstorm in the summer of 2020, our customers have used it to analyse a variety of systems that are usually considered “out of scope”. In some cases the EULA prevents the installation of antivirus scanners or EDR agents. In other cases the platforms in use are simply outdated, customised or unsupported.

A use case that we would like to highlight in this blog post is the analysis of VMWare ESXi systems.

In the past, our customers frequently asked if the Linux version of THOR would run on Photon OS used by ESX/ESXi. The need to analyse these systems is well justified. ESX/ESXi systems and the services running on these systems have vulnerabilities and are definitely in scope of an attack. Therefore they should also be in the scope of a compromise assessment.    

However, VMware writes on its website:

With THOR Thunderstorm, we can simply copy the thunderstorm-collector.sh bash script to an ESXi appliance and start the collection to a THOR Thunderstorm service running in a local network.

Using a blank Debian system and the installer script, this only takes a few minutes.

In our case, we simply watched the log file written by THOR Thunderstorm with “tail -f” for incoming alert messages to showcase the use case for our customer. By default, the collector submits all files created or modified during the last 14 days that are smaller than 2 MB.

In our demo, we’ve detected a webshell named “shell.jsp” in the “/tmp” folder and a command that indicates a back connect shell using Linux sockets in the “.bash_history” of the root account. 

You can add the collector script run to the local crontab or execute it using Ansible to perform frequent collection runs once a day. 

If you’re interested in a test setup, please contact us using the “Get Started” button. 

There’s a Thunderstorm Coming
https://www.nextron-systems.com/2020/10/01/theres-a-thunderstorm-coming/
Nextron Systems, Thu, 01 Oct 2020 13:50:57 +0000

We are proud to announce a groundbreaking new scan mode named “Thunderstorm” that we’ve integrated into preview builds of the upcoming THOR version 10.6.

This mode of operation turns THOR into a RESTful web service that is able to process thousands of samples per minute sent from any device within the network.

Think of it as your ultra-fast on-premise scan service, which is bundled with more than 13,000 hand-crafted YARA rules focusing on persistent threats and forensic artefacts.

Collect files and submit them for analysis from any operating system and any hardware platform. The possibilities are limitless.

With this blog post, we’d like to highlight some of these new possibilities.

Thunder rolls, lightning strikes & the hammer flies across the sky.
God of the weather,
chariot of the storm,
master of rain & torrents.
Son of the strength
of Mother Earth,
I ask you to grant me that strength for myself.

Norse Poem

What is THOR Thunderstorm?

A RESTful web service that receives samples and returns a scan result. It is feature-rich and very fast.

Use Cases

Use Case 1 – Remote File Collection

During forensic investigations, automated file collection (ESI) from one or multiple remote systems can be combined with THOR Thunderstorm to improve the forensic analysis.

Alerts and warnings produced by THOR Thunderstorm highlight interesting elements in file data, registry hives, eventlog files and more.

Use Case 2 – ICS Networks

ICS networks are mission critical and require immediate, high availability. The installation of an endpoint agent or running a portable scanner is often out of the question.

With THOR Thunderstorm, you just have to collect and submit the files.

Use Case 3 – Out of Reach Devices

Since file collection is a lot easier than endpoint scanning, all you need is a way to export the remote system’s files or to send them directly to THOR Thunderstorm.

Imagine that you can collect and submit files from network devices, telephone systems or embedded devices.

Use Case 4 – Out of Reach Operating Systems

File collection scripts for many old or usually unsupported operating systems allow you to upload samples for analysis.

Select files based on size, age or type and schedule frequent upload tasks to analyze only new or modified files. 

Use Case 5 – S3 Bucket Scanning

We’ve been working with our partner Adolus to showcase a tuned version of AirBnb’s BinaryAlert in which the standard YARA analyzer has been replaced by THOR Thunderstorm.

By using it in a container that scales with the demand, you can process millions of files in a few minutes.

Flexibility

Most operating systems provide tools to walk the file system and submit files via HTTP. The following examples are intentionally short and compact to inspire you with their simplicity. Think of all the devices that you could analyze this way. No agent, no portable scanner, just simple file submission via HTTP.

Windows 10 Batch

This example shows a simple batch file that walks recursively over a given folder and submits all files. You could extend it to the whole disk and restrict the submission to certain file extensions (e.g. exe, bat, ps1, js).

Linux Web Server

This example shows how easy it is to get all files in a web server root checked by THOR Thunderstorm just by using bash, find and curl.
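The find-and-curl collector described here, and the selection criteria the ESXi posts above attribute to the Thunderstorm Collector (files modified in the last 14 days and smaller than 2 MB by default), written out as an added example; this is not Nextron's thunderstorm-collector.sh. The /api/checkAsync endpoint, the "file" form field and the server host are assumptions to adjust for your installation.

```shell
#!/bin/sh
# Added example (not Nextron's thunderstorm-collector.sh): select recently
# modified, small files below a directory and POST each one to a THOR
# Thunderstorm server with curl, keeping the original path as the filename
# so the server-side log shows where the sample came from.
#
# Assumptions (not taken from the blog post): the server accepts multipart
# uploads on /api/checkAsync in a form field named "file". The host below
# is a placeholder.
set -u

THUNDERSTORM_URL="${THUNDERSTORM_URL:-http://thunderstorm.example.internal:8080}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-14}"           # blog default: last 14 days
MAX_SIZE_BYTES="${MAX_SIZE_BYTES:-2097152}"  # blog default: smaller than 2 MB

# select_files DIR [AGE_DAYS] [MAX_BYTES]
# Print regular files below DIR (same file system only) that were modified
# within AGE_DAYS days and are smaller than MAX_BYTES bytes, one per line.
select_files() {
    dir="$1"; age="${2:-$MAX_AGE_DAYS}"; max="${3:-$MAX_SIZE_BYTES}"
    find "$dir" -xdev -type f -mtime "-$age" -size "-${max}c" 2>/dev/null | sort
}

# submit_file FILE
# Upload one file. Prints "<http status> <path>" on a completed request and
# returns 0 only for HTTP 200; a transport error (DNS, refused, timeout)
# returns 1 without printing, so the caller can count it as a failure.
submit_file() {
    file="$1"
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 30 \
        -X POST "$THUNDERSTORM_URL/api/checkAsync" \
        -F "file=@${file};filename=${file}") || return 1
    printf '%s %s\n' "$code" "$file"
    [ "$code" = "200" ]
}

# collect_and_submit DIR
# Run the selection once, submit every hit and report a summary on stderr.
# Returns 0 when every submission succeeded (including the empty case).
collect_and_submit() {
    target="$1"; total=0; failed=0
    list=$(mktemp) || return 1
    select_files "$target" > "$list"
    while IFS= read -r f; do
        total=$((total + 1))
        submit_file "$f" || failed=$((failed + 1))
    done < "$list"
    rm -f "$list"
    printf 'submitted %d file(s), %d failed\n' "$((total - failed))" "$failed" >&2
    [ "$failed" -eq 0 ]
}

# Usage: ./collector.sh /var/www   (no argument: only define the functions,
# so the script can be sourced from a cron job or another wrapper)
if [ "$#" -gt 0 ]; then
    collect_and_submit "$1"
fi
```

Scheduling it once a day, as the posts suggest for cron or Ansible, only resubmits files whose modification time falls inside the window, which is what keeps the upload volume small.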

 

Thunderstorm Components

The following slide lists the different components that can be used with THOR Thunderstorm. We provide a server installer script, collectors, a Python API client and update scripts. 

In addition to the Thunderstorm server we provide a set of simple sample collection tools called Thunderstorm Collectors, a Python-based API library with a command line client and a set of helper scripts.

Thunderstorm Collectors

The Thunderstorm Collector repository contains a Go based collector, precompiled for many different operating systems and architectures, as well as collector scripts (Batch, Bash, PowerShell).

We have pre-built collectors for Windows, Linux, macOS, AIX, Solaris on x86, x64, Arm, PowerPC, MIPS, RISC-V, Plan9, S390x (IBM Z) architectures.

These collectors allow you to select files based on age, size and type for submission to a Thunderstorm server.

It is easy to set up a task like: 

“Select all files that have been created or modified within the last 24 hours and submit them to Thunderstorm for analysis. Run this task daily.”

Low CPU and RAM Usage

A collection task requires 0.75-2% of the CPU and 20 MB memory.

Any OS, Any Arch

Our collectors run on any operating system and processor architecture.

High Speed

Collection runs are ultra fast. (Our test: Win 10, collect last 3 days, any type, full disk = 3 minute run)

Thunderstorm API Client

We provide a Python module and Python based API client that supports multi-threaded submission to the THOR Thunderstorm service.

Modes of Operation

Service Mode

The service can be started in two scan modes:

  • Pure YARA
  • Full-Featured

Pure YARA

In the pure YARA mode (--pure-yara) THOR Thunderstorm only applies the 13,000 internal and all custom YARA rules to the submitted samples. It’s lightweight and super fast.

Full-Featured

The full-featured mode is the default. In this mode Thunderstorm also parses and analyses Windows Eventlogs (EVTX), registry hives, memory dumps, Windows error reports (WER) and more. It’s not just a YARA scan, but a full forensic processing.

More Features

Completely On Premise

THOR Thunderstorm can be installed on any internal system and runs as a service within your network.

Sample Storage

Store suspicious or all transmitted samples with a reference to the source system to facilitate deeper analysis.

Forensic Modules

THOR Thunderstorm supports the analysis of different file types that get collected for forensic analysis purposes (e.g. EVTX files, registry hives).

Custom Signatures and IOCs

Add your own YARA signatures, Sigma rules, hash and filename IOCs and apply them to incoming samples.

SIEM Integration

THOR Thunderstorm offers many ways to output information (Text, JSON, Syslog), which makes it easy to integrate the findings into your favorite SIEM system.

Web GUI and API Documentation

The API documentation is embedded into the web service itself. You can even send requests right from the browser to test it live.

The Web GUI contains important information about the service like the signature set version, uptime, number of processed and queued samples and much more. 

It contains some graphs that help you to assess the actual server load and processing speed. 

It also contains links to the API documentation, the Python API library and the Thunderstorm Collectors for your convenience. 

 

On The Roadmap

The following tasks are on our roadmap for THOR Thunderstorm:

  • Collector service that uses file system notifications to submit new files in real-time
  • Cortex Analyzer
  • ICAP Support (allows interfacing with Web Proxies)
  • File format support: PCAP, MFT
  • Recursive extraction of nested archives
  • Docker setup guide

Getting Started

Please use the “GET STARTED” button in the upper right corner or this link to request more information.

The release slide deck contains more detailed information on some of the mentioned aspects.

 

THOR v10.6 TechPreview
https://www.nextron-systems.com/2020/10/01/thor-v10-6-techpreview/
Nextron Systems, Thu, 01 Oct 2020 13:47:44 +0000

We are proud to announce version 10.6 of THOR, which is the first one that gets released as a TechPreview. We’ve discussed the split-up into THOR and THOR TechPreview in a previous post.

The following post describes the most important new feature of the THOR v10.6 TechPreview version.

THOR Thunderstorm

THOR 10.6 is the first version that supports a new mode of operation – a RESTful web API service named THOR Thunderstorm. THOR Thunderstorm is able to receive thousands of samples per minute via web requests, scans them and returns a scan result.

We’ve outlined many use cases and features of THOR Thunderstorm in a separate blog post.

THOR Thunderstorm requires a separate license named “service license” to run. 

 

Multi-Threaded Scanning

Especially the customers with a lab license should be happy to hear that we’ve implemented multi-threaded scanning. 

From now on, THOR can use multiple threads to process elements (files, registry keys, events in eventlog etc.). 

This can boost the scan speed on mounted images significantly. Our tests on a 16 Core system showed a scan speed improvement of 1400%. 

Reworked Quick Scan

Quick scan (--quick) is used when fast scan results are crucial. It usually takes less than 25 minutes to complete, which is achieved by skipping elements in the scan. In versions prior to 10.6, the quick scan skipped the Eventlog scan entirely and scanned only a set of 40+ highly relevant folders on disk.

The new quick scan doesn’t skip whole modules or directories anymore. For all previously skipped elements the new quick scan evaluates if they have been modified or created within the last 72 hours and scans only these elements. 

This way the new quick scan is much more intense but should be only slightly slower.

Other Changes

  • We’ve changed the ambiguous “--fsonly” flag to “--lab” to indicate the best settings for scanning in a forensic lab (the old flag is still usable but hidden in the usage description)
  • Virtual drive name mapping (used in lab scans to map the actual mount point to the original one)
  • Minor changes to some log lines (extended field values) 

Getting Started

Customers can download the THOR TechPreview version 10.6 in the Downloads section of the customer portal or use thor-util in its newest version to download that version with the flag “--techpreview”. ASGARD version 2.5.3 also supports scan runs with THOR TechPreview.
