Nextron Systems Solutions

Compromise Assessments

Short Term Compromise Assessments

Do you need to perform a short-term compromise assessment on your infrastructure?

We offer several options to perform short-term compromise assessments:

The Incident Response License Pack (for large infrastructures)

  • This License Pack contains an unlimited THOR Scanner license valid for 30 days upon creation. With this license, you are able to scan an unlimited number of endpoints for a period of 30 days.
  • It also contains 5 Host-based licenses. These licenses will allow you to fine-tune the THOR Scanner parameters to match your requirements.

The Compromise Assessment License Pack (for smaller infrastructures)

  • This License Pack contains an unlimited THOR Scanner license valid for 8 days upon creation. With this license, you are able to scan an unlimited number of endpoints for a period of 8 days.
  • It also contains 5 Host-based licenses. These licenses will allow you to fine-tune the THOR Scanner parameters to match your requirements.

Continuous Compromise Assessment

We offer our Enterprise License model to provide you the ability to perform continuous compromise assessments on your entire infrastructure.

By installing our ASGARD Management Center, you have the ability to plan individual as well as group scans, perform ad-hoc scanning on individual endpoints or groups of endpoints, and perform “Response Control” as well as “Evidence Collection”.

With our Midgard Analysis Cockpit, we provide you with the power to perform baselining as well as case management in the event that a hacker has obtained access to your infrastructure. This will assist your SOC team in analyzing the THOR Scanner log files.

Our Enterprise License model is based on a price per Server / Workstation per year.

The more licenses you purchase, the cheaper it becomes per Server / Workstation.

Agentless Compromise Assessment

THOR’s flexibility has always impressed our customers. Its portable design allows using it selectively without the need for a permanently running agent. You can just copy it to a remote system, use portable media or a network share and run it from there.

Some customers developed short PowerShell scripts to copy and execute THOR on target systems. Others used their available software management solution to build, drop, run and remove a custom THOR package on thousands of end systems.

A new feature named THOR Remote allows you to perform a distributed scan from a single privileged Windows machine by providing a list of scan targets.

Digital Forensics

Incident response engagements often begin with a group of compromised systems and an even bigger group of systems that are possibly affected. The manual analysis of many forensic images can be challenging.

THOR speeds up your forensic analysis with more than 10,000 handcrafted YARA signatures, 400 Sigma rules, numerous anomaly detection rules and thousands of IOCs.

THOR processes not just files but also registry hives, event logs, crash dumps, Windows error reports, the MFT, the disk's free space and much more using so-called modules.

Scan multiple forensic images at the same time and review the reports to identify malicious activity much faster than before. It is easy to include custom IOCs and YARA rules to extend THOR’s ruleset with your case-related indicators and get even better results.

THOR is the perfect tool to highlight suspicious elements, reduce the workload and speed up forensic analysis in moments in which getting quick results is crucial.

THOR as Plugin

The flexible and portable character of THOR allows deploying it in many different ways. Our customers have integrated THOR as an additional scanner in their malware analysis pipeline, use it in their EDR to scan collected samples and deploy it in live response sessions.

A very compelling integration is the one that extends the live response of Microsoft Defender ATP. While Microsoft Defender ATP plays to its strength in detecting live attacks, suspicious processes and network connections, THOR shines as a live forensic scanner that scans the local filesystem, registry, logs and other elements for traces of hacking activity. THOR extends Microsoft Defender ATP’s real-time monitoring with intense local scans to allow a full on-demand compromise assessment.

Supercharge Your Detection

Apart from our flexible scanner THOR, which can be integrated into many different detection pipelines, we offer parts of our ruleset in a subscribable feed named VALHALLA.

VALHALLA boosts your detection capabilities with the power of thousands of hand-crafted high-quality YARA rules. Our team curates more than 9000 quality tested YARA rules in 8 different categories: APT, Hack Tools, Malware, Web Shells, Exploits, Threat Hunting, Anomalies and 3rd Party. Valhalla’s database grows by 1500 YARA rules every year.

With access to Valhalla, you can supercharge your detection by adding most of our highly successful THOR scanners’ signatures to your scan engines. All rules are performance-optimized and quality tested against terabytes of goodware and other data.