2 November 2023

THOR by Nextron Systems: Compromise Assessment Without Agent


Most endpoint security solutions detect known malware in real time. But what about attacks that have already occurred? According to Mandiant’s M-Trends 2025 report, Advanced Persistent Threats remain undetected in corporate networks for an average of eleven days, and up to 26 days when relying solely on external detection methods. THOR by Nextron Systems is a portable forensic scanner designed to retrospectively examine systems for signs of compromise: it leverages over 30,000 YARA rules and signatures, requires no agent or installer, and operates entirely offline without any cloud connectivity.

Key Takeaways

  • THOR is a portable compromise assessment scanner from Nextron Systems (Dietzenbach). No installation or agent is required; it can be run directly from a USB stick.
  • On average, attackers remain undetected for 11 days. If detected externally, that time extends to 26 days (Mandiant M-Trends 2025).
  • Over 30,000 YARA rules and approximately 2,000 Sigma rules scan files, process memory, the registry, and event logs.
  • CTO Florian Roth (@cyb3rops) is one of the most renowned security researchers globally: co-creator of Sigma and developer of LOKI and yarGen.
  • THOR Lite is available free of charge for individual analysts, including archive scanning and YARA Forge integration.

11 days: the median amount of time attackers go undetected in corporate networks (Source: Mandiant M-Trends 2025, Google Cloud)

What is compromise assessment without an agent?

Compromise assessment without an agent is a concrete priority for companies in 2023 because it directly shapes cyber resilience, security operations and regulatory duties. This article uses synaforce as an example to show which requirements, figures and operational steps matter in practice.

The Problem: What EDR Doesn’t Detect

Endpoint Detection and Response provides real-time protection. However, APT groups operate deliberately below the detection threshold. They employ Living-off-the-Land techniques, compromise legitimate tools, and leave behind traces that antivirus scanners do not classify as suspicious. A compromised system can run unnoticed for months or even years while attackers exfiltrate data.

In 2014, the median dwell time of attackers was still 205 days. Today, according to Mandiant M-Trends 2025, it is eleven days. However, this figure is skewed by ransomware attacks, in which the attackers reveal themselves. For espionage-driven APTs, the dwell times are significantly longer. This is precisely where Compromise Assessment comes into play: the systematic search for traces that already exist within the system.

– Endpoint Detection and Response offers real-time protection but struggles with APTs operating below the detection threshold.
– APT groups use Living-off-the-Land techniques and compromise legitimate tools, leaving subtle traces that go undetected.
– The median dwell time of attackers has decreased to eleven days, but this is influenced by ransomware activities. Espionage-driven APTs often remain undetected for much longer.
– Compromise Assessment focuses on identifying existing threats within a system that traditional security measures might miss.

What is Living-off-the-Land?

Living-off-the-Land refers to a technique used by attackers where they leverage existing tools and resources on a victim’s system to carry out malicious activities without leaving obvious traces.

Why is the median dwell time important?

The median dwell time indicates how long an attacker remains undetected within a system. Shorter dwell times suggest more effective threat detection and response mechanisms, while longer dwell times highlight vulnerabilities in current security practices.

How does Compromise Assessment differ from traditional EDR solutions?

While EDR focuses on real-time monitoring and response, Compromise Assessment involves a thorough, systematic investigation to uncover hidden threats that may have been present for an extended period.

What Makes THOR Different

THOR is neither real-time protection nor a replacement for EDR. It is a forensic scanner that retrospectively examines systems for signs of compromise. The key advantage: THOR runs as a portable application. No agent, no installer, no dependencies. This makes it ideal for:

  • Incident Response following a suspected breach
  • Regular Compromise Assessments in critical infrastructure environments
  • Due-Diligence Reviews during acquisitions and mergers
  • Forensic Investigations in air-gapped networks

A concrete example of its effectiveness: When analyzing a compromised sample, THOR produced three distinct YARA matches, while VirusTotal reported zero detections. Its strength lies in the handcrafted, curated rules specifically tailored to APT tools and tactics.

“We tested one of the compromised samples. Zero detections on VirusTotal. Detected by THOR with three different YARA rules.”
Florian Roth, CTO Nextron Systems (@cyb3rops, 2025)

Frequently Asked Questions

What is THOR?

THOR is a portable forensic scanner used to analyze systems for signs of compromise after an incident has occurred. It does not provide real-time protection or replace traditional endpoint detection and response (EDR) solutions.

How does THOR differ from other forensic tools?

Unlike many forensic tools, THOR is lightweight and portable, requiring no installation or additional dependencies. Its custom YARA rules are specifically designed to detect advanced persistent threat (APT) techniques and tools, making it particularly effective in identifying sophisticated attacks that may go unnoticed by other solutions.

When should I use THOR?

THOR is best suited for incident response teams investigating potential breaches, organizations conducting regular security assessments, companies performing due-diligence checks during mergers or acquisitions, and cybersecurity professionals working in air-gapped or highly sensitive environments.

Can THOR be used alongside existing security tools?

Yes, THOR can complement existing security measures such as EDR solutions, SIEM systems, and other endpoint protection platforms. It provides an additional layer of analysis by focusing on post-compromise indicators that may not be captured by real-time monitoring tools.

Is THOR suitable for small businesses?

Absolutely. While THOR is particularly valuable for large enterprises and critical infrastructure operators, its simplicity and portability make it accessible and useful for organizations of all sizes looking to enhance their incident response capabilities.

Florian Roth: The Mind Behind THOR

To understand THOR, you need to know Florian Roth. As CTO and co-CEO of Nextron Systems, he is one of the most influential security researchers worldwide. On X (formerly Twitter), under @cyb3rops, over 30,000 professionals from the IT security community follow him. On GitHub, he maintains more than 155 repositories under @neo23x0.

Roth has been working in IT security since 2003. What sets him apart is that he doesn’t just build products; he also defines standards. Sigma, the open standard for SIEM-based detection rules, was co-founded by Roth together with Thomas Patzke. Today, Sigma operates under SigmaHQ and has become the de facto standard for log-based detection, recognized by MISP and used in virtually every SOC around the globe.

In addition, Roth has developed a range of open-source tools widely adopted by the community: LOKI (the free predecessor to THOR), yarGen (an automated YARA rule generator), FENRIR (a Bash-based IOC scanner), and Valhalla (Nextron’s curated YARA/Sigma rule feed containing over 23,000 YARA rules and 4,400 Sigma rules).

Florian Roth is a globally renowned security researcher and co-CEO of Nextron Systems.
He is known not only for building security tools but also for defining industry standards like Sigma, which is now used in SOCs worldwide.
Roth has created several widely used open-source tools, including LOKI, yarGen, FENRIR, and Valhalla.
These tools are integral to modern threat detection and response efforts across the IT security landscape.

What makes Florian Roth unique in the field of IT security?

Florian Roth stands out because he not only develops security products but also establishes key industry standards, such as Sigma, which is now a global benchmark for log-based detection systems.

What are some of Florian Roth’s notable contributions to the IT security community?

Besides founding Sigma, Roth has created numerous open-source tools like LOKI, yarGen, FENRIR, and Valhalla, all of which are widely used by security professionals worldwide.

How does Sigma differ from other detection standards?

Sigma is an open standard for SIEM-based detection rules, designed to be vendor-neutral and easily integrated into security operations centers (SOCs) worldwide.

Technical Architecture of THOR

The current stable version, THOR 10.7 (November 2024), combines several detection mechanisms:

YARA Scanning: Over 30,000 hand-curated YARA rules examine files, process memory, and registry entries for known malware signatures and APT tools. These rules originate from Nextron’s own research and the Valhalla feed.

Sigma Rules: Approximately 2,000 Sigma rules analyze Windows Event Logs for suspicious patterns. Sigma is the open standard for log-based detection.
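To make concrete what it means for a Sigma rule to "analyze Windows Event Logs for suspicious patterns", here is an added Python example that is not THOR's or SigmaHQ's code. It evaluates a rule written in Sigma's structure (selection, filter, condition) against constructed Sysmon-style process-creation events. The rule itself, the field names, the encoded-command sample values and the `approved_admin_tool.exe` filter are this example's own assumptions, and only a subset of Sigma's modifiers and condition syntax is supported.

```python
"""Minimal Sigma-style matcher over constructed Windows event records."""
from typing import Any

# Constructed rule in Sigma's structure (not a real SigmaHQ rule): flag
# PowerShell started with an encoded command, unless the parent process is
# a hypothetical approved administration tool.
RULE = {
    "title": "Encoded PowerShell command line",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc ", "-EncodedCommand "],
        },
        "filter": {
            "ParentImage|endswith": "\\approved_admin_tool.exe",  # hypothetical tool
        },
        "condition": "selection and not filter",
    },
}


def _value_matches(actual: str, expected: Any, modifier: str) -> bool:
    """Apply one Sigma modifier to one field value; list values are OR-ed."""
    if isinstance(expected, list):
        return any(_value_matches(actual, e, modifier) for e in expected)
    a, e = actual.lower(), str(expected).lower()  # Sigma string matching is case-insensitive
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return a == e  # no modifier: exact match


def selection_matches(selection: dict, event: dict) -> bool:
    """Every key in a selection map must match (AND); a missing field never matches."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if actual is None or not _value_matches(str(actual), expected, modifier):
            return False
    return True


def rule_matches(rule: dict, event: dict) -> bool:
    """Evaluate the rule's condition against a single event (subset of Sigma conditions)."""
    det = rule["detection"]
    cond = det["condition"]
    if cond == "selection":
        return selection_matches(det["selection"], event)
    if cond == "selection and not filter":
        return selection_matches(det["selection"], event) and not selection_matches(det["filter"], event)
    raise ValueError(f"unsupported condition: {cond}")


# Constructed sample process-creation events with Sysmon-style field names.
# The base64 payload "ZQBjAGgAbwA=" is UTF-16LE "echo", chosen as a harmless stand-in.
EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -enc ZQBjAGgAbwA=", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe readme.txt", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe -EncodedCommand ZQBjAGgAbwA=", "ParentImage": "C:\\Tools\\approved_admin_tool.exe"},
]


def scan_events(rule: dict, events: list) -> list:
    """Return the CommandLine of every event the rule fires on."""
    return [ev["CommandLine"] for ev in events if rule_matches(rule, ev)]


if __name__ == "__main__":
    for hit in scan_events(RULE, EVENTS):
        print(f"[{RULE['title']}] {hit}")
```

Only the first event produces a hit: the second is not PowerShell at all, and the third matches the selection but is suppressed by the filter, which is exactly the "selection and not filter" pattern Sigma rules use to keep known-good activity out of the alert stream.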

Anomaly Detection: THOR identifies suspicious patterns such as unusual file names in system directories, duplicate file extensions, or hidden Alternate Data Streams (ADS).

IOC Matching: Hashes, domain names, and IP addresses are compared against current threat intelligence feeds.
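The anomaly checks and IOC matching described above can be illustrated with a small scanner over a constructed file inventory. The following Python code is an added example, not THOR's implementation: the allow-list of system binaries, the similarity threshold, the extension sets and the IOC "feed" (a SHA-256 of constructed sample bytes, not a real malware hash) are all this example's own assumptions.

```python
"""Added example: file-name anomaly checks and IOC hash matching over a
constructed inventory, in the spirit of a compromise-assessment scanner."""
import difflib
import hashlib
import re
from dataclasses import dataclass


@dataclass
class FileEntry:
    path: str    # Windows-style path; "file:stream" denotes an NTFS alternate data stream
    data: bytes  # file content stand-in (constructed so the example runs offline)


@dataclass
class Finding:
    path: str
    reason: str


EXECUTABLE_EXT = {"exe", "dll", "scr", "ps1", "bat", "vbs", "js"}
DOCUMENT_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# A real scanner carries a large allow-list of legitimate system binaries;
# this tiny constructed set stands in for it.
KNOWN_SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "cmd.exe", "kernel32.dll"}
# Constructed IOC feed: SHA-256 of the sample bytes used below, not a real hash.
IOC_SHA256 = {hashlib.sha256(b"constructed-malicious-sample").hexdigest(): "ExampleLoader (constructed IOC)"}
ADS_RE = re.compile(r"^[a-z]:\\.*\\([^\\:]+):([^\\:]+)$")  # drive:\...\file:stream


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_duplicate_extension(path: str):
    """invoice.pdf.exe: a document-looking name that is really an executable."""
    parts = basename(path).split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXT and parts[-2] in DOCUMENT_EXT:
        return "executable disguised with a document extension"
    return None


def check_system_dir_name(path: str):
    """Unknown names in system directories, including look-alikes of real binaries."""
    p = path.lower()
    if not p.startswith(SYSTEM_DIRS):
        return None
    name = basename(p)
    if name in KNOWN_SYSTEM_NAMES:
        return None
    for known in KNOWN_SYSTEM_NAMES:
        # e.g. "svch0st.exe" vs "svchost.exe": near-identical but not allow-listed
        if difflib.SequenceMatcher(None, name, known).ratio() >= 0.85:
            return f"name resembles system binary {known}"
    if " " in name or len(name.split(".")[0]) <= 2:
        return "unusual file name in system directory"
    return None


def check_alternate_data_stream(path: str):
    """Executable content hidden in an NTFS ADS; Zone.Identifier is expected and ignored."""
    m = ADS_RE.match(path.lower())
    if m and m.group(2) != "zone.identifier" and m.group(2).rsplit(".", 1)[-1] in EXECUTABLE_EXT:
        return f"executable alternate data stream '{m.group(2)}'"
    return None


def check_ioc_hash(data: bytes):
    """Compare the file's SHA-256 against the (constructed) IOC feed."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in IOC_SHA256:
        return f"SHA-256 matches IOC {IOC_SHA256[digest]}"
    return None


def scan(entries):
    """Run every check on every entry and collect the findings."""
    findings = []
    for e in entries:
        for reason in (check_duplicate_extension(e.path), check_system_dir_name(e.path),
                       check_alternate_data_stream(e.path), check_ioc_hash(e.data)):
            if reason:
                findings.append(Finding(e.path, reason))
    return findings


# Constructed inventory: one clean entry, one benign ADS, and four anomalies.
SAMPLE_INVENTORY = [
    FileEntry("C:\\Windows\\System32\\svchost.exe", b"legit-system-binary"),
    FileEntry("C:\\Windows\\System32\\svch0st.exe", b"look-alike"),
    FileEntry("C:\\Users\\bob\\Downloads\\invoice.pdf.exe", b"double-extension"),
    FileEntry("C:\\Users\\bob\\notes.txt:Zone.Identifier", b"[ZoneTransfer]"),
    FileEntry("C:\\Users\\bob\\notes.txt:hidden.exe", b"ads-payload-stand-in"),
    FileEntry("C:\\ProgramData\\update.bin", b"constructed-malicious-sample"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_INVENTORY):
        print(f"{f.path}: {f.reason}")
```

The point of running all four checks side by side is that the IOC match catches only what the feed already knows, whereas the name and ADS heuristics fire on the look-alike binary, the double extension and the hidden stream even though none of their hashes appear in any feed.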

New in Version 10.7: Memory-mapped file scanning for faster scans with reduced I/O, JSON v2 output for improved SIEM integration, and init selectors for campaign-specific scans.

THOR Lite vs. THOR Full

Nextron offers THOR Lite, a free version for individual analysts. Since 2025, THOR Lite also includes archive scanning (docx, xlsx, jar, war) and integrates the YARA-Forge rule set with over 11,000 public rules.

The full version, THOR 10, is designed for enterprises and MSSPs. It provides centralized management via the ASGARD Management Center, automated scans, advanced rule sets, and integration with Velociraptor for parallel scanning across hundreds of systems. THOR results are output as JSON, CSV, or HTML reports and can be integrated into SIEM systems such as Splunk, Elastic, and QRadar.

Key Facts: Nextron Systems

Founded: 2017, Dietzenbach (Greater Frankfurt area)

Management: Marc Hirtz (CEO since May 2024), Florian Roth (CTO), Helge Hofmeister

Team Size: 11-50 employees, specializing in threat detection

Customers: Over 500 enterprise customers across more than 30 countries

Owner: BID Equity (since February 2023)

Platforms: Windows, Linux, macOS

Slogan: “We Detect Hackers”

Image source: Pexels / MART PRODUCTION

About the author: Tobias Massow
A magazine by Evernine Media GmbH