{"id":10402,"date":"2021-09-01T09:02:16","date_gmt":"2021-09-01T07:02:16","guid":{"rendered":"https:\/\/www.nextron-systems.com\/?p=10402"},"modified":"2022-03-25T14:15:39","modified_gmt":"2022-03-25T13:15:39","slug":"silent-scanning-compromise-assessment-with-thor-lite-on-a-compromised-exchange-2019-server","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2021\/09\/01\/silent-scanning-compromise-assessment-with-thor-lite-on-a-compromised-exchange-2019-server\/","title":{"rendered":"Silent Scanning &#8211; Compromise Assessment with THOR Lite on a Compromised Exchange 2019 Server"},"content":{"rendered":"<p>[et_pb_section fb_built=&#8221;1&#8243; _builder_version=&#8221;4.10.5&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;][et_pb_row _builder_version=&#8221;4.10.5&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;][et_pb_column type=&#8221;4_4&#8243; _builder_version=&#8221;4.10.5&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;][et_pb_text _builder_version=&#8221;4.10.5&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;]<\/p>\n<p>The following video shows a compromise assessment with our <a href=\"https:\/\/www.nextron-systems.com\/thor-lite\/\">free THOR Lite<\/a> scanner on a Microsoft Exchange 2019 server detecting ProxyShell and ProxyToken exploitation.<\/p>\n<p>We&#8217;ve done no post-editing in this video. You can jump to all findings using the video chapters. You&#8217;ll see log entries, web shells and a modified IIS server configuration as <a href=\"https:\/\/www.huntress.com\/blog\/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit\">reported<\/a> by HuntressLabs in various reports. We added some Synth-wave tracks to create the right atmosphere. Enjoy.<\/p>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=&#8221;4.10.5&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;][et_pb_column type=&#8221;4_4&#8243; _builder_version=&#8221;4.10.5&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;][et_pb_video src=&#8221;https:\/\/youtu.be\/kfeYFE9kD98&#8243; _builder_version=&#8221;4.10.5&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;][\/et_pb_video][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=&#8221;4.10.5&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;][et_pb_column type=&#8221;4_4&#8243; _builder_version=&#8221;4.10.5&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;][et_pb_text _builder_version=&#8221;4.10.5&#8243; _module_preset=&#8221;default&#8221; global_colors_info=&#8221;{}&#8221;]<\/p>\n<p>By the way, we compiled a blog article regarding compromise assessments of Exchange servers with THOR Lite to detect ProxyLogon exploitation with some recommendations that still apply. You can find that blog post <a href=\"https:\/\/www.nextron-systems.com\/2021\/03\/06\/scan-for-hafnium-exploitation-evidence-with-thor-lite\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.\u00a0<\/p>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The following video shows a compromise assessment with our free THOR Lite scanner on a Microsoft Exchange 2019 server detecting ProxyShell and ProxyToken exploitation. We&#8217;ve done no post-editing in this video. You can jump to all findings using the video chapters. You&#8217;ll see log entries, web shells and a modified IIS server configuration as reported by HuntressLabs in various reports. We added some Synth-wave tracks to create the right atmosphere. Enjoy.By the way, we compiled a blog article regarding compromise assessments of Exchange servers with THOR Lite to detect ProxyLogon exploitation with some recommendations that still apply. You can find that blog post here.\u00a0<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"video","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[46,32,248,272],"tags":[69,603,638,608,636,637,117,7,5,137],"class_list":["post-10402","post","type-post","status-publish","format-video","hentry","category-newsletter","category-thor","category-thor-lite","category-video","tag-compromise-assessment","tag-exchange","tag-exploitation","tag-proxylogon","tag-proxyshell","tag-proxytoken","tag-scan","tag-scanner","tag-thor","tag-tool","post_format-post-format-video"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Silent Scanning - Compromise Assessment with THOR Lite on a Compromised Exchange 2019 Server - Nextron Systems<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2021\/09\/01\/silent-scanning-compromise-assessment-with-thor-lite-on-a-compromised-exchange-2019-server\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2021\/09\/01\/silent-scanning-compromise-assessment-with-thor-lite-on-a-compromised-exchange-2019-server\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2021\/09\/01\/silent-scanning-compromise-assessment-with-thor-lite-on-a-compromised-exchange-2019-server\/\"},\"author\":{\"name\":\"Florian Roth\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\"},\"headline\":\"Silent Scanning &#8211; Compromise Assessment with THOR Lite on a Compromised Exchange 2019 Server\",\"datePublished\":\"2021-09-01T07:02:16+00:00\",\"dateModified\":\"2022-03-25T13:15:39+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2021\/09\/01\/silent-scanning-compromise-assessment-with-thor-lite-on-a-compromised-exchange-2019-server\/\"},\"wordCount\":270,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"keywords\":[\"compromise assessment\",\"Exchange\",\"exploitation\",\"ProxyLogon\",\"proxyshell\",\"proxytoken\",\"scan\",\"scanner\",\"thor\",\"tool\"],\"articleSection\":[\"Newsletter\",\"THOR\",\"THOR Lite\",\"Video\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2021\/09\/01\/silent-scanning-compromise-assessment-with-thor-lite-on-a-compromised-exchange-2019-server\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2021\/09\/01\/silent-scanning-compromise-assessment-with-thor-lite-on-a-compromised-exchange-2019-server\/\",\"name\":\"Silent Scanning - Compromise Assessment with THOR Lite on a Compromised Exchange 2019 Server - Nextron Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"datePublished\":\"2021-09-01T07:02:16+00:00\",\"dateModified\":\"2022-03-25T13:15:39+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2021\/09\/01\/silent-scanning-compromise-assessment-with-thor-lite-on-a-compromised-exchange-2019-server\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\",\"name\":\"Florian Roth\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"caption\":\"Florian Roth\"},\"description\":\"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.\",\"url\":\"https:\/\/www.nextron-systems.com\/author\/florian\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Silent Scanning - Compromise Assessment with THOR Lite on a Compromised Exchange 2019 Server - Nextron Systems","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.nextron-systems.com\/2021\/09\/01\/silent-scanning-compromise-assessment-with-thor-lite-on-a-compromised-exchange-2019-server\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.nextron-systems.com\/2021\/09\/01\/silent-scanning-compromise-assessment-with-thor-lite-on-a-compromised-exchange-2019-server\/#article","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/2021\/09\/01\/silent-scanning-compromise-assessment-with-thor-lite-on-a-compromised-exchange-2019-server\/"},"author":{"name":"Florian Roth","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919"},"headline":"Silent Scanning &#8211; Compromise Assessment with THOR Lite on a Compromised Exchange 2019 Server","datePublished":"2021-09-01T07:02:16+00:00","dateModified":"2022-03-25T13:15:39+00:00","mainEntityOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2021\/09\/01\/silent-scanning-compromise-assessment-with-thor-lite-on-a-compromised-exchange-2019-server\/"},"wordCount":270,"publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"keywords":["compromise assessment","Exchange","exploitation","ProxyLogon","proxyshell","proxytoken","scan","scanner","thor","tool"],"articleSection":["Newsletter","THOR","THOR Lite","Video"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.nextron-systems.com\/2021\/09\/01\/silent-scanning-compromise-assessment-with-thor-lite-on-a-compromised-exchange-2019-server\/","url":"https:\/\/www.nextron-systems.com\/2021\/09\/01\/silent-scanning-compromise-assessment-with-thor-lite-on-a-compromised-exchange-2019-server\/","name":"Silent Scanning - Compromise Assessment with THOR Lite on a Compromised Exchange 2019 Server - Nextron Systems","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/#website"},"datePublished":"2021-09-01T07:02:16+00:00","dateModified":"2022-03-25T13:15:39+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.nextron-systems.com\/2021\/09\/01\/silent-scanning-compromise-assessment-with-thor-lite-on-a-compromised-exchange-2019-server\/"]}]},{"@type":"WebSite","@id":"https:\/\/www.nextron-systems.com\/#website","url":"https:\/\/www.nextron-systems.com\/","name":"Nextron Systems","description":"We Detect Hackers","publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.nextron-systems.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.nextron-systems.com\/#organization","name":"Nextron Systems GmbH","url":"https:\/\/www.nextron-systems.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","width":260,"height":260,"caption":"Nextron Systems GmbH"},"image":{"@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919","name":"Florian Roth","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","caption":"Florian Roth"},"description":"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.","url":"https:\/\/www.nextron-systems.com\/author\/florian\/"}]}},"_links":{"self":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/10402","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/comments?post=10402"}],"version-history":[{"count":6,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/10402\/revisions"}],"predecessor-version":[{"id":10411,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/10402\/revisions\/10411"}],"wp:attachment":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media?parent=10402"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/categories?post=10402"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/tags?post=10402"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}