The following video shows a compromise assessment with our free THOR Lite scanner on a Microsoft Exchange 2019 server detecting ProxyShell and ProxyToken exploitation.
We’ve done no post-editing in this video. You can jump to all findings using the video chapters. You’ll see log entries, web shells and a modified IIS server configuration as reported by HuntressLabs in various reports. We added some Synth-wave tracks to create the right atmosphere. Enjoy.
By the way, we compiled a blog article regarding compromise assessments of Exchange servers with THOR Lite to detect ProxyLogon exploitation with some recommendations that still apply. You can find that blog post here.