Silent Scanning – Compromise Assessment with THOR Lite on a Compromised Exchange 2019 Server

The following video shows a compromise assessment with our free THOR Lite scanner on a Microsoft Exchange 2019 server detecting ProxyShell and ProxyToken exploitation.

We’ve done no post-editing in this video. You can jump to all findings using the video chapters. You’ll see log entries, web shells and a modified IIS server configuration as reported by HuntressLabs in various reports. We added some Synth-wave tracks to create the right atmosphere. Enjoy.

By the way, we compiled a blog article regarding compromise assessments of Exchange servers with THOR Lite to detect ProxyLogon exploitation, with some recommendations that still apply. You can find that blog post here.

Update Service Maintenance

Today, on the 26th of August, we are upgrading our update service infrastructure to a completely new service.

What stays the same:

  • Server names and IPs
  • SSL/TLS Certificates

What gets changed:

  • We replace the service that handles requests and serves the update packages

Affected services:

  • THOR and THOR Lite updates via THOR Util
  • THOR and THOR Lite updates via ASGARD
  • THOR Cloud Packaging

If you encounter any issues or errors, please let us know.

Antivirus Event Analysis Cheat Sheet v1.8.2

The analysis of Antivirus events can be a tedious task in big organizations with hundreds of events per day. Usually security teams fall back to a mode of operation in which they only analyze events in which a cleanup process has failed or something went wrong. 

This is definitely the wrong approach for a security team. You should instead focus on highly relevant events. 

This cheat sheet helps you select these highly relevant Antivirus alerts.  

Download the Antivirus Event Analysis Cheat Sheet version 1.8.2 here.

Visit the New Online Manuals

We’ve converted all our PDF-based user manuals into shiny new online versions.

The new online versions are hosted on Github and converted into web pages with the help of ReadTheDocs. 

This way we can update them with new information much faster than before and allow anyone to share and access them. 


We’ve added links to the user manuals to every product page and the footer of this website. The links in the customer portal have also been updated.

You can find the new manuals here:

We’ll replace the PDF manuals in the installation packages as soon as possible. Please let us know if you can still find outdated manuals anywhere in new update or download packages.

Use YARA math Module Extension in THOR TechPreview and THOR Lite

Not long ago, we created a pull request for the official YARA repository on Github that introduces new functions in the `math` module to improve flexibility in cases where a sample is heavily scrambled or obfuscated. These cases require further statistical evaluations that go beyond the currently available “entropy”, “mean” or “deviation” functions.

The example on the right shows a heavily obfuscated PHP web shell, as used by a Chinese actor. 

You immediately notice the high number of “%” characters, but since each of them is preceded and followed by different characters, it’s difficult to find atoms that are long enough to maintain acceptable performance and stability for such a rule.


If you could, you would formulate a rule like this: “Detect files smaller than 400 bytes that begin with ‘<?’ and consist of at least 25 percent ‘%’ characters”.

Well, the new module extension allows you to do exactly that.

Read the documentation provided with the pull request for details on all three new functions:

  • count(byte/string, offset, size)
  • percentage(byte, offset, size)
  • mode(offset, size)

While the first two functions are self-explanatory, the “mode” function isn’t. It is a term used in statistics for the most common value.

For your convenience, we’ve already patched our versions of THOR TechPreview and THOR Lite to support these extensions of the “math” module. You need at least v10.6.6 to use the new function in your rules. 
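As an added example (not part of this post and not the YARA project's own code), the following Python script is a reference model of the three statistics the extension introduces, each evaluated over an offset/size window as the YARA functions are, and then used to implement exactly the rule described above. Assumptions made here: `percentage()` returns a ratio between 0 and 1, `mode()` breaks ties in favour of the lowest byte value, and the helper names (`_window`, `looks_like_percent_obfuscated_php`) and the two constructed samples are ours, not the post's.

```python
"""Reference model of math.count / math.percentage / math.mode
(added example, not YARA's implementation).

The rule the post sketches would read, in YARA 4.2+ syntax, roughly:

    import "math"
    rule php_percent_obfuscated {
        condition:
            filesize < 400 and uint16(0) == 0x3f3c   // "<?" read little-endian
            and math.percentage(0x25, 0, filesize) >= 0.25
    }

Assumptions: percentage() yields a ratio in [0, 1]; mode() resolves ties
toward the lowest byte value.
"""
from collections import Counter
from typing import Optional


def _window(data: bytes, offset: int, size: Optional[int]) -> bytes:
    """Slice data[offset : offset+size]; size=None means 'to end of file'."""
    if offset < 0:
        raise ValueError("offset must be non-negative")
    end = None if size is None else offset + size
    return data[offset:end]


def count(data: bytes, byte: int, offset: int = 0, size: Optional[int] = None) -> int:
    """Number of occurrences of `byte` (0-255) in the window."""
    return _window(data, offset, size).count(bytes([byte]))


def percentage(data: bytes, byte: int, offset: int = 0, size: Optional[int] = None) -> float:
    """Share of the window made up of `byte`, as a ratio in [0, 1]; 0.0 for an empty window."""
    window = _window(data, offset, size)
    if not window:
        return 0.0
    return window.count(bytes([byte])) / len(window)


def mode(data: bytes, offset: int = 0, size: Optional[int] = None) -> int:
    """Most common byte value in the window (ties -> lowest byte value, an assumption)."""
    window = _window(data, offset, size)
    if not window:
        raise ValueError("mode() of an empty window is undefined")
    counts = Counter(window)
    return max(counts, key=lambda b: (counts[b], -b))


def looks_like_percent_obfuscated_php(data: bytes) -> bool:
    """The rule from the post: < 400 bytes, starts with '<?', >= 25 % '%' bytes."""
    return (
        len(data) < 400
        and data.startswith(b"<?")
        and percentage(data, ord("%"), 0, len(data)) >= 0.25
    )


# Constructed samples (not real web shells): a harmless URL-encoded echo that
# has the statistical profile the post describes, and a plain counterpart.
SAMPLE_OBFUSCATED = (
    b"<?echo urldecode('%68%65%6c%6c%6f%2c%20%79%61%72%61%21"
    b"%20%68%65%6c%6c%6f%2c%20%79%61%72%61%21');"
)
SAMPLE_PLAIN = b"<?php echo 'hello, yara!';"


if __name__ == "__main__":
    for name, sample in (("obfuscated", SAMPLE_OBFUSCATED), ("plain", SAMPLE_PLAIN)):
        print(f"{name:10s} len={len(sample):3d} "
              f"pct('%')={percentage(sample, 0x25):.3f} "
              f"mode=0x{mode(sample):02x} "
              f"match={looks_like_percent_obfuscated_php(sample)}")
```

Running the script shows why the statistical approach works where atoms do not: the obfuscated sample has no repeated substring longer than three bytes, yet 25 of its 96 bytes are `%`, so the ratio (about 0.26) clears the 25 percent threshold and `%` is also the mode of the file, while the plain sample has a ratio of 0 and is not matched.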

We wish you good hunting. 
