11. VulnerabilityCheck

The VulnerabilityCheck module is limited to a few vulnerabilities that are known to be exploited by various threat groups. The vulnerability checks focus on vulnerabilities that are used for lateral movement or weaknesses that allow an attacker to easily achieve persistence without using any kind of software as a backdoor.

Note: There are vulnerabilities covered by YARA rules and reported in other modules. The YARA rules that detect vulnerabilities start with VUL_.
11.1. Samples

Aug 29 10:06:58 server44.local.net/10.23.3.1
THOR: Warning: MODULE: VulnerabilityCheck
MESSAGE: Tomcat credential weakness
REASON: Password equals the user name
USER: tomcat
FILE: F:\\apache\\tomcat\\conf\\tomcat-users.xml
SCORE: 75
11.2. Typical False Positives

Weaknesses in inactive tomcat-users.xml files, e.g. in backup locations or Tomcat instances that are only accessible on localhost.
11.3. Attribute Evaluation

Attribute | Question | Answer | Indication | Weight
---|---|---|---|---
REASON | Password equals the user name | Yes | Bad | Medium
REASON | Password is a default password | Yes | Bad | Medium
FILE | Tomcat Vulnerability: Does the folder look like a backup location or an inactive location, not used by a running tomcat process? (e.g. | Yes | Good | High
MESSAGE | Does the message state | Yes | Bad | High
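The following is an added example, not THOR's own code, that reproduces the two Tomcat credential checks described above (password equals user name, password is a default password) on a tomcat-users.xml document and applies the backup-location heuristic from the false-positive evaluation. The default-password list and the path hints are assumptions chosen for illustration, and the XML input is constructed.

```python
import xml.etree.ElementTree as ET

# Assumed list of well-known example/default Tomcat passwords; THOR's own
# list is not published on this page, so treat this as a starting baseline.
DEFAULT_PASSWORDS = {"tomcat", "s3cret", "admin", "password", "manager"}

# Path fragments suggesting a backup or inactive copy of the config (assumed heuristic).
INACTIVE_HINTS = ("backup", "bak", "old", "archive", "copy")


def looks_inactive(path: str) -> bool:
    """Heuristic for the false-positive case: config copies in backup/archive folders."""
    parts = [p.lower() for p in path.replace("\\", "/").split("/") if p]
    return any(hint in part for part in parts for hint in INACTIVE_HINTS)


def check_tomcat_users(xml_text: str, path: str = "") -> list[dict]:
    """Return one finding per weak <user> entry, mirroring the REASON strings above."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter():
        # tomcat-users.xml may carry the http://tomcat.apache.org/xml namespace,
        # so compare the local tag name instead of a fixed string.
        if node.tag.split("}")[-1] != "user":
            continue
        name = node.get("username") or node.get("name") or ""
        password = node.get("password") or ""
        reason = None
        if password and password.lower() == name.lower():
            reason = "Password equals the user name"
        elif password.lower() in DEFAULT_PASSWORDS:
            reason = "Password is a default password"
        if reason:
            findings.append({"user": name, "reason": reason, "file": path,
                             "likely_inactive": looks_inactive(path)})
    return findings


# Constructed sample resembling a stock tomcat-users.xml with two weak entries.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="ops" password="s3cret" roles="manager-gui"/>
  <user username="deploy" password="Xk9!vq2#Lm" roles="manager-script"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for finding in check_tomcat_users(SAMPLE, r"F:\apache\tomcat\conf\tomcat-users.xml"):
        print(finding)
```

Findings whose `likely_inactive` flag is set correspond to the "Good" indication in the FILE row and are candidates for lower priority rather than suppression.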