11. VulnerabilityCheck

The VulnerabilityCheck module is limited to a few vulnerabilities that are known to be exploited by various threat groups. The checks focus on vulnerabilities that are used for lateral movement, or on weaknesses that allow an attacker to achieve persistence easily without planting any software as a backdoor. Note: Other vulnerabilities are covered by YARA rules and reported in other modules; the YARA rules that detect vulnerabilities have names starting with VUL_.

11.1. Samples

Aug 29 10:06:58 server44.local.net/10.23.3.1
THOR: Warning: MODULE: VulnerabilityCheck
MESSAGE: Tomcat credential weakness
REASON: Password equals the user name
USER: tomcat
FILE: F:\\apache\\tomcat\\conf\\tomcat-users.xml
SCORE: 75

11.2. Typical False Positives

  • Weaknesses in inactive tomcat-users.xml files, e.g. copies in backup locations or Tomcat instances that are only reachable on localhost

11.3. Attribute Evaluation

| Attribute | Question | Answer | Indication | Weight |
|---|---|---|---|---|
| REASON | Password equals the user name | Yes | Bad | Medium |
| REASON | Password is a default password | Yes | Bad | Medium |
| FILE | Tomcat Vulnerability: Does the folder look like a backup location or an inactive location, not used by a running Tomcat process? (e.g. H:\Backup\test_23\conf\tomcat-users.xml) Background: The vulnerability is only relevant if the file is used by an active Tomcat process. Local development installations or backups of a default config are not relevant. | Yes | Good | High |
| MESSAGE | Does the message state that the Domain Controller is running since before 11/17/2014? | Yes | Bad | High |
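As an added illustration (hypothetical helper code, not THOR's own implementation), the following Python check reproduces the two REASON conditions from the table over a constructed tomcat-users.xml and applies the FILE heuristic for backup or inactive copies; the default-password list and the path patterns are assumptions made for the example.

```python
"""Weak-credential check for tomcat-users.xml, modelled on the
VulnerabilityCheck reasons above. Hypothetical example, not THOR code."""
import re
import xml.etree.ElementTree as ET

# Constructed default-credential list for illustration; THOR's own list is not on the page.
DEFAULT_PASSWORDS = {"tomcat", "s3cret", "admin", "password", "manager"}
# Assumed path fragments that hint at a backup or inactive copy (FILE attribute).
INACTIVE_HINTS = re.compile(r"(backup|\.bak\b|_old\b|test_\d+)", re.IGNORECASE)

# Constructed sample file: one user reuses the name, one uses a default, one is fine.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="deploy" password="s3cret" roles="manager-script"/>
  <user username="ops" password="Vx9!kq2#mL" roles="manager-gui"/>
</tomcat-users>"""


def looks_inactive(path):
    """True if the path looks like a backup/test copy not used by a running Tomcat."""
    return bool(INACTIVE_HINTS.search(path))


def check_tomcat_users(xml_text, path):
    """Return a list of (username, reason, score, likely_false_positive) findings.

    Score 75 mirrors the sample warning above; the last field marks findings
    from inactive-looking locations so an analyst can triage them first.
    """
    findings = []
    inactive = looks_inactive(path)
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        # Tomcat 8+ files carry a namespace, so match on the local tag name only.
        if elem.tag.split("}")[-1] != "user":
            continue
        # Tomcat accepts both "username" and "name" for the user element.
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password") or ""
        if password and password == name:
            findings.append((name, "Password equals the user name", 75, inactive))
        elif password in DEFAULT_PASSWORDS:
            findings.append((name, "Password is a default password", 75, inactive))
    return findings
```

Digest-hashed passwords (Tomcat's CredentialHandler output) never equal the plain user name, so this check only catches clear-text entries, which is the case the module's sample reports.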