So, if an Exchange server gets hacked by Hafnium, what is the remediation process other than patching the server.
A/V software scanning has not found anything
Test-ProxyLogon.ps1 from github suggests suspicious activity in ECP and autodiscover areas
Restore from known good backup.
I am just posting to follow up, Make changes to how users access OWA this will happen again. O365 was not affected. The reason it was really bad this time was due to the fact unknown Zero-days and web shells were dropped on the actual server for persistence. So unless you were logging powershell transcripts to a SIEM most vendors or EDR solutions would have just seen weird not at all normal activity. See links below to scope your environment for activity.