Hi All,
Updated Coverage information, Refernce: https://community.mcafee.com/t5/Endpoint-Security-ENS/McAfee-coverage-for-July-2021-CVE-2021-36934-q...
McAfee is aware of the "HiveNightmare/SeriousSAM" vulnerability, CVE-2021-36934, and is investigating product countermeasures. This article will be updated as we learn more.
Article Reference here: https://kc.mcafee.com/corporate/index?page=content&id=KB94710
Workaround
Microsoft's Security Response Center recommends restricting access to the contents of %windir%\system32\config\ and deleting any Volume Shadow Copy Service (VSS) shadow copies that were created before restricting access. For more information, see: Microsoft update guide on CVE-2021-36934.
Solution via Expert rule:
| Rule Name |
Block CVE-2021-36934: 'HiveNightmare/SeriousSam' |
| Severity |
High |
| Action |
|
| Rule type |
Files |
| Rule content |
Rule {
Process {
Include AggregateMatch -xtype "ex1" {
Exclude VTP_PRIVILEGES -type BITMASK { -v 0x8 }
}
Include AggregateMatch -xtype "ex2" {
Exclude GROUP_SID { -v "S-1-16-16384" }
Exclude GROUP_SID { -v "S-1-16-12288" }
}
Include AggregateMatch -xtype "ex3" {
Exclude OBJECT_NAME { -v "vssadmin.exe" }
}
}
Target {
Match FILE {
Include OBJECT_NAME { -v "**\\windows\\system32\\config\\SAM" }
Include OBJECT_NAME { -v "**\\windows\\system32\\config\\SYSTEM" }
Include OBJECT_NAME { -v "**\\windows\\system32\\config\\SOFTWARE" }
Include OBJECT_NAME { -v "**\\windows\\system32\\config\\SECURITY" }
Include -access "READ"
}
}
} |
Edit: Edited the rule on 24 July 2021 to match the new rule updated on KBA.
Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!
Thanks and regards,
Adithyan T
