This repository has been archived by the owner on Nov 16, 2023. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #387 from YulelogPagoda/patch-3
Create CVE-2021-36934 usage detection.md
- Loading branch information
Showing
1 changed file
with
53 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
# CVE-2021-36934 usage detection | ||
|
||
Assuming that you have a machine that is properly BitLocker'ed, then | ||
the machine will need to be running to extract the SAM and SYSTEM | ||
files. | ||
|
||
This first query looks for any access to the HKLM that happens via a command | ||
or script that is not executed by system. | ||
|
||
The second query looks for usage of reg or regedit by anyone who is not system. | ||
|
||
## Query | ||
``` | ||
let startTime = now(-7d); | ||
let endTime = now(); | ||
DeviceProcessEvents | ||
| where ProcessCommandLine contains "HKLM" | ||
| where AccountName != "system" | ||
#This query just looks for usage of "reg" in processes that aren't ran by system. | ||
DeviceProcessEvents | ||
| where ProcessCommandLine contains "reg" | ||
| where AccountName != "system" | ||
``` | ||
## Category | ||
This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. | ||
| Technique, tactic, or state | Covered? (v=yes) | Notes | | ||
|------------------------|----------|-------| | ||
| Initial access | | | | ||
| Execution | | | | ||
| Persistence | | | | ||
| Privilege escalation | y | | | ||
| Privilege escalation | v | | | ||
| Defense evasion | | | | ||
| Credential Access | | | | ||
| Discovery | | | | ||
| Lateral movement | | | | ||
| Lateral movement | | | | ||
| Collection | | | | ||
| Command and control | | | | ||
| Exfiltration | | | | ||
| Impact | | | | ||
| Vulnerability | | | | ||
| Exploit | y | | | ||
| Exploit | v | | | ||
| Misconfiguration | | | | ||
| Malware, component | | | | ||
| Ransomware | | | | ||
## Contributor info | ||
**Contributor:** Carl Peter McCollough | ||
**GitHub alias:** YulelogPagoda | ||
**Contact info:** https://www.linkedin.com/in/petemccollough/ |