07-22-2021 10:20 AM
I wonder if there is any support from Cisco Secure Endpoint (AMP4E) to counter, at least in some measure, these 'weaknesses'?
How do we know there is some kind of active protection, until Microsoft comes up with a real correction?
Any alternatives (besides the not very practical - in some cases - solutions, like 'just disable the print spooler')?
07-23-2021 01:41 PM
The first thing that came to mind was detections for the various vulnerabilities as Orbital queries...
I haven't been able to get my head around them, but if one of the Cisco guys wants to toss it over to the SecureX Threat Hunting crew so they could add them to the library, that'd be awesome!
07-28-2021 12:16 PM
So... either someone saw my comment, or had the same thought.
There are articles here for both PrintNightmare and SAMNightmare.
07-28-2021 12:50 PM
In addition to the couple of articles on Orbital searches (I just posted a summary of the "orbital query corner" articles to date here: https://community.cisco.com/t5/security-blogs/orbital-query-corner-update/ba-p/4440510), also note that PrintNightmare is covered by the "Possible Print Spooler Exploitation" behavioral indicator, which you can find in the console under Analysis > Indicators.