Re: PrintNightmare, SeriousSAM/HiveNightmare, etc... any help from Cisco Secure Endpoint (AMP4E)?

00urb57x9u0O6CPE25d6 · ‎07-22-2021

I wonder if there is any support from Cisco Secure Endpoint (AMP4E) to counter, at least in some measure, these 'weeknesses'?

How do we know there is some kind of active protection, until Microsoft comes-up with a real correction?

Any alternatives (besides the not very practical - in some cases - solutions, linke 'just disable the print spooler')?

Ken Stieers · ‎07-23-2021

The first thing that came to mind was detections for the various vulnerabilities as Orbital queries...

I haven't been able to get my head around them, but if one of the Cisco guys wants to toss it over to the SecureX Threat Hunting crew so they could add them to the library, that'd be awesome!

Ken Stieers · ‎07-28-2021

So... either someone saw my comment, or had the same thought.

There are articles here for both PrintNightmare and SAMNightmare.

https://community.cisco.com/t5/security-documents/orbital-query-corner-checking-windows-acls-for-cve-2021-36934/ta-p/4437569

brmcmaho · ‎07-28-2021

In addition to the couple of articles on Orbital searches (I just posted a summary of the "orbital query corner" articles to date here

https://community.cisco.com/t5/security-blogs/orbital-query-corner-update/ba-p/4440510), also note that PrintNightmare is covered by the "Possible Print Spooler Exploitation" behavioral indicator, which you can find in the console under Analysis > Indicators.