07-22-2021 10:20 AM
I wonder if there is any support from Cisco Secure Endpoint (AMP4E) to counter, at least in some measure, these 'weaknesses'?
How do we know there is some kind of active protection, until Microsoft comes up with a real correction?
Any alternatives (besides the not very practical - in some cases - solutions, like 'just disable the print spooler')?
07-23-2021 01:41 PM
The first thing that came to mind was detections for the various vulnerabilities as Orbital queries...
I haven't been able to get my head around them, but if one of the Cisco guys wants to toss it over to the SecureX Threat Hunting crew so they could add them to the library, that'd be awesome!
07-28-2021 12:16 PM
So... either someone saw my comment, or had the same thought.
There are articles here for both PrintNightmare and SAMNightmare.
07-28-2021 12:50 PM
In addition to the couple of articles on Orbital searches (I just posted a summary of the "orbital query corner" articles to date here: https://community.cisco.com/t5/security-blogs/orbital-query-corner-update/ba-p/4440510), also note that PrintNightmare is covered by the "Possible Print Spooler Exploitation" behavioral indicator, which you can find in the console under Analysis > Indicators.
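As an added example of the kind of Orbital hunt the thread is asking for (this is not a query from the Cisco Orbital library or from any post above), the osquery-style SQL below reports, per endpoint, whether the Print Spooler service is still running and which Point and Print policy values are set. It assumes the standard osquery `services` and `registry` tables that Orbital exposes on Windows, and that the hardening values live under the Point and Print policy key documented by Microsoft for the PrintNightmare guidance; hosts where the spooler is running and those values are absent are the ones to prioritise for patching or for disabling the service.

```sql
-- Added example (not from the thread or from Orbital's query library).
-- Assumes osquery's Windows `services` and `registry` tables.
-- One row per (Spooler service, Point and Print policy value); the
-- registry columns come back NULL when no policy value is set, which
-- is the condition a defender wants to flag on a host whose spooler
-- is still running.
SELECT
  s.name          AS service_name,
  s.status        AS service_status,   -- e.g. RUNNING / STOPPED
  s.start_type    AS service_start,    -- e.g. AUTO_START / DISABLED
  s.path          AS service_binary,
  r.name          AS pnp_value,        -- NoWarningNoElevationOnInstall,
                                       -- UpdatePromptSettings,
                                       -- RestrictDriverInstallationToAdministrators
  r.data          AS pnp_data
FROM services AS s
LEFT JOIN registry AS r
  ON r.key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
WHERE s.name = 'Spooler';
```

When run across a fleet, filter the results on `service_status = 'RUNNING'` and a NULL `pnp_value` to get the exposed hosts; a host that returns `RestrictDriverInstallationToAdministrators` = 1 together with the two warning/elevation values = 0 matches the configuration Microsoft recommends alongside the patch, and a host whose spooler is `DISABLED` is the one the original question calls the impractical but effective option.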