cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1122
Views
0
Helpful
3
Replies

PrintNightmare, SeriousSAM/HiveNightmare, etc... any help from Cisco Secure Endpoint (AMP4E)?

I wonder if there is any support from Cisco Secure Endpoint (AMP4E) to counter, at least in some measure, these 'weeknesses'?

How do we know there is some kind of active protection, until Microsoft comes-up with a real correction?

Any alternatives (besides the not very practical - in some cases - solutions, linke 'just disable the print spooler')?

3 Replies 3

Ken Stieers
VIP Advisor VIP Advisor
VIP Advisor

The first thing that came to mind was detections for the various vulnerabilities as Orbital queries... 

 

I haven't been able to get my head around them, but if one of the Cisco guys wants to toss it over to the SecureX Threat Hunting crew so they could add them to the library, that'd be awesome!

 

Ken Stieers
VIP Advisor VIP Advisor
VIP Advisor

So... either someone saw my comment, or had the same thought.

There are articles here for both PrintNightmare and SAMNightmare.

 

https://community.cisco.com/t5/security-documents/orbital-query-corner-checking-windows-acls-for-cve-2021-36934/ta-p/4437569

In addition to the couple of articles on Orbital searches (I just posted a summary of the "orbital query corner" articles to date here 

https://community.cisco.com/t5/security-blogs/orbital-query-corner-update/ba-p/4440510), also note that PrintNightmare is covered by the "Possible Print Spooler Exploitation" behavioral indicator, which you can find in the console under Analysis > Indicators.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers