cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
1717
Views
0
Helpful
3
Replies

PrintNightmare, SeriousSAM/HiveNightmare, etc... any help from Cisco Secure Endpoint (AMP4E)?

I wonder if there is any support from Cisco Secure Endpoint (AMP4E) to counter, at least in some measure, these 'weeknesses'?

How do we know there is some kind of active protection, until Microsoft comes-up with a real correction?

Any alternatives (besides the not very practical - in some cases - solutions, linke 'just disable the print spooler')?

3 Replies 3

The first thing that came to mind was detections for the various vulnerabilities as Orbital queries... 

 

I haven't been able to get my head around them, but if one of the Cisco guys wants to toss it over to the SecureX Threat Hunting crew so they could add them to the library, that'd be awesome!

 

So... either someone saw my comment, or had the same thought.

There are articles here for both PrintNightmare and SAMNightmare.

 

https://community.cisco.com/t5/security-documents/orbital-query-corner-checking-windows-acls-for-cve-2021-36934/ta-p/4437569

In addition to the couple of articles on Orbital searches (I just posted a summary of the "orbital query corner" articles to date here 

https://community.cisco.com/t5/security-blogs/orbital-query-corner-update/ba-p/4440510), also note that PrintNightmare is covered by the "Possible Print Spooler Exploitation" behavioral indicator, which you can find in the console under Analysis > Indicators.