Microsoft has provided guidance for CVE-2021-36934, but if you’d like to use Azure Sentinel to monitor for this vulnerability detection queries are now also available.
Here’s two queries:
//Looks for any access to the HKLM that happens via a command or script that is not executed by system
let startTime = now(-7d);
let endTime = now();
DeviceProcessEvents
| where ProcessCommandLine contains "HKLM"
| where AccountName != "system"
//This query just looks for usage of "reg" in processes that aren't run by system.
DeviceProcessEvents
| where ProcessCommandLine contains "reg"
| where AccountName != "system"The most current versions of these queries will be located here: Microsoft-365-Defender-Hunting-Queries/CVE-2021-36934 usage detection.md at master ยท microsoft/Microsoft-365-Defender-Hunting-Queries (github.com)
To use these in Azure Sentinel, make sure that you have Microsoft Defender for Endpoint connected. This connection enables the DeviceProcessEvents table.
=========================
[Want to discuss this further? Hit me up on Twitter or LinkedIn]
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Azure Sentinel Newsletter]
You must log in to post a comment.