Microsoft has provided guidance for CVE-2021-36934, but if you’d like to use Azure Sentinel to monitor for exploitation of this vulnerability, detection queries are now also available.
Here are two queries:
//Looks for any access to the HKLM that happens via a command or script that is not executed by system
let startTime = now(-7d);
let endTime = now();
DeviceProcessEvents
| where ProcessCommandLine contains "HKLM"
| where AccountName != "system"

//This query just looks for usage of "reg" in processes that aren't run by system.
DeviceProcessEvents
| where ProcessCommandLine contains "reg"
| where AccountName != "system"
The most current versions of these queries will be located here: Microsoft-365-Defender-Hunting-Queries/CVE-2021-36934 usage detection.md at master · microsoft/Microsoft-365-Defender-Hunting-Queries (github.com)
To use these in Azure Sentinel, make sure that you have Microsoft Defender for Endpoint connected. This connection enables the DeviceProcessEvents table.
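Before deploying hunting queries like these, it helps to check exactly what they will and will not match. The Python below is an added example, not code from the post or from Microsoft: it re-runs the two queries over a constructed set of DeviceProcessEvents rows while emulating KQL string semantics (`contains` is case-insensitive, `!=` is case-sensitive, so an AccountName of "SYSTEM" would not be excluded by `!= "system"`). It also applies the 7-day window that the first query declares with startTime/endTime but never uses; that restriction, the sample rows, and the function names are assumptions of this example. Running it shows why the second query in particular is noisy: anything with "reg" in the command line, such as regsvr32.exe, is a hit.

```python
"""Added example (not the post's or Microsoft's code): re-run the two hunting
queries from the post over constructed DeviceProcessEvents rows, with KQL
string semantics emulated, so the match set can be checked offline."""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the 7-day window in the queries is reproducible.
NOW = datetime(2021, 7, 22, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows; only the columns the queries use are included.
SAMPLE_EVENTS = [
    {"Timestamp": NOW - timedelta(hours=1), "AccountName": "alice",
     "ProcessCommandLine": r'reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"'},
    {"Timestamp": NOW - timedelta(hours=2), "AccountName": "system",
     "ProcessCommandLine": r'reg.exe add HKLM\SOFTWARE\Policies\Contoso /v Enabled /t REG_DWORD /d 1'},
    {"Timestamp": NOW - timedelta(hours=3), "AccountName": "bob",
     "ProcessCommandLine": r'regsvr32.exe /s C:\Program Files\Contoso\helper.dll'},
    {"Timestamp": NOW - timedelta(hours=4), "AccountName": "carol",
     "ProcessCommandLine": r'powershell.exe -NoProfile -Command Get-ItemProperty hklm:\software\microsoft\windows'},
    {"Timestamp": NOW - timedelta(hours=5), "AccountName": "SYSTEM",
     "ProcessCommandLine": r'reg.exe query HKLM\SYSTEM\CurrentControlSet\Services'},
    {"Timestamp": NOW - timedelta(days=10), "AccountName": "alice",
     "ProcessCommandLine": r'reg.exe query HKLM\SOFTWARE\Contoso'},
]


def kql_contains(haystack, needle):
    """KQL `contains` is case-insensitive (`contains_cs` is the case-sensitive form)."""
    return needle.lower() in haystack.lower()


def kql_not_equal(left, right):
    """KQL `!=` on strings is case-sensitive (`!~` is the case-insensitive form)."""
    return left != right


def run_query(events, needle, now=NOW, window_days=7):
    """Emulates: DeviceProcessEvents | where ProcessCommandLine contains <needle>
    | where AccountName != "system", restricted to the startTime..endTime window
    the post's first query declares. Applying that window is an assumption of
    this example: the original declares startTime/endTime but does not use them."""
    start_time = now - timedelta(days=window_days)
    return [
        e for e in events
        if start_time <= e["Timestamp"] <= now
        and kql_contains(e["ProcessCommandLine"], needle)
        and kql_not_equal(e["AccountName"], "system")
    ]


def hklm_access_by_non_system(events=SAMPLE_EVENTS):
    """First query from the post: "HKLM" in the command line, not run as system."""
    return run_query(events, "HKLM")


def reg_usage_by_non_system(events=SAMPLE_EVENTS):
    """Second query from the post: any "reg" substring, not run as system."""
    return run_query(events, "reg")


if __name__ == "__main__":
    for name, hits in (("HKLM query", hklm_access_by_non_system()),
                       ("reg query", reg_usage_by_non_system())):
        print(f"{name}: {len(hits)} hit(s)")
        for e in hits:
            print(f"  {e['AccountName']:<8} {e['ProcessCommandLine']}")
```

Against these rows the HKLM query returns alice, carol and the upper-case "SYSTEM" account, while the reg query returns alice, bob (regsvr32.exe) and "SYSTEM"; the system-run row is dropped by both and the 10-day-old row is dropped by the window. If your tenant reports the local system account with different casing, use `!~` instead of `!=` in the real query.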