How to Use Azure Sentinel to Monitor for CVE-2021-36934

Microsoft has provided guidance for CVE-2021-36934, but if you’d like to use Azure Sentinel to monitor for this vulnerability, detection queries are now also available.

Here are two queries:

//Looks for any access to HKLM that happens via a command or script that is not executed by system.
//The search is bounded to the declared window by filtering on Timestamp (the event time in DeviceProcessEvents).
let startTime = now(-7d);
let endTime = now();
DeviceProcessEvents
| where Timestamp between (startTime .. endTime)
| where ProcessCommandLine contains "HKLM"
| where AccountName != "system"

//This query just looks for usage of "reg" in processes that aren't run by system.
//Note: contains is a case-insensitive substring match, so this also matches command lines
//such as regsvr32 or "registry"; expect some noise and triage by account and command line.
DeviceProcessEvents
| where ProcessCommandLine contains "reg"
| where AccountName != "system"

The most current versions of these queries will be located here: Microsoft-365-Defender-Hunting-Queries/CVE-2021-36934 usage detection.md at master · microsoft/Microsoft-365-Defender-Hunting-Queries (github.com)

To use these in Azure Sentinel, make sure that the Microsoft Defender for Endpoint data connector is connected. That connector is what populates the DeviceProcessEvents table these queries read from.
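The two queries above can be folded into a single hunt that applies the time window and rolls the hits up per device and account, so the noisiest sources surface first. The query below is an added example, not code from this post or from the Microsoft-365-Defender-Hunting-Queries repository. It assumes the Defender for Endpoint DeviceProcessEvents schema (Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine) and keeps the post's 7-day window and "system" exclusion; the reg.exe file-name match, the case-insensitive account comparison and the per-device summary are assumptions of mine, not part of the published queries.

```kql
// Added example: the two post queries combined into one hunt.
// Assumptions: DeviceProcessEvents schema from Defender for Endpoint;
// 7-day window and "system" exclusion taken from the post.
let startTime = ago(7d);
let endTime = now();
DeviceProcessEvents
// Apply the declared window; Timestamp is the event time in this table.
| where Timestamp between (startTime .. endTime)
// Match reg.exe by file name (tighter than a substring match on "reg",
// which would also hit regsvr32 and similar) or any process whose
// command line names the HKLM hive.
| where FileName =~ "reg.exe" or ProcessCommandLine contains "HKLM"
// String == / != are case-sensitive in KQL; =~ / !~ are not, so this
// excludes "system" and "SYSTEM" alike.
| where AccountName !~ "system"
// One row per device and account, with a sample of the command lines seen,
// so an analyst can triage the noisiest sources first.
| summarize Events = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            CommandLines = make_set(ProcessCommandLine, 20)
    by DeviceName, AccountName
| order by Events desc
```

Paste this into the Logs blade of your Sentinel workspace to run it ad hoc, or use it as the rule query of a scheduled analytics rule. If you only want the raw events rather than the summary, drop the summarize and order operators and the preceding filters stand on their own.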
