CVE-2021-36934 PoC — Microsoft Windows 访问控制错误漏洞

Source

Associated Vulnerability

Description

Detection and Mitigation script for CVE-2021-36934 (HiveNightmare aka. SeriousSam)

Readme

��# CVE-2021-36934



## Usage



### Detection



```

.\Get-HiveNightmareStatus.ps1

```



### Detection for management tools that need True/False output

```

.\Get-HiveNightmareStatus.ps1 -PostureCheck

```



### Remediation

```

# For initial SAM fixes and vss removal

.\Get-HiveNightmareStatus.ps1 -Remediate



# Remediate even if the checks say healthy or are partial

.\Get-HiveNightmareStatus.ps1 -Remediate -Force

```



### Exploitability Test

```

.\Get-HiveNightmareStatus.ps1 -Exploit

```



## SentinelOne customers



1. Apply the policy override in `sentinelone-policy-override.txt`

2. Make sure the policy is applied using `(.\sentinelctl.exe config | Select-String -Pattern "vssSnapshots|penetration")`



```powershell

$ (.\sentinelctl.exe config | Select-String -Pattern "vssSnapshots|penetration")



agent.enginesWantedState.penetration                                            off

agent.vssSnapshots                                                              false

```

File Snapshot

 [4.0K]  /data/pocs/f487f1d798bc7fcad7ddb8ec213f08829c819530
├── [1.1K]  CVE-2021-36934-pdq-check.xml
├── [7.2K]  Get-HiveNightmareStatus.ps1
├── [2.0K]  README.md
├── [ 123]  sentinelone-policy-override.txt
└── [ 275]  sign-script.ps1

0 directories, 5 files

Remarks