
Detection and mitigation script for CVE-2021-36934 (HiveNightmare, a.k.a. SeriousSAM)


CVE-2021-36934

Usage

Detection

.\Get-HiveNightmareStatus.ps1

Detection for management tools that need True/False output

.\Get-HiveNightmareStatus.ps1 -PostureCheck

Remediation

# For the initial SAM ACL fix and VSS shadow copy removal
.\Get-HiveNightmareStatus.ps1 -Remediate

# Remediate even if the checks say healthy or are partial
.\Get-HiveNightmareStatus.ps1 -Remediate -Force
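The checks and fixes behind the Detection and Remediation commands above, as an added example. This is not the repository's Get-HiveNightmareStatus.ps1: the function names, the Healthy/Partial/Vulnerable states and the way -PostureCheck and -Remediate are handled are assumptions. It tests the hive ACLs by SID (so it works on localized Windows), counts VSS shadow copies of the system drive (which keep the old ACL even after the live files are fixed), and applies Microsoft's published workaround only when -Remediate is given; -WhatIf is honoured.

```powershell
#Requires -RunAsAdministrator
# Added example, not the repository's Get-HiveNightmareStatus.ps1.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$PostureCheck,   # emit only $true (healthy) / $false (not healthy)
    [switch]$Remediate       # fix the hive ACLs and delete system-drive shadow copies
)

$HiveDir = Join-Path $env:windir 'System32\config'
$Hives   = @('SAM', 'SYSTEM', 'SECURITY')
# SIDs of principals that must never be able to read the live hives:
# Users, Authenticated Users, Everyone (compared by SID, not localized name).
$NonPrivilegedSids = @('S-1-5-32-545', 'S-1-5-11', 'S-1-1-0')

function Test-HiveReadableByUsers {
    # $true if a non-privileged principal holds an Allow ACE that includes
    # ReadData (bit 1 of FileSystemRights) on the hive file: the root cause.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $hasRead = (([int]$ace.FileSystemRights -band 1) -ne 0)
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($hasRead -and ($sid -in $NonPrivilegedSids)) { return $true }
    }
    return $false
}

function Get-SystemDriveShadowCopies {
    # Shadow copies taken while the ACL was wrong still expose the hives,
    # so they count against the posture even after the live ACL is fixed.
    $sysVol = Get-CimInstance Win32_Volume -Filter "DriveLetter = '$env:SystemDrive'"
    Get-CimInstance Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $sysVol.DeviceID }
}

function Get-HiveNightmareStatus {
    $readable = @($Hives | Where-Object { Test-HiveReadableByUsers -Path (Join-Path $HiveDir $_) })
    $shadows  = @(Get-SystemDriveShadowCopies)
    # Healthy: ACLs correct and no shadow copies. Partial: one of the two is
    # still outstanding. Vulnerable: hives readable and a shadow copy exists.
    $state = if ($readable.Count -eq 0 -and $shadows.Count -eq 0) { 'Healthy' }
             elseif ($readable.Count -eq 0 -or $shadows.Count -eq 0) { 'Partial' }
             else { 'Vulnerable' }
    [pscustomobject]@{
        State                = $state
        HivesReadableByUsers = $readable
        ShadowCopyCount      = $shadows.Count
        ShadowCopyIds        = @($shadows | ForEach-Object { $_.ID })
    }
}

function Invoke-HiveNightmareRemediation {
    # Microsoft's workaround: re-enable ACL inheritance on the config directory
    # contents (drops the stray Users read entry), then delete the shadow copies
    # that still contain the exposed hives. Deleting shadow copies also removes
    # restore points, which is why this is opt-in and supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess("$HiveDir\*.*", 'icacls /inheritance:e')) {
        & icacls.exe "$HiveDir\*.*" /inheritance:e | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($env:SystemDrive, 'vssadmin delete shadows /all')) {
        & vssadmin.exe delete shadows "/for=$env:SystemDrive" /all /quiet | Out-Null
    }
}

$status = Get-HiveNightmareStatus
if ($Remediate -and $status.State -ne 'Healthy') {
    Invoke-HiveNightmareRemediation
    $status = Get-HiveNightmareStatus   # re-check so the output reflects the fix
}
if ($PostureCheck) { $status.State -eq 'Healthy' } else { $status }
```

Run it from an elevated prompt; without switches it prints the status object, with -PostureCheck it prints only True or False for management tooling, and `-Remediate -WhatIf` shows which icacls and vssadmin actions would run without executing them.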

Exploitability Test

.\Get-HiveNightmareStatus.ps1 -Exploit

SentinelOne customers

  1. Apply the policy override in sentinelone-policy-override.txt
  2. Verify that the policy is applied; both settings should read as shown below
$ (.\sentinelctl.exe config | Select-String -Pattern "vssSnapshots|penetration")

agent.enginesWantedState.penetration                                            off
agent.vssSnapshots                                                              false