Detection and Mitigation script for CVE-2021-36934 (HiveNightmare, a.k.a. SeriousSAM)
Usage
Detection
.\Get-HiveNightmareStatus.ps1
Detection for management tools that need a plain True/False result (True = healthy, False = exposed)
.\Get-HiveNightmareStatus.ps1 -PostureCheck
Remediation
# Fix the SAM/hive ACLs and remove existing VSS shadow copies
.\Get-HiveNightmareStatus.ps1 -Remediate
# Remediate even if the checks report healthy or only a partial exposure
.\Get-HiveNightmareStatus.ps1 -Remediate -Force
Exploitability Test
.\Get-HiveNightmareStatus.ps1 -Exploit
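The three modes above (detection, True/False posture check, remediation, plus the opt-in exploitability test) map onto a small number of concrete checks: is BUILTIN\Users granted read access on the hive files under %windir%\System32\config, do VSS shadow copies exist that preserve those permissions, and can a low-privileged process actually open SAM through a shadow copy device path. The script below is an added example written for this README, not the repository's Get-HiveNightmareStatus.ps1; it assumes an elevated session for shadow-copy enumeration and remediation, uses Microsoft's published workaround (icacls /inheritance:e, then deleting shadow copies), and the 1..15 device-number probe in the exploit test is a convention borrowed from public PoCs, not a guarantee.

```powershell
# Added example for the HiveNightmare README; not the project's own script.
# Assumptions: run elevated for shadow-copy enumeration and -Remediate;
# -Exploit works as a standard user and deletes the temporary copy it makes.
[CmdletBinding()]
param(
    [switch]$PostureCheck,   # emit only $true (healthy) / $false (exposed)
    [switch]$Remediate,
    [switch]$Force,          # remediate even when the checks look healthy
    [switch]$Exploit         # actually try to read SAM through a shadow copy
)

$configDir = Join-Path $env:SystemRoot 'System32\config'
$hives     = 'SAM', 'SECURITY', 'SYSTEM'
$usersSid  = 'S-1-5-32-545'   # BUILTIN\Users, compared by SID so localized names still match

# Precondition 1: the flawed ACL. Returns the hive names BUILTIN\Users may read.
function Test-HiveAclExposed {
    $exposed = @()
    foreach ($h in $hives) {
        $acl = Get-Acl -Path (Join-Path $configDir $h)
        foreach ($rule in $acl.Access) {
            $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            $canRead = ([int]$rule.FileSystemRights -band [int][System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
            if ($rule.AccessControlType -eq 'Allow' -and $sid -eq $usersSid -and $canRead) {
                $exposed += $h
                break
            }
        }
    }
    return ,$exposed
}

# Precondition 2: shadow copies that froze the bad ACL. -1 means "unknown" (not elevated).
function Get-ShadowCopyCount {
    try { return @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop).Count }
    catch { Write-Warning "Cannot enumerate shadow copies (run elevated): $_"; return -1 }
}

# Exploitability: copy SAM out of a shadow copy device the way a standard user would.
# cmd.exe's copy passes the \\?\GLOBALROOT prefix straight to CopyFile, which is why
# it is used instead of Copy-Item. Device numbers 1..15 are probed blindly because a
# standard user cannot enumerate shadow copies.
function Test-HiveReadable {
    $tmp = Join-Path $env:TEMP ('hn-' + [guid]::NewGuid().ToString('N'))
    foreach ($i in 1..15) {
        $src = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$i\Windows\System32\config\SAM"
        cmd.exe /c "copy /Y `"$src`" `"$tmp`" >nul 2>&1"
        if ($LASTEXITCODE -eq 0 -and (Test-Path $tmp)) {
            Remove-Item $tmp -Force     # do not leave a readable SAM copy behind
            return $src
        }
    }
    return $null
}

# Microsoft's workaround: restore ACL inheritance on the config directory, then
# delete existing shadow copies so the already-exposed hive copies are gone too.
function Invoke-Remediation {
    & icacls.exe "$configDir\*.*" /inheritance:e | Out-Null
    & vssadmin.exe delete shadows /for=$env:SystemDrive /Quiet | Out-Null
}

$exposedHives = Test-HiveAclExposed
$shadowCount  = Get-ShadowCopyCount
# Unknown shadow-copy state (-1) is treated as exposed rather than healthy.
$vulnerable   = ($exposedHives.Count -gt 0) -and ($shadowCount -ne 0)

if ($PostureCheck) { return (-not $vulnerable) }

Write-Output ("Hives readable by Users : {0}" -f $(if ($exposedHives.Count) { $exposedHives -join ', ' } else { 'none' }))
Write-Output ("Shadow copies           : {0}" -f $(if ($shadowCount -lt 0) { 'unknown' } else { $shadowCount }))
Write-Output ("Vulnerable              : {0}" -f $vulnerable)

if ($Exploit) {
    $hit = Test-HiveReadable
    Write-Output ("SAM readable via shadow copy: {0}" -f $(if ($hit) { $hit } else { 'no' }))
}

if ($Remediate) {
    if ($vulnerable -or $Force) {
        Invoke-Remediation
        Write-Output 'Remediation applied; re-run the script to confirm.'
    } else {
        Write-Output 'Checks report healthy; use -Force to remediate anyway.'
    }
}
```

Two design points worth keeping if you adapt this: the posture check treats an enumeration failure as "exposed" rather than "healthy", so a non-elevated scheduled task cannot silently report a clean state it never verified; and fixing the ACL alone is not enough, because every shadow copy created while the ACL was wrong still carries a readable SAM, which is why remediation deletes them and why the exploit test goes through the shadow copy device path rather than the live file.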
SentinelOne customers
Apply the policy override in sentinelone-policy-override.txt
Confirm the override is active by querying the agent configuration; both settings below must be present:
PS> .\sentinelctl.exe config | Select-String -Pattern "vssSnapshots|penetration"
agent.enginesWantedState.penetration off
agent.vssSnapshots false