Mitigating the exposure to HiveNightmare/SeriousSAM (CVE-2021-36934) with Capture Client
07/30/2021
The recommended workaround from Microsoft to address "CVE-2021-36934: Windows Elevation of Privilege Vulnerability" (also known as HiveNightmare/SeriousSAM) includes deleting all Volume Shadow Copy Service (VSS) snapshots from your endpoints. However, as part of its ransomware protection, Capture Client prevents the deletion of VSS snapshots. This article provides the minimal steps needed to delete all snapshots without having to uninstall Capture Client.
In the steps below, the time elapsed between Step 2 and Step 4 should be as short as possible, because the endpoint's snapshot protection is disabled during that window.
Step 5 is important because it accelerates the availability of a new snapshot. Rollback by Capture Client is only feasible if a snapshot is available BEFORE the first event of any attack.
Snapshots are required to perform a rollback in the case of a targeted ransomware incident. It is recommended that these actions be performed only on the most critical endpoints until a permanent solution is made available.
Recommended Workaround Steps
1. On the endpoint, start cmd with Run as Administrator and change to the agent directory:
   cd c:\program files\sentinelone\sentinel agent <version>\
2. Disable VSS snapshot protection and the engines that guard it via the command line:
   sentinelctl unprotect -k <S1 Passphrase>
   sentinelctl config -p vssConfig.vssProtection -v false
   sentinelctl config -p agent.enginesWantedState.dataFiles -v off
   sentinelctl config -p agent.enginesWantedState.penetration -v off
3. Implement the workaround suggested by Microsoft in its security update, i.e. delete all VSS snapshots with the command:
   vssadmin delete shadows /all
4. Re-enable VSS snapshot protection and the engines via the command line:
   sentinelctl config -p agent.enginesWantedState.dataFiles -v local
   sentinelctl config -p agent.enginesWantedState.penetration -v local
   sentinelctl config -p vssConfig.vssProtection -v true
   sentinelctl protect
5. Reboot all Windows endpoints to accelerate the availability of a new snapshot.
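As an added example (not from this article and not SonicWall's or SentinelOne's own tooling), the five steps combined into one elevated PowerShell script so that Steps 2 to 4 run back to back and Step 4 still runs if the deletion fails. It assumes the agent folder matches "C:\Program Files\SentinelOne\Sentinel Agent *" (the <version> placeholder above), takes the passphrase as -Passphrase, adds vssadmin's /quiet switch to avoid the confirmation prompt, and checks for the English "Shadow Copy ID" text in the output of vssadmin list shadows.

```powershell
# Added example: runs the workaround steps in one elevated session so the window with
# snapshot protection disabled (Step 2 to Step 4) is as short as possible, and Step 4
# always runs, even if Step 3 throws. Assumptions: versioned agent folder located by
# wildcard, passphrase passed as a parameter, English vssadmin output.
param(
    [Parameter(Mandatory = $true)][string]$Passphrase,
    [switch]$Reboot
)
$ErrorActionPreference = 'Stop'

# Step 1: locate sentinelctl.exe instead of hard-coding the versioned folder name
$agentDir = Get-ChildItem 'C:\Program Files\SentinelOne' -Directory -Filter 'Sentinel Agent *' |
    Sort-Object Name -Descending | Select-Object -First 1
if (-not $agentDir) { throw 'Sentinel Agent directory not found' }
$ctl = Join-Path $agentDir.FullName 'sentinelctl.exe'

function Invoke-Ctl([string[]]$CtlArgs) {
    & $ctl @CtlArgs
    if ($LASTEXITCODE -ne 0) {
        throw "sentinelctl $($CtlArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

try {
    # Step 2: disable VSS snapshot protection and the engines that block shadow deletion
    Invoke-Ctl @('unprotect', '-k', $Passphrase)
    Invoke-Ctl @('config', '-p', 'vssConfig.vssProtection', '-v', 'false')
    Invoke-Ctl @('config', '-p', 'agent.enginesWantedState.dataFiles', '-v', 'off')
    Invoke-Ctl @('config', '-p', 'agent.enginesWantedState.penetration', '-v', 'off')

    # Step 3: Microsoft's workaround, delete every shadow copy, then confirm none remain
    & vssadmin delete shadows /all /quiet | Out-Null
    $remaining = @((& vssadmin list shadows) -match 'Shadow Copy ID')
    if ($remaining.Count -gt 0) { Write-Warning "$($remaining.Count) shadow copies still present" }
}
finally {
    # Step 4: always restore protection, whether or not the commands above succeeded
    Invoke-Ctl @('config', '-p', 'agent.enginesWantedState.dataFiles', '-v', 'local')
    Invoke-Ctl @('config', '-p', 'agent.enginesWantedState.penetration', '-v', 'local')
    Invoke-Ctl @('config', '-p', 'vssConfig.vssProtection', '-v', 'true')
    Invoke-Ctl @('protect')
}

# Step 5: reboot so that a fresh snapshot becomes available as soon as possible
if ($Reboot) { Restart-Computer -Force }
```

Run it from an elevated PowerShell prompt on each targeted endpoint; the warning from Step 3 tells you when a snapshot survived deletion and the endpoint needs a manual check before moving on.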