
Cybersecurity Project | CVE-2021-36934 Exploit & Prevention

In this group project, my team acted as a security team recently hired by an SME to implement a security architecture for the organisation. Each member of the team was to choose a CVE, simulate an attack by exploiting the vulnerability, and implement a security solution to address it.

I chose CVE-2021-36934, also known as SeriousSAM or HiveNightmare, as it was a recently discovered vulnerability (2021). It is a Windows Elevation of Privilege vulnerability: the built-in Access Control Lists (ACLs) on the registry hive files under %windir%\System32\config (SAM, SECURITY and SYSTEM) are overly permissive, so on a machine with Volume Shadow Copy Service (VSS) enabled a non-administrative user can read copies of those hives from a shadow copy and extract the credential material they contain.

To simulate the attack, I made use of an executable file named HiveNightmare, which is publicly accessible on GitHub.

To address the vulnerability, I used ManageEngine Endpoint Central to ensure that the machines in the attack scenario are routinely patched and scanned for vulnerabilities.
Furthermore, I used the Script Repository in Endpoint Central to distribute a PowerShell script written to delete the existing VSS shadow copies and re-enable ACL inheritance on the hive files, which removes the overly permissive entries.
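The following PowerShell is an added example, not the script from the project above: it checks the two conditions that make a host exploitable (a BUILTIN\Users read entry on the hive files, and at least one existing shadow copy) and then applies the mitigation Microsoft published for this CVE, re-enabling inheritance on the config directory and deleting shadow copies. It assumes it is run elevated on the system drive; deleting shadow copies also removes restore points, which is an assumption you must confirm is acceptable before deploying it outside a lab.

```powershell
# Added example for CVE-2021-36934 (HiveNightmare); not the project's own script.
# Run from an elevated PowerShell session. Assumes the hives live on the system drive.
#Requires -RunAsAdministrator

$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'SAM', 'SECURITY', 'SYSTEM'

function Test-HiveNightmare {
    # Condition 1: BUILTIN\Users holds an Allow ACE with read access on a hive file.
    $exposed = foreach ($h in $hives) {
        $acl = Get-Acl -Path (Join-Path $configDir $h)
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -eq 'BUILTIN\Users' -and
                $ace.AccessControlType -eq 'Allow' -and
                ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)) {
                $h
            }
        }
    }
    # Condition 2: a shadow copy exists. The live hive files are locked by the kernel,
    # which is why the exploit reads them from a VSS snapshot instead.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)

    [pscustomobject]@{
        ExposedHives = @($exposed | Select-Object -Unique)
        ShadowCopies = @($shadows | Select-Object -ExpandProperty ID)
        Vulnerable   = (@($exposed).Count -gt 0) -and ($shadows.Count -gt 0)
    }
}

function Repair-HiveNightmare {
    # 1. Re-enable inheritance on every file in the config directory so the files
    #    take the parent directory's ACL, dropping the extra BUILTIN\Users read entry.
    & icacls "$configDir\*.*" /inheritance:e | Out-Null

    # 2. Delete existing shadow copies: they still hold readable copies of the hives
    #    with the old ACL. (Assumption: losing restore points on this drive is acceptable.)
    & vssadmin delete shadows "/for=$($env:SystemDrive)" /quiet | Out-Null

    # 3. Return the post-fix state so a deployment tool can log it.
    Test-HiveNightmare
}

# Usage: report first, remediate only if the host is actually exposed.
$state = Test-HiveNightmare
$state | Format-List
if ($state.Vulnerable) {
    Write-Host 'Host is vulnerable to CVE-2021-36934; applying mitigation.'
    Repair-HiveNightmare | Format-List
}
```

When deployed through a management tool or a GPO startup script, the returned object is what you want to capture: a host that still reports `Vulnerable = True` after the repair step (for example because a new shadow copy was created by a scheduled restore point) needs the fix re-run, and the KB that corrects the ACLs should be installed so the check stays clean.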

However, because each team member had to use unique tools and solutions, I found another way to distribute the PowerShell script: deploying it through a Group Policy Object (GPO).

Lastly, I also used ManageEngine ADManager Plus to automate local GPO backups.

What I have learnt/used:
- ManageEngine Endpoint Central
- ManageEngine ADManager Plus
- PowerShell
- GPO
- VMWare Workstation
- CVE-2021-36934 vulnerability (via the HiveNightmare proof-of-concept executable)
