• Services
    • Mergers, Acquisitions and Divestitures (MAD): Know Before You Grow
    • Applications Packaging
    • Application Lifecycle Management
    • Professional Services
    • Road Map’s Asset Management Program (RAMP)
  • Experience
  • Partners & Products
  • About
    • Our Values
    • Our Focus
    • Leadership Team
    • Advisory Board
    • Philanthropy
  • News
  • Blog
  • Contact
  • News
  • Blog
  • Contact
Roadmap Technologies, LLC
Call Us! 314.222.0057
Roadmap Technologies, LLC
  • Home
  • Services
    • Discovery Assessments
    • Road Map’s Asset Management Program (RAMP)
    • Application Packaging
    • Application Lifecycle Management
    • Professional Services
    • Cyber Security Services
      • Technical Compliance Assessments
  • Experience
  • Partners & Products
  • About Us
    • Our Focus
    • Our Values
    • Testimonials
    • Leadership Team
    • Advisory Board
    • Philanthropy

CVE-2021-36934 and Splunk

published on July 27, 2021
tagged in cyber awareness training, Cyber Security, vulnerability

By Howard Magill, CEO at Road Map Technologies

As most know, the CVE-2021-36934 is regarding overly permissive Access Control Lists (ACLs) on multiple systems files.  One of these files is the Security Accounts Manager (SAM) Database.  Details on identifying the vulnerability as well as the fix can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934.

For the purpose of identifying this vulnerability, some have directed me to https://github.com/JoranSlingerland/CVE-2021-36934/commit/e976fb1be2734c318c2deaaec4f01d83b9cb497f.  I found this script not to find or return the correct information after some testing.  Also, this script only works if ran directly on the devices.

Issue:

The purpose of the github script is supposed to identify any or all permissions not inherited.  However, it is looking for specific accounts they may not exist or be affiliated with inherited permissions.  Also, as previously stated, the script has to be ran on the local device.

Proposed Solution:

Create a PowerShell script that can be ran via SCCM leveraging PSADTK.  Create an event log that can be picked up by Splunk and report in both SCCM and from Splunk.

Solution

Below is the PS script I put together.  We leveraged PSADTK for ease of returning failure codes to SCCM.   In this scenario, if the script fails due to client or other issues and does not run, it will not report in Splunk.  We are writing keys to the registry for nonvulnerable and vulnerable.  The SCCM detection method is set to be successful on nonvulnerable machines.  This will allow us to report with SCCM.  We are also writing to the System event log so Splunk will pick up vulnerable devices almost immediately.  The script will also write the accounts that are not inherited to the log file.  Keep in mind, if your SCCM client does not have access to read permissions on the file, it reports back as vulnerable.

The below script will identify any account that is not inherited and write it to the event log and to the PSADTK log.  Hope this helps someone.  Feel free to ping us if you do not agree.

Step 1 Script

$getInheritances = Get-childitem C:\Windows\System32\config\SAM -recurse |

Get-Acl | % {

$path = $_.Path

$_.Access | where { $_.IsInherited -eq $false } |  % {

New-Object PSObject -Property @{

Folder = $path.Replace(“Microsoft.PowerShell.Core\FileSystem::”, “”)

Access = $_.FileSystemRights

Control = $_.AccessControlType

User   = $_.IdentityReference

Inheritance = $_.IsInherited

}

}

}

if (![string]::IsNullOrEmpty($getInheritances))

{

$checkvulnerability = Get-ItemProperty -Path HKLM:\SOFTWARE\[NAME] -Name “CVE202136934Check”

If (($checkvulnerability.CVE202136934Check -ne “Vulnerable”) -or ($checkvulnerability.CVE202136934Check -ne “”))

{

if ([System.Diagnostics.EventLog]::SourceExists(“CVE-2021-36934”) -eq $False)

{

New-EventLog -LogName “System” -Source “CVE-2021-36934”

}

Write-EventLog -LogName “System” -Source “CVE-2021-36934” -EventID ‘1975’ -EntryType “Info” -Message “CVE-2021-36934 vulnerability Remediated” -Category 1 -RawData 10, 20

Write-Log -Message “CVE-2021-36934 vulnerability found: $getInheritances” -Source ‘CVE-2021-36934’ -LogType ‘Legacy’

Set-RegistryKey -Key ‘HKEY_LOCAL_MACHINE\SOFTWARE\[NAME]’ -Name ‘CVE202136934Check’ -Value “NotVulnerable” -Type String

}

}

Else

{

Write-Log -Message “CVE-2021-36934 vulnerability not found” -Source ‘CVE-2021-36934’ -LogType ‘Legacy’

Set-RegistryKey -Key ‘HKEY_LOCAL_MACHINE\SOFTWARE\[NAME]’ -Name ‘CVE202136934Check’ -Value “NotVulnerable” -Type String

}

Step 2 Create Dashboard in Splunk

 

 

 

 

Hope this helps.

Feel free to contact us here.

Ready To Simplify?

Road Map Technologies is your partner for reliable technology integration and managed services

Get Started

Recent Posts

  • Why Cybersecurity Insurance is Essential for Modern Businesses
  • The Hidden Costs of Cyber Attacks: How Insurance Can Help
  • Navigating Cybersecurity Insurance: Key Considerations for Business Leaders
  • Why ITSM is Critical for Modern Businesses
  • 5 Ways ITSM Can Boost Your Company’s Productivity

About Us

  • About
  • Contact
  • News
  • Blog

Services

  • Mergers, Acquisitions and Divestitures (MAD): Know Before You Grow
  • Road Map’s Asset Management Program (RAMP)
  • Applications Packaging
  • Application Lifecycle Management
  • Professional Services
  • Staff Augmentation

Partners & Products

  • Flexera
  • SentinelOne
  • RAMP (Road Map’s Asset Management Program)
  • RayNET

Road Map Technologies LLC

111 Wesport Plaza 6th Floor
Saint Louis, MO 63146

314.222.0057


Road Map Technologies

Application Remediation Management Group

Copyright © 2025. Road Map Technologies LLC. All Rights Reserved.