Merge pull request #387 from YulelogPagoda/patch-3

Create CVE-2021-36934 usage detection.md

Exploits/CVE-2021-36934 usage detection.md

@@ -0,0 +1,53 @@
+# CVE-2021-36934 usage detection
+ 
+ Assuming that you have a machine that is properly BitLocker'ed, then 
+ the machine will need to be running to extract the SAM and SYSTEM
+ files. 
+ 
+ This first query looks for any access to the HKLM that happens via a command
+ or script that is not executed by system. 
+ 
+ The second query looks for usage of reg or regedit by anyone who is not system.
+
+## Query
+```
+let startTime = now(-7d);
+let endTime = now();
+DeviceProcessEvents
+| where ProcessCommandLine contains "HKLM"
+| where AccountName != "system"
+
+#This query just looks for usage of "reg" in processes that aren't ran by system.
+DeviceProcessEvents
+| where ProcessCommandLine contains "reg"
+| where AccountName != "system"
+
+```
+## Category
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|------------------------|----------|-------|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence |  |  | 
+| Privilege escalation | y |  |
+| Privilege escalation | v |  |
+| Defense evasion |  |  | 
+| Credential Access |  |  | 
+| Discovery |  |  | 
+| Lateral movement |  |  | 
+| Lateral movement |  |  | 
+| Collection |  |  | 
+| Command and control |  |  | 
+| Exfiltration |  |  | 
+| Impact |  |  |
+| Vulnerability |  |  |
+| Exploit | y |  |
+| Exploit | v |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+| Ransomware |  |  |
+## Contributor info
+**Contributor:** Carl Peter McCollough
+**GitHub alias:** YulelogPagoda
+**Contact info:** https://www.linkedin.com/in/petemccollough/