Last updated 2021-07-22
HiveNightmare (CVE-2021-36934), also known as SeriousSAM, is a high-severity zero-day elevation of privilege vulnerability in Windows that is currently under investigation by Microsoft.
Since Windows 10 version 1809, the Access Control Lists (ACLs) on the files in %windir%\System32\config
have granted read access to non-admin users (BUILTIN\Users). This directory holds the files that make up the Windows Registry, including the Security Account Manager (SAM) hive, which stores the password hashes of local accounts, and the SYSTEM and SECURITY hives, which hold the key material needed to decrypt them.
An attacker who can already execute code on a target host as a standard user could exploit this vulnerability to recover those hashes and elevate their privileges to SYSTEM.
The live hive files are held open by the operating system while Windows is running, so they cannot be read directly even with the permissive ACLs. However, Volume Shadow Copy Service (VSS) shadow copies of the system volume, created for instance as part of System Restore points, contain copies of these files that are not locked and that carry the same ACLs, so a non-admin user can read the hives from a shadow copy.
For more information, please read the article on Sophos Naked Security.
What to do
This is still under investigation by Microsoft and a patch is not currently available; however, a workaround has been provided.
Both of the following steps must be performed to prevent exploitation of this vulnerability: restricting the ACLs alone does not change shadow copies that already exist.
Note that deleting shadow copies may impact restore operations, including the ability to restore data with third-party backup applications that utilize the Volume Shadow Copy Service.
- Restrict access to the contents of %windir%\system32\config
  - Command Prompt (Run as administrator):
    icacls %windir%\system32\config\*.* /inheritance:e
  - Windows PowerShell (Run as administrator):
    icacls $env:windir\system32\config\*.* /inheritance:e
- Delete Volume Shadow Copy Service (VSS) shadow copies
  - Identify whether shadow volumes exist with either Command Prompt or PowerShell (Run as administrator):
    vssadmin list shadows
  - Delete any System Restore points and shadow volumes that existed prior to restricting access to the contents of %windir%\system32\config (snapshots taken before the ACL change still contain readable copies of the hives)
  - For more information on how to delete shadow copies, see this Microsoft knowledgebase article.
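As an added example (not code from the original article, from Sophos or from Microsoft), the following PowerShell script ties the vulnerable condition described above to the two-step workaround in the list: it checks the SAM, SECURITY and SYSTEM hive ACLs for a BUILTIN\Users read entry, counts existing shadow copies, re-enables ACL inheritance on the config directory, and deletes shadow copies only when explicitly asked to. The function names are my own; it assumes an elevated PowerShell session on a Windows host with icacls.exe and vssadmin.exe available.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Function names are the editor's own.
# Assumes an elevated PowerShell session on Windows with icacls.exe and vssadmin.exe.

$ConfigDir = Join-Path $env:windir 'System32\config'
$Hives     = 'SAM', 'SECURITY', 'SYSTEM'

function Test-HiveNightmareAcl {
    # Returns $true if BUILTIN\Users holds an Allow ACE with read access on any hive.
    # Reading the ACL (READ_CONTROL) succeeds even though the live hive files are
    # locked against being opened for data reads, so this works on a running system.
    $vulnerable = $false
    foreach ($hive in $Hives) {
        $acl = Get-Acl -Path (Join-Path $ConfigDir $hive)
        $usersRead = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)
        }
        if ($usersRead) {
            Write-Warning "$hive is readable by BUILTIN\Users (CVE-2021-36934 condition present)"
            $vulnerable = $true
        } else {
            Write-Host "$hive : no read access for BUILTIN\Users"
        }
    }
    return $vulnerable
}

function Get-ShadowCopyCount {
    # Existing shadow copies keep whatever ACLs the files had when the snapshot was
    # taken, so they remain readable after the live ACLs are fixed.
    return @(Get-CimInstance -ClassName Win32_ShadowCopy).Count
}

function Invoke-HiveNightmareWorkaround {
    param([switch]$DeleteShadowCopies)

    # Step 1 (Microsoft's published workaround): re-enable inheritance so the hive
    # files take their ACL from the config directory again.
    icacls "$ConfigDir\*.*" /inheritance:e

    # Step 2: remove shadow copies created before step 1. This is destructive
    # (System Restore points and VSS-based backups of those snapshots are lost),
    # so it only runs when explicitly requested.
    if ($DeleteShadowCopies) {
        vssadmin delete shadows /all /quiet
    } else {
        Write-Warning ("{0} shadow copies remain; rerun with -DeleteShadowCopies to remove them" -f (Get-ShadowCopyCount))
    }
}

if (Test-HiveNightmareAcl) {
    Invoke-HiveNightmareWorkaround
}
```

Run the script once to see whether the host is affected and to apply the ACL fix; rerun `Invoke-HiveNightmareWorkaround -DeleteShadowCopies` only after confirming, per the note above, that nothing depends on the existing restore points or VSS snapshots.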
Investigating exposure with Sophos XDR
This Live Discover query on Sophos Community, from Sophos MTR, will identify processes that have accessed either the SAM, SECURITY, or SYSTEM Registry hive files in Shadow volumes. It is optimized to minimize the number of accesses to the Sophos File Journal to enable hunts over wider periods of time.
The results show information about the process as well as the machine learning (ML) score, potentially unwanted application (PUA) score, and local and global reputation of the file corresponding to the process, to aid in determining whether the file is suspicious.
We will update this article with further information as it becomes available.