Last updated 2021-07-22

HiveNightmare (CVE-2021-36934), also known as SeriousSAM, is a high severity zero-day elevation of privilege vulnerability in Windows currently under investigation by Microsoft.

Since Windows 10 build 1809, the Access Control Lists (ACLs) for %windir%\System32\config have been granting read access to non-admin users. This is the primary directory that contains the files for the Windows Registry, including the Security Account Manager (SAM) hive, which stores users' password hashes.

An attacker with the ability to execute code on a target host could exploit this vulnerability to elevate their privileges to SYSTEM.

Due to the ACLs granting read access, Volume Shadow Copy Service (VSS) shadow copies of these files may exist, for instance as part of system restore points.

For more information, please read the article on Sophos Naked Security.

What to do

This is still under investigation by Microsoft and a patch is not currently available; however, a workaround has been provided.

Both of these steps must be performed to prevent exploitation of this vulnerability.

Deleting shadow copies may impact restore operations, including the ability to restore data with third-party backup applications that utilize the Volume Shadow Copy Service.

  1. Restrict access to the contents of %windir%\system32\config
      • Command Prompt (Run as administrator):
        icacls %windir%\system32\config\*.* /inheritance:e
      • Windows PowerShell (Run as administrator):
        icacls $env:windir\system32\config\*.* /inheritance:e
  2. Delete Volume Shadow Copy Service (VSS) shadow copies
      • Identify whether shadow volumes exist with either Command Prompt or PowerShell (Run as administrator):
        vssadmin list shadows
      • Delete any System Restore points and shadow volumes that existed prior to restricting access to the contents of %windir%\system32\config
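The following PowerShell script is an added example, not part of the original Sophos article or Microsoft's guidance. It is a read-only check that reports whether the two workaround steps above are still needed on a host: it inspects the ACLs on the SAM, SECURITY and SYSTEM hive files for a read grant to BUILTIN\Users (matched by its well-known SID S-1-5-32-545 so the check works on localized systems) and counts existing VSS shadow copies via vssadmin. It changes nothing and assumes it is run from an elevated PowerShell session.

```powershell
# Added example (not from the original article): read-only exposure check for
# HiveNightmare / CVE-2021-36934. Run as administrator; nothing is modified.

$hives = 'SAM', 'SECURITY', 'SYSTEM' |
    ForEach-Object { Join-Path $env:windir "System32\config\$_" }

# Well-known SID for BUILTIN\Users (stable across language packs).
$usersSid = 'S-1-5-32-545'
# FILE_READ_DATA bit; ReadAndExecute (the vulnerable "(RX)" grant) includes it.
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

$exposed = @()
foreach ($hive in $hives) {
    $acl = Get-Acl -Path $hive
    $userRead = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value -eq $usersSid -and
        (([int]$_.FileSystemRights) -band $readData) -ne 0
    }
    if ($userRead) { $exposed += $hive }
}

if ($exposed) {
    Write-Warning "Non-admin read access still granted on: $($exposed -join ', ')"
    Write-Host "Step 1 still required: icacls $env:windir\system32\config\*.* /inheritance:e"
} else {
    Write-Host "OK: hive files are not readable by BUILTIN\Users"
}

# Shadow copies taken while the ACL was permissive still expose the hives,
# even after step 1 has been applied.
$shadowIds = vssadmin list shadows 2>&1 | Select-String 'Shadow Copy ID'
if ($shadowIds) {
    Write-Warning "$($shadowIds.Count) VSS shadow copies present; review step 2 (note the restore impact above)"
} else {
    Write-Host "OK: no VSS shadow copies present"
}
```

Running the script before and after applying the workaround gives a quick confirmation that step 1 removed the read grant and that step 2 left no pre-existing shadow copies behind; it is also suitable for fleet-wide reporting since it produces no side effects.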

Investigating exposure with Sophos XDR

This Live Discover query on Sophos Community, from Sophos MTR, will identify processes that have accessed either the SAM, SECURITY, or SYSTEM Registry hive files. It is optimized to minimize the number of accesses to the Sophos File Journal to enable hunts over wider periods of time.

The results show information about the process as well as the machine learning (ML) score, potentially unwanted application (PUA) score, local, and global reputation for the file corresponding to the process to aid in determining whether the file is suspicious or not.

We will update this article with further information as it becomes available.
