HiveNightmare | Protecting Windows 10 Security Account Manager Against CVE-2021-36934

It has been a tough few weeks for many enterprise security teams fighting a series of severe bugs in Microsoft Windows 10. Shortly after being ‘all hands on deck’ dealing with the remote code execution (RCE) vulnerability dubbed PrintNightmare, IT admins and security teams were plunged into another unexpected crisis thanks to the emergence of the unrelated but familiar sounding ‘HiveNightmare’ bug, aka SeriousSAM.

More formerly tracked as CVE-2021-36934, HiveNightmare is a local privilege escalation (LPE) that allows any standard user to achieve SYSTEM privileges, with all the security headaches that that entails: the ability to install malware, delete data, create new user accounts and pretty much conduct any other malicious behavior so desired.

Although HiveNightmare requires an attacker to have gained a foothold on a target system, what makes CVE-2021-36934 of particular concern is that having done so, this bug is trivial to exploit. An attacker that either accesses the target locally or remotely (such as via SSH) can very quickly and easily take advantage of a vulnerable system. Consequently, it is imperative that admins and security teams understand the details of the HiveNightmare vulnerability, how it can be exploited, and how it can be mitigated.

What Is The HiveNightmare Vulnerability?

“HiveNightmare” is an NTFS-centric, access control list (ACL) flaw which affects Windows 10 builds 1809 up to and including 21H1. Upon exploitation, non-privileged users may potentially gain access to execute arbitrary code or read sensitive data. Specifically, attackers may leverage this vulnerability to extract registry hive data, including hashed passwords, which can in turn be used to further elevate privilege.

Attempts to attack hive data files have typically required the attacker to target the registry databases in an inactive or ‘offline’ Windows session. HiveNightmare greatly simplifies the attack, allowing (amongst other things) for the extraction of sensitive registry data from Volume Shadow Copies. Attackers can potentially execute arbitrary code with SYSTEM privileges, allowing for full control.

The heart of the problem lies in any user’s ability to read files in the C:WINDOWSSYSTEM32CONFIG folder. This folder includes the private system-wide  Windows registry files, as well as the frequently-targeted SAM (System Account Manager) file, which contains all the local user NTLM password hashes.

When the following command is run, vulnerable systems will show BUILTINUsers group having RX (Read + Execute) permissions on the config folder:

> icacls C:WindowsSystem32configSAM
Output from icacls on a vulnerable system

Attackers can leverage this insecure ACL permission to elevate privileges to local admin/SYSTEM. In organizations managed by image templates containing local users, this can be exploited for automatic lateral movement or to kickstart a worm infection mechanism.

How Is HiveNightmare Used In Attacks?

At the time of writing, the majority of activity around HiveNightmare is academic or ‘proof-of-concept’ in nature. Having said that, we have observed some examples of malware based on (or around) the code snippets that have cropped up. Dozens of such examples have already been submitted to VirusTotal in recent days.

Some of the many HiveNightmare exploits uploaded to VirusTotal

Even though exploitation is trivial, multiple exploits have been published in a variety of source code languages:

  1. Ps1: https://github.com/romarroca/SeriousSam
  2. Nim: https://github.com/HuskyHacks/ShadowSteal

As noted above, it is in general not possible to access hive data files when the system is ‘live’ as these files are locked when in use. However, since Windows 10 keeps system restore points (aka Volume Shadow Copies) that contain copies of the hive data files, an attacker can extract copies of these files from any existing snapshots.

The command

> vssadmin list shadows

lists saved snapshots for the device.

Listing the available Volume Shadow Copies

The built-in CERTUTIL command can then be used to dump the SAM database to the TEMP folder.

Dumping hive data files from a snapshot to TEMP

It is important to note that while the concept of exfiltrating credentials via stolen SAM data is not novel, HiveNightmare goes a long way towards simplifying the process for attackers. This observation is further solidified by the uptick in submissions  to public malware repositories of ‘commodity’ malware attempting to incorporate this exploit.

General Mitigations and Workarounds

The HiveNightmare vulnerability was disclosed in mid-July 2021 and officially addressed by Microsoft on July 20, 2021. This first disclosure from Microsoft included possible workaround and manual mitigation steps.

Microsoft Workarounds:

  1. Delete any Restore Points and VSS Volumes
  2. Restrict user access to %windir%system32config via ICACLS:
    icacls %windir%system32config*.* /inheritance:e

Monitoring & Threat Hunting:

  1. Any access to a path containing regex:
    ".*?HarddiskVolumeShadowCopy[0-9]+\Windows\System32\config\SAM.*?"
  2. Suspicious creation of symbolic links containing HarddiskVolumeShadowCopy, cmdline regex:
    ".*?cmd.*?mklink.*?HarddiskVolumeShadowCopy.*?"

    (as well as other variants such as PowerShell, fsutil.exe etc.)

It has also been noted that enabling periodic backup of the system registry to the “RegBack” folder will restore the ACL permissions to the more secure setting after a reboot. This was, in fact, Windows 10 default behavior until version 1803. As stated by Microsoft at the time, this change was intended to help reduce the overall disk footprint size and users were recommended to recover corrupt registry hives via a system restore point. In hindsight, that recommendation looks less than wise, and it will be interesting to see if Microsoft revises that advice.

Current guidance by Microsoft is available here.

Mitigating HiveNightmare With SentinelOne

The SentinelOne Singularity Platform detects and prevents attacks associated with CVE-2021-36934 (HiveNightmare) with the current Endpoint Security Agent release (starting 4.1). The Agent’s Intrusion Detection engine autonomously blocks attempts to access sensitive SAM information from a volume shadow copy.

To enable the protection, please follow the steps mentioned in this KB support article.

SentinelOne vs HiveNightmare
Watch how we protect Windows 10 against CVE-2021-36934 attacks.

Conclusion

HiveNightmare is certainly poised to become a standard weapon in the modern attacker’s armory. Escalating privileges and stealing credentials are tactics every threat actor desires to accomplish, and HiveNightmare just made these a whole lot easier to achieve. Organizations that fail to take the appropriate proactive mitigation steps are putting a target on their backs that may cost them dearly in the future. IT and security teams are, therefore, strongly advised to follow the mitigation procedures described above. If you need further assistance or would like to know more about how SentinelOne can help secure your organization, contact us or request a free demo.

MITRE ATT&CK

Credential Dumping: Security Account Manager – T1003.002
Unsecured Credentials: Credentials In Files – T1552.001
Data Encoding: Standard Encoding – T1132.001
Credential Dumping: NTDS – T1003.003
Signed Binary Proxy Execution- T1218
Indirect Command Execution – T1202
Obfuscated Files or Information – T1027
Deobfuscate/Decode Files or Information – T1140
Query Registry – T1012

Sample Hashes

SHA256
422411a976daad538aff6a61201934b4d60372a6afe7981b2b2b684a852ef6d7
92e853dd359cb3636fa165a7170498d14ef7c692d8e6545b7adea95d89fe189f

SHA1
e9cab9ddd3aa4f20aff8d33991f5996deb50bb02
a3bf960f6d124d0b53608ddb0c65177d3717a22f