I wrote about #HiveNightmare aka #SeriousSAM (blame @cyb3rops for that one), an unpatched Windows 10 vulnerability that allows any non-admin user to access the full system registry, including sensitive areas.
Terribly badly coded PoC included. https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5
Btw there's a pretty big logic gap in one of the fixes I've seen floated online - it doesn't impact the snapshots.
Added US-CERT vulnerability note for this, written by @wdormann. It's excellent and clearly lays out the problem. #HiveNightmare #SeriousSAM https://www.kb.cert.org/vuls/id/506989
Btw a fairly surefire custom EDR detection or hunt rule for this is non-admin user successfully read accessing c:\Windows\System32\config\SAM, SYSTEM and/or SECURITY. Or just any user other than SYSTEM, pretty much.
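The hunt rule above, worked through as an added PowerShell example (this is not the thread's own rule or any vendor's EDR logic). It uses Windows Security event 4663 (object access) as the data source and assumes two prerequisites that are not stated in the tweet: the "File System" success audit subcategory is enabled and the three hive files carry a read SACL, because without a SACL no 4663 is ever written, which is why EDR file-read telemetry is usually the more dependable feed. Because a read can arrive via a shadow copy device path or a remapped drive letter rather than `C:\Windows\System32\config\…`, the rule matches on the tail of the path rather than on the drive letter; how exactly a snapshot read surfaces in ObjectName is an assumption worth validating in your own telemetry. The sample records at the bottom are constructed, not real log data.

```powershell
# Added example (not the thread's own rule): hunt for successful content reads
# of the hive files by anyone other than SYSTEM, over Security event 4663.
# Assumed prerequisites (not stated on the page):
#   auditpol /set /subcategory:"File System" /success:enable
#   and a read SACL on SAM, SYSTEM and SECURITY; with no SACL, no 4663 is logged.

# Match the tail of the path so that a read through a shadow copy device
# (\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM) or through a
# remapped drive letter is caught as well as the plain C:\ path.
$HivePathPattern = '(?i)\\Windows\\System32\\config\\(SAM|SYSTEM|SECURITY)$'

# 4663 reports AccessMask as a hex string; 0x1 is FILE_READ_DATA. A mask of
# only 0x80 (read attributes) or 0x20000 (read control) is not a content read.
$FileReadData = 0x1

# Subjects expected to open the hives. Anything else is a hit; tighten to taste.
$ExpectedSubjects = @('SYSTEM')

function ConvertFrom-ObjectAccessEvent {
    # Flatten a live 4663 EventRecord (from Get-WinEvent) into the fields the rule uses.
    param([Parameter(Mandatory, ValueFromPipeline)]
          [System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    process {
        $xml = [xml]$Record.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated     = $Record.TimeCreated
            SubjectUserName = $d['SubjectUserName']
            ObjectName      = $d['ObjectName']
            AccessMask      = $d['AccessMask']
            ProcessName     = $d['ProcessName']
        }
    }
}

function Find-SuspiciousHiveRead {
    # Passes through only the records that satisfy all three conditions:
    # hive file path, ReadData exercised, subject not in the expected list.
    param([Parameter(Mandatory, ValueFromPipeline)]$AccessEvent)
    process {
        if ($AccessEvent.ObjectName -notmatch $HivePathPattern) { return }
        if (([int]$AccessEvent.AccessMask -band $FileReadData) -eq 0) { return }
        if ($ExpectedSubjects -contains $AccessEvent.SubjectUserName) { return }
        $AccessEvent
    }
}

# Constructed sample records (not real telemetry) so the rule can be run offline:
# a legitimate SYSTEM read, a user read of the live file, a user read via the
# shadow copy device, a user touching only attributes, and an unrelated file.
$Sample = @(
    [pscustomobject]@{ SubjectUserName='SYSTEM'; ObjectName='C:\Windows\System32\config\SAM'; AccessMask='0x1';     ProcessName='C:\Windows\System32\lsass.exe' }
    [pscustomobject]@{ SubjectUserName='alice';  ObjectName='C:\Windows\System32\config\SAM'; AccessMask='0x1';     ProcessName='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' }
    [pscustomobject]@{ SubjectUserName='alice';  ObjectName='\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM'; AccessMask='0x1'; ProcessName='C:\Users\alice\Desktop\poc.exe' }
    [pscustomobject]@{ SubjectUserName='alice';  ObjectName='C:\Windows\System32\config\SAM'; AccessMask='0x20080'; ProcessName='C:\Windows\explorer.exe' }
    [pscustomobject]@{ SubjectUserName='alice';  ObjectName='C:\Users\alice\Documents\SAM';    AccessMask='0x1';     ProcessName='C:\Windows\System32\notepad.exe' }
)
$Sample | Find-SuspiciousHiveRead | Format-Table SubjectUserName, ObjectName, ProcessName -AutoSize

# Live hunt over the last 24 hours of the Security log (run elevated):
# Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4663; StartTime=(Get-Date).AddDays(-1) } |
#     ConvertFrom-ObjectAccessEvent | Find-SuspiciousHiveRead
```

Against the constructed sample, only alice's two content reads of hive files (the live path and the shadow copy path) should come through; the attribute-only open and the unrelated file are dropped. If your EDR exposes file-read events with a process path, the same three conditions translate directly into its query language.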
Updated write up to include CVE-2021-36934 being allocated by Microsoft for this (pretty quick response by them). Their write up suggests back in 2018, somebody enabled inheritance on the registry hive folder in error, that’s my reading anyhoo.
Microsoft have published an article about how to erase snapshots (needed for the mitigation for this vuln)… but I kind of feel it's not written in a way the average sysadmin will digest. But here it is anyway. https://support.microsoft.com/en-us/topic/kb5005357-delete-volume-shadow-copies-1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7
Been in and updated my #HiveNightmare/#SeriousSAM post. Includes custom detections, EDR blocks, hunting, script to auto apply mitigation etc. MS have updated the MSRC page to say all Windows 10 versions released in past 3 years impacted. https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5
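The two-part mitigation that the thread keeps coming back to (fix the hive ACLs, then get rid of the snapshots that still hold readable copies), as an added PowerShell example. This is neither the script from the DoublePulsar post nor Microsoft's KB text; it wraps the two commands published as workarounds in the MSRC advisory for CVE-2021-36934 (`icacls … /inheritance:e` on the config folder contents, and deleting VSS shadow copies) behind a check so you can see the exposed state before and after. It assumes an elevated shell, and the function names are this example's own. The check treats an Allow ACE for BUILTIN\Users, Authenticated Users or Everyone that carries FILE_READ_DATA or GENERIC_READ as the vulnerable condition.

```powershell
# Added example (not the thread's script or Microsoft's KB): detect the
# CVE-2021-36934 ACL condition on the hive files, then apply the two MSRC
# workarounds. Run elevated; the mitigation honours -WhatIf.

$HiveDir   = Join-Path $env:SystemRoot 'System32\config'
$HiveFiles = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object { Join-Path $HiveDir $_ }

# Principals that must never be able to read the hives.
$LowPrivPrincipals = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'

# FILE_READ_DATA (0x1) or GENERIC_READ (0x80000000). ACEs using generic rights
# show up as raw numbers rather than enum names, hence the [long] cast below.
$ReadMask = [long]0x1 -bor [long]0x80000000

function Test-HiveExposure {
    # One result per hive file. Inherited = $true means the offending ACE is
    # flagged as inherited from the config folder, the pattern the thread describes.
    foreach ($file in $HiveFiles) {
        $acl = Get-Acl -LiteralPath $file
        $bad = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $LowPrivPrincipals -contains $_.IdentityReference.Value -and
            (([long]$_.FileSystemRights -band $ReadMask) -ne 0)
        })
        [pscustomobject]@{
            File       = $file
            Exposed    = ($bad.Count -gt 0)
            Inherited  = (@($bad | Where-Object IsInherited).Count -gt 0)
            Principals = (($bad | ForEach-Object { $_.IdentityReference.Value }) | Sort-Object -Unique) -join ', '
        }
    }
}

function Invoke-HiveNightmareMitigation {
    # Workaround 1 re-applies inheritance on everything under the config folder,
    # which removes the stray Users read access on the live hive files.
    # Workaround 2 deletes the shadow copies that still hold readable copies;
    # per KB5005357 this also destroys System Restore points on that volume,
    # so dry-run with -WhatIf first.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Volume = $env:SystemDrive)

    $target = Join-Path $HiveDir '*.*'
    if ($PSCmdlet.ShouldProcess($target, 'icacls /inheritance:e (MSRC workaround 1)')) {
        & icacls.exe $target /inheritance:e | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
    }
    if ($PSCmdlet.ShouldProcess("shadow copies of $Volume", 'vssadmin delete shadows /all (MSRC workaround 2)')) {
        # vssadmin's exit code is not relied on here: verify with 'vssadmin list shadows'.
        & vssadmin.exe delete shadows "/for=$Volume" /all /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "vssadmin returned $LASTEXITCODE; check 'vssadmin list shadows'" }
    }
}

Test-HiveExposure | Format-Table -AutoSize     # before: Exposed should be True on a vulnerable host
Invoke-HiveNightmareMitigation -WhatIf         # dry run; drop -WhatIf to apply
# Test-HiveExposure | Format-Table -AutoSize   # after: Exposed False on all three files
# vssadmin list shadows                        # after: no shadow copies left for the volume
```

The ordering matters and is the logic gap the thread calls out: resetting the ACLs protects only the live files, while every shadow copy taken before the reset still carries the old ACL, so the snapshot deletion is part of the fix, not an optional extra. Any restore point created after the ACL reset is fine to keep.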
Replying to @GossiTheDog
What if you first overwrite your c: so it points to \device\HarddiskVolumeShadowCopy1\windows\system32\config\ - then just open c:\sam? Do the tools then detect it?
This is how to do it - yes, you can do it as unpriv.