SeriousSAM, or CVE-2021-36934, is a privilege escalation vulnerability caused by overly permissive Access Control Lists (ACLs): members of the low-privileged BUILTIN\Users group are granted read access to privileged system files, including the Security Accounts Manager (SAM) database. The SAM database holds the password hashes of a Windows system's local accounts (encrypted with a key derived from the SYSTEM hive, which is why both files are taken). According to the Microsoft advisory, the issue affects Windows 10 version 1809 and later as well as certain versions of Windows Server 2019.
The low privileged group ‘BUILTIN\Users’ with RX permissions to the SAM database
To abuse this misconfiguration, an attacker who already has low-privileged code execution on a vulnerable host only needs to read the hive files from a Volume Shadow Copy (VSC) and copy them out. The live files under System32\config are locked by the operating system, but any existing shadow copy exposes snapshots of them with the same permissive ACL. An example using PowerShell is shown below:
# Copy the SAM and SYSTEM hives out of the first shadow copy; the live files are locked, the snapshot is not
[System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM", "c:\Windows\Temp\sam.copy")
[System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM", "c:\Windows\Temp\system.copy")
Proofs of concept written in C (by security researcher Kevin Beaumont) and re-implemented in Go (by Christian Mehlmauer) are publicly available.
Using the recovered hive files, an attacker can extract the list of local users and their NTLM hashes, as shown below. These hashes can be cracked offline with tools like hashcat to recover the clear-text passwords, or used directly to authenticate to other hosts over the network via pass-the-hash.
Obtaining NTLM hashes from the SAM database
In the most limited scenario, exploitation allows a low-privileged user to escalate privileges on the vulnerable host and take control of it: install programs, read, modify or delete sensitive data, add or remove users, and so on.
However, organizations that use the same local account with the same password across many endpoints face a higher risk. With the cracked passwords or the hashes themselves, attackers can authenticate to remote hosts over the network and obtain remote code execution on them. In practice this requires the shared account to be a local administrator; for local accounts other than the built-in Administrator (RID 500), UAC remote restrictions block administrative network logons unless LocalAccountTokenFilterPolicy has been set to 1.
Using crackmapexec with the obtained hashes to connect to remote hosts
SeriousSAM has been rated Important by Microsoft and is pending a CVSS score from NIST at the time of writing. It is certainly not as serious as other vulnerabilities reported in recent months, such as PrintNightmare or ProxyLogon. However, under the circumstances described above it can help adversaries reach their operational objectives faster during a breach. The Splunk Threat Research team recommends performing an assessment to understand the impact of this vulnerability in your environment.
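As an added, concrete form of that assessment (this script is not from the original post or from Splunk's Security Content), the following PowerShell checks the conditions SeriousSAM needs on the local host without copying any hive out: whether the DACL on the live hive files grants a broad group read access, and whether the current (ideally non-admin) user can open SAM inside an existing shadow copy. Probing HarddiskVolumeShadowCopy1..N directly mirrors what the public PoCs do, because listing shadow copies with vssadmin or Win32_ShadowCopy needs elevation while opening the device path does not; the probe range of 32 and the function names are choices made here. The last function applies Microsoft's documented workaround and must run elevated.

```powershell
# Added assessment script; not code from the original post or from Splunk's Security Content.
#   1. Test-HiveAcl: does the DACL on SAM/SYSTEM/SECURITY grant a broad group FILE_READ_DATA?
#   2. Test-ShadowCopyHiveRead: can the *current* user open SAM inside an existing shadow copy?
#   3. Invoke-SeriousSamWorkaround: Microsoft's documented mitigation (elevated session required).
# Probe range (32) and identity list are assumptions made here.

$Hives           = 'SAM', 'SYSTEM', 'SECURITY'
$ConfigDir       = Join-Path $env:windir 'System32\config'
$BroadIdentities = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'

function Test-HiveAcl {
    # Reports every Allow ACE giving a broad group FILE_READ_DATA (0x1) on a hive file.
    # ReadAndExecute ("RX" in the icacls screenshot) contains that bit.
    foreach ($hive in $Hives) {
        $path = Join-Path $ConfigDir $hive
        try { $acl = Get-Acl -Path $path -ErrorAction Stop }   # needs READ_CONTROL only
        catch { continue }   # no READ_CONTROL for us at all: the hive is not broadly readable
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $BroadIdentities -contains $ace.IdentityReference.Value -and
                (([int]$ace.FileSystemRights) -band 0x1) -ne 0) {
                [pscustomobject]@{
                    Hive      = $hive
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Test-ShadowCopyHiveRead {
    param([int]$MaxIndex = 32)
    # Opens SAM read-only inside each shadow copy and closes it at once. An ACL denial surfaces
    # as UnauthorizedAccessException; a shadow copy index that does not exist surfaces as an
    # IOException and is skipped.
    for ($i = 1; $i -le $MaxIndex; $i++) {
        $device = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$i"
        $target = "$device\Windows\System32\config\SAM"
        try {
            $stream = [System.IO.File]::OpenRead($target)
            $stream.Dispose()
            [pscustomobject]@{ ShadowCopy = $device; SamReadableByCurrentUser = $true }
        }
        catch [System.UnauthorizedAccessException] {
            [pscustomobject]@{ ShadowCopy = $device; SamReadableByCurrentUser = $false }
        }
        catch [System.IO.IOException] {
            continue
        }
    }
}

function Invoke-SeriousSamWorkaround {
    # Microsoft's documented workaround for CVE-2021-36934: re-enable ACL inheritance under
    # %windir%\System32\config so the hives pick up the restrictive parent ACL again, then
    # delete the existing shadow copies, which still carry the old ACL. Deleting shadow copies
    # also removes System Restore points, so confirm that is acceptable first.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Invoke-SeriousSamWorkaround must run from an elevated session.'
    }
    icacls "$ConfigDir\*.*" /inheritance:e
    vssadmin delete shadows "/for:$($env:SystemDrive)" /Quiet
}

Test-HiveAcl            | Format-Table -AutoSize   # any row here is the misconfiguration
Test-ShadowCopyHiveRead | Format-Table -AutoSize   # True from a non-admin session means exploitable
# Invoke-SeriousSamWorkaround                       # elevated, and only after accepting the restore-point loss
```

Run the first two functions as a standard user: a patched host returns nothing from Test-HiveAcl (the DACL itself is no longer readable by Users) and only False rows, or none, from Test-ShadowCopyHiveRead. Note that the workaround's icacls step alone is not enough, since shadow copies taken before the fix keep the permissive ACL.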
Given that successful exploitation of this flaw amounts to reading files inside a Volume Shadow Copy, detecting it has some limitations.
Native process command-line logging, as well as EDR telemetry, can be used to hunt for suspicious paths referencing Volume Shadow Copies, like the PowerShell example above.
However, command-line based detections are easily bypassed by custom tools that avoid telltale parameters and read the files through direct API calls; a compiled binary that opens the shadow copy path itself leaves no such command line to match on.
Native file system auditing on Windows can monitor user attempts to access objects such as files and folders. This requires administrators to create a System Access Control List (SACL) on the specific files or folders to be monitored. Under the right conditions, this is a good way to detect attempts to read the SAM database, as shown below.
Event 4663 triggering on the SAM database read attempt
However, using SACLs to detect this attack also has limitations. Based on our testing, a newly created SACL only applies to Volume Shadow Copies taken after it was set; shadow copies that already existed are not monitored. Detection teams therefore have to delete all previous VSCs to monitor reliably for CVE-2021-36934 exploitation with this approach.
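The SACL setup described above, as an added example that is not code from the original post. It must run from an elevated session (writing a SACL needs SeSecurityPrivilege). It turns on the "Audit File System" subcategory, adds an audit rule for read access to the three hive files, and, because of the limitation just described, offers a separate step that removes the existing shadow copies. Auditing 'Everyone' for both Success and Failure, and the function names, are choices made here rather than taken from the post.

```powershell
# Added example of the SACL approach; not code from the original post. Elevated session required.
# Identity ('Everyone') and audit flags (Success, Failure) are assumptions made here.

$Hives     = 'SAM', 'SYSTEM', 'SECURITY'
$ConfigDir = Join-Path $env:windir 'System32\config'

function Enable-FileSystemAuditing {
    # A SACL is inert until the Object Access > File System subcategory is enabled;
    # without it no 4663 is ever written.
    auditpol /set /subcategory:"File System" /success:enable /failure:enable
}

function Add-HiveReadAuditRule {
    param([string]$Identity = 'Everyone')
    $rights = [System.Security.AccessControl.FileSystemRights]::ReadData
    $flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    foreach ($hive in $Hives) {
        $path = Join-Path $ConfigDir $hive
        $acl  = Get-Acl -Path $path -Audit        # -Audit makes Get-Acl/Set-Acl carry the SACL
        $rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList $Identity, $rights, $flags
        $acl.AddAuditRule($rule)
        Set-Acl -Path $path -AclObject $acl
        [pscustomobject]@{
            Hive       = $hive
            AuditRules = (Get-Acl -Path $path -Audit).Audit |
                         ForEach-Object { "$($_.IdentityReference) $($_.FileSystemRights) [$($_.AuditFlags)]" }
        }
    }
}

function Remove-ExistingShadowCopies {
    # Shadow copies taken before the SACL existed keep the old security descriptor, so reads
    # through them are not audited. This also discards System Restore points; create a fresh
    # one afterwards if the host relies on them.
    vssadmin delete shadows "/for:$($env:SystemDrive)" /Quiet
}

Enable-FileSystemAuditing
Add-HiveReadAuditRule | Format-List
# Remove-ExistingShadowCopies   # needed for the SACL to cover reads via a shadow copy; read the caveat above
```

After this, a read of SAM through a shadow copy created later (for example by a new restore point) produces event 4663 with the shadow-copy device path in ObjectName, which is what the analytic below keys on.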
The following analytics in Splunk Security Content relate to Volume Shadow Copies being created, modified or deleted. In addition, we wrote two new detections specifically for CVE-2021-36934.
Analytic | Technique | Tactic | Notes
Delete ShadowCopy With PowerShell (Existing) | T1490 - Inhibit System Recovery | Impact | Uses PowerShell Script Block Logging to identify shadow copies being deleted or moved
 | T1003.003 - OS Credential Dumping: NTDS | Credential Access | Identifies the use of mklink.exe to create a symlink to a newly created Volume Shadow Copy
 | T1003.003 - OS Credential Dumping: NTDS | Credential Access | Identifies the use of wmic and PowerShell to create a shadow copy
Creation of Shadow Copy (Existing) | T1003.003 - OS Credential Dumping: NTDS | Credential Access | Identifies vssadmin or wmic being used to create a shadow copy
Credential Dumping via Copy Command from Shadow Copy (Existing) | T1003.003 - OS Credential Dumping: NTDS | Credential Access | Identifies possible credential dumping using the copy command from a shadow copy
Deleting Shadow Copies (Existing) | T1490 - Inhibit System Recovery | Impact | Identifies vssadmin.exe or wmic being used to delete shadow copies
Extract SAM from registry (Existing) | T1003.002 - OS Credential Dumping: Security Account Manager | Credential Access | Identifies the use of `reg.exe` exporting Windows Registry hives containing credentials
Detect Copy of ShadowCopy with Script Block Logging (New) | T1003.002 - OS Credential Dumping: Security Account Manager | Credential Access | Identifies `copy` or `[System.IO.File]::Copy` being used to capture the SAM, SYSTEM or SECURITY hives in logged script blocks
SAM Database File Access Attempt (New) | T1003.002 - OS Credential Dumping: Security Account Manager | Credential Access | Uses Windows Event Code 4663 to identify a process accessing the SAM database
Detect Copy of ShadowCopy with Script Block Logging
source=WinEventLog:Microsoft-Windows-PowerShell/Operational EventCode=4104 Message IN ("*copy*","*[System.IO.File]::Copy*") AND Message IN ("*System32\\config\\SAM*", "*System32\\config\\SYSTEM*","*System32\\config\\SECURITY*")
| stats count min(_time) as firstTime max(_time) as lastTime by OpCode ComputerName EventCode Message
SAM Database File Access Attempt
source=WinEventLog:Security (EventCode=4663) process_name!=*\\dllhost.exe Object_Name IN ("*\\Windows\\System32\\config\\SAM*","*\\Windows\\System32\\config\\SYSTEM*","*\\Windows\\System32\\config\\SECURITY*") | stats values(Accesses) count by process_name Object_Name dest user
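For hosts whose logs are not forwarded to Splunk, the two searches above can be reproduced locally with Get-WinEvent. The following is an added example, not code from the original post: it assumes PowerShell Script Block Logging (event 4104) and a read-audit SACL on the hive files (event 4663) are already enabled; the dllhost.exe exclusion is carried over from the SPL above, while the 24-hour window and the function names are choices made here.

```powershell
# Added example: local equivalents of the two Splunk searches; not code from the original post.
# Assumes 4104 (Script Block Logging) and 4663 (File System auditing with a SACL) are enabled.

$HivePatterns = '*System32\config\SAM*', '*System32\config\SYSTEM*', '*System32\config\SECURITY*'

function Test-HivePath {
    param([string]$Text)
    foreach ($pattern in $HivePatterns) { if ($Text -like $pattern) { return $true } }
    return $false
}

function ConvertFrom-EventData {
    # Flattens <EventData><Data Name=...> into a hashtable so fields are looked up by name
    # rather than by the positional index of $Event.Properties.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml  = [xml]$Event.ToXml()
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

function Find-HiveCopyScriptBlocks {
    # Mirror of "Detect Copy of ShadowCopy with Script Block Logging": a logged script block
    # that mentions copy (cmd copy, Copy-Item or [System.IO.File]::Copy) together with a hive path.
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = (ConvertFrom-EventData $_)['ScriptBlockText']
        if ($text -and $text -match 'copy' -and (Test-HivePath $text)) {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Computer = $_.MachineName
                Snippet  = $text.Substring(0, [Math]::Min(160, $text.Length))
            }
        }
    }
}

function Find-HiveAccessEvents {
    # Mirror of "SAM Database File Access Attempt": 4663 with a hive ObjectName, grouped like
    # the SPL's "stats values(Accesses) count by process_name Object_Name dest user".
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ((Test-HivePath $d['ObjectName']) -and $d['ProcessName'] -notlike '*\dllhost.exe') {
            [pscustomobject]@{
                Process  = $d['ProcessName']
                Object   = $d['ObjectName']
                Dest     = $_.MachineName
                User     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Accesses = $d['AccessMask']
            }
        }
    } | Group-Object Process, Object, Dest, User | ForEach-Object {
        [pscustomobject]@{
            Process  = $_.Group[0].Process
            Object   = $_.Group[0].Object
            Dest     = $_.Group[0].Dest
            User     = $_.Group[0].User
            Accesses = ($_.Group.Accesses | Sort-Object -Unique) -join ','
            Count    = $_.Count
        }
    }
}

Find-HiveCopyScriptBlocks | Format-Table -AutoSize -Wrap
Find-HiveAccessEvents     | Format-Table -AutoSize
```

Parsing the event XML by field name instead of relying on $_.Properties positions keeps the logic readable and robust if a field is added to a template; the tradeoff is speed on large Security logs, so narrow the StartTime window when hunting interactively.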
As always, security at Splunk is a family business. Credit to authors and collaborators:
We would also like to thank security researcher Vadim Khrykov for his input, and Kevin Beaumont for the initial Proof-of-Concept.