Detect HiveNightmare (CVE-2021-36934) Exploitation Attempts

July 21, 2021

July 2021 continues to be a hot and difficult month in terms of high-profile cybersecurity events. While the industry is still recovering from the PrintNightmare vulnerability (CVE-2021-1675), the Kaseya supply chain attack, and the SolarWinds Serv-U zero-day (CVE-2021-35211), Microsoft has officially acknowledged a new flaw in its products. The recently disclosed HiveNightmare (aka SeriousSAM) bug affects every Windows 10 release of the past two years and lets any unprivileged Windows 10 user read the SAM database and extract the password hashes of local accounts, administrators included.

HiveNightmare (CVE-2021-36934) Description

HiveNightmare, or SeriousSAM, is an elevation of privilege issue caused by overly permissive Access Control Lists (ACLs) on the registry hive files stored under %windir%\system32\config, including the Security Account Manager (SAM) database. The misconfiguration lets low-privileged users read the host's SAM, SYSTEM, and SECURITY registry hive files. These files hold highly sensitive data: local account password hashes, the original Windows installation password, the DPAPI computer keys that can decrypt all of the computer's private keys, and more. Because Windows keeps the live hives locked, an attacker reads them from a Volume Shadow Copy snapshot instead, so the bug is only exploitable on hosts where a shadow copy already exists (which is common wherever System Protection is enabled).

Successful exploitation of the HiveNightmare flaw lets a local adversary escalate privileges and run arbitrary code with SYSTEM rights. From there, the attacker can install malicious software on the targeted host, access and tamper with sensitive data, or create new administrator accounts. The limitation of CVE-2021-36934 is that the attacker must already be able to execute code on the target device as a local user: it is a post-compromise privilege escalation, not a remote entry point.

The flaw was identified by security researcher Jonas Lykkegaard and reported to the vendor. According to Microsoft, the misconfiguration has been present in its products for years and affects all Windows 10 releases from version 1809 onward. At the time of writing, no public proof-of-concept (PoC) exploit was available.

HiveNightmare Detection and Mitigation

Microsoft confirmed the HiveNightmare vulnerability (CVE-2021-36934) on July 20, 2021, and is investigating the issue in order to release a dedicated fix. For now, no official patch has been published. Microsoft has, however, published a workaround: from an elevated Command Prompt or PowerShell, restrict access to the hive files by re-enabling ACL inheritance on everything under %windir%\system32\config, and then delete any Volume Shadow Copy Service (VSS) shadow copies and System Restore points that existed before the ACL change, since those snapshots still contain readable copies of the hives.
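The following PowerShell is an added example, not text from Microsoft's advisory or from SOC Prime's content. It checks whether a host exposes the hives (BUILTIN\Users holding read access on SAM, SYSTEM or SECURITY), counts existing shadow copies, and, when run with -Fix from an elevated prompt, applies the two workaround steps described above. The function and parameter names are illustrative.

```powershell
<#
 Added example, not part of the original post or of Microsoft's advisory text.
 Checks a host for CVE-2021-36934 exposure and, with -Fix, applies Microsoft's
 published workaround. Run from an elevated PowerShell prompt; function and
 parameter names are illustrative.
#>
function Test-HiveNightmare {
    [CmdletBinding()]
    param(
        # Apply the workaround: restore ACL inheritance, then delete shadow copies.
        [switch]$Fix
    )

    $config = Join-Path $env:windir 'System32\config'
    $hives  = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object { Join-Path $config $_ }

    # 1. Vulnerable ACL: BUILTIN\Users holds Read/Execute on the live hive files.
    #    icacls prints a line such as "BUILTIN\Users:(I)(RX)" on an affected host.
    $exposed = @(foreach ($hive in $hives) {
        $acl = icacls $hive 2>&1 | Out-String
        if ($acl -match 'BUILTIN\\Users:\(I\)\(RX\)') { $hive }
    })

    # 2. The live hives are locked while Windows runs, so the attack reads them
    #    from a Volume Shadow Copy; without a snapshot the weak ACL is not usable.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

    if ($Fix -and $exposed.Count -gt 0) {
        # Workaround step 1: re-enable inheritance so the hive files pick up the
        # restrictive ACL of the config directory.
        icacls (Join-Path $config '*.*') /inheritance:e | Out-Null

        # Workaround step 2: snapshots taken before the ACL change still contain
        # readable copies of the hives, so remove them (this also removes the
        # System Restore points that depend on them).
        vssadmin delete shadows /all /quiet | Out-Null
    }

    # Report the state as found, before any fix was applied.
    [pscustomobject]@{
        ExposedHives = $exposed
        ShadowCopies = $shadows.Count
        Exploitable  = ($exposed.Count -gt 0) -and ($shadows.Count -gt 0)
    }
}

Test-HiveNightmare
```

Run it without -Fix first to inventory affected hosts; a host with exposed hives but no shadow copies is misconfigured but not yet exploitable, and deleting shadow copies also discards restore points, so confirm that trade-off before running with -Fix.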

To help the cybersecurity community spot and mitigate attacks leveraging the SeriousSAM flaw, SOC Prime has released two detection rules: one that identifies workstations holding shadow copies, and one that reveals the suspicious operations that precede CVE-2021-36934 exploitation.

Identify Workstations which contains Shadow Copies [related to HiveNightmare/SeriousSAM/CVE-2021-36934 Attack Exploitation] (via audit)

This SOC Prime rule identifies workstations that hold older shadow copy snapshots in which the SAM/SYSTEM hive files still carry the over-permissive ACLs.

SIEM & SECURITY ANALYTICS: Azure Sentinel, ELK Stack, Chronicle Security, Splunk, Sumo Logic, ArcSight, QRadar, Humio, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Apache Kafka ksqlDB, Qualys, Securonix

Suspicious Operations on SAM/SECURITY Before HiveNightmare/SeriousSAM/CVE-2021-36934 Attack Exploitation (via cmdline)

This rule identifies suspicious operations tied to possible CVE-2021-36934 exploitation, for example an adversary running icacls to check the permissions on the SAM/SYSTEM files.

SIEM & SECURITY ANALYTICS: Azure Sentinel, ELK Stack, Chronicle Security, Splunk, Sumo Logic, ArcSight, QRadar, Humio, SentinelOne, Microsoft Defender ATP, CrowdStrike, FireEye, Carbon Black, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, Qualys, Securonix

The rules are mapped to the MITRE ATT&CK framework, addressing the Privilege Escalation tactic and the Local Accounts (T1078.003) sub-technique of the Valid Accounts (T1078) technique. Detection content is available in Threat Detection Marketplace upon registration.
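As an added illustration of what a command-line rule of this kind looks for (this is not SOC Prime's rule, and the marketplace content is not reproduced here), the PowerShell below runs three regex checks over constructed process-creation events: the icacls permission check on the hive files described above, shadow copy enumeration or creation, and a direct read of a hive through the shadow copy device path. The event fields (Host, User, CommandLine) are assumed to come from Sysmon Event ID 1 or Security 4688; the pattern names and sample events are my own.

```powershell
<#
 Added example, not SOC Prime's rule: a minimal cmdline-based detector for the
 operations that precede or perform HiveNightmare exploitation, run over
 constructed process-creation events (Sysmon EID 1 / Security 4688 fields).
 Pattern names and sample events are my own.
#>
$Patterns = [ordered]@{
    # Permission reconnaissance on the live hive files.
    'acl-check-on-hives'   = '(?i)\b(icacls|cacls|get-acl)\b.*\\system32\\config\\(sam|system|security)\b'
    # Snapshot enumeration or creation: the attacker needs a shadow copy to read from.
    'shadow-copy-recon'    = '(?i)\bvssadmin(\.exe)?\s+(list|create)\s+shadows?\b'
    # Direct hive access through the shadow copy device path.
    'hive-read-via-shadow' = '(?i)HarddiskVolumeShadowCopy\d+\\Windows\\System32\\config\\(sam|system|security)\b'
}

function Find-HiveNightmareActivity {
    param(
        # Objects with at least Host, User and CommandLine properties.
        [Parameter(Mandatory)][object[]]$Events
    )
    foreach ($e in $Events) {
        foreach ($name in $Patterns.Keys) {
            if ($e.CommandLine -match $Patterns[$name]) {
                [pscustomobject]@{
                    Host        = $e.Host
                    User        = $e.User
                    Rule        = $name
                    CommandLine = $e.CommandLine
                }
            }
        }
    }
}

# Constructed sample events: the first three are suspicious, the last two benign.
$Sample = @(
    [pscustomobject]@{ Host = 'WS01'; User = 'CORP\jdoe';  CommandLine = 'icacls C:\Windows\System32\config\SAM' }
    [pscustomobject]@{ Host = 'WS01'; User = 'CORP\jdoe';  CommandLine = 'vssadmin list shadows' }
    [pscustomobject]@{ Host = 'WS01'; User = 'CORP\jdoe';  CommandLine = 'cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Users\jdoe\sam.hive' }
    [pscustomobject]@{ Host = 'WS02'; User = 'CORP\admin'; CommandLine = 'icacls C:\inetpub\wwwroot /grant Users:R' }
    [pscustomobject]@{ Host = 'WS02'; User = 'NT AUTHORITY\SYSTEM'; CommandLine = 'C:\Windows\System32\svchost.exe -k netsvcs' }
)

Find-HiveNightmareActivity -Events $Sample | Format-Table -AutoSize
```

Only the three WS01 events from the same low-privileged user trigger a rule; the benign icacls call on a web root does not, because the pattern requires the system32\config path. In a real SIEM, correlating these three hits on one host within a short window is a far stronger signal than any single one, since administrators do legitimately run vssadmin.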

Explore Threat Detection Marketplace to reach over 100K qualified, cross-vendor, and cross-tool detection rules tailored to 20+ market-leading SIEM, EDR, NTDR, and XDR technologies. Enthusiastic to contribute to the world’s cybercommunity by enriching the Detection as Code platform by your own detection content? Join our Threat Bounty Program for a safer future!
