The following worklet is used to mitigate the abuse of a low privilege user that have RX permissions in the %windir%\system32\config directory. With the availability of VSS shadow copies, this low privilege user may obtain credentials and DPAPI computer keys, install programs, delete data, or create new accounts. The following worklet follows the recommendations of Microsoft for a suggested workaround.

Note: The recommendations provided by Microsoft includes the deletion of shadow copies. Please be advised that ransomware authors may also delete shadow copies, and many antiviruses and EDR solutions may block or flag this activity. Additionally, depending on your backup software and/or policies, this mitigation may conflict with your existing practices. Please consult with your IT/Security policies first prior to implementing this worklet. Also per best practice, please also test this worklet on a small sample size prior to implementing across the organization.

Evaluation Code


To evaluate if your system is vulnerable, this worklet looks to see if you have built-in users with RX permissions. Your system must have both shadow copies and users with RX permissions for it to be vulnerable. Sources state that Windows version 10 build 1809 and up are susceptible to this vulnerability.

# Check if the system is vulnerable to SAM access from low privileged users.





# Check if a 64bit system is vulnerable to SAM access





if ([system.environment]::Is64BitOperatingSystem)


{


    $SAM_perms_64 = icacls "$Env:windir\sysnative\config\sam"


    if ( $SAM_perms_64 -like "*BUILTIN\Users:(I)(RX)*" )


    {


        Write-Output "The SAM is vulnerable to LPE."


        exit 1


    }


    else


    {


        Write-Output "The system was not vulnerable."


        exit 0


    }


}





# Check if a 32bit system is vulnerable to SAM access


$SAM_perms = icacls "$Env:windir\system32\config\sam"


if ( $SAM_perms -like "*BUILTIN\Users:(I)(RX)*" )


    {


        Write-Output "The SAM is vulnerable to LPE."


        exit 1


    }


else


    {


        Write-Output "The system was not vulnerable."


        exit 0


    }

Remediation Code


If your system has been identified as vulnerable, this worklet will attempt to enforce ACL inheritance and purge shadow copies. Additionally, it will create new shadow copies, now that ACL inheritance is enforced. Again, please note that antiviruses and/or EDR solutions may block the deletion of shadow copies. Please always check with your security/IT policies first.

# Enable ACL inheritance for files in the %windir%\sysnatve\config\* directory for 64bit machines.


if ( [system.environment]::Is64BitOperatingSystem )


{


    $acl_check_64 = icacls "$Env:windir\sysnative\config\*" /inheritance:e


    if ( $acl_check_64 -Like "*Failed processing 0 files*" )


    {


        Write-Output "Successfully enabled ACL inheritance."


    }


    else


    {


        Write-Output "Failed to process ACL inheritance."


        exit 1


    }


    # Purge VSS Admin Shadow Copies. Please note that if you use any backup software that leverage vssadmin shadow copies, that this may cause interoperability.


    # This may also trigger your antivirus and/or EDR solutions.


    Start-Process -FilePath "$Env:windir\sysnative\vssadmin.exe" -ArgumentList 'delete shadows /Quiet /all'


    $shadows_exist_64 = &"$env:WINDIR\sysnative\windowspowershell\v1.0\powershell.exe" -Command "VSSAdmin list shadows"


    if ( $shadows_exist_64 -like "*No items*" )


    {


        Write-Output "Shadow copies successfully deleted."


        # Create new shadow copies assuming you are operating out of C:


        wmic shadowcopy call create Volume='c:\' | out-null


        Write-Output "New shadow copies created."


        exit 0


    }


    else


    {


        Write-Output "Shadow copies were not completely deleted. This could be due to interops with your antivirus."


        exit 1


    }


}


else


# Enable ACL inheritance for files in the %windr%\system32\config\* directory for 32bit machines.


{


    $acl_check = icacls "$Env:windir\system32\config\*" /inheritance:e


    if ( $acl_check -Like "*Failed processing 0 files*" )


    {


        Write-Output "Successfully enabled ACL inheritance."


    }


    else


    {


        Write-Output "Failed to process ACL inheritance."


        exit 1


    }


    # Purge VSS Admin Shadow Copies. Please note that if you use any backup software that leverage vssadmin shadow copies, that this may cause interoperability.


    # This may also trigger your antivirus and/or EDR solutions.


    Start-Process -FilePath "$Env:windir\system32\vssadmin.exe" -ArgumentList 'delete shadows /Quiet /all'


    $shadows_exist = &"$env:WINDIR\system32\windowspowershell\v1.0\powershell.exe" -Command "VSSAdmin list shadows"


    if ( $shadows_exist -like "*No items*" )


    {


        Write-Output "Shadow copies successfully deleted."


        # Create new shadow copies assuming you are operating out of C:


        wmic shadowcopy call create Volume='c:\' | out-null


        Write-Output "New shadow copies created."


    }


    else


    {


        Write-Output "Shadow copies were not completely deleted. This could be due to interops with your antivirus."


        exit 1


    }


}


exit 0

Hope you find this worklet helpful! Let us know if you have any questions or concerns. We may update this worklet if investigation and sources result in addition findings.

References

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36934