Skip to main content

The following worklet is used to mitigate the abuse of a low privilege user that have RX permissions in the %windir%\system32\config directory. With the availability of VSS shadow copies, this low privilege user may obtain credentials and DPAPI computer keys, install programs, delete data, or create new accounts. The following worklet follows the recommendations of Microsoft for a suggested workaround.



Note: The recommendations provided by Microsoft includes the deletion of shadow copies. Please be advised that ransomware authors may also delete shadow copies, and many antiviruses and EDR solutions may block or flag this activity. Additionally, depending on your backup software and/or policies, this mitigation may conflict with your existing practices. Please consult with your IT/Security policies first prior to implementing this worklet. Also per best practice, please also test this worklet on a small sample size prior to implementing across the organization.



Evaluation Code


To evaluate if your system is vulnerable, this worklet looks to see if you have built-in users with RX permissions. Your system must have both shadow copies and users with RX permissions for it to be vulnerable. Sources state that Windows version 10 build 1809 and up are susceptible to this vulnerability.



# Check if the system is vulnerable to SAM access from low privileged users.



# Check if a 64bit system is vulnerable to SAM access



if ([system.environment]::Is64BitOperatingSystem)

{

$SAM_perms_64 = icacls "$Env:windir\sysnative\config\sam"

if ( $SAM_perms_64 -like "*BUILTIN\Users:(I)(RX)*" )

{

Write-Output "The SAM is vulnerable to LPE."

exit 1

}

else

{

Write-Output "The system was not vulnerable."

exit 0

}

}



# Check if a 32bit system is vulnerable to SAM access

$SAM_perms = icacls "$Env:windir\system32\config\sam"

if ( $SAM_perms -like "*BUILTIN\Users:(I)(RX)*" )

{

Write-Output "The SAM is vulnerable to LPE."

exit 1

}

else

{

Write-Output "The system was not vulnerable."

exit 0

}



Remediation Code


If your system has been identified as vulnerable, this worklet will attempt to enforce ACL inheritance and purge shadow copies. Additionally, it will create new shadow copies, now that ACL inheritance is enforced. Again, please note that antiviruses and/or EDR solutions may block the deletion of shadow copies. Please always check with your security/IT policies first.



# Enable ACL inheritance for files in the %windir%\sysnatve\config\* directory for 64bit machines.

if ( [system.environment]::Is64BitOperatingSystem )

{

$acl_check_64 = icacls "$Env:windir\sysnative\config\*" /inheritance:e

if ( $acl_check_64 -Like "*Failed processing 0 files*" )

{

Write-Output "Successfully enabled ACL inheritance."

}

else

{

Write-Output "Failed to process ACL inheritance."

exit 1

}

# Purge VSS Admin Shadow Copies. Please note that if you use any backup software that leverage vssadmin shadow copies, that this may cause interoperability.

# This may also trigger your antivirus and/or EDR solutions.

Start-Process -FilePath "$Env:windir\sysnative\vssadmin.exe" -ArgumentList 'delete shadows /Quiet /all'

$shadows_exist_64 = &"$env:WINDIR\sysnative\windowspowershell\v1.0\powershell.exe" -Command "VSSAdmin list shadows"

if ( $shadows_exist_64 -like "*No items*" )

{

Write-Output "Shadow copies successfully deleted."

# Create new shadow copies assuming you are operating out of C:

wmic shadowcopy call create Volume='c:\' | out-null

Write-Output "New shadow copies created."

exit 0

}

else

{

Write-Output "Shadow copies were not completely deleted. This could be due to interops with your antivirus."

exit 1

}

}

else

# Enable ACL inheritance for files in the %windr%\system32\config\* directory for 32bit machines.

{

$acl_check = icacls "$Env:windir\system32\config\*" /inheritance:e

if ( $acl_check -Like "*Failed processing 0 files*" )

{

Write-Output "Successfully enabled ACL inheritance."

}

else

{

Write-Output "Failed to process ACL inheritance."

exit 1

}

# Purge VSS Admin Shadow Copies. Please note that if you use any backup software that leverage vssadmin shadow copies, that this may cause interoperability.

# This may also trigger your antivirus and/or EDR solutions.

Start-Process -FilePath "$Env:windir\system32\vssadmin.exe" -ArgumentList 'delete shadows /Quiet /all'

$shadows_exist = &"$env:WINDIR\system32\windowspowershell\v1.0\powershell.exe" -Command "VSSAdmin list shadows"

if ( $shadows_exist -like "*No items*" )

{

Write-Output "Shadow copies successfully deleted."

# Create new shadow copies assuming you are operating out of C:

wmic shadowcopy call create Volume='c:\' | out-null

Write-Output "New shadow copies created."

}

else

{

Write-Output "Shadow copies were not completely deleted. This could be due to interops with your antivirus."

exit 1

}

}

exit 0



Hope you find this worklet helpful! Let us know if you have any questions or concerns. We may update this worklet if investigation and sources result in addition findings.



References



https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-36934

Please note that for Automox customers, this worklet will display in the Community Worklets tab in the Automox console.


Awesome work, just remember if you have a SIEM or SOC service running these actions will result in alerts.


I got an error when I ran the worklet. Looks like it has been blocked by Endpoint Protection!



I think the path is incorrect:



C:\WINDOWS\sysnative\config*: The system cannot find the path specified.


Failed to process ACL inheritance


Deleting shadow copies is know malicious behavior and often stopped by endpoint protection behavioral engines.


I receive the same error.



Shouldn’t it be the following?



$SAM_perms_64 = icacls “$Env:windir\System32\config\sam” and $SAM_perms = icacls “$Env:windir\SysWOW64\config\sam”


@OROR and @MFKDGAF what happens when you run the command manually on a machine where you see that error?



icacls “$Env:windir\system32\config*” /inheritance:e



Do you get output similar to mine?




Also, do you have shadow copies enabled?


The Evaluation Code above will return false compliance if the Windows installation has been done in another language than English, since the name of the checked security group BUILTIN\Users will be localized:


e.g. German VORDEFINIERT\Benutzer



In many cases, it will make sense to retrieve the localized strings from the Well-known SIDs instead.


The adjusted evaluation code would look like:



# Check if the system is vulnerable to SAM access from low privileged users.



# Check if a 64bit system is vulnerable to SAM access



$SIDBUILTIN = "S-1-5-32"

$SIDUsers = "S-1-5-32-545"

$SecurityAuthority = $(Get-CimInstance -ClassName Win32_account -Filter "SID like $SIDBUILTIN").Name



if ([system.environment]::Is64BitOperatingSystem)

{

$SecurityGroup64 = &"$Env:windir\sysnative\windowspowershell\v1.0\powershell.exe" -Command "(Get-LocalGroup -SID $SIDUsers).Name"

$SAM_perms_64 = icacls "$Env:windir\sysnative\config\sam"

if ( $SAM_perms_64 -like "*$SecurityAuthority\$SecurityGroup64:(I)(RX)*" )

{

Write-Output "The SAM is vulnerable to LPE."

exit 1

}

else

{

Write-Output "The system was not vulnerable."

exit 0

}

}



# Check if a 32bit system is vulnerable to SAM access

$SecurityGroup = $(Get-LocalGroup -SID $SIDUsers).Name

$SAM_perms = icacls "$Env:windir\system32\config\sam"

if ( $SAM_perms -like "*$SecurityAuthority\$SecurityGroup:(I)(RX)*" )

{

Write-Output "The SAM is vulnerable to LPE."

exit 1

}

else

{

Write-Output "The system was not vulnerable."

exit 0

}

On 64bit, I use a slightly different method for evaluating, but the path itself works for me:



Get-Acl $env:windir\sysnative\config\SAM


Hi, sorry for delayed response. We will be releasing the v2 of this worklet. Thanks for your input and feedback.


Reply