New Windows 10 vulnerability allows anyone to get admin privileges July 20, 2021 https://www.bleepingcomputer.com/ne...bility-allows-anyone-to-get-admin-privileges/
Microsoft Windows 10 gives unprivileged user access to SAM, SYSTEM, and SECURITY files Vulnerability Note VU#506989 July 20, 2021 https://kb.cert.org/vuls/id/506989
Just a word of warning here. Although somewhat obvious, this mitigation will delete all your OS restore points. So after performing the mitigation, my advice is to create a restore point in case you need to do a system restore. BTW - the mitigation works. You will get access denied if trying to access shadow copy files when running under default limited admin account.
Andy replied to this (https://malwaretips.com/threads/new...ne-to-get-admin-privileges.109198/post-951912) > New Windows 10 vulnerability allows anyone to get admin privileges “That is not correct. The attack is based on the "Pass-the-Hash" method: A Pass-the-Hash (PtH) attack is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems. So, it is relevant to business networks and not to the Home environment. PtH exploits Single Sign-On (SSO) through NT LAN Manager (NTLM), Kerberos, and other authentication protocols.”
Updated: Microsoft provides workaround for HiveNightmare registry vulnerability that affects Windows 10 and 11 July 21, 2021 https://www.neowin.net/news/microso...vulnerability-that-affects-windows-10-and-11/
Interesting exercises for the technically inclined in this blog from Sophos: Windows “HiveNightmare” bug could leak passwords – here’s what to do! https://nakedsecurity.sophos.com/2021/07/21/windows-hivenightmare-bug-could-leak-passwords-heres-what-to-do/
I got "vulnerability OK", so I did this in cmd (which "fixes" the vulnerability):

icacls %windir%\system32\config\*.* /inheritance:e

this one is redundant

icacls %windir%\system32\config\sam /remove "Users"
icacls %windir%\system32\config\security /remove "Users"
icacls %windir%\system32\config\system /remove "Users"

But you need to delete shadow copies:

vssadmin delete shadows /for=c: /Quiet
vssadmin.exe Delete Shadows /All /Quiet (for all volumes)
vssadmin list shadows
I still have the update from 08.07, maybe that's why; I checked and was vulnerable. There is an update from 08.09 for 21H1 Windows 10. The VSS is potentially dangerous; I've read that malware might hide there as it is not often scanned: the VSS snapshots have potential for hiding data or other malicious stuff. Unfortunately Macrium Reflect uses VSS. You can use the WMIC method that does not rely on vssadmin; if you use the OS default backup, WMIC can also do the backup routine.
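A verification script for the two posts above, added here as an example and not posted by anyone in the thread. It checks from an elevated PowerShell prompt whether BUILTIN\Users still has an Allow read entry on the SAM, SECURITY and SYSTEM hive files (the condition the icacls commands above are meant to remove), and then lists existing shadow copies through the Win32_ShadowCopy CIM class, which is the "WMIC method" mentioned above and does not depend on vssadmin. Assumptions: the hives live in %windir%\System32\config, the exposed ACL appears as an Allow entry for BUILTIN\Users, and the script is run as an administrator (it only reads ACLs and lists snapshots; it changes nothing).

```powershell
# Added check script, not from the thread. Run from an elevated PowerShell prompt.
# Assumption: hive files sit in %windir%\System32\config and the exposed ACL shows
# up as an Allow entry for BUILTIN\Users, matching the icacls /remove "Users" fix.

$hiveDir = Join-Path $env:windir 'System32\config'
$hives   = 'sam', 'security', 'system' | ForEach-Object { Join-Path $hiveDir $_ }

function Test-HiveReadableByUsers {
    param([Parameter(Mandatory)][string]$Path)

    # ReadData is the right that lets a user open the file for reading.
    $readBit = [System.Security.AccessControl.FileSystemRights]::ReadData
    $acl = Get-Acl -Path $Path

    # Keep only Allow entries granted to BUILTIN\Users that include ReadData.
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        (($_.FileSystemRights -band $readBit) -eq $readBit)
    }

    [pscustomobject]@{
        Hive         = $Path
        UsersCanRead = [bool]$hit                                   # True = still exposed
        Inherited    = [bool]($hit | Where-Object IsInherited)      # came via inheritance:e?
    }
}

Write-Host '== Hive ACLs (UsersCanRead = True means the hive is still exposed) =='
$hives | ForEach-Object { Test-HiveReadableByUsers -Path $_ } | Format-Table -AutoSize

# An older snapshot keeps the old ACL and the old hive contents, so fixing the live
# ACL alone is not enough; this lists snapshots without using vssadmin.
Write-Host '== Existing shadow copies =='
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy
if ($shadows) {
    $shadows | Select-Object ID, InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize
    Write-Host 'Shadow copies present: delete them (vssadmin, as in the post above), re-run this check, then create a fresh restore point.'
} else {
    Write-Host 'No shadow copies found.'
}
```

Reading the ACL needs only READ_CONTROL, so Get-Acl works even though the hive files themselves are held open by the system; a result of UsersCanRead = False on all three files together with an empty shadow-copy list is the state the mitigation is trying to reach.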
That might or might not be. It's a Micro bug vulnerability, one of a million others not yet discovered, no doubt. As if it isn't bad enough, there's their forced overuse of the Telemetry nuisance on Windows 10.
Unpatched Windows Zero-Day Allows Privileged File Access ...using the LPE exploitation approach for the HiveNightmare/SeriousSAM bug November 29, 2021