Splunk Inc.

07/27/2021 | News release | Distributed by Public on 07/27/2021 16:47

Detecting SeriousSAM CVE-2021-36934 With Splunk

Share:
By Splunk Threat Research Team July 27, 2021

SeriousSAM or CVE-2021-36934 is a Privilege Escalation Vulnerability, which allows overly permissive Access Control Lists (ACLs) that provide low privileged users read access to privileged system files including the Security Accounts Manager (SAM) database. The SAM database stores users' encrypted passwords in a Windows system. According to the Microsoft advisory, this issue affects Windows 10 1809 and above as well as certain versions of Server 2019.


The low privileged group 'BUILTIN\Users' with RX permissions to the SAM database

Exploitation of SeriousSAM

To abuse this misconfiguration, an attacker who has already obtained low privilege code execution on a vulnerable host simply needs to read and export system files from a Volume Shadow Copy. An example is shown below using PowerShell:

[System.IO.File]::Copy('\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM', 'c:\Windows\Temp\sam.copy')


[System.IO.File]::Copy('\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM', 'c:\Windows\Temp\system.copy')


Proof of concepts written in C (by Security Researcher Kevin Beaumont) and re-implemented in Go (by Christian Mehlmauer) are publicly available.

The Impact of SeriousSAM

Using the recovered system files, an attacker will be able to obtain the list of local users and their corresponding NTLM hashes as shown below. These hashes can be cracked offline using tools like hashcat to obtain their clear text form, alternatively, they can also be used to authenticate to other hosts remotely using PassTheHash.

Obtaining NTLM hashes from the SAM database

In the most limited scenario, exploitation would allow a low privileged user to escalate privileges on a vulnerable host and take control of it. This allows attackers to install programs, read, modify, or delete sensitive data, add or remove users, etc.

However, organizations that leverage the same local account with the same credentials across several endpoints in an enterprise network face a higher risk. Leveraging the cracked passwords or the hashes, attackers will be able authenticate to remote hosts over the network and obtain remote code execution on them.

Using crackmapexec with the obtained hashes to connect to remote hosts

SeriousSAM has been categorized as Important by Microsoft and is pending a CVSS score by NIST at the time of writing. It is certainly not as serious as other vulnerabilities reported in the last few months like PringtNightmare or ProxyLogon. However, given the right circumstances as exposed above, it could enable adversaries to achieve operational success faster during a breach. The Splunk Threat Research team recommends performing an assessment to better understand the impact of this vulnerability in corporate environments.

Detection Opportunities and Limitations

Given that successful exploitation for this flaw simply means reading files within a Volume Shadow Copy, there are some limitations on how to detect it.

Command Line Logging

Native process command line logging, as well as EDR tools, can be used to hunt for suspicious Paths referencing Volume Shadow Copies just like the PowerShell example above.

However, these types of detections can be easily bypassed with custom tools that avoid command line parameters and leverage direct API calls for file reads.

File System Auditing

Native File System auditing in Windows systems can be used to monitor user attempts to access objects like files and folders. This requires system administrators to create a System Access Control List (SACL) on the specific files or folders that want to be monitored. Under the right conditions, this can be a great way of detecting attempts to read the SAM database as shown below.

Event 4663 triggering on the SAM database read attempt

However, using SACLs to detect this attack also has some limitations. Based on our testing, the created SACLs will only apply to new Volume Shadow Copies. Existing Volume Shadow Copies will not be monitored, unfortunately. This forces detection teams to have to delete all previous VSC to successfully monitor for CVE-2021-36934 exploitation using this approach.

ESCU Coverage

The following analytics were identified in Security Content related to Shadow Copies being modified or deleted. In addition, we also wrote two new detections specifically related to CVE-2021-36934.

Analytic

Technique

Tactic

Notes

Delete ShadowCopy With PowerShell (Existing)


T1490 - Inhibit System Recovery



Impact

Utilizing PowerShell Script Block Logging to identify ShadowCopy being deleted or moved

Credential Dumping via Symlink to Shadow Copy (Existing)

T1003.003 - OS Credential Dumping: NTDS


Credential Access

Identifies the use of mklink.exe to create a symlink to a created Volume Shadow Copy

Creation of Shadow Copy with wmic and powershell (Existing)

T1003.003 - OS Credential Dumping: NTDS

Credential Access

Identifies the use of wmic and Powershell to create a shadow copy

Creation of Shadow Copy (Existing)

T1003.003 - OS Credential Dumping: NTDS

Credential Access

Identifies Vssadmin or Wmic has been used to create a shadow copy

Credential Dumping via Copy Command from Shadow Copy (Existing)

T1003.003 - OS Credential Dumping: NTDS

Credential Access

Identifies possible credential dumping using copy command from a shadow copy

Deleting Shadow Copies (Existing)

T1490 - Inhibit System Recovery



Impact

Identifies vssadmin.exe or wmic being used to delete shadow copies

Extract SAM from registry (Existing)

T1003.002 - OS Credential Dumping: Security Account Manager


Credential Access

Identifies the use of `reg.exe` exporting Windows Registry hives containing credentials

Detect Copy of ShadowCopy with Script Block Logging (New)

T1003.002 - OS Credential Dumping: Security Account Manager


Credential Access

Identifies `copy` or `[System.IO.File]::Copy` being used to capture the SAM, SYSTEM or SECURITY hives identified inscript block logged

SAM Database File Access Attempt (New)

T1003.002 - OS Credential Dumping: Security Account Manager


Credential Access

Utilizing Windows Event Code 4663 to identify a process accessing the SAM database


Detect Copy of ShadowCopy with Script Block Logging

source=WinEventLog:Microsoft-Windows-PowerShell/Operational 
EventCode=4104 Message IN ('*copy*','*[System.IO.File]::Copy*') AND Message IN 
('*System32\\config\\SAM*', '*System32\\config\\SYSTEM*','*System32\\config\\SECURITY*') 
| stats count min(_time) as firstTime max(_time) as lastTime by OpCode ComputerName EventCode Message 


SAM Database File Access Attempt

source=WinEventLog:Security (EventCode=4663)  process_name!=*\\dllhost.exe Object_Name IN 
('*\\Windows\\System32\\config\\SAM*','*\\Windows\\System32\\config\\SYSTEM*','*\\Windows\\System32\\config\\SECURITY*') 
| stats values(Accesses) count by process_name Object_Name  dest user

As always, security at Splunk is a family business. Credit to authors and collaborators:

We would also like to thank security researcher Vadim Khrykov for his input, and Kevin Beaumont for the initial Proof-of-Concept.