Detecting SeriousSAM CVE-2021-36934 With Splunk

SeriousSAM or CVE-2021-36934 is a Privilege Escalation Vulnerability, which allows overly permissive Access Control Lists (ACLs) that provide low privileged users read access to privileged system files including the Security Accounts Manager (SAM) database. The SAM database stores users' encrypted passwords in a Windows system. According to the Microsoft advisory, this issue affects Windows 10 1809 and above as well as certain versions of Server 2019.

_{The low privileged group ‘BUILTIN\Users’ with RX permissions to the SAM database}

Exploitation of SeriousSAM

To abuse this misconfiguration, an attacker who has already obtained low privilege code execution on a vulnerable host simply needs to read and export system files from a Volume Shadow Copy. An example is shown below using PowerShell:

Proof of concepts written in C (by Security Researcher Kevin Beaumont) and re-implemented in Go (by Christian Mehlmauer) are publicly available.

The Impact of SeriousSAM

Using the recovered system files, an attacker will be able to obtain the list of local users and their corresponding NTLM hashes as shown below. These hashes can be cracked offline using tools like hashcat to obtain their clear text form, alternatively, they can also be used to authenticate to other hosts remotely using PassTheHash.

_{Obtaining NTLM hashes from the SAM database}

In the most limited scenario, exploitation would allow a low privileged user to escalate privileges on a vulnerable host and take control of it. This allows attackers to install programs, read, modify, or delete sensitive data, add or remove users, etc.

However, organizations that leverage the same local account with the same credentials across several endpoints in an enterprise network face a higher risk. Leveraging the cracked passwords or the hashes, attackers will be able authenticate to remote hosts over the network and obtain remote code execution on them.

_{Using crackmapexec with the obtained hashes to connect to remote hosts}

SeriousSAM has been categorized as Important by Microsoft and is pending a CVSS score by NIST at the time of writing. It is certainly not as serious as other vulnerabilities reported in the last few months like PringtNightmare or ProxyLogon. However, given the right circumstances as exposed above, it could enable adversaries to achieve operational success faster during a breach. The Splunk Threat Research team recommends performing an assessment to better understand the impact of this vulnerability in corporate environments.

Detection Opportunities and Limitations

Given that successful exploitation for this flaw simply means reading files within a Volume Shadow Copy, there are some limitations on how to detect it.

Command Line Logging

Native process command line logging, as well as EDR tools, can be used to hunt for suspicious Paths referencing Volume Shadow Copies just like the PowerShell example above.

However, these types of detections can be easily bypassed with custom tools that avoid command line parameters and leverage direct API calls for file reads.

File System Auditing

Native File System auditing in Windows systems can be used to monitor user attempts to access objects like files and folders. This requires system administrators to create a System Access Control List (SACL) on the specific files or folders that want to be monitored. Under the right conditions, this can be a great way of detecting attempts to read the SAM database as shown below.

_{Event 4663 triggering on the SAM database read attempt}

However, using SACLs to detect this attack also has some limitations. Based on our testing, the created SACLs will only apply to new Volume Shadow Copies. Existing Volume Shadow Copies will not be monitored, unfortunately. This forces detection teams to have to delete all previous VSC to successfully monitor for CVE-2021-36934 exploitation using this approach.

ESCU Coverage

The following analytics were identified in Security Content related to Shadow Copies being modified or deleted. In addition, we also wrote two new detections specifically related to CVE-2021-36934.

Detect Copy of ShadowCopy with Script Block Logging

source=WinEventLog:Microsoft-Windows-PowerShell/Operational 
EventCode=4104 Message IN ("*copy*","*[System.IO.File]::Copy*") AND Message IN 
("*System32\\config\\SAM*", "*System32\\config\\SYSTEM*","*System32\\config\\SECURITY*") 

| stats count min(_time) as firstTime max(_time) as lastTime by OpCode ComputerName EventCode Message 

SAM Database File Access Attempt

source=WinEventLog:Security (EventCode=4663)  process_name!=*\\dllhost.exe Object_Name IN 
("*\\Windows\\System32\\config\\SAM*","*\\Windows\\System32\\config\\SYSTEM*","*\\Windows\\System32\\config\\SECURITY*") 
| stats values(Accesses) count by process_name Object_Name  dest user

As always, security at Splunk is a family business. Credit to authors and collaborators:

• Mauricio Velazco
• Michael Haag

We would also like to thank security researcher Vadim Khrykov for his input, and Kevin Beaumont for the initial Proof-of-Concept.