Researchers including @gentilkiwi, @jeffmcjunkin, and @wdormann are actively investigating the state of Access Control List (ACL) misconfigurations in versions of Windows, including Windows 10 and Windows 11 clients. Windows Server does not currently appear to be affected. The misconfigurations allow read access to the Windows SAM (Security Account Manager), SYSTEM, and SECURITY files. While Windows locks these files against local user access, the Volume Shadow Copy Service (VSS) can be used to bypass the file lock and obtain user passwords and computer private keys, create persistent “silver ticket” account access, etc.
Reports vary based on the installation method, but fresh ISO installations of Windows 10 1809, 1909, 20H2 (the original release but not the June version), and 21H1 (Windows 11 Insider) appear to be affected by this misconfiguration. Updating the affected versions currently does not remove the misconfiguration. Versions earlier than 1809 are not affected.
Misconfigurations and 0-day vulnerabilities are an intrinsic part of the modern threat environment. An appropriate response will depend on an organization’s risk management framework, including its specific threat models and overall assessed risks. Disabling VSS may remove the ability to back up data on Windows workstations and may not be the best solution, especially as other attack vectors to bypass Windows file locks may be employed. Mimikatz is not the only method of accessing these files; a simple proof-of-concept C program has also been published. Existing systematic defense-in-depth strategies that detect local privilege escalation and lateral movement across internal networks should detect these sorts of attacks as well. An example of such a strategy is the MDR and active threat hunting services offered by Binary Defense.
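An added example (not from the original post or from any of the researchers named above) of how an administrator can check a workstation for the misconfiguration described above: it inspects the ACL on each of the three hive files for read rights granted to BUILTIN\Users and lists any existing VSS shadow copies, which are what make the locked files reachable. It assumes the default hive paths under %windir%\System32\config and should be run in an elevated session so that Win32_ShadowCopy can be queried.

```powershell
# Audit the SAM, SYSTEM and SECURITY hive files for read access granted to
# BUILTIN\Users, then list VSS shadow copies that could expose older copies.
# Assumption: default hive locations under $env:windir\System32\config.

$hives = 'SAM', 'SYSTEM', 'SECURITY' |
    ForEach-Object { Join-Path $env:windir "System32\config\$_" }

function Test-HiveAcl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Any Allow ACE for BUILTIN\Users that includes ReadData is the misconfiguration
    # (ReadAndExecute and FullControl both contain the ReadData bit).
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    }
}

foreach ($hive in $hives) {
    $bad = Test-HiveAcl -Path $hive
    if ($bad) {
        Write-Warning "$hive : BUILTIN\Users has read access ($($bad.FileSystemRights -join ', '))"
    } else {
        Write-Host "$hive : OK (no read access for BUILTIN\Users)"
    }
}

# The live hives stay locked, so the exposure depends on shadow copies existing;
# report them so the administrator can decide how to handle them.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if ($shadows) {
    Write-Warning "$(@($shadows).Count) VSS shadow copies present:"
    $shadows | Select-Object ID, InstallDate, VolumeName | Format-Table -AutoSize
} else {
    Write-Host 'No VSS shadow copies present.'
}
```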
Q: what can you do when you have #mimikatz🥝 & some Read access on Windows system files like SYSTEM, SAM and SECURITY?
A: Local Privilege Escalation 🥳
— 🥝🏳️🌈 Benjamin Delpy (@gentilkiwi) July 20, 2021
UPDATE: Windows 10 20H2 does *not* appear to be vulnerable in its default configuration: pic.twitter.com/xZE9nocUKa
— Jeff McJunkin (@jeffmcjunkin) July 20, 2021