Overview
HiveNightmare (aka SeriousSAM, CVE-2021-36934) is a Windows vulnerability that allowed unauthorized read access to sensitive registry hive files (e.g., SYSTEM, SAM, SECURITY) because of incorrect ACLs. This could lead to local privilege escalation (LPE) and full system compromise if leveraged properly.
Technical Details
- Volume Shadow Copies of the SYSTEM, SAM, and SECURITY hive files carried overly permissive ACLs, leaving them readable by unprivileged users
- Unprivileged users could copy these hives out of the shadow copy and extract password hashes with tools such as mimikatz
- The hives hold credentials: the SAM database stores the local account hashes, and the SYSTEM hive stores the key needed to decrypt them
- Affected versions include Windows 10 version 1809 through 21H1
MITRE ATT&CK Techniques
- T1003.002 – OS Credential Dumping: Security Account Manager
- T1003.004 – OS Credential Dumping: LSA Secrets
- T1059 – Command and Scripting Interpreter
- T1068 – Exploitation for Privilege Escalation
View this mapping in the official MITRE ATT&CK Navigator.
Indicators of Compromise (IOCs)
- Unauthorized access to SYSTEM/SAM/SECURITY hive files in shadow copies
- Unexpected invocation of reg.exe, vssadmin.exe, or volume shadow tools
- Use of tools like mimikatz or secretsdump.py on affected systems
Mitigation and Detection
- Microsoft patch released in July 2021
- Manually delete existing shadow copies and restrict permissions on the registry hive files
- Monitor for suspicious access to registry hive files and for unexpected use of reg.exe, vssadmin, and similar tools
- Use EDR and logging to detect exploitation attempts
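A defender-side check for the weak hive ACL, together with Microsoft's published workaround (re-enable ACL inheritance, then remove existing shadow copies), as an added example that is not part of the original page. It assumes a Windows 10 host, PowerShell 5.1 or later, and an elevated session for the -Remediate switch; the function and parameter names are my own.

```powershell
# Added example, not part of the original advisory: audit the hive files that
# CVE-2021-36934 concerns and, with -Remediate, apply Microsoft's published workaround.
# Assumes Windows 10, PowerShell 5.1+, and an elevated session when remediating.
[CmdletBinding()]
param(
    [switch]$Remediate   # apply the workaround instead of only reporting
)

$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object { Join-Path $configDir $_ }

# A hive is exposed when BUILTIN\Users (the group the faulty default ACL granted
# read/execute to) holds an Allow ACE that includes the right to read file data.
function Test-HiveExposure {
    param([string]$Path)
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band $readData) -ne 0) {
            return $true
        }
    }
    return $false
}

# Only exposed hive paths reach the pipeline; Write-Host/Write-Warning do not.
$exposed = foreach ($hive in $hives) {
    if (Test-HiveExposure -Path $hive) {
        Write-Warning "$hive is readable by BUILTIN\Users (vulnerable ACL)"
        $hive
    } else {
        Write-Host "$hive : ACL does not grant BUILTIN\Users read access"
    }
}

# Shadow copies keep the ACL the hives had when the snapshot was taken, so they
# stay readable even after the live files are fixed and must be removed as well.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
Write-Host "Existing volume shadow copies: $($shadows.Count)"

if ($Remediate -and (@($exposed).Count -gt 0 -or $shadows.Count -gt 0)) {
    # Step 1 (Microsoft workaround): re-enable ACL inheritance so every file in
    # System32\config takes the restrictive ACL of the directory.
    & icacls.exe "$configDir\*.*" /inheritance:e
    # Step 2: delete existing shadow copies (System Restore points included) that
    # still carry the permissive copies; create a new restore point afterwards.
    & vssadmin.exe delete shadows /all /quiet
}
```

Run it without -Remediate first to confirm which hives report a vulnerable ACL, since deleting shadow copies also discards existing restore points.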