Windows Local Privilege Escalation Vulnerability - CVE-2021-36934

THE THREAT

Microsoft has announced a high severity vulnerability impacting multiple versions of the Windows 10 operating system. The vulnerability is tracked as CVE-2021-36934 and is alternatively referred to as HiveNightmare and SeriousSAM. It is a Local Privilege Escalation (LPE) vulnerability; exploitation may allow a previously authenticated threat actor the ability to escalate their privileges on a vulnerable device and potentially install programs, change or delete data, or create new user accounts. Microsoft has not released security patches for this vulnerability. Organizations are strongly recommended to apply the relevant mitigations until security patches are made available.

What we’re doing about it

• eSentire MDR for Endpoint detects execution and known malicious binaries related to the exploitation of CVE-2021-36934
• MVS will automatically add the relevant plugins for this vulnerability once details are made available
• eSentire security teams continue to track this topic for additional details and detection opportunities

What you should do about it

• Apply the mitigations provided by Microsoft
  • See the additional information section for mitigations
• Security patches are not available at the time of writing
  • Organizations are strongly recommended to apply security patches once they are made available by Microsoft

Additional information

HiveNightmare impacts all versions of Windows 10 since version 1809, released October 17th, 2017. Proof-of-Concept (PoC) exploit code for this vulnerability is publicly available, but currently only allows for Denial-of-Service (DoS) attacks. It is highly likely that threat actors will alter the PoC code and employ it in real world attacks in the immediate future. As exploitation requires previous compromise, organizations are recommended to ensure that an endpoint monitoring solution is widely deployed in order to identify threat actor initial access attempts. 

Mitigations from Microsoft:

1. Restrict access to the contents of %windir%\system32\config
   1. Command Prompt (Run as administrator): icacls %windir%\system32\config\*.* /inheritance:e
   2. Windows PowerShell (Run as administrator): icacls $env:windir\system32\config\*.* /inheritance:e
2. Delete Volume Shadow Copy Service (VSS) shadow copies
   1. Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config
   2. Create a new System Restore point (if desired) 

References: 
[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934