Tuesday, July 20, 2021

Summer of SAM Windows HIVE permission vulnerability

Recent research has revealed that Microsoft Windows 10 and 11 may have left or changed the permissions on the SYSTEM and SAM hives in the Windows registry such that any local user can read the information stored in these hive files. The SAM hive contains the password hashes of the users on that Windows system, including the Administrator account(s)!

 The discovery is hitting security news sites today (July 20, 2021) so attackers are or will soon be aware.



The above commands will indicate if your version of Windows has the misconfiguration. Most users are reporting that the problem has existed since Windows 10 version 1809.

While Windows is running, these hive files are locked so their contents cannot be opened directly.

BUT the Volume Shadow Copy service has already copied these hives, and abusers CAN read the copies inside those volume shadow copies.
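An added example, not part of the original post, of how a defender can check for the condition described above: it reads the ACL on the SAM, SYSTEM and SECURITY hive files under %windir%\System32\config and flags any entry that grants read access to broad local groups, then lists existing volume shadow copies, since an older readable copy of the hives may survive there even after the ACL is corrected. It assumes a Windows 10 or 11 host and an elevated PowerShell prompt (the shadow copy enumeration needs administrator rights); reading a file's security descriptor does not require opening the file for data, so the check works while the hives are locked.

```powershell
# Added example (not from the original post): report whether broad local groups
# can read the registry hive files, and list shadow copies that may hold older
# copies of them. Assumes Windows 10/11 and an elevated prompt.

$configDir = Join-Path $env:windir 'System32\config'
$hives = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object { Join-Path $configDir $_ }

# Principals that should never hold read access to these hives
$broadPrincipals = 'BUILTIN\\Users', 'Authenticated Users', 'Everyone'
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

foreach ($hive in $hives) {
    # Get-Acl needs only READ_CONTROL, so it succeeds even though the hive is locked
    $acl = Get-Acl -LiteralPath $hive

    $exposed = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($broadPrincipals | Where-Object { $_ -and $PSItem }) -ne $null -and
        ($_.IdentityReference.Value -match ($broadPrincipals -join '|')) -and
        (([int]$_.FileSystemRights -band $readData) -ne 0)
    }

    if ($exposed) {
        $who = ($exposed | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        Write-Output "EXPOSED: $hive is readable by $who"
    } else {
        Write-Output "OK: $hive is not readable by broad local groups"
    }
}

# Shadow copies taken while the ACL was wrong still contain readable hive copies
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if ($shadows) {
    Write-Output "Volume shadow copies present (review these as well):"
    $shadows | Select-Object ID, InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize
} else {
    Write-Output "No volume shadow copies found (or insufficient rights to enumerate them)"
}
```

The script only reports; it changes nothing. On an affected build the ACL check typically shows BUILTIN\Users with ReadAndExecute on all three hives, and any shadow copy listed was created while that ACL was in effect, so fixing the file permissions alone does not close the exposure until those copies are dealt with according to Microsoft's guidance for this issue.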


Methods to read the contents of these hives and obtain the hashed passwords and other security configuration settings involve some knowledge that attackers already have.

Between the hive permissions and the still unpatched (for the third time) Print Spooler vulnerability, this is kind of a bad period for Microsoft.
