Vulnerability Leaves Password Hashes Exposed in Recent Versions of Windows
Some recent versions of Windows leave the SAM and SYSTEM hive exposed to be read by all local users. These hives contain hashed passwords, and are often the target of privilege elevation exploits. But as security researchers Jonas Lyk and Benjamin Deply found, some recent versions of Windows leave these hives exposed as shadow copies. Initially, only the brand new beta of Windows 11 was found vulnerable, but additional research showed that some recent versions of Windows 10 are vulnerable as well.
"Summer of SAM" as well as the remnants of "PrintNightmare" are offering two different relatively straight forward privilege escalation exploits to attackers. Make sure your end point visibility is sufficient to detect these attacks. As I am writing this, "Summer of SAM" is still developing. Watch out for guidance from Microsoft for mitigation and detection techniques. Do not fall for random "patches" that will be offered by malicious actors.
Read more in
SANS ISC: Summer of SAM - incorrect permissions on Windows 10/11 hives
Twitter: Jonas L
Twitter: Jeff McJunkin