
There's a lot of buzz going around on Twitter regarding the latest Windows ACL update. It seems that the latest updates have altered the ACL permissions for the SAM, SECURITY and SOFTWARE hive files located at C:\Windows\System32\config\

Under normal circumstances, the ACL for SAM, SECURITY and SOFTWARE should look like this:

[Image: ACL for SAM, SYSTEM, SOFTWARE]

However, a funny thing happened on the latest Windows 11 build, and also on the latest Windows 10 update.

Allowing normal users to read SAM, SOFTWARE and SECURITY is a recipe for disaster.
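As an added defender-side check (not code from this post, from Benjamin Delpy, or from Microsoft), the PowerShell snippet below reads the ACL of each hive file in the config directory and flags any Allow entry that grants read access to a low-privileged group. The group names and the workaround command in the comments assume an English-locale Windows install.

```powershell
# Added example: report whether low-privileged principals can read the hive files.
# Get-Acl reads only the security descriptor, so it works even though the hive
# files themselves are held open by the system and cannot be opened for data.
$hives     = 'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM'
$configDir = Join-Path $env:SystemRoot 'System32\config'

# Identities that should never be able to read the hives (assumes English locale).
$lowPrivGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

$findings = foreach ($hive in $hives) {
    $acl = Get-Acl -Path (Join-Path $configDir $hive)
    foreach ($ace in $acl.Access) {
        $isLowPriv  = $lowPrivGroups -contains $ace.IdentityReference.Value
        # ReadData is the bit that lets a principal copy the file contents.
        $grantsRead = ($ace.FileSystemRights -band
                       [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $isLowPriv -and $grantsRead) {
            [pscustomobject]@{
                Hive      = $hive
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    Write-Warning 'Low-privileged principals can read registry hive files:'
    $findings | Format-Table -AutoSize
    # Microsoft's published workaround re-applies the restrictive inherited ACL:
    #   icacls "$env:SystemRoot\System32\config\*.*" /inheritance:e
    # Shadow copies created while the ACL was permissive still contain readable
    # copies of the hives, so existing VSS snapshots need to be reviewed as well.
} else {
    Write-Output 'OK: no low-privileged read access to SAM/SECURITY/SOFTWARE/SYSTEM.'
}
```

Run it as a normal user to confirm what an unprivileged account can see; an empty result means the hive ACLs match the expected restrictive state shown above.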

Benjamin Delpy has created a PoC where mimikatz can be run without admin privileges to retrieve the NT hashes.

In order to minimize any intrusion alert (AV, IDS, IPS), certutil can be used to access the shadow copy of the SAM, SYSTEM and SECURITY files. (Trying to read the files directly will not work, since they are held open by the system.) Credits to Reaper.

Using secretsdump.py from impacket, a user should then be able to dump the hashes.