There's a lot of buzz going around in Twitter regarding the latest Windows ACL Update. It seems that the latest updates have altered the ACL permission for the SAM , SECURITY, SOFTWARES files located at C:\Windows\System32\config\
Under normal circumstances, the ACL for SAM,SECURITY,SOFTWARE should looks like this:
However funny thing happened on the latest Windows 11 built , and also Windows 10 Update.
Allowing normal users to read SAM,SOFTWARE,SECURITY is a recipe for disaster.
Benjamin Delpy have created PoC where you can mimikatz without admin priviledge to retrieve the NT hashes.
Q: what can you do when you have #mimikatz🥝 & some Read access on Windows system files like SYSTEM, SAM and SECURITY?
— 🥝 Benjamin Delpy (@gentilkiwi) July 20, 2021
A: Local Privilege Escalation 🥳
Thank you @jonasLyk for this Read access on default Windows😘 pic.twitter.com/6Y8kGmdCsp
In order to minimized any intrusion alert (AV,IDS,IPS) , certutil can be use to access the ShadowCopy of the SAM,SYSTEM,SECURITY files. (Trying to the file directly will not work since the process is held by VSS). Credits to Reaper
Using secretsdump.py from impacket , user should be able to dump the hashes.
