What is HiveNightmare?

This security flaw is present in all Windows versions from 1809 onwards. It is even present in Windows 11. Thanks to this flaw, any user can access critical system files. Even without administrator privileges. Some of these files are SAM, SYSTEM, and SECURITY. Therefore, accessing any user would have high levels of privileges on the system. So you could literally do anything. For example, execute random code in the PC memory. Or change Windows programs. Also, this bug is very similar to Sequoia. Which affects GNU/Linux systems.

At the moment, Microsoft has not released much information about it. However, researchers have released a handy tool. Which allows you to determine if your computer is affected by this vulnerability.

How to know if your PC is vulnerable to HiveNightmare.

This time we will use a simple script. It is available from GitHub. Consequently, we will be able to check the permissions of the SAM, SYSTEM, and SECURITY files. To do this we will run a couple of PowerShell commands. To do so, press the Win+X combination to open PowerShell with administrator privileges.

Then run the following command:

Invoke-WebRequest -URI https://raw.githubusercontent.com/JumpsecLabs/Guidance-Advice/main/SAM_Permissions/SAM_Permissions_Check.ps1 -OutFile ./SAM_Permissions_Check.ps1 -usebasicparsing

This action will allow downloading from PowerShell the script SAM_Permissions_Check.ps1. The download is done from the GitHub servers and only takes a few seconds. Finally, just run the following:

.\SAM_Permissions_Check.ps1

f you have permissions errors, try:

Unblock-File -path C:\path\to\SAM_Permissions_Check.ps1
powershell -exec bypass .\SAM_Permissions_Check.ps1

The script will scan the computer for vulnerabilities. In fact, it will mark in red the affected files. On the other hand, it will show protected files in green.

You can also use the command prompt. With this in mind, run the following command from CMD:

icacls %windir%/system32/config/sam

If a message like BUILTINUsers:(I)(RX) is displayed, then we are in danger. Otherwise, there is no problem.

Resolving vulnerability.

Let’s show you what to do if your computer is at risk. You have to open a CMD with administrator privileges. Then, just run the following commands:

icacls %windir%\system32\config. /inheritance:e
vssadmin delete shadows /for=c: /Quiet
vssadmin list shadows

The first command activates ACL inheritance. The second deletes shadow copies from the system. Finally, the third command checks that there are no shadow copies on the system. Ultimately we have seen how to find out if the computer is vulnerable to HiveNightmare. Ultimately we have seen how to find out if the PC is vulnerable to HiveNightmare. A better way to keep your computer safe from threats. Bye!

The post How to know if your PC is vulnerable to HiveNightmare appeared first on Linux Windows and android Tutorials.