*** UPDATE - added Server 2016 to the relevance for the sample fixlet and upgraded to Beta ***
MS has another hot item this week
It allows the Everyone account to extract SAM information to leverage in NTLM hash attacks on Windows 10 1806 and greater.
Some relevance that can help you detect this on your Windows 10 estate:
Q: (windows of it and name of it = "Win10") of operating system AND exists files "config/SAM" whose (exists entries whose (account name of trustee of it = "Users" and generic read permission of it and not deny type of it) of dacls of security descriptors of it) of native system folder
I have a sample Fixlet posted to the community here: https://bigfix.me/fixlet/details/26866
*** Sample Fixlet has had 64bit redirection added and been tested once. Please report back here if you try it and it works (or doesn’t) ***
It uses the icacls.exe command suggested in the MS article above
It uses a vssadmin command to clear out all shadow copies, as documented in the article below
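As an added example (not the relevance above and not the fixlet's own code), here is a PowerShell check that does the same thing the relevance does: it inspects the DACL on the SAM hive for an Allow ACE that grants BUILTIN\Users read access, and also reports whether shadow copies still exist, since those keep a copy of the hive with the old ACL even after icacls is fixed. Run it from 64-bit PowerShell so the System32 path is not redirected to SysWOW64.

```powershell
# Added example, not part of the original post. Detection only: reports the
# condition the relevance looks for and does not change any ACLs itself.

# Use the real System32 path; a 32-bit host would be redirected to SysWOW64.
$samPath = Join-Path $env:SystemRoot 'System32\config\SAM'

if (-not (Test-Path -LiteralPath $samPath)) {
    Write-Output "NOT FOUND: $samPath (32-bit redirection? run 64-bit PowerShell)"
    return
}

# Get-Acl only needs READ_CONTROL on the file, so it works even though the
# hive itself is held open exclusively by the system.
$acl = Get-Acl -LiteralPath $samPath

# Mirror the relevance: trustee "Users", generic read, Allow (not Deny).
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData
$exposed = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
    $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
    (($_.FileSystemRights -band $readData) -eq $readData)
}

if ($exposed) {
    Write-Output "VULNERABLE: BUILTIN\Users has read access on $samPath"
    $exposed | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
} else {
    Write-Output "OK: no Allow ACE granting BUILTIN\Users read on $samPath"
}

# Existing shadow copies hold an older copy of the hive with the old ACL, which
# is why the post clears them with vssadmin after fixing the permissions.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -gt 0) {
    Write-Output "NOTE: $($shadows.Count) shadow cop(y/ies) present; fixing the ACL alone is not enough"
    $shadows | Select-Object ID, InstallDate, VolumeName | Format-Table -AutoSize
} else {
    Write-Output "OK: no shadow copies present"
}
```

Run elevated if you want the shadow copy enumeration to be complete; the ACL check itself works as a standard user.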