Allowing the Everyone account to extract SAM information to leverage in NTLM hash attacks on Windows 10 1806 and greater.
some relevance that can help you detect this on your Windows 10 estate.
Q: (windows of it and name of it = "Win10") of operating system AND exists files "config/SAM" whose (exists entries whose (account name of trustee of it = "Users" and generic read permission of it and not deny type of it) of dacls of security descriptors of it) of native system folder
A: True
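Added example, not code from the original post: a PowerShell check that mirrors the relevance above, for estates where BigFix is not the only inventory tool. It assumes Windows PowerShell 5.1 on Windows 10 and an elevated session, because enumerating Win32_ShadowCopy needs administrator rights (the ACL test itself works as any user). The extra principals and the "Exploitable" column are my additions, not part of the relevance.

```powershell
# Added example, not code from the post. Assumes Windows PowerShell 5.1 on
# Windows 10, run elevated so Win32_ShadowCopy can be enumerated.
$config = Join-Path $env:windir 'System32\config'
$hives  = 'SAM', 'SECURITY', 'SYSTEM'

# Principals whose Allow-read ACE puts a hive within reach of a standard user.
# The relevance above only tests "Users"; Everyone and Authenticated Users are
# added here (assumption: either would have the same effect).
$lowPrivPrincipals = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'

function Get-LowPrivReadAces {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        # Treat the rights mask as an unsigned 32-bit value so that both the
        # specific ReadData bit (0x1) and GENERIC_READ (0x80000000) are caught.
        $mask = [int64][int]$_.FileSystemRights -band 0xFFFFFFFF
        $_.AccessControlType -eq 'Allow' -and
        $lowPrivPrincipals -contains $_.IdentityReference.Value -and
        ((($mask -band 0x1) -ne 0) -or (($mask -band 0x80000000) -ne 0))
    }
}

# The live hives are locked by the OS, so the relaxed ACL only becomes
# exploitable when a VSS snapshot holds a readable copy: report both facts.
$shadows = @()
try {
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop)
} catch {
    Write-Warning "Could not enumerate shadow copies (not elevated?): $_"
}

$report = foreach ($hive in $hives) {
    $aces = @(Get-LowPrivReadAces -Path (Join-Path $config $hive))
    [pscustomobject]@{
        Hive         = $hive
        AclRelaxed   = ($aces.Count -gt 0)
        ReadableBy   = (@($aces | ForEach-Object { $_.IdentityReference.Value }) |
                        Sort-Object -Unique) -join ', '
        ShadowCopies = $shadows.Count
        Exploitable  = ($aces.Count -gt 0) -and ($shadows.Count -gt 0)
    }
}
$report | Format-Table -AutoSize
```

"AclRelaxed" is the condition the relevance reports; "Exploitable" additionally requires at least one shadow copy, which is what an attacker actually reads the hive from. Hosts with a relaxed ACL and no snapshots still warrant the fix, since the next restore point makes them exploitable.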
Given how MS reported the vulnerability, it is right to limit the scope to only systems that would be configured this way by default. There might be some edge case they want to cover with the addition of Server 2019.
I might assert, from a system hardening point of view instead of a vulnerability point of view, that any Windows system that has the relaxed permissions on these folders is at risk and should be tightened up.
Curiously, I’m not seeing a massive freakout on this one. Anyone have any guesses as to why? The ability to easily escalate to SYSTEM seems like kind of a big deal.
In at least one customer environment in which I’m working, CrowdStrike flags only when we use vssadmin to delete ‘/all’ snapshots, but doesn’t flag if we delete one-by-one.
I built a custom copy of the fixlet that uses WMI to retrieve a list of snapshots and delete them individually; I should be able to post that here later today.
I don’t know whether our content team should change the action (and add a WMI lookup complexity) to avoid what is essentially a CrowdStrike problem, though.
This version of the Action Script will enumerate the shadow copies and delete them individually. That should avoid the problem of CrowdStrike flagging/blocking the use of the ‘vssadmin delete shadows /all’ command.
//Disable WOW64 redirection so the 64-bit icacls.exe and vssadmin.exe in System32 are used
action uses wow64 redirection false
//Microsoft's workaround: re-enable ACL inheritance on the registry hive files (SAM, SECURITY, SYSTEM) under System32\config
waithidden cmd.exe /C icacls.exe "{pathname of windows folder}\system32\config\*.*" /inheritance:e
//Existing shadow copies still hold readable copies of the hives, so build and run a batch file that deletes each one by ID (avoids 'delete shadows /all')
delete __appendfile
appendfile {concatenation "%0d%0a" of ("%22" & pathname of file "vssadmin.exe" of native system folder & "%22 delete shadows /shadow=" & it & " /quiet") of string values of selects "ID from Win32_Shadowcopy" of wmis "root\cimv2"}
delete RemoveSnapshots.cmd
move __appendfile RemoveSnapshots.cmd
waithidden cmd.exe /c RemoveSnapshots.cmd
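The same two remediation steps as an added PowerShell example, not the fixlet from the post and not BigFix content: it re-enables inheritance with icacls and then deletes shadow copies one ID at a time with vssadmin, exactly as the action script does, and finishes with a verification step that the action script does not have. It assumes Windows PowerShell 5.1 on Windows 10 and an elevated session; the function name is my own.

```powershell
# Added example, not the fixlet from the post. Assumes Windows PowerShell 5.1
# on Windows 10, run elevated.
$config   = Join-Path $env:windir 'System32\config'
$icacls   = Join-Path $env:windir 'System32\icacls.exe'
$vssadmin = Join-Path $env:windir 'System32\vssadmin.exe'

# Step 1: Microsoft's workaround, re-enable ACL inheritance on the hive files.
& $icacls "$config\*.*" /inheritance:e | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Step 2: existing snapshots still contain readable copies of the hives.
# Delete them one ID at a time rather than with '/all', which is what the
# post reports CrowdStrike alerting on. Returns the IDs that failed to delete.
function Remove-ShadowCopiesIndividually {
    $failed = @()
    foreach ($shadow in @(Get-CimInstance -ClassName Win32_ShadowCopy)) {
        # Win32_ShadowCopy.ID is a GUID in braces, which vssadmin accepts as-is.
        & $vssadmin delete shadows "/shadow=$($shadow.ID)" /quiet | Out-Null
        if ($LASTEXITCODE -ne 0) { $failed += $shadow.ID }
    }
    return $failed
}

$failed = Remove-ShadowCopiesIndividually
if ($failed.Count -gt 0) {
    Write-Warning "Shadow copies not deleted: $($failed -join ', ')"
}

# Step 3: verify. No snapshots should remain, and BUILTIN\Users should no
# longer hold an Allow ACE on SAM; if it still does, the ACE was explicit and
# needs to be looked at by hand rather than assumed fixed.
$remaining = @(Get-CimInstance -ClassName Win32_ShadowCopy).Count
$usersAce  = (Get-Acl -LiteralPath (Join-Path $config 'SAM')).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.IdentityReference.Value -eq 'BUILTIN\Users' }
"Shadow copies remaining: $remaining; Users Allow ACE still on SAM: $([bool]$usersAce)"
```

Deleting through WMI instead (`Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }`) removes the snapshots without spawning vssadmin at all, which sidesteps command-line based detections entirely; the vssadmin per-ID form is kept here because it is what the fixlet runs.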