Published: July 22, 2021
THIS NOTICE AFFECTS ONLY THOSE RUNNING CERTAIN VERSIONS OF WINDOWS SERVER OR WINDOWS 10 AS NOTED BELOW.
On July 20, 2021, Microsoft issued an alert for CVE-2021-36934, a Windows Elevation of Privilege Vulnerability that grants non-privileged users access to system files on affected versions.
If your organization is running an affected version (listed below), then it is recommended that the workaround or mitigations described herein be implemented immediately.
An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database.
An attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. If a Volume Shadow Copy Service (VSS) shadow copy of the system drive is available, a threat actor may leverage access to these files to perform the following activities:
Note: A threat actor must already have the ability to execute code on a victim’s system to exploit this vulnerability.
Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications. For more information on how to delete shadow copies, see KB5005357 - Delete Volume Shadow Copies.
Delete any System Restore points and shadow copy volumes that existed prior to restricting access to %windir%\system32\config.
To delete all shadow copies of the system drive, run the following command:
vssadmin delete shadows /for=%systemdrive% /Quiet
Note: Newly created shadow copies, which will contain the proper ACLs, will function as expected.
Run this command to confirm VSS shadow copy deletion status: vssadmin list shadows
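The following PowerShell script is an added example, not part of the original notice. It reports whether the SAM, SYSTEM and SECURITY hives under %windir%\system32\config still grant BUILTIN\Users read access (the overly permissive ACL this CVE describes) and lists shadow copies of the system drive that predate the fix; the optional -Remediate switch applies Microsoft's documented icacls inheritance reset (a command assumed here, not taken from this page) and then runs the shadow copy deletion shown above. Run it from an elevated session.

```powershell
# Added check for CVE-2021-36934 exposure (not from the original notice).
param([switch]$Remediate)

$configDir = Join-Path $env:windir 'System32\config'
$hives = 'SAM', 'SYSTEM', 'SECURITY'
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

# Vulnerable condition: an Allow ACE for BUILTIN\Users that includes read data.
function Test-HiveExposed {
    param([string]$Path)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq 'BUILTIN\Users' -and
            (([int]$ace.FileSystemRights -band $readData) -ne 0)) {
            return $true
        }
    }
    return $false
}

$exposed = foreach ($h in $hives) {
    $p = Join-Path $configDir $h
    if (Test-HiveExposed -Path $p) { $p }
}
if ($exposed) {
    Write-Warning "Hives readable by BUILTIN\Users: $($exposed -join ', ')"
} else {
    Write-Host "Hive ACLs look correct: BUILTIN\Users has no read access."
}

# Shadow copies created before the ACL fix still carry the permissive ACLs.
# Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName are both volume GUID paths.
$sysVol = (Get-CimInstance Win32_Volume |
    Where-Object { $_.DriveLetter -eq $env:SystemDrive }).DeviceID
$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $_.VolumeName -eq $sysVol }
if ($shadows) {
    Write-Warning "$(@($shadows).Count) shadow copies of $env:SystemDrive exist:"
    $shadows | Select-Object ID, InstallDate | Format-Table -AutoSize
} else {
    Write-Host "No shadow copies of $env:SystemDrive found."
}

if ($Remediate) {
    # Assumed: Microsoft's workaround re-enables inheritance so the hive files
    # pick up the restrictive directory ACL, then old shadow copies are removed.
    & icacls "$configDir\*.*" /inheritance:e
    & vssadmin delete shadows "/for=$env:SystemDrive" /Quiet
}
```

Re-run the script without -Remediate afterwards; a clean result shows no exposed hives and no remaining pre-fix shadow copies (newly created ones will carry the corrected ACLs).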
The EventTracker SOC Team is tracking process details and the command lines executed against the C:\Windows\system32\config directory using Saved Searches, Dashboards, and Reports.