VU#506989: Microsoft Windows 10 gives unprivileged user access to SAM, SYSTEM, and SECURITY files







Overview


Starting with Windows 10 build 1809, non-administrative users are granted access to SAM, SYSTEM, and SECURITY files. This can allow for local privilege escalation (LPE).


Description


Starting with Windows 10 build 1809, the BUILTIN\Users group is given RX permissions to the following files:


c:\Windows\System32\config\sam
c:\Windows\System32\config\system
c:\Windows\System32\config\security


If a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to achieve a number of impacts, including but not limited to:


Extract and leverage account password hashes.
Discover the original Windows installation password.
Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.
Obtain a computer machine account, which can be used in a silver ticket attack.

Note that VSS shadow copies may not be available in some configurations. However, simply having a system drive that is larger than 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy is automatically created. To check if a system has VSS shadow copies available, run the following command from a privileged command prompt:


vssadmin list shadows


A system with VSS shadow copies will report details of at least one shadow copy that specifies Original Volume: (C:), such as the following:


vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {d9e0503a-bafa-4255-bfc5-b781cb27737e}
Contained 1 shadow copies at creation time: 7/19/2021 10:29:49 PM
Shadow Copy ID: {b7f4115b-4242-4e13-84c0-869524965718}
..
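
The two conditions described above (BUILTIN\Users read access to the hive files, and a shadow copy of the system drive) can be checked together. The following script is an added example, not part of the original advisory; it assumes an elevated PowerShell prompt and English-language vssadmin output, and the output property names are hypothetical.

```powershell
# Added example: reports whether this host meets both exposure conditions.
# Run from an elevated PowerShell prompt (vssadmin requires privilege).

# The three hive files named in the advisory.
$hives = 'sam', 'system', 'security' | ForEach-Object {
    Join-Path $env:windir "System32\config\$_"
}

# Well-known SID for BUILTIN\Users; comparing SIDs avoids localized group names.
$usersSid = 'S-1-5-32-545'
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

# Collect every hive whose ACL has an Allow entry giving BUILTIN\Users read access.
$exposedHives = @(foreach ($path in $hives) {
    $acl   = Get-Acl -LiteralPath $path
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $grantsRead = ([int]$rule.FileSystemRights -band $readData) -ne 0
        if ($rule.IdentityReference.Value -eq $usersSid -and
            $rule.AccessControlType -eq 'Allow' -and $grantsRead) {
            $path      # emit the path once
            break      # no need to inspect the remaining entries for this file
        }
    }
})

# Count shadow copies whose "Original Volume" is the system drive.
# Assumption: English vssadmin output, as in the sample shown in the advisory.
$pattern = 'Original Volume: \(' + [regex]::Escape($env:SystemDrive) + '\)'
$shadowCount = @(vssadmin list shadows 2>&1 |
                 Select-String -Pattern $pattern).Count

# Hypothetical property names chosen for this example.
[pscustomobject]@{
    HivesReadableByUsers    = $exposedHives
    SystemDriveShadowCopies = $shadowCount
    BothConditionsMet       = ($exposedHives.Count -gt 0 -and $shadowCount -gt 0)
}
```

A host where `BothConditionsMet` is `True` has both the permissive ACL and at least one shadow copy of the system drive.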
