Security

PowerShell Script workaround for SeriousSAM and HiveNightmare Vulnerability

There are many who are looking at ways to automate the process to apply the currently recommended remediation using a script. With Windows, PowerShell is the obvious choice here as it is easy to use and works well on the client operating systems affected – Windows 10. In this quick post, let’s take a look at a PowerShell script workaround for SeriousSAM and HiveNightmare vulnerability.

Importance to get your machines patched

This is an extremely bad vulnerability that provides the means for an attacker to get access to sensitive data, install programs, and create high-level user accounts. Until Microsoft releases an official patch for the vulnerability, the workaround needs to be applied.

You can find the official CVE information from Microsoft here:

PowerShell Script fix for SeriousSAM and HiveNightmare Vulnerability

The SeriousSAM and HiveNightmare vulnerability remediation include a combination of changing permissions on a folder in the system directory and also deleting Volume Shadow Copies (VSS). The script checks the permissions on the folder for the BUILTIN\Users inherited permissions. If the permissions that make the Windows 10 machine vulnerable are present, it prompts to apply the remediation.

The script will create a temporary file where the output from the Get-ACL command is stored. It will then be deleted as the script is run. Also, there will be a log file created in the directory where you run the script. It will contain the output from the permissions change operation and the vssadmin delete command. Below is the script in full.

You can download or clone the script from my repo here:

#PowerShell script to check for the SeriousSAM/HiveNightmare vulnerability and remediate 
#Use at your own risk! 
#Author: Brandon Lee - Virtualizationhowto.com 

$placeholder = "check.txt" 
$log = "SeriousSAM.log" 
try { 
         
    Write-Host "Checking for SeriousSAM and HiveNightmare vulnerability" -ForegroundColor Yellow 
    Get-Acl $env:windir\system32\config\SAM | fl | out-file $placeholder 
    $check = Get-Content $placeholder | Where-Object { $_.Contains("BUILTIN\Users") } 
         
    if ($check -ne $null) { 
        try { 
             
            Write-Warning "Your Machine is Vulnerable to the SeriousSAM and HiveNightmare vulnerability - Apply permissions changes and delete VSS copies?" -WarningAction Inquire 
            icacls c:\windows\system32\config\*.* /inheritance:e > $log 
            vssadmin delete shadows /All /Quiet >> $log 
            Remove-Item $placeholder 
            Write-Host "Your computer is now remediated" -ForegroundColor Green 
        } 
        catch { 
            Write-Host "You chose not to remediate your host" -ForegroundColor Red 
        } 
    }     
    else { 
        Remove-Item $placeholder 
        Write-Host "Your Machine is not vulnerable to the SeriousSAM or HiveNightmare" -ForegroundColor Green 
    } 
} 
         
catch { 
    Write-Host "Error running the script" -ForegroundColor Red 
}
PowerShell Script workaround for SeriousSAM and HiveNightmare Vulnerability
PowerShell Script workaround for SeriousSAM and HiveNightmare Vulnerability

Wrapping Up

Hopefully, this PowerShell Script workaround for SeriousSAM and HiveNightmare vulnerability will help to provide an automated workaround for implementing the currently recommended remediations for the vulnerability. I will keep the post updated and code if there are additional items found to be affected.

Subscribe to VirtualizationHowto via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Brandon Lee

Brandon Lee is the Senior Writer, Engineer and owner at Virtualizationhowto.com and has over two decades of experience in Information Technology. Having worked for numerous Fortune 500 companies as well as in various industries, Brandon has extensive experience in various IT segments and is a strong advocate for open source technologies. Brandon holds many industry certifications, loves the outdoors and spending time with family.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.