Mitigate HiveNightmare CVE-2021-36934 by restoring SAM hive ACL inheritance and purging vulnerable VSS shadow copies
This Automox Worklet™ closes the SeriousSAM / HiveNightmare local privilege escalation path on Windows endpoints by restoring inherited access control on the local registry hives and deleting volume shadow copies that still hold the exposed files. CVE-2021-36934 lets any unprivileged interactive user read the SAM, SYSTEM, and SECURITY hive files from %windir%\system32\config\ because Microsoft shipped Windows 10 version 1809 (and later) with the BUILTIN\Users group granted read access via explicit ACLs on those files.
The Worklet runs icacls against the hive files in %windir%\system32\config\ (using the sysnative redirector on 64-bit endpoints) with /inheritance:e so the files inherit from the parent directory instead of carrying the over-permissive explicit grant to BUILTIN\Users. Inheritance alone is not enough, because Volume Shadow Copy Service snapshots taken before remediation still contain the readable hives. The Worklet then runs vssadmin delete shadows /all /quiet to remove every existing snapshot and recreates a fresh shadow copy on C: with wmic shadowcopy call create so System Protection continues to function with corrected ACLs.
The evaluation phase is idempotent and exits 0 on already-hardened endpoints, so the policy is safe to schedule on a recurring cadence. The remediation phase writes status messages such as "Successfully enabled ACL inheritance" and "Shadow copies successfully deleted" to the Automox activity log so you can confirm both halves of the fix succeeded on every endpoint in the run.
The SAM hive contains NTLM password hashes for every local account on the endpoint. The SYSTEM hive holds the boot key needed to decrypt them, and the SECURITY hive carries cached domain secrets and LSA data. With CVE-2021-36934, a user who can log on locally (or land a low-privilege shell) can copy all three files out of an old VSS shadow copy, run them through Impacket's secretsdump.py offline, recover the local Administrator hash, and pass-the-hash back into the same endpoint or any other endpoint reusing that local password. Microsoft's own KB5005357 guidance acknowledged the exposure but stopped short of automatic remediation, which leaves the icacls and vssadmin steps as the operator's job.
HiveNightmare remediation has two halves, and an endpoint that gets the icacls fix but keeps a stale VSS snapshot from before the change still leaks the SAM. Applying both steps through a single Automox policy reaches every Windows 10 1809+ workstation in the fleet, including laptops that rarely connect to the corporate network and build hosts that have not been touched since their original image was laid down. The evaluation phase is idempotent, so scheduling the policy on a recurring cadence catches any endpoint where a backup restore or system image reseats the over-permissive ACLs.
Evaluation phase: The Worklet reads OSVersion and Win32_OperatingSystem.ProductType, then gates remediation to Windows 10 build 17763 (version 1809) and later on workstation endpoints (ProductType = 1). It resolves the localized name of the BUILTIN\Users group by translating the S-1-5-32-545 SID, runs icacls against the SAM hive under %windir%\system32\config (using the sysnative redirector on 64-bit endpoints), and reads the AreAccessRulesProtected property returned by Get-Acl. If the icacls listing shows the BUILTIN\Users group with (I)(RX) and inheritance is disabled, the endpoint exits 1 as non-compliant. Otherwise the endpoint exits 0.
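An evaluation-style check along the lines described above, written here as an added example and not the Worklet's own script. It assumes the Automox convention that exit 1 means "needs remediation" and exit 0 means compliant or out of scope; it is slightly stricter than the Worklet's stated logic in that any read grant to BUILTIN\Users on the SAM hive is reported as non-compliant, with the inheritance state logged as supporting evidence.

```powershell
# Added example: CVE-2021-36934 evaluation check (not the Automox Worklet's code).
# Exit 1 = vulnerable (remediation required), exit 0 = compliant or out of scope.

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
# Gate: Windows 10 1809 (build 17763) or later, workstation SKU only (ProductType 1)
if ($build -lt 17763 -or [int]$os.ProductType -ne 1) {
    Write-Output "Out of scope: build $build, ProductType $($os.ProductType)"
    exit 0
}

# Resolve the localized BUILTIN\Users name from its well-known SID so the
# icacls match also works on non-English installs.
$usersSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$usersName = $usersSid.Translate([System.Security.Principal.NTAccount]).Value

# A 32-bit PowerShell host on 64-bit Windows is redirected to SysWOW64;
# the sysnative alias reaches the real system32\config directory.
$sys32 = if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    Join-Path $env:windir 'sysnative'
} else {
    Join-Path $env:windir 'system32'
}
$samPath = Join-Path $sys32 'config\SAM'
$icacls  = Join-Path $sys32 'icacls.exe'

# Reading the ACL does not open the hive for data access, so this works while SAM is locked.
$listing = & $icacls $samPath 2>&1
$usersRead = $listing | Where-Object {
    $_ -match [regex]::Escape($usersName) -and $_ -match '\(RX\)'
}
$inheritanceBlocked = (Get-Acl -LiteralPath $samPath).AreAccessRulesProtected

if ($usersRead) {
    Write-Output "Non-compliant: $usersName has read access on SAM (inheritance blocked: $inheritanceBlocked)"
    Write-Output ($usersRead -join "`n")
    exit 1
}
Write-Output "Compliant: no $usersName read grant on SAM"
exit 0
```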
Remediation phase: The Worklet runs icacls %windir%\system32\config\* /inheritance:e (via sysnative on 64-bit endpoints) to re-enable inheritance on every hive file, replacing the over-permissive explicit ACE with the directory's restrictive defaults. It then launches vssadmin.exe delete shadows /Quiet /all to remove every snapshot that may still hold a world-readable hive, confirms the deletion with vssadmin list shadows, and recreates a fresh shadow copy on C: via wmic shadowcopy call create. Status lines like "Successfully enabled ACL inheritance", "Shadow copies successfully deleted", and "New shadow copies created" land in the Automox activity log. Exit 0 means both halves succeeded; exit 1 surfaces an inheritance failure or a shadow deletion that did not complete (often caused by an EDR or antivirus interlock).
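The remediation sequence described above, as an added example rather than the Worklet's own script. It assumes an elevated context and swaps the page's wmic call for the equivalent Invoke-CimMethod on Win32_ShadowCopy, since wmic is deprecated on current Windows builds; it deletes every shadow copy on the endpoint, so the backup caveats below apply.

```powershell
# Added example: CVE-2021-36934 remediation (not the Automox Worklet's code). Run elevated.
# Exit 0 = both halves succeeded, exit 1 = inheritance fix or snapshot deletion failed.

$sys32 = if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    Join-Path $env:windir 'sysnative'
} else {
    Join-Path $env:windir 'system32'
}
$icacls   = Join-Path $sys32 'icacls.exe'
$vssadmin = Join-Path $sys32 'vssadmin.exe'
$hives    = Join-Path $sys32 'config\*.*'

# Step 1: re-enable inheritance on every hive file so the stale BUILTIN\Users
# read ACE is replaced by the config directory's restrictive defaults.
$icaclsOut = & $icacls $hives /inheritance:e 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Output "Failed to enable ACL inheritance (icacls exit $LASTEXITCODE)"
    Write-Output ($icaclsOut -join "`n")
    exit 1
}
Write-Output 'Successfully enabled ACL inheritance'

# Step 2: delete every existing snapshot; copies taken before step 1 still
# contain hives with the old ACL. Verify by listing rather than trusting exit codes.
& $vssadmin delete shadows /all /quiet | Out-Null
$remaining = & $vssadmin list shadows
if ($remaining -match 'Shadow Copy ID') {
    Write-Output 'Shadow copies still present after deletion; check for an EDR/AV interlock'
    exit 1
}
Write-Output 'Shadow copies successfully deleted'

# Step 3: create a fresh snapshot of C: so System Protection keeps working,
# now with the corrected ACLs baked into the copy.
$create = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
    -Arguments @{ Volume = 'C:\'; Context = 'ClientAccessible' }
if ($create.ReturnValue -ne 0) {
    Write-Output "Shadow copy creation failed (ReturnValue $($create.ReturnValue))"
    exit 1
}
Write-Output "New shadow copies created (ID $($create.ShadowID))"
exit 0
```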
Windows 10 build 17763 (version 1809) or later, including Windows 11. The shipped evaluation script gates on workstation product type, so the policy is a no-op on Windows Server endpoints even though the underlying vulnerability also affects Server 2019 and Server 2022
Administrator privileges for the Automox agent (the default agent context already meets this; icacls and vssadmin both require elevation)
PowerShell execution policy that permits Worklet scripts to run (Automox runs PowerShell with -ExecutionPolicy Bypass by default)
Backup posture review: vssadmin delete shadows /all removes every existing snapshot, which invalidates Previous Versions and any backup product that depends on pre-existing shadow copies. Coordinate with the backup owner before fleet-wide rollout
EDR / antivirus tuning: vssadmin delete shadows is a common ransomware tactic, so endpoint protection tools may flag the call. Whitelist the Automox agent process or expect a benign alert in your SIEM during the rollout window
FixNow compatible: this Worklet exposes RunNow so an admin can trigger the fix on a single endpoint from the Automox console for an incident response use case
After a successful run, the hive files under %windir%\system32\config\ inherit their ACLs from the parent directory, which grants read access only to SYSTEM and Administrators. Validate with icacls %windir%\system32\config\SAM and confirm that the BUILTIN\Users entry no longer carries an explicit (RX) grant. The Worklet deletes every pre-existing VSS shadow copy on C: and immediately creates a fresh one with the corrected ACLs, so vssadmin list shadows returns a single new snapshot rather than the chain of pre-remediation copies.
Re-run the Worklet on a recurring policy to catch any endpoint where a restored image, a system reset, or a software installer re-introduces the vulnerable explicit ACE. Subsequent evaluations exit 0 against already-hardened endpoints, so remediation does not re-trigger and existing shadow copies are left alone. For audit evidence, capture the icacls listing and the vssadmin list shadows output per endpoint and attach them to the policy run identifier; this supports the CIS Microsoft Windows 10 Benchmark control on registry hive ACLs and the NIST 800-53 AC-3 access enforcement requirement for credential material.