
Mitigation for SeriousSAM/HiveNightmare LPE CVE (International)

Patch SeriousSAM/HiveNightmare CVE-2021-36934 by enabling ACL inheritance and removing shadow copies

Worklet Details

What the HiveNightmare mitigation Worklet does

This Automox Worklet™ remediates the SeriousSAM/HiveNightmare vulnerability (CVE-2021-36934) by enabling ACL inheritance on the Windows SAM (Security Accounts Manager) database and removing vulnerable shadow copies that could expose the SAM to unauthorized access.

The Worklet addresses a critical local privilege escalation flaw that allows unprivileged users on Windows 10 version 1809 and later to read the SAM file from volume shadow copies. This vulnerability was publicly disclosed in August 2021 and affects endpoints where ACL inheritance is disabled on the SAM registry location.

The Worklet examines registry keys including HKLM:\SAM.

Why secure against HiveNightmare attacks

The SAM database contains password hashes and security information for all local user accounts on a Windows endpoint. If an unprivileged user can access this file, they can extract password hashes and use offline cracking tools to gain administrative privileges on that endpoint.

HiveNightmare created a direct path for this attack: volume shadow copies preserve the SAM file in a location that low-privilege users can access, bypassing the normal file access controls. Attackers only need local access to an endpoint to exploit this vulnerability, making it a serious risk in environments with contractor access, shared workstations, or remote workers.

By applying this Worklet, you eliminate the exposure path and restore proper access controls. This is a critical remediation for any organization managing Windows endpoints at scale.

How SAM hardening works

  1. Evaluation phase: The Worklet checks whether the endpoint is running Windows 10 version 1809 (build 17763) or later and whether the SAM file has ACL inheritance disabled. It also verifies whether low-privilege users can read the SAM file. If the endpoint is vulnerable, the Worklet flags it for remediation.

  2. Remediation phase: The Worklet enables ACL inheritance on all registry files in the SAM configuration directory, removing the protection bypass. It then deletes all volume shadow copies using vssadmin and creates fresh shadow copies. This removes the vulnerable copy of the SAM file while preserving system restore functionality.
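The two phases above, written out as an added PowerShell example (this is not the Automox Worklet's own code). It assumes an elevated 64-bit PowerShell session on Windows 10 version 1809 or later; the hive file list, the BUILTIN\Users read check and the function names are my assumptions about how the evaluation logic is expressed.

```powershell
# Added example, not the Worklet's code: evaluate and remediate CVE-2021-36934.
Set-StrictMode -Version Latest

$ConfigDir = Join-Path $env:SystemRoot 'System32\config'
$HiveFiles = 'SAM', 'SECURITY', 'SYSTEM' | ForEach-Object { Join-Path $ConfigDir $_ }
$ReadData  = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Test-HiveNightmareExposure {
    # Build 17763 is Windows 10 version 1809; earlier builds are not affected.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    if ($build -lt 17763) { return $false }

    foreach ($hive in $HiveFiles) {
        $acl = Get-Acl -Path $hive
        # Any Allow ACE for BUILTIN\Users that carries ReadData lets a standard
        # user read the hive (directly, or from a shadow copy that kept the ACL).
        $usersCanRead = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $ReadData) -ne 0)
        }
        # Inheritance disabled (AreAccessRulesProtected) is the other vulnerable marker.
        if ($acl.AreAccessRulesProtected -or $usersCanRead) { return $true }
    }
    return $false
}

function Invoke-HiveNightmareRemediation {
    # Re-enable inheritance on every hive file so the config directory's ACL,
    # which grants Users nothing, is propagated down again.
    & icacls.exe "$ConfigDir\*.*" /inheritance:e | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

    # Existing shadow copies still hold the readable hive: delete them all.
    & vssadmin.exe delete shadows /all /quiet | Out-Null

    # 'vssadmin create shadow' exists only on Server, so use the Win32_ShadowCopy
    # static Create method to give the system volume a fresh copy for System Restore.
    $result = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
        -Arguments @{ Volume = "$env:SystemDrive\"; Context = 'ClientAccessible' }
    if ($result.ReturnValue -ne 0) { throw "Shadow copy creation failed: $($result.ReturnValue)" }
}

# Worklet-style flow: evaluate, remediate only when exposed, then re-check.
if (Test-HiveNightmareExposure) {
    Invoke-HiveNightmareRemediation
    if (Test-HiveNightmareExposure) { Write-Output 'Still exposed'; exit 1 }
    Write-Output 'Remediated'
} else {
    Write-Output 'Compliant; no changes made'
}
exit 0
```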

SAM hardening requirements

  • Windows 10 version 1809 (build 17763) or later, or Windows Server equivalents

  • Administrator privileges to modify ACL settings and shadow copies

  • PowerShell execution policy must allow the Worklet to run scripts

  • Backup software compatibility: If your organization uses backup solutions that depend on Volume Shadow Copy Service (VSS), verify compatibility before applying this Worklet in production environments

  • Antivirus or EDR compatibility: The shadow copy deletion process may trigger alerts in security tools; coordinate with your security team if needed

Expected security state after remediation

After the Worklet completes successfully, the SAM registry location will have ACL inheritance enabled, restoring the default Windows security model. This prevents low-privilege users from circumventing access controls through shadow copies.

All previous volume shadow copies are deleted and replaced with fresh copies. The endpoint retains shadow copy functionality for system restore operations, but the vulnerable SAM copies no longer exist. Subsequent evaluation runs of this Worklet will detect that the endpoint is now compliant and will exit without making further changes.

How to validate Mitigation for SeriousSAM/HiveNightmare LPE CVE (International) changes

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output for Mitigation for SeriousSAM/HiveNightmare LPE CVE (International).

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify the endpoint state with checks that mirror the evaluation script's logic, using cmdlets such as Get-CimInstance, Get-LocalGroup, and Get-Acl (for example, Get-Acl on the SAM hive to confirm that inheritance is enabled).

  4. Validate the effects of the remediation script's operations (for example, the vssadmin run launched via Start-Process and the results it reports with Write-Output), then rerun the evaluation to confirm compliance.



What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
