Project-Beewolf

SAM extraction via PowerShell


Beewolf is a PowerShell (versions 7, 5 and 2) script that exploits the HiveNightmare (aka SeriousSAM) vulnerability, CVE-2021-36934.

Table of contents

  1. About
  2. Installation / usage
  3. Disclaimer / Warning
  4. Credits
  5. License

About

Beewolf copies the Windows Security Account Manager (SAM) database to $env:PUBLIC (or another path of your choosing) for offline inspection. It works by creating symbolic links into a Volume Shadow Copy of the SAM hive, plus a little sleight of hand with environment variables. Windows Task Scheduler ships a task named "SilentCleanup" that any user can start and that runs with the highest privileges available to the user who starts it. When Beewolf is not already running from an elevated session, it creates a per-user registry value, HKCU:\Environment\windir, so that the %windir% variable (normally C:\Windows) expands to the command it wants run elevated, in this case "powershell -ep bypass -w hidden $PSCommandPath;#", and then triggers the task. Because the task runs at the triggering user's own highest integrity level, this step is a UAC bypass: it gets a member of the local Administrators group past the UAC prompt without a consent dialog, but it does not turn a standard user into an administrator.

It has been tested on the following versions of Windows:

  • Windows 10 Pro, 10.0.19043.0 (Major.Minor.Build.Revision) (we anticipate it will work on Windows 11 also)
  • Windows Server 2019, Build 17763.rs5_release.180914-1434
  • Windows 8.1 Enterprise, 6.3.9600.0 (Major.Minor.Build.Revision)
  • Windows 7 Enterprise Service Pack 1, 6.1.7601.65536 (Major.Minor.Build.Revision)

Note that Microsoft's advisory for CVE-2021-36934 lists Windows 10 version 1809 and later and Windows 11 as affected (Windows Server 2019 shares the 1809 code base). Windows 7 and 8.1 do not ship the over-permissive ACL on the hive files, so on those builds a standard user cannot read the shadow copy and the script depends on administrative rights.

Here is the concept of operation:

[Concept-of-operation diagram from the repository]
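As an added example for the description above (this is not code from the Beewolf repository, and the function names are this example's own), here is how a practitioner checks a host for the two conditions the script relies on, the over-permissive hive ACL and an existing shadow copy, looks for the per-user windir override that the SilentCleanup bypass leaves under HKCU:\Environment, and optionally applies Microsoft's published workaround for CVE-2021-36934:

```powershell
# Added example, not part of Beewolf: check a host for the conditions the script
# relies on and, optionally, apply Microsoft's published workaround for CVE-2021-36934.
# Run from an elevated PowerShell 5.1 or 7 session; function names are the editor's own.

function Test-HiveAcl {
    # The flaw is an over-permissive ACL: BUILTIN\Users holds read access on the hive
    # files under %windir%\System32\config. The live files are locked, but a Volume
    # Shadow Copy exposes the same bytes read-only, which is what Beewolf links to.
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($hive in 'SAM', 'SECURITY', 'SYSTEM') {
        $path = Join-Path $env:windir "System32\config\$hive"
        $acl  = Get-Acl -LiteralPath $path
        $usersRead = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band $readData) -ne 0
        })
        [pscustomobject]@{
            Hive         = $hive
            UsersCanRead = $usersRead.Count -gt 0   # $true means the ACL flaw is present
        }
    }
}

function Get-ShadowCopySummary {
    # Exploitation needs at least one existing shadow copy (System Restore, backups and
    # feature updates create them). An empty result means there is nothing to link to yet.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, InstallDate, DeviceObject, VolumeName
}

function Test-WindirOverride {
    # The SilentCleanup UAC bypass plants a per-user 'windir' value under HKCU:\Environment.
    # The key itself is legitimate, but 'windir' is normally defined only machine-wide,
    # so any per-user value deserves a look (and is left behind if a script does not clean up).
    $value = (Get-ItemProperty -Path 'HKCU:\Environment' -Name windir -ErrorAction SilentlyContinue).windir
    [pscustomobject]@{
        User    = $env:USERNAME
        Present = $null -ne $value
        Value   = $value
    }
}

function Invoke-HiveNightmareWorkaround {
    # Microsoft's workaround for CVE-2021-36934: re-enable ACL inheritance on the hive
    # files so they take the restrictive ACL of the config directory, then delete existing
    # shadow copies so no readable copy of the old files remains. Deleting shadow copies
    # also removes restore points, so preview with -WhatIf before applying.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $config = Join-Path $env:windir 'System32\config\*.*'
    if ($PSCmdlet.ShouldProcess($config, 'icacls /inheritance:e')) {
        icacls $config /inheritance:e | Out-Null
    }
    if ($PSCmdlet.ShouldProcess('all volume shadow copies', 'vssadmin delete shadows /all')) {
        vssadmin delete shadows /all /quiet | Out-Null
    }
}

Test-HiveAcl          | Format-Table -AutoSize
Get-ShadowCopySummary | Format-Table -AutoSize
Test-WindirOverride   | Format-List
# Invoke-HiveNightmareWorkaround -WhatIf   # drop -WhatIf to apply the workaround
```

A host is exposed only when Test-HiveAcl reports UsersCanRead for the hives and Get-ShadowCopySummary returns at least one copy; fixing the ACL alone leaves any existing shadow copy readable, which is why the workaround does both steps.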

Installation / Usage

Install using PowerShell version 3 or later (Invoke-WebRequest requires it).

Installation:

  1. Navigate to the desired install path:

     Set-Location <install\path>

  2. Place Beewolf.ps1 into that path:

     Invoke-WebRequest -Uri "https://raw.githubusercontent.com/Operational-Sciences-Group/Project-Beewolf/main/Beewolf.ps1" -OutFile Beewolf.ps1

Usage:

.\Beewolf.ps1

Disclaimer / Warning

All the contents of this repository should be used for authorized and/or educational purposes only. Any misuse of this repository will not be the responsibility of the author or of any other collaborator.

Credits

Credit to enigma0x3 and Matt Graeber for the UAC bypass.

Credit to Jonas L for discovering the vulnerability.

License

GPL-3.0