CVE-2021-36934 — Microsoft Windows SAM Local Privilege Escalation Vulnerability

CVE-2021-36934

HiveNightmare / SeriousSAM — VSS Shadow Copies Expose SAM/SYSTEM/SECURITY Hives to Low-Privileged Users, Enabling Credential Extraction and SYSTEM Escalation

What is the Windows SAM Database and VSS?

The Security Account Manager (SAM) database is a Windows registry hive that stores local user account credentials as password hashes. The SYSTEM hive contains the SYSKEY boot key used to encrypt the SAM, and the SECURITY hive contains cached domain credentials and LSA secrets. Together, these three hives contain the credential material needed to extract all local account password hashes — including the local administrator account. Under normal circumstances, these files are locked by Windows and readable only by SYSTEM. Volume Shadow Copy Service (VSS) creates point-in-time backup snapshots of the system drive. If VSS creates shadow copies that include the registry hives with overly-permissive ACLs, non-privileged users can read the credential files from the shadow copy path.

Overview

CVE-2021-36934, publicly called HiveNightmare or SeriousSAM, is a Windows privilege escalation vulnerability in which incorrect Access Control Lists on the SAM, SYSTEM, and SECURITY registry hives captured in Volume Shadow Copy Service (VSS) shadow copies allow low-privileged users to read these files. A low-privileged user can extract the SAM hive from a shadow copy, dump all local account password hashes, crack or pass the hashes to escalate to local administrator, and from there to SYSTEM. This affects Windows 10 version 1809 and later where system shadow copies exist. Security researcher Jonas Lykkegaard (@jonasLyk) disclosed this publicly on July 19, 2021; Microsoft issued a patch in the August 2021 Patch Tuesday release. CISA added it to the KEV catalog in February 2022.

Affected Versions

Product                            Vulnerable                         Fixed
Windows 10 version 1809 and later  Yes                                August 2021 Patch Tuesday
Windows 11                         Yes                                August 2021 Patch Tuesday
Windows Server 2019                Yes (if VSS shadow copies exist)   August 2021 Patch Tuesday

Technical Details

  • Root cause: Overly permissive ACLs on the SAM, SYSTEM, and SECURITY registry hives — Windows 10 (version 1809 and later) changed the permissions on these hive files under %windir%\System32\config, inadvertently granting the BUILTIN\Users group read access; the live files are held open exclusively by the OS, but every VSS shadow copy captures them with that permissive ACL intact
  • Shadow copy access path: The shadow copies are accessible via \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyX\Windows\System32\config\ — a path that bypasses the exclusive lock on the live hives; any low-privileged user can read the SAM, SYSTEM, and SECURITY hives from this path if shadow copies exist
  • Credential extraction: Using tools like reg save or secretsdump.py (Impacket), an attacker copies the three hive files and extracts all local account NTLM hashes — including the built-in Administrator account hash
  • Pass-the-hash escalation: The extracted NTLM hash for the local Administrator account can be used in a Pass-the-Hash attack to authenticate as local admin, and from there to SYSTEM
  • Prerequisite: VSS shadow copies must exist on the system drive — present on most Windows 10/Server installations with System Restore enabled or backup solutions configured
  • No elevated privileges needed: CVSS PR:L — any local account (standard user, service account, limited user) can perform the shadow copy read

Discovery

Discovered by security researcher Jonas Lykkegaard (@jonasLyk), who posted the finding on Twitter on July 19, 2021. Within 24 hours, multiple researchers had published proof-of-concept tools demonstrating credential extraction. Microsoft acknowledged the vulnerability the same day and issued interim mitigations while developing the permanent patch released in August 2021 Patch Tuesday.

Exploitation Context

HiveNightmare quickly entered post-exploitation toolkits because it provides a straightforward and reliable path to local credential material without requiring any kernel exploit — just file system access to the shadow copies. Attackers who gain any local foothold (via phishing, credential stuffing against a service account, or RDP brute force) can immediately extract local admin hashes. With local admin credentials, attackers can disable defenses, access other systems using the same local admin password (if not randomized via LAPS), and move laterally through environments where the same local administrator password is reused. The February 2022 CISA KEV addition reflects confirmed exploitation six months after the patch, consistent with incorporation into commercial post-exploitation frameworks.

Remediation

  1. Apply August 2021 Patch Tuesday updates — permanently fixes the SAM ACLs in shadow copies
  2. Interim mitigation (pre-patch): Restore ACL inheritance on the live hive files in %windir%\System32\config so they no longer grant BUILTIN\Users read access (Microsoft's documented workaround; shadow copies taken before this change still carry the old ACL and must be deleted, see step 3):
    icacls %windir%\system32\config\*.* /inheritance:e
    
  3. Delete existing shadow copies after applying the patch — historical shadow copies with the incorrect ACLs remain exploitable until removed:
    vssadmin delete shadows /all /quiet
    
  4. Enable Windows Local Administrator Password Solution (LAPS) to ensure unique local admin passwords on each Windows system, preventing lateral movement even if hashes are extracted
  5. Verify System Restore and VSS are configured appropriately — disable if not required; new shadow copies created after the patch will have correct ACLs
  6. Review local account membership: limit which accounts have local logon rights; service accounts should not have interactive logon rights
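The following PowerShell script is an added example written for this page; it is not code from the advisory, from Microsoft, or from the researcher. It ties the Technical Details section to the Remediation steps: it reports whether the live hive files carry the permissive BUILTIN\Users:(I)(RX) entry (the ACE Microsoft's workaround guidance tells administrators to look for in icacls output), lists the shadow copies that would expose those files, and, when run with -Remediate, applies steps 2 and 3 above (re-enable ACL inheritance, then delete shadow copies) and re-checks. Assumptions: Windows 10 1809 or later / Server 2019, an elevated prompt, the built-in icacls.exe and vssadmin.exe, and shadow copies enumerable through the Win32_ShadowCopy CIM class. The script name Test-HiveNightmare.ps1 used in the usage note is also an assumption.

```powershell
# Added example (not from the advisory): audit a host for CVE-2021-36934 exposure
# and optionally apply the interim workaround. Run from an elevated prompt.
# Assumes Windows 10 1809+/Server 2019 with icacls.exe, vssadmin.exe and the
# Win32_ShadowCopy CIM class available.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # restore ACL inheritance and delete existing shadow copies
)

$configDir = Join-Path $env:windir 'System32\config'
$hives     = @('SAM', 'SYSTEM', 'SECURITY')

function Test-HiveReadableByUsers {
    # The vulnerable ACE shows up in icacls output as "BUILTIN\Users:(I)(RX)":
    # an inherited Allow entry granting Read & Execute to every local user.
    param([string]$Path)
    $lines = & icacls.exe $Path 2>&1
    return [bool]($lines -match 'BUILTIN\\Users:\(I\)\(RX\)')
}

function Get-SystemShadowCopies {
    # Each shadow copy exposes a snapshot of the hives under
    # <DeviceObject>\Windows\System32\config\ with the ACLs they had when taken.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, InstallDate, VolumeName, DeviceObject
}

function Get-HiveNightmareStatus {
    $hiveAcls = foreach ($h in $hives) {
        $p = Join-Path $configDir $h
        [pscustomobject]@{
            Hive         = $h
            Path         = $p
            UsersCanRead = Test-HiveReadableByUsers -Path $p
        }
    }
    $shadows = @(Get-SystemShadowCopies)
    [pscustomobject]@{
        HiveAcls        = $hiveAcls
        ShadowCopyCount = $shadows.Count
        ShadowCopies    = $shadows
        # Exploitable only when BOTH conditions hold: a permissive ACL on the
        # live hive files AND at least one shadow copy that captured them.
        Exploitable     = (($hiveAcls.UsersCanRead -contains $true) -and ($shadows.Count -gt 0))
    }
}

$before = Get-HiveNightmareStatus
$before.HiveAcls | Format-Table -AutoSize
"Shadow copies present: $($before.ShadowCopyCount)"
"Exploitable right now: $($before.Exploitable)"

if ($Remediate) {
    if ($PSCmdlet.ShouldProcess("$configDir\*.*", 'icacls /inheritance:e')) {
        # Step 2: re-enable inheritance so the hive files take the ACL of the
        # config directory, which does not grant BUILTIN\Users read access.
        & icacls.exe "$configDir\*.*" /inheritance:e | Out-Null
    }
    if ($PSCmdlet.ShouldProcess('all shadow copies on this host', 'vssadmin delete shadows /all')) {
        # Step 3: existing snapshots keep the old ACL and cannot be re-ACLed in
        # place, so they are removed; copies taken afterwards inherit the fixed ACL.
        & vssadmin.exe delete shadows /all /quiet | Out-Null
    }
    $after = Get-HiveNightmareStatus
    $after.HiveAcls | Format-Table -AutoSize
    "After remediation - exploitable: $($after.Exploitable)"
}
```

Run .\Test-HiveNightmare.ps1 with no arguments to audit only; add -Remediate -WhatIf to preview the two changes, and -Remediate to apply them. Because vssadmin delete shadows /all also discards System Restore points and any backup snapshots, confirm with the backup owner before running it on a server, and re-run the audit afterwards: a host whose hives still show UsersCanRead = True but with ShadowCopyCount = 0 is not exploitable today but will be again the moment a new shadow copy is taken, so the ACL fix (or the August 2021 update) is the part that must not be skipped.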

Key Details

CVE ID:               CVE-2021-36934
Vendor / Product:     Microsoft — Windows
NVD Published:        2021-07-22
NVD Last Modified:    2026-02-25
CVSS 3.1 Score:       7.8
CVSS 3.1 Vector:      CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity:             HIGH
CISA KEV Added:       2022-02-10
CISA KEV Deadline:    2022-02-24
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector:       Local
Attack Complexity:   Low
Privileges Required: Low
User Interaction:    None
Scope:               Unchanged
Confidentiality:     High
Integrity:           High
Availability:        High

Required Action

CISA BOD 22-01 Deadline: 2022-02-24. Apply updates per vendor instructions.

Timeline

Date        Event
2021-07-19  Security researcher Jonas Lykkegaard (@jonasLyk) discloses HiveNightmare on Twitter — demonstrates that Windows 10 VSS shadow copies make SAM/SYSTEM/SECURITY files readable by standard users
2021-07-20  Microsoft acknowledges the vulnerability and issues initial mitigation guidance; proof-of-concept tools published by multiple researchers
2021-07-22  CVE-2021-36934 published; also named HiveNightmare and SeriousSAM
2021-08-10  Microsoft releases permanent patch in August 2021 Patch Tuesday
2022-02-10  Added to CISA Known Exploited Vulnerabilities catalog
2022-02-24  CISA BOD 22-01 remediation deadline

References

Resource                                       Type
Microsoft Security Advisory — CVE-2021-36934   Vendor Advisory
NVD — CVE-2021-36934                           Vulnerability Database
CISA KEV Catalog Entry                         US Government