kdapig.blogg.se

Microsoft security account manager

The SeriousSAM vulnerability, tracked as CVE-2021-36934, exists in the default configuration of Windows 10 and Windows 11, specifically due to a setting that allows 'read' permissions to the built-in Users group, which contains all local users.

As a result, built-in local users have access to read the SAM files and the Registry, where they can also view the hashes.

4661(S, F): A handle to an object was requested.

Microsoft Windows 10 and Windows 11 users are at risk of a new unpatched vulnerability that was recently disclosed publicly.

As we reported last week, the vulnerability - SeriousSAM - allows attackers with low-level permissions to access Windows system files to perform a Pass-the-Hash (and potentially Silver Ticket) attack.

Attackers can exploit this vulnerability to obtain hashed passwords stored in the Security Account Manager (SAM) and Registry, and ultimately run arbitrary code with SYSTEM privileges.

There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at Security Account Manager level.

Changes to user and group objects are tracked by the Account Management audit category. However, user accounts with enough privileges could potentially alter the files in which the account and password information is stored in the system, bypassing any Account Management events.

Event volume: High on domain controllers.

Only a SACL for SAM_SERVER can be modified.

Success audits record successful attempts, and failure audits record unsuccessful attempts. If you configure this policy setting, an audit event is generated when a SAM object is accessed.

SAM_GROUP: A group that is not a local group

The Security Account Manager (SAM) is a database present on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer.

Audit SAM enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects.





