It never rains, but it pours, as they say…
After Printnightmare came the Windows Hello zero-day, which allowed a hacker to access any account using PC using a Hello capable camera for authentication (they just needed an infrared image of the user, which could be obtained using any IR camera – E.g. walking past them with the camera, putting a camera in an elevator etc. where the user would pass by). While it would be highly targeted, it is a serious problem.
Now we have Hivenightmare. A bug in a recent(?) Windows update, first noticed in Windows 11 Beta, but also in all versions of Windows 10 in support, allows any user to read key system files, including the SAM password database – passwords are hashed, but there are known workarounds for finding passwords.
There is currently no patch, but you can manually re-apply the correct protection to the files and you will have to manually remove an VSS copies on your system (and generate a new one, if you want to have a recovery point).
Restrict access to the contents of %windir%\system32\config
1. Open Command Prompt or Windows PowerShell as an administrator.
2. Run this command: `icacls %windir%\system32\config\ *.* /inheritance:e`
Delete Volume Shadow Copy Service (VSS) shadow copies
1. Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
2. Create a new System Restore point (if desired).