CVE-2021-36934

Published: 22/07/2021 Updated: 28/12/2023
CVSS v2 Base Score: 4.6 | Impact Score: 6.4 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 420
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attacker must have the ability to execute code on a victim system to exploit this vulnerability.

After installing this security update, you must manually delete all shadow copies of system files, including the SAM database, to fully mitigate this vulnerability. Simply installing this security update will not fully mitigate this vulnerability. See KB5005357 - Delete Volume Shadow Copies (support.microsoft.com/topic/1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7).

Vulnerable Products

microsoft windows 10 1809

microsoft windows 10 1909

microsoft windows 10 2004

microsoft windows 10 20h2

microsoft windows 10 21h1

GitHub Repositories

To check if system is vulnerable to HiveNightmare

HiveNightmareChecker CVE-2021-36934 To check if system is vulnerable to HiveNightmare CVE-2021-36934 Check if shadow copies are available, help user to delete them and create new restore points after ensuring the permission of SAM, SECURITY, SYSTEM is correct More info : msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934 Usage git clone github

Go-HiveNightmare Edition - VSC Hive Accessibility Testing and Extraction

GoHN - Go HiveNightmare Test and extraction tool for SeriousSam, CVE-2021-36934, HiveNightmare, or 2021's latest excitement What Is This Inspired by github.com/GossiTheDog/HiveNightmare and built out for use to develop detections associated with this potential attack This version supports -test as well as -extract mode and will iterate through up to 64 snapshots

What is securitygpt? securitygpt is a package that makes common tasks that a security engineer does easy using generative LLMs As a security engineer, you don't want to worry about writing correct prompts, we have taken care of that for you Examples Anonymize Data before you send to LLM from gptssafegptanonymize import encrypt, decrypt, get_mappings, decrypt_dataframe

SeriousSam-Vulnerability-exploitation-and-mitigation This assignment was given in the SNP(Systems and Network Programming) module This is a very clearly explained document about the CVE-2021-36934 vulnerability This document includes the introduction, vulnerability exploitation, and mitigation Introduction Jonas Lykkegaard discovered the CVE-2021-36934 vulnerability, also k

Exploit for HiveNightmare - CVE-2021–36934

HiveNightmare this is a quick and dirty exploit for HiveNightmare (or SeriousSam) - CVE-2021-36934 This allows non administrator users to read the SAM, SECURITY and SYSTEM hives from system restore points This is based on the original exploit of Kevin Beaumont To run this exploit just execute hive.exe This will save the latest SAM, SECURITY and SYSTEM hives to the curre

HiveShadow This is an implementation of CVE-2021-36934 written in GO (1163) Usage Arguments: -h Print this message; -q Quick wins - only scans for the first shadow copy; -b Brute force shadow copy number up to max depth (default 20); -d Brute force max depth (default 20); -o The output directory (make sur

SeriousSAM Auto Exploiter

CVE-2021-36934 SeriousSAM Auto Exploiter Requirements HiveNightmare, executable or a DLL equivalent of it (the DLL equivalent would require some code modifications in order to run it through rundll32, this could be useful when you run into AppLocker environments) dump.exe, which is a PyInstaller-compiled secretsdump.py, so it's pretty large since it contains all modules and

Beewolf is a PowerShell script that exploits HiveNightmare/SeriousSAM

Project-Beewolf SAM extraction via PowerShell Beewolf is a PowerShell (Version 7/5/2) script that exploits the HiveNightmare (aka SeriousSAM) vulnerability CVE-2021-36934 Table of contents About Installation /usage Disclaimer / Warning Credits License About Beewolf copies the Windows Security Account Manager database to $env:PUBLIC (or another filepath) for your viewing p

Hi there 👋, my name is Noureldin

Exploit allowing you to read registry hives as non-admin on Windows 10 and 11

HiveNightmare aka SeriousSam, or now CVE-2021-36934 Exploit allowing you to read any registry hives as non-admin What is this? A zero-day exploit for HiveNightmare, which allows you to retrieve all registry hives in Windows 10 as a non-administrator user For example, this includes hashes in SAM, which can be used to execute code as SYSTEM Download This is the direc

Detection and Mitigation script for CVE-2021-36934 (HiveNightmare aka. SeriousSam)

CVE-2021-36934 Usage Detection: .\Get-HiveNightmareStatus.ps1 Detection for management tools that need True/False output: .\Get-HiveNightmareStatus.ps1 -PostureCheck Remediation (for initial SAM fixes and VSS removal): .\Get-HiveNightmareStatus.ps1 -Remediate (remediate even if the checks say healthy)

Windows Defender ATP Publisher: Splunk Connector Version: 382 Product Vendor: Microsoft Product Name: Windows Defender ATP Product Version Supported (regex): "*" Minimum Product Version: 611 This app integrates with Windows Defender Advanced Threat Protection(ATP) to execute various containment, corrective, generic, and investigative actions Defender ATP Instance

CVE-2021-36934 python secretsdump.py -sam C:\Windows\Temp\SAM -security C:\Windows\Temp\SECURITY -system C:\Windows\Temp\SYSTEM LOCAL

CVE-2021-36934 The derived hash is used for forgery such as PTH and bills There is no detailed analysis here In addition, given that access rights to most system files can be obtained, there should be more than this one method of exploitation, including Microsoft officials, which have also characterized it as a privilege escalation vulnerability A simple script is used

CVE-2021-36934. Exploit allowing you to read any registry hives as non-admin in PowerShell

PSHiveNightmare PSHiveNightmare CVE-2021-36934 Exploit allowing you to read any registry hives as non-admin What is this? A zero-day exploit for HiveNightmare, which allows you to retrieve all registry hives in Windows 10 as a non-administrator user For example, this includes hashes in SAM, which can be used to execute code as SYSTEM Why PS this? The HiveNightmare w

Cobalt Strike Beacon Object Files

Beacon Object Files Name Syntax Silent Lsass Dump silentLsassDump <LSASS PID> CredPrompt credprompt [Text message] SeriousSam (CVE-2021-36934) BOFNET, check the readme CredEnum CredEnum WindowsVault WindowsVault InlineZipper Check the project here

Fix for the CVE-2021-36934

CVE-2021-36934 Fix for the CVE-2021-36934 Script will run and check if your system is affected and then apply the fix

Small and dirty PoC for CVE-2021-36934

VSSCopy Small and dirty PoC for CVE-2021-36934 Usage: VSSCopy.exe C:\temp Credits: twitter.com/jonasLyk twitter.com/gentilkiwi

HiveNightmare a.k.a. SeriousSam Local Privilege Escalation in Windows – CVE-2021-36934

SeriousSam HiveNightmare aka SeriousSam Local Privilege Escalation in Windows – CVE-2021-36934

A capability to identify and remediate CVE-2021-36934 (HiveNightmare)

Invoke-HiveDreams A capability to identify and remediate CVE-2021-36934 (HiveNightmare)

CVE-2021-36934 PowerShell Fix

CVE-2021-36934 CVE-2021-36934 PowerShell Fix This PowerShell script fixes CVE-2021-36934, based on the original script of Joran Slingerland (github.com/JoranSlingerland) github.com/JoranSlingerland/CVE-2021-36934/blob/main/CVE-2021-36934.ps1 The PowerShell script will do the following: Produce a LOG under $env:windir\Logs\ with the name of CVE-2021-36934_$date$tim

CVE-2021-36934 PowerShell scripts

CVE-2021-36934 CVE-2021-36934 PowerShell scripts Detection.ps1 This is a quick and dirty script to see if a machine may be vulnerable It writes out a message to the shell indicating if BUILTIN\Users was detected in the permission list and includes the current permissions on the SAM path for validation If the system is unaffected or has been remediated you would see output s

HiveNightmare aka SeriousSAM

CVE-2021-36934 HiveNightmare aka SeriousSAM

Pure Nim implementation for exploiting CVE-2021-36934, the SeriousSAM local privilege escalation

ShadowSteal | CVE-2021-36934 Pure Nim implementation for exploiting CVE-2021-36934, the SeriousSAM Local Privilege Escalation (LPE) Not OPSEC safe yet ;) I do not claim credit for the discovery of this exploit Quick Start Build with Docker Getting started with ShadowSteal is now easier than ever thanks to Docker! Don't wanna mess with installing Nim dependencies? I

Microsoft Security Response Center API - Azure Function Credits A big thank you to Manbearpiet who created the initial code for this function Description The function can be used to get the latest CVE and supporting information from the Microsoft Security Response Center (MSRC) API api.msrc.microsoft.com/cvrf/v2.0/cvrf/2021-Jul Information returned from the API: CVE

POC experiments with Volume Shadow copy Service (VSS)

poc_CVE-2021-36934 POC experiments with Volume Shadow copy Service (VSS)

Windows Elevation of Privilege Vulnerability CVE-2021-36934

Windows Elevation of Privilege Vulnerability CVE-2021-36934 #SeriousSAM Description see MS article: msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934 To deploy the workaround via GPO Copy paste the below commands in notepad, save as a batch file (.bat extension) and then use to push on to Windows machines via GPO @echo

HiveNightmare CVE-2021-36934 Checker in crappy batch file

CVE-2021-36934 HiveNightmare vulnerability checker and workaround

CVE-2021-36934 CVE-2021-36934 HiveNightmare vulnerability checker and workaround Flow The script has the following flow: Requires it to run with Administrator privileges Check Windows 10 version is affected by the vulnerability IF affected by vulnerability: Show Windows version may be affected by the vulnerability message Check if the hive system files permissions are acces

PoC for CVE-2021-36934 Aka HiveNightmare/SeriousSAM written in python3

PyNightmare PoC for CVE-2021-36934 Aka HiveNightmare/SeriousSAM fully written in python3 Explanation CVE-2021-36934 is a recently discovered vulnerability found by @jonasLyk allowing non-admin users to copy all registry hives which contain very private information like hashes which could lead to Privilege Escalation Inspiration Simple PoC for the HiveNightmare vulnerability insp

PoC for CVE-2021-36934, which enables a standard user to be able to retrieve the SAM, Security, and Software Registry hives in Windows 10 version 1809 or newer

Invoke-HiveNightmare PowerShell-based PoC for CVE-2021-36934, which enables a standard user to be able to retrieve the SAM, Security, and Software Registry hives in Windows 10 version 1809 or newer Situation In specific versions of Windows 10, standard users have read/execute rights to files in [SYSTEMROOT]\System32\Config directory, which is where the Registry hives reside on

This PowerShell script will take the mitigation measures for CVE-2021-36934 described by Microsoft and the US CERT team. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934 https://kb.cert.org/vuls/id/506989 USE AT YOUR OWN RISK -- BACKUPS MAY BREAK.

Overview This is a Datto RMM component to mitigate CVE-2021-36934, aka Serious SAM It follows the mitigation measures outlined at: msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934 kb.cert.org/vuls/id/506989 USE AT YOUR OWN RISK EXPECT THIS TO BREAK SOME BACKUPS TEMPORARILY Only basic error checking is in place Usage Just upload the component in

This is a basic example of how to set up two agents, a researcher and a writer. This example uses a local LLM set up with Ollama. You're responsible for setting up all the requirements and the local LLM; this is just some example code.

A simple crewai example This code uses a simple example of employing two AI agents and a local LLM to do work for you In simple terms: Crew AI uses agents to do work for you; we define tasks and assign those tasks to our agents; the agents may also use tools to assist in their tasks In this simple example we set up two agents: A security researcher A security writer I used

This is a basic example of how to set up two agents, a researcher and a writer. This example uses a local LLM set up with Ollama. You're responsible for setting up all the requirements and the local LLM; this is just some example code.

Crew AI Examples Example 1 local LLM no tools This code uses a simple example of employing two AI agents and a local LLM to do work for you In simple terms: Crew AI uses agents to do work for you; we define tasks and assign those tasks to our agents; the agents may also use tools to assist in their tasks In this simple example we set up two agents: A security researcher A secu

Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands

SharpKatz Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands Usage Ekeys: SharpKatz.exe --Command ekeys (list Kerberos encryption keys) Msv: SharpKatz.exe --Command msv (retrieve user credentials from Msv provider) Kerberos: SharpKatz.exe --Command kerberos (retrieve user credentials from Kerberos provider) Tspkg: SharpKatz.exe --Command tspk

Recent Articles

Microsoft Patch Tuesday bug drought: No, it's not climate change or unexpected code quality improvements
The Register • Thomas Claburn in San Francisco • 10 Aug 2021

It's just temporary relief from the typical monthly repair routine

Now is the winter of our discontent made glorious summer by the fact that it's August and Patch Tuesday brings word of only 44 vulnerabilities in Microsoft's software. No doubt there are more flaws to be found but for now Redmond's customers can enjoy a relatively light load of fixes. In fact you'd have to go back to December 2019 to find a more meager bug harvest. There's a bit of selective counting here however, given that Microsoft has been patching Edge's Chromium bugs separately. Among Tues...

Microsoft has a workaround for 'HiveNightmare' flaw: Nuke your shadow copies from orbit
The Register • Richard Speed • 22 Jul 2021

It's the only way to be sure

After setting the "days since a security cock-up" counter back to zero, Microsoft has published an official workaround for its Access Control Lists (ACLs) vulnerability (CVE-2021-36934). The solution? Use the icacls command to deal with the permissions set for the contents of system32\config, which are at the root of the problem, and then wipe any Volume Shadow Copy Service (VSS) shadow copies that were taken prior to the icacls fix. It's hardly an ideal solution, since those shadow copies could...

Make-me-admin holes found in Windows, Linux kernel
The Register • Richard Speed • 21 Jul 2021

Patches available for priv-esc bug in the open-source software, at least

Move over, PrintNightmare. Microsoft has another privilege-escalation hole in Windows that can be potentially exploited by rogue users and malware to gain admin-level powers. Meanwhile, a make-me-root hole was found in recent Linux kernels. Recent builds of Windows 10, and the preview of Windows 11, have a misconfigured access control list (ACL) for the Security Account Manager (SAM), SYSTEM, and SECURITY registry hive files. As a result of this blunder, non-administrative users may read these d...