Microsoft Windows 10 and 11 have the SeriousSAM Vulnerability

Introduction:-

The Security Account Manager (SAM) is a database file in Windows XP, Windows Vista, Windows 7, 8.1, 10 and 11 that stores users' passwords. It is used to authenticate local and remote users. SAM uses cryptographic measures to prevent unauthenticated users from accessing the system.

User passwords are stored in hashed form in a registry hive, either as an LM hash or as an NTLM hash. The file is located at %SystemRoot%\System32\config\SAM and is mounted at HKLM\SAM.

It is not possible to simply copy the SAM file to another location: while Windows is running, the kernel holds an exclusive filesystem lock on the SAM file and does not release it until the operating system shuts down.

Users of Microsoft Windows 10 and Windows 11 are exposed to a new vulnerability that has not yet been patched.

The vulnerability, reported last week and dubbed SeriousSAM, allows an attacker with low-level permissions to access Windows system files and perform a Pass-the-Hash attack.

SeriousSAM, tracked as CVE-2021-36934, is present in the default configuration of Windows 10 and Windows 11. The cause is a setting that grants “read” permissions to a built-in group that includes all local users.

There is still no official patch for this vulnerability from Microsoft, so the best way to protect your environment from SeriousSAM is to implement the mitigations described below.

Impact of this Vulnerability:-

1) An attacker could exploit this vulnerability to obtain the hashed passwords stored in the Security Account Manager (SAM) registry hive.

2) Eventually, the attacker could execute arbitrary code with SYSTEM privileges.

As a result, built-in local users can read the SAM file and registry hives, including the stored hashes. Once an attacker gains “user” access, tools such as Mimikatz can be used to read the registry or SAM, steal the hashes and crack them into passwords. Such a compromise of a domain user would allow an attacker to gain elevated privileges on the network.

Recommendations for mitigating SeriousSAM:-

  1. Remove all users from the built-in Users group: this is a good place to start, but it won't protect you if Administrator credentials are stolen.
  2. Restrict SAM file and registry permissions: allow access only to Administrators.
  3. Do not allow the storage of passwords and credentials for network authentication: this rule is also recommended in the CIS benchmarks. With it in place, no hash is stored in the SAM or registry, which mitigates this vulnerability completely.
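As an added example for recommendation 2 (this is not code from the original post), the following PowerShell script audits whether the built-in Users group can read the hive files under %SystemRoot%\System32\config, which is the over-permissive state CVE-2021-36934 depends on, and can apply Microsoft's documented workaround of re-enabling ACL inheritance with icacls. The `-Fix` switch is this script's own parameter, not a Windows setting; run it from an elevated prompt.

```powershell
# Added example: check the ACLs of the SAM, SYSTEM and SECURITY hive files for
# an Allow entry that lets BUILTIN\Users read them, and optionally repair them.
[CmdletBinding()]
param([switch]$Fix)   # -Fix is this script's own parameter name

$configDir = Join-Path $env:SystemRoot 'System32\config'
$hives     = 'SAM', 'SYSTEM', 'SECURITY'   # hives needed for offline hash extraction
$usersSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'  # BUILTIN\Users
$usersName = $usersSid.Translate([System.Security.Principal.NTAccount]).Value

$findings = foreach ($hive in $hives) {
    $path = Join-Path $configDir $hive
    # Get-Acl only needs READ_CONTROL, so it works even though the kernel holds
    # an exclusive lock on the hive's data.
    $acl = Get-Acl -Path $path
    # Any Allow ACE for BUILTIN\Users that includes ReadData is the vulnerable state.
    $readAce = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $usersName -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    }
    [pscustomobject]@{
        Hive         = $hive
        Path         = $path
        UsersCanRead = [bool]$readAce
        Rights       = ($readAce | ForEach-Object { $_.FileSystemRights.ToString() }) -join '; '
    }
}

$findings | Format-Table -AutoSize

if ($findings.UsersCanRead -contains $true) {
    Write-Warning "Non-administrators can read one or more hive files: vulnerable to CVE-2021-36934."
    if ($Fix) {
        # Microsoft's workaround: restore inherited ACLs on every file in the config
        # directory, which drops the explicit read ACE granted to BUILTIN\Users.
        & icacls.exe "$configDir\*.*" /inheritance:e
    }
} else {
    Write-Output "Hive files are not readable by BUILTIN\Users."
}
```

Correcting the ACL only affects the live hive files; copies of the hives captured in Volume Shadow Copies made before the fix keep their old permissions, which is why Microsoft's workaround also removes existing shadow copies.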