HiveNightmare zero-day lets anyone be SYSTEM on Windows 10 and 11

Be aware that the suggested mitigation may carry greater risk than the vulnerability itself: deleting shadow copies also deletes your restore points. As always, think about the threat model before taking action:

[…] While Microsoft is expected to come up with an out-of-band patch for this vulnerability, there are some things you can do to defeat the vulnerability. Whatever you do to address the problem, note that fixing the cause does not necessarily fix broken permissions in shadow copies you have already taken.

You can find some useful commands for discovering whether your systems have shadow copies enabled, and whether they are vulnerable, in the CERT advisory. The advisory notes that “simply having a system drive that is larger than 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be automatically created.”

Microsoft recommends restricting access to the problematic folder and deleting Volume Shadow Copy Service (VSS) shadow copies to mitigate this issue.

Restrict access to the contents of %windir%\system32\config

  • Open Command Prompt or Windows PowerShell as an administrator.
  • Run this command: icacls %windir%\system32\config\*.* /inheritance:e

Delete Volume Shadow Copy Service (VSS) shadow copies

  • Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
  • Create a new System Restore point (if desired).

Note: Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications.
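As an added example (not code from the linked article, from Microsoft or from CERT), the following PowerShell script checks a host for the two conditions the attack needs, hive files that BUILTIN\Users can read and a VSS shadow copy to read them from, and, only when run with -Apply, carries out the two mitigation steps above in the order the text requires: restore inheritance on the ACLs first, then delete the shadow copies, since fixing the ACL does nothing for copies already taken. Matching the Users group by its well-known SID S-1-5-32-545, counting shadow copies by parsing vssadmin output, and the -Apply and -Volume parameters are my choices, not part of any advisory; the script assumes Windows PowerShell 5.1 run from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the linked article, Microsoft or CERT. Audits a host for the
# two conditions HiveNightmare needs (hive files readable by BUILTIN\Users, plus a VSS shadow
# copy to read them from) and, with -Apply, performs the two mitigation steps quoted above.
# Assumes Windows PowerShell 5.1 (Checkpoint-Computer is not available in PowerShell 7).
[CmdletBinding()]
param(
    [switch]$Apply,                       # default is report-only; -Apply changes the system
    [string]$Volume = $env:SystemDrive    # volume whose shadow copies are deleted, e.g. C:
)

$ConfigDir = Join-Path $env:windir 'System32\config'
$Hives     = 'SAM', 'SECURITY', 'SYSTEM'  # hives an attacker copies out of a shadow copy
$UsersSid  = 'S-1-5-32-545'               # well-known SID of BUILTIN\Users (locale-independent)

# Returns the hive paths whose DACL grants BUILTIN\Users a read-data right (the vulnerable state,
# shown by icacls as "BUILTIN\Users:(I)(RX)").
function Test-HiveExposure {
    $exposed = @()
    foreach ($name in $Hives) {
        $path = Join-Path $ConfigDir $name
        $acl  = Get-Acl -Path $path          # reading the DACL works even though the file is locked
        $readByUsers = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $UsersSid -and
            ([int]$_.FileSystemRights -band [int][System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
        }
        if ($readByUsers) { $exposed += $path }
    }
    return $exposed
}

# Counts shadow copies on the machine by parsing "vssadmin list shadows" output.
function Get-ShadowCopyCount {
    $output = & vssadmin.exe list shadows 2>&1
    return @($output | Select-String -Pattern 'Shadow Copy ID:').Count
}

# Microsoft's two steps, in order: fix the ACLs first, then remove the old shadow copies,
# because restoring inheritance does nothing for copies taken while the ACLs were wrong.
function Invoke-HiveNightmareMitigation {
    & icacls.exe (Join-Path $ConfigDir '*.*') /inheritance:e | Out-Null
    # Deletes every shadow copy on $Volume, including System Restore points (see the note above).
    & vssadmin.exe delete shadows /for=$Volume /all /quiet | Out-Null
    # Optional fresh restore point now that the hive ACLs are correct; harmless if System Restore is off.
    try {
        Checkpoint-Computer -Description 'After HiveNightmare mitigation' -RestorePointType 'MODIFY_SETTINGS' -ErrorAction Stop
    } catch {
        Write-Warning "Restore point not created: $($_.Exception.Message)"
    }
}

$exposed = @(Test-HiveExposure)
$shadows = Get-ShadowCopyCount
Write-Output "Hive files readable by BUILTIN\Users: $($exposed.Count) of $($Hives.Count)"
Write-Output "Shadow copies present:                $shadows"

if ($exposed.Count -gt 0 -and $shadows -gt 0) {
    Write-Warning 'Both conditions hold: a standard user can copy SAM/SECURITY/SYSTEM out of a shadow copy.'
} elseif ($exposed.Count -gt 0) {
    Write-Warning 'Hive ACLs are permissive; the next shadow copy (e.g. from a Windows Update) will expose them.'
} elseif ($shadows -gt 0) {
    Write-Output 'Current ACLs look correct, but shadow copies taken before the fix may still hold readable hives.'
}

if ($Apply) {
    Invoke-HiveNightmareMitigation
    Write-Output "After mitigation: exposed hives = $(@(Test-HiveExposure).Count), shadow copies = $(Get-ShadowCopyCount)"
} elseif ($exposed.Count -gt 0 -or $shadows -gt 0) {
    Write-Output 'Re-run with -Apply to restore inheritance and delete the shadow copies (read the caveat first).'
}
```

Run it once without -Apply to see where the host stands; the report-only default exists precisely because of the caveat above, so you can weigh the loss of restore points and third-party restore capability against the exposure before anything is deleted.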

Original Article