1

The essence of this vulnerability is that if you perform a shadow copy of your important files with hashed passwords for all OS accounts, encryption key data, and other important information (the files stored in SAM, SECURITY and SYSTEM) - you will be able to read them immediately with standard user rights.

Whereas in a standard situation, after performing a shadow copy, you can’t read the specified files with user rights. In other words, you will be able to elevate privileges after obtaining the desired password hash.

Are there any ways to fix it, without installing the latest Windows updates?

Maurice.Torres64
  • 11
  • 1

1 Answers1

0

We are using a Workaround

Create a .bat File

icacls %windir%\system32\config\*.* /inheritance:e 
vssadmin delete shadows /all /quiet

Create a File Called Windows_10_all.mof

instance of MSFT_SomFilter
{
    Author = "Administrator@domain";
    ChangeDate = "20210722135205.787000-000";
    CreationDate = "20210722134746.125000-000";
    Description = "Windows 10 Clients only";
    Domain = "domain";
    ID = "{677E2CEF-BCFC-46A5-B4D6-61C9A70250E8}";
    Name = "Windows 10 Only";
    Rules = {
instance of MSFT_Rule
{
    Query = "Select * from Win32_OperatingSystem where Version like \"10.%\" and ProductType=\"1\"";
    QueryLanguage = "WQL";
    TargetNameSpace = "root\\CIMv2";
}};
};

Create a GPO for the Startup Script

Copy the Above batch into the created directory.

Use MWI Filter

Goto WMI Filter, rightclick import the file from above

or do it lazy, by create it manually

"Select * from Win32_OperatingSystem where Version like \"10.%\" and ProductType=\"1\"";

After that, select your GPO on the left side and afterwards select on the right downside your WMI Filter.

Conclusions

This is just a Workaround which Microsoft tells to do, most Websites only Explain to fix the File instead of Folder Permissions.

djdomi
  • 1,377
  • 3
  • 10
  • 19