v0.4 of #HiveNightmare exploit is out, aka CVE-2021-36934 github.com/GossiTheDog/Hi…
You can specify the maximum number of shadows you want to inspect now, so if you have lots of snapshots from years of use specify 200 and it'll dump the most recent registry hives.
I like the 'dark web' versions of this, where people have added z's and their names, lol.
0.5 is out, retrieves latest snapshot and fixes a bunch of shit. Note file names have changed, apologies.
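The thread describes the mechanics in passing: the live hive files carry a wrong ACL, the copies of those files inside Volume Shadow Copy snapshots carry the same ACL, and the tool walks the snapshots up to a caller-chosen maximum. The script below is an added example written for this page, not code from the HiveNightmare repository or from Microsoft. It audits the host you are logged in to, from whatever account runs it (a standard user is the case that matters), and never copies a hive: it only asks the OS whether it would let this account open one. The namespace name `HiveAudit`, the default of 20 snapshot indices to probe, and the output format are this example's own choices; the Win32 error codes and the `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN` device path are standard Windows.

```powershell
# Added example, not the HiveNightmare tool's code. Audit one Windows 10 host
# for CVE-2021-36934 exposure from the current account. Copies nothing.
param([int]$MaxShadows = 20)   # how many HarddiskVolumeShadowCopyN indices to probe

$Hives = 'SAM', 'SYSTEM', 'SECURITY'

# CreateFileW via P/Invoke so the \\?\GLOBALROOT device path reaches the
# kernel exactly as written, without .NET path normalisation in the way.
Add-Type -Namespace HiveAudit -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr CreateFileW(string lpFileName, uint dwDesiredAccess,
    uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition,
    uint dwFlagsAndAttributes, IntPtr hTemplateFile);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Test-LiveHiveAcl {
    # The misconfiguration: an Allow ACE for BUILTIN\Users carrying ReadData on
    # the live hive files (icacls prints it as "BUILTIN\Users:(I)(RX)").
    # Reading a DACL needs READ_CONTROL, so on a correctly configured host a
    # standard user is refused even that; treat the refusal as the healthy result.
    $configDir = Join-Path $env:windir 'System32\config'
    $readData  = [System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($h in $Hives) {
        $path = Join-Path $configDir $h
        try {
            $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
            $bad = @($acl.Access | Where-Object {
                $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
                $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $readData) -ne 0)
            })
            $state = if ($bad.Count -gt 0) { 'VULNERABLE: BUILTIN\Users may read' } else { 'OK' }
        } catch {
            $state = 'OK (DACL not readable by this account)'
        }
        [pscustomobject]@{ Hive = $h; Path = $path; State = $state }
    }
}

function Test-ShadowHiveReadable {
    param([int]$Max)
    # Fixing the ACLs on the live files leaves every existing snapshot as it
    # was, so probe the snapshots directly. Walking indices needs no admin
    # rights (vssadmin list shadows does). The copy inside a snapshot carries
    # the DACL the live file had at snapshot time and, unlike the live hive,
    # is not held open by the kernel, so an open for read either succeeds
    # (vulnerable) or fails with ERROR_ACCESS_DENIED (fixed).
    $GENERIC_READ  = [uint32]0x80000000
    $SHARE_RW      = [uint32]3        # FILE_SHARE_READ | FILE_SHARE_WRITE
    $OPEN_EXISTING = [uint32]3
    $ATTR_NORMAL   = [uint32]0x80
    for ($i = 1; $i -le $Max; $i++) {
        $dev = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$i"
        foreach ($h in $Hives) {
            $p = "$dev\Windows\System32\config\$h"
            $handle = [HiveAudit.Native]::CreateFileW($p, $GENERIC_READ, $SHARE_RW,
                [IntPtr]::Zero, $OPEN_EXISTING, $ATTR_NORMAL, [IntPtr]::Zero)
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            if ($handle.ToInt64() -ne -1) {
                [void][HiveAudit.Native]::CloseHandle($handle)
                [pscustomobject]@{ Path = $p; State = 'VULNERABLE: opened for read' }
            } elseif ($err -eq 5) {   # ERROR_ACCESS_DENIED: snapshot exists, hive protected
                [pscustomobject]@{ Path = $p; State = 'OK (access denied)' }
            }
            # ERROR_FILE_NOT_FOUND (2) / ERROR_PATH_NOT_FOUND (3): no such snapshot, skip.
        }
    }
}

$live   = Test-LiveHiveAcl
$shadow = @(Test-ShadowHiveReadable -Max $MaxShadows)
$live   | Format-Table -AutoSize
$shadow | Format-Table -AutoSize

if ($shadow | Where-Object { $_.State -like 'VULNERABLE*' }) {
    # Microsoft's published workaround has two halves; the second is the one
    # that gets skipped. Shown, not executed: deleting snapshots also deletes
    # restore points, so that is an operator's decision.
    Write-Warning ("Snapshot hives are readable. Re-enabling inheritance on the live files " +
        "(icacls $env:windir\system32\config\*.* /inheritance:e) changes nothing inside " +
        "existing snapshots: delete them (vssadmin delete shadows) after fixing the ACLs, " +
        "then create a fresh restore point if you need one.")
}
```

Run it once as a standard user before any fix and once after. The quick manual equivalent of the first half is `icacls %windir%\system32\config\SAM`: a `BUILTIN\Users:(I)(RX)` line means the live file is exposed. The second half is the part worth keeping: a host whose live ACLs read as OK can still report every snapshot hive as readable, which is the gap the author describes in the fixes circulating online.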

More from @GossiTheDog

20 Jul
I’ve made a version of this that drops a shell as SYSTEM by automating the remaining steps, but opting not to publish for now as it’s too EZ mode github.com/GossiTheDog/Hi…
By the way, I haven’t coded anything in C++ since 1999 so this was fun. I’m terrible at it.

I’ve also never used Visual Studio before, and never committed code in GitHub before (previously I was pasting stuff in from browser).
Anyhoo if you’re having imposter syndrome know that any old idiot can own Windows nowadays.
20 Jul
I wrote about #HiveNightmare aka #SeriousSAM (blame @cyb3rops for that one), an unpatched Windows 10 vulnerability that allows any non-admin user to access the full system registry, including sensitive areas.

Terribly badly coded PoC included.

doublepulsar.com/hivenightmare-…
Btw there's a pretty big logic gap in one of the fixes I've seen floated online - it doesn't impact the snapshots.
Added US-CERT vulnerability note for this, written by @wdormann. It’s excellent and clearly lays out the problem. #HiveNightmare #SeriousSAM kb.cert.org/vuls/id/506989
19 Jul
Oh dear. I need to validate this myself, but it seems like MS may have goofed up and made the SAM database (user passwords) accessible to non-admin users in Win 10.
Confirmed; works on a Win10 Professional endpoint. It looks like the ACLs have been set wrong in Win10 on SAM database. 🤦‍♀️

It’s obvs not the only priv esc as the print spooler stuff also works out the box.
I think I’m going to be doing a blog asking what the fuck is happening with Windows OS security, as something is badly wrong.