Beewolf is a PowerShell script (for PowerShell 7, 5 and 2) that exploits the HiveNightmare (aka SeriousSAM) vulnerability, CVE-2021-36934.
Beewolf copies the Windows Security Account Manager (SAM) database to $env:PUBLIC (or another file path of your choosing) for your viewing pleasure. It works by creating symbolic links to a shadow copy of the SAM and performing some sleight of hand with environment variables. The underlying bug is an ACL problem: on affected Windows 10 builds, BUILTIN\Users has read access to the registry hive files under %windir%\System32\config. The live hives are locked while Windows is running, but the copies inside any existing Volume Shadow Copy are not, and that is what the symbolic links point at.
When it needs an elevated process, Beewolf abuses the Windows Task Scheduler task "SilentCleanup" (\Microsoft\Windows\DiskCleanup\SilentCleanup). That task is marked "Run with highest privileges" and its action expands %windir% from the environment of the user who starts it, so a member of the local Administrators group can start it from a normal, non-elevated session and get a high-integrity process without a UAC prompt. Note that this is a UAC bypass, not a privilege escalation: it does nothing for an account that is not already a local administrator. When not already running elevated, Beewolf creates a "windir" value under the registry key HKCU:\Environment so that %windir% (normally C:\Windows) expands to the command we want run as admin, in this case "powershell -ep bypass -w hidden $PSCommandPath;#". The trailing ";#" terminates the PowerShell statement and comments out the rest of the task's command line (\system32\cleanmgr.exe and its arguments), so only the script runs. After a run, check that the windir value is gone from HKCU:\Environment: if it is left behind, every later run of SilentCleanup relaunches the script, and it is an obvious indicator of compromise.
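To check a host for the two conditions described above before (or instead of) running the script, here is an added audit script in PowerShell. It is not part of Beewolf or the Project-Beewolf repository; the function names (Test-HiveAcl, Test-WindirHijack, Invoke-HiveNightmareWorkaround) and the -DeleteShadowCopies switch are this example's own choices. It checks whether BUILTIN\Users can read the SAM, SYSTEM and SECURITY hives, whether a windir value already sits under HKCU:\Environment, what the SilentCleanup task actually executes, and, from an elevated session, applies Microsoft's published workaround for CVE-2021-36934.

```powershell
# Added example, not Beewolf's own code: audit a host for the two conditions
# the README relies on, and optionally apply Microsoft's published workaround
# for CVE-2021-36934. Function and switch names are this example's own.
# Works in Windows PowerShell 5.1 and PowerShell 7; the two Test-* functions
# do not need an elevated session.

function Test-HiveAcl {
    # CVE-2021-36934: BUILTIN\Users (S-1-5-32-545) holds read access on the
    # hive files under %windir%\System32\config. The live hives are locked by
    # the kernel, but Get-Acl only needs READ_CONTROL, so the ACL can be
    # inspected even though the file contents cannot be opened.
    [CmdletBinding()]
    param([string[]]$Hive = @('SAM', 'SYSTEM', 'SECURITY'))

    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($name in $Hive) {
        $path    = Join-Path $env:SystemRoot "System32\config\$name"
        $exposed = $false
        $note    = ''
        try {
            $acl   = Get-Acl -LiteralPath $path -ErrorAction Stop
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
            foreach ($rule in $rules) {
                if ($rule.IdentityReference.Value -eq 'S-1-5-32-545' -and
                    $rule.AccessControlType -eq 'Allow' -and
                    (([int]$rule.FileSystemRights -band $readData) -ne 0)) {
                    $exposed = $true
                }
            }
        } catch {
            # A patched host denies even READ_CONTROL to standard users; treat
            # that as "not exposed" but surface the reason.
            $note = $_.Exception.Message
        }
        [pscustomobject]@{ Hive = $name; Path = $path; UsersCanRead = $exposed; Note = $note }
    }
}

function Test-WindirHijack {
    # SilentCleanup runs "%windir%\system32\cleanmgr.exe ..." with highest
    # privileges and expands %windir% from the launching user's environment,
    # so a user-scoped windir value is the hallmark of this UAC bypass.
    $value = (Get-ItemProperty -Path 'HKCU:\Environment' -Name windir -ErrorAction SilentlyContinue).windir

    # Get-ScheduledTask exists on Windows 8 / Server 2012 and later; on
    # Windows 7 it is absent and these fields stay empty.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\DiskCleanup\' -TaskName 'SilentCleanup' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Hijacked      = [bool]$value
        WindirValue   = $value
        TaskRunLevel  = if ($task) { $task.Principal.RunLevel } else { $null }
        TaskExecute   = if ($task) { $task.Actions[0].Execute } else { $null }
    }
}

function Invoke-HiveNightmareWorkaround {
    # Microsoft's workaround for CVE-2021-36934: restore ACL inheritance on the
    # contents of the config directory, then delete shadow copies created
    # before the fix, because their copies of the hives keep the permissive ACL.
    # Deleting shadow copies also removes System Restore points, so it is opt-in.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$DeleteShadowCopies)

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]::new($identity)
    if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (high-integrity) PowerShell session.'
    }
    if ($PSCmdlet.ShouldProcess("$env:SystemRoot\System32\config", 'icacls /inheritance:e')) {
        & icacls.exe "$env:SystemRoot\System32\config\*.*" /inheritance:e
    }
    if ($DeleteShadowCopies -and $PSCmdlet.ShouldProcess($env:SystemDrive, 'vssadmin delete shadows /all')) {
        & vssadmin.exe delete shadows "/for=$env:SystemDrive" /all /quiet
    }
}

# Usage from a normal session:
Test-HiveAcl | Format-Table -AutoSize
Test-WindirHijack
# Preview the fix; drop -WhatIf in an elevated session to apply it:
# Invoke-HiveNightmareWorkaround -DeleteShadowCopies -WhatIf
```

On an exposed Windows 10 host Test-HiveAcl reports UsersCanRead as True for all three hives; on a patched host it reports False with an access-denied note, because the fix removes the Users entry entirely rather than merely revoking read. A True from Test-WindirHijack on a machine where nobody is deliberately testing this bypass deserves an incident ticket, not a shrug.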
It has been tested on the following versions of Windows:
- Windows 10 Pro. 10.0.19043.0 (Major.Minor.Build.Revision) (We anticipate it will work on Windows 11 also)
- Windows Server 2019 Build 17763.rs5_release.180914-1434
- Windows 8.1 Enterprise. 6.3.9600.0 (Major.Minor.Build.Revision)
- Windows 7 Enterprise Service Pack 1. 6.1.7601.65536 (Major.Minor.Build.Revision)
Note that CVE-2021-36934 itself only affects Windows 10 version 1809 and later (and Windows 11): on those builds standard users can read the hive files. Windows 7 and 8.1 do not have the exposed ACLs, so on them the hive copy only succeeds from the elevated process Beewolf obtains through SilentCleanup, which in turn requires an account in the local Administrators group.
Here is the concept of operation:
Install using PowerShell version 3 or later (the download step uses Invoke-WebRequest, which version 2 does not have).
Installation:
- Navigate to the desired install path:
Set-Location <install\path>
- Place Beewolf.ps1 into the path:
(Invoke-WebRequest -URI "https://raw.githubusercontent.com/Operational-Sciences-Group/Project-Beewolf/main/Beewolf.ps1").Content > Beewolf.ps1
Note: in Windows PowerShell 5.1 the > redirection writes the file as UTF-16LE, which PowerShell reads fine but other tools may not; Invoke-WebRequest with -OutFile Beewolf.ps1 and the same URL writes the raw bytes instead.
Usage:
.\Beewolf.ps1
If the execution policy refuses the script, start it with powershell -ep bypass -File .\Beewolf.ps1; the -ep bypass in the SilentCleanup command only covers the relaunched, elevated copy.
All the contents of this repository should be used for authorized and/or educational purposes only. Any misuse of this repository will not be the responsibility of the author or of any other collaborator.
Credit to enigma0x3 and Matt Graeber for the UAC bypass.
Credit to Jonas L for discovering the vuln.