Need Help with Fixing HiveNightmare Vulnerability Using icacls

Asked By TechWizKid42 On

I'm trying to mitigate the HiveNightmare vulnerability that was identified a few years ago. To do this, I've come across a command that I need to run on Windows: `icacls %windir%\system32\config\*.* /inheritance:e`. However, when I use PowerShell, I get an error stating that the system can't find the specified path. I decided to modify the command to use the full path: `icacls C:\Windows\system32\config\*.* /inheritance:e`, and this one executes without errors.

I assumed this would resolve the ACL issues associated with the config directory, especially after deleting all shadow copies. But when I run a script to check for vulnerabilities, it returns true, indicating that the command didn't work as intended. Here's the script I used to verify vulnerability:

```powershell
$vulnerable = $false
# S-1-5-32-545 is the well-known SID of the built-in Users group
$LocalUsersGroup = Get-LocalGroup -SID 'S-1-5-32-545'

if ($vulnerable -eq $false) {
    # Read the ACL of the SAM hive file
    $checkPermissions = Get-Acl "$env:windir\System32\Config\sam"
    if ($LocalUsersGroup) {
        # Flag the system if any ACE names the Users group
        if ($CheckPermissions.Access.IdentityReference -match $LocalUsersGroup.Name) {
            $vulnerable = $true
        }
    }
}

# Follow similar checks for SYSTEM and SECURITY files
return $vulnerable
```

So, I'm wondering, am I doing something wrong in my command or the way I'm validating the results? Any suggestions?

4 Answers

Answered By CodeCrafter99 On

It sounds like you're running into some issues because the command you've used (`icacls %windir%\system32\config\*.* /inheritance:e`) is made for the Command Prompt, not PowerShell. Instead, try using this PowerShell-friendly version:

`icacls $env:windir\system32\config\*.* /inheritance:e`. That should help address the error you're encountering. Also, have you checked to see if the vulnerability has already been patched with the latest Windows updates? Sometimes, updating is the simplest solution and might save you from dealing with these command issues!

Answered By DevOpsDude On

It seems like you might need to tweak how you are checking permissions. Instead of using `-match`, try switching to `-contains` since you're working with an array instead of a string for `IdentityReference`. This small change could be what you need to get accurate results about vulnerability!

TechWizKid42 -

Thanks for the tip! I’ll try that and see if it resolves the issue.

Answered By ScriptingGuru77 On

You're right that the command is supposed to change the ACL permissions by enabling inheritance, but keep in mind that changing permissions on the files themselves may not be enough if the parent folder has the same user group assigned. Make sure to apply ACL fixes to the parent directory too. You also need to remember that the results from your script can depend on effective permissions, which might involve various groups the user could belong to. You might also want to explore a Group Policy Object (GPO) for managing access rights if possible. It’s usually a more robust way to handle permissions.

Answered By PowerShellNinja23 On

You could be running into issues with how PowerShell processes those commands. It's crucial to consider that environment variables in PowerShell should be referenced using `$env:VARIABLE` rather than `%VARIABLE%`. Additionally, looking into using `Get-Acl` and `Set-Acl` functions might suit your needs better than relying solely on icacls. This might give you more control over verifying and adjusting ACLs properly.
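
A verification check along the lines the answers discuss, as an added example that is not part of any post in this thread: it compares ACEs by SID instead of by name, covers SAM, SYSTEM and SECURITY plus the parent folder, and lists remaining shadow copies. The function name `Get-HiveUsersAce` and the output property names are hypothetical.

```powershell
# Added example. Run from an elevated PowerShell session.
# Get-HiveUsersAce is a hypothetical helper name, not a built-in cmdlet.
function Get-HiveUsersAce {
    param(
        [string]$ConfigDir = (Join-Path $env:windir 'System32\config'),
        [string[]]$Hives   = @('SAM', 'SYSTEM', 'SECURITY')
    )
    $usersSid = 'S-1-5-32-545'   # BUILTIN\Users, the SID used in the question
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $read     = [System.Security.AccessControl.FileSystemRights]::ReadData

    # Include the folder: files with inheritance enabled take their ACEs from it.
    $targets = @($ConfigDir) + @($Hives | ForEach-Object { Join-Path $ConfigDir $_ })

    foreach ($path in $targets) {
        $acl = Get-Acl -LiteralPath $path
        # Request SIDs rather than names: exact comparison, no regex match,
        # and no dependence on the localized group name.
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($rule.IdentityReference.Value -ne $usersSid) { continue }
            if ($rule.AccessControlType -ne 'Allow') { continue }
            [pscustomobject]@{
                Path        = $path
                IsHive      = ($path -ne $ConfigDir)
                Rights      = $rule.FileSystemRights
                CanReadData = $rule.FileSystemRights.HasFlag($read)
                Inherited   = $rule.IsInherited
            }
        }
    }
}

$findings = @(Get-HiveUsersAce)
$findings | Format-Table -AutoSize

# True only when BUILTIN\Users holds an Allow ACE with read-data rights on a hive file.
$vulnerable = [bool]($findings | Where-Object { $_.IsHive -and $_.CanReadData })
"Users can read hive data: $vulnerable"

# Shadow copies keep the ACLs they were created with, so list any that remain.
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, InstallDate, VolumeName
```

The result covers ACEs granted to the Users group only; access a user gains through other groups is not evaluated.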
