@lawndoc
Created July 21, 2021 18:28
HiveNightmare ACL Fix (and Shadow Copies)
# Change permissions and delete shadows.
# A vulnerable host lists BUILTIN\Users with (I)(RX) on the SAM hive, so the
# string match below doubles as the vulnerability check.
$checkPermissions = icacls c:\Windows\System32\config\sam
if ($checkPermissions -like '*BUILTIN\Users:(I)(RX*)*') {
    # Re-enable inheritance on every hive in the config directory, then remove
    # existing shadow copies, which still contain the readable hives.
    icacls c:\windows\system32\config\*.* /inheritance:e
    vssadmin delete shadows /quiet /all
    $vulnerable = $true
}
else {
    $vulnerable = $false
}

# Check permissions
if ($vulnerable -eq $true) {
    $checkPermissions = icacls C:\windows\system32\config\sam
    if ($checkPermissions -like '*BUILTIN\Users:(I)(RX*)*') {
        $permissionsSuccess = $false
        Write-Host "ACL change failed. Check permissions running script."
    }
    else {
        $permissionsSuccess = $true
        Write-Host "Successfully reset permission inheritance on affected files."
    }
}

# Check shadow copies. Counting Win32_ShadowCopy instances is more reliable than
# Win32_ShadowStorage.UsedSpace, which is $null when no shadow storage exists and
# an array when more than one volume has it.
if ($vulnerable -eq $true) {
    $remainingShadows = @(Get-WmiObject Win32_ShadowCopy).Count
    if ($remainingShadows -eq 0) {
        $shadowSuccess = $true
        Write-Host "Successfully deleted old volume shadow copies."
    }
    else {
        $shadowSuccess = $false
        Write-Host "Shadow deletion failed. Security software may be blocking this action."
    }
}

# Check if fixed
if ($vulnerable -eq $true) {
    if ($permissionsSuccess -eq $true -and $shadowSuccess -eq $true) {
        $fixed = $true
    }
    else {
        $fixed = $false
    }
}
else {
    $fixed = 'Not applicable'
}

# Create a new shadow copy now that the hives carry the corrected ACLs
if ($vulnerable -eq $true -and $shadowSuccess -eq $true -and $permissionsSuccess -eq $true) {
    wmic shadowcopy call create Volume='C:\'
    Write-Host ""
}

# Output data
Write-Host "vulnerable: $vulnerable"
Write-Host "Fixed: $fixed"
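An audit-only companion, added here and not part of the gist: it checks the SAM, SECURITY and SYSTEM hives with Get-Acl instead of matching icacls text, counts the shadow copies still present, and changes nothing, so it can run as a compliance check before or after the fix. The function name and the output fields are assumptions chosen for fleet reporting.

```powershell
# Audit-only check (added here; not part of lawndoc's gist). The function name
# and output fields are assumptions chosen for compliance reporting.
function Test-HiveNightmareExposure {
    [CmdletBinding()]
    param(
        # All three hives live in the same config directory and share its ACL.
        [string[]]$Hives = @('SAM', 'SECURITY', 'SYSTEM')
    )
    $usersSid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'   # BUILTIN\Users
    $configDir = Join-Path $env:SystemRoot 'System32\config'
    $readData  = [int][System.Security.AccessControl.FileSystemRights]::ReadData

    $hiveResults = foreach ($hive in $Hives) {
        $path = Join-Path $configDir $hive
        # Get-Acl reads only the security descriptor, so it works while the
        # kernel holds the hive file open.
        $acl = Get-Acl -Path $path -ErrorAction Stop
        $exposed = $false
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            } catch { continue }   # orphaned SID; cannot be BUILTIN\Users
            # (I)(RX) is ReadAndExecute, which includes ReadData.
            if ($sid -eq $usersSid -and (([int]$ace.FileSystemRights -band $readData) -ne 0)) {
                $exposed = $true
            }
        }
        [pscustomobject]@{ Hive = $hive; UsersCanRead = $exposed }
    }

    # Shadow copies taken while the ACL was wrong still contain readable hives,
    # so report them separately; they need review (or deletion) even after
    # inheritance has been restored.
    $shadowCount = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        HivesExposed = @($hiveResults | Where-Object UsersCanRead | ForEach-Object Hive)
        ShadowCopies = $shadowCount
        Exposed      = @($hiveResults | Where-Object UsersCanRead).Count -gt 0
        Details      = $hiveResults
    }
}

Test-HiveNightmareExposure | Format-List
```

Run it as SYSTEM or an administrator so every hive's security descriptor is readable; a host that reports Exposed = False but ShadowCopies greater than 0 still needs its older snapshots reviewed.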
lawndoc commented Jul 21, 2021

Make sure you are running the script as system via SCCM or similar
