code/windows/audit/kisa/sam-file-access-control.yaml

id: sam-file-access-control

info:
  name: SAM File Access Control Check
  author: nukunga[SungHyunJeon]
  severity: medium
  description: |
    Ensure the SAM file (%SystemRoot%\system32\config\SAM) is secured so that only the Administrators and SYSTEM groups have full access.The presence of permissions for any other users or groups represents a potential security vulnerability.
  impact: |
    If users or groups besides Administrators and SYSTEM have access to the SAM file, attackers could exploit this to obtain sensitive password data, raising the risk of password-based attacks.
  remediation: |
    Revoke any permissions assigned to users or groups other than Administrators and SYSTEM by:
    - Running the command: > cacls %systemroot%\system32\config\SAM /remove:g [UserOrGroup]
    - Or by adjusting the permissions through File Explorer.
  reference:
    - https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85
  tags: sam,account-management,code,windows-audit,kisa

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      $samPath = "$env:SystemRoot\system32\config\SAM"
      if (-Not (Test-Path $samPath)) {
          "SAM_FILE_NOT_FOUND"
          exit
      }
      # Retrieve the ACL for the SAM file
      $acl = Get-Acl $samPath
      # Define allowed identities (variations may exist)
      $allowed = @("BUILTIN\Administrators", "Administrators", "NT AUTHORITY\SYSTEM", "SYSTEM")
      $vulnerable = $false
      foreach ($ace in $acl.Access) {
          $account = $ace.IdentityReference.ToString()
          if ($allowed -notcontains $account) {
              $vulnerable = $true
              break
          }
      }
      if ($vulnerable) {
          "SAM_ACCESS_VULNERABLE"
      } else {
          "SAM_ACCESS_COMPLIANT"
      }

    matchers:
      - type: word
        words:
          - "SAM_ACCESS_VULNERABLE"
# digest: 490a00463044022040dec32d4771631e7b3d39511a48983e2fadad35eb9c1c0ddd873fbdf3d204ab02203870f2731378bab592f0218f083a88ca737324ef53a99f9a182488e58c645970:922c64590222798bb761d5b6d8e72950
docs: add KISA cloud vulnerability inspection guide for Windows Server 2025-02-03 11:22:27 -08:00			`id: sam-file-access-control`

			`info:`
			`name: SAM File Access Control Check`
			`author: nukunga[SungHyunJeon]`
			`severity: medium`
			`description: \|`
Enhancement 2025-06-19 18:28:59 +05:30			`Ensure the SAM file (%SystemRoot%\system32\config\SAM) is secured so that only the Administrators and SYSTEM groups have full access.The presence of permissions for any other users or groups represents a potential security vulnerability.`
docs: add KISA cloud vulnerability inspection guide for Windows Server 2025-02-03 11:22:27 -08:00			`impact: \|`
Enhancement 2025-06-19 18:28:59 +05:30			`If users or groups besides Administrators and SYSTEM have access to the SAM file, attackers could exploit this to obtain sensitive password data, raising the risk of password-based attacks.`
docs: add KISA cloud vulnerability inspection guide for Windows Server 2025-02-03 11:22:27 -08:00			`remediation: \|`
Enhancement 2025-06-19 18:28:59 +05:30			`Revoke any permissions assigned to users or groups other than Administrators and SYSTEM by:`
			`- Running the command: > cacls %systemroot%\system32\config\SAM /remove:g [UserOrGroup]`
			`- Or by adjusting the permissions through File Explorer.`
			`reference:`
			`- https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85`
			`tags: sam,account-management,code,windows-audit,kisa`
docs: add KISA cloud vulnerability inspection guide for Windows Server 2025-02-03 11:22:27 -08:00
			`self-contained: true`

			`code:`
			`- pre-condition: \|`
			`IsWindows();`
			`engine:`
			`- powershell`
			`- powershell.exe`
			`args:`
			`- -ExecutionPolicy`
			`- Bypass`
			`pattern: "*.ps1"`
			`source: \|`
			`$samPath = "$env:SystemRoot\system32\config\SAM"`
			`if (-Not (Test-Path $samPath)) {`
			`"SAM_FILE_NOT_FOUND"`
			`exit`
			`}`
			`# Retrieve the ACL for the SAM file`
			`$acl = Get-Acl $samPath`
			`# Define allowed identities (variations may exist)`
			`$allowed = @("BUILTIN\Administrators", "Administrators", "NT AUTHORITY\SYSTEM", "SYSTEM")`
			`$vulnerable = $false`
			`foreach ($ace in $acl.Access) {`
			`$account = $ace.IdentityReference.ToString()`
			`if ($allowed -notcontains $account) {`
			`$vulnerable = $true`
			`break`
			`}`
			`}`
			`if ($vulnerable) {`
			`"SAM_ACCESS_VULNERABLE"`
			`} else {`
			`"SAM_ACCESS_COMPLIANT"`
			`}`
tags -update 2025-04-03 00:35:31 +05:30
docs: add KISA cloud vulnerability inspection guide for Windows Server 2025-02-03 11:22:27 -08:00			`matchers:`
			`- type: word`
			`words:`
chore: sign templates 🤖 2025-07-10 10:32:02 +00:00			`- "SAM_ACCESS_VULNERABLE"`
			`# digest: 490a00463044022040dec32d4771631e7b3d39511a48983e2fadad35eb9c1c0ddd873fbdf3d204ab02203870f2731378bab592f0218f083a88ca737324ef53a99f9a182488e58c645970:922c64590222798bb761d5b6d8e72950`