admin/nuclei-templates
1
0
Fork 0
mirror of https://github.com/projectdiscovery/nuclei-templates.git synced 2026-02-09 20:23:21 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
22f1d94449fcb8bdd55f54594deac3539108b51e
nuclei-templates/code/windows/audit/kisa/sam-file-access-control.yaml
ghost b2039aeba4 chore: sign templates 🤖
2025-07-10 10:32:02 +00:00

59 lines
2.2 KiB
YAML
Raw Blame History

id: sam-file-access-control
info:
name: SAM File Access Control Check
author: nukunga[SungHyunJeon]
severity: medium
description: |
Ensure the SAM file (%SystemRoot%\system32\config\SAM) is secured so that only the Administrators and SYSTEM groups have full access.The presence of permissions for any other users or groups represents a potential security vulnerability.
impact: |
If users or groups besides Administrators and SYSTEM have access to the SAM file, attackers could exploit this to obtain sensitive password data, raising the risk of password-based attacks.
remediation: |
Revoke any permissions assigned to users or groups other than Administrators and SYSTEM by:
- Running the command: > cacls %systemroot%\system32\config\SAM /remove:g [UserOrGroup]
- Or by adjusting the permissions through File Explorer.
reference:
- https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85
tags: sam,account-management,code,windows-audit,kisa
self-contained: true
code:
- pre-condition: |
IsWindows();
engine:
- powershell
- powershell.exe
args:
- -ExecutionPolicy
- Bypass
pattern: "*.ps1"
source: |
$samPath = "$env:SystemRoot\system32\config\SAM"
if (-Not (Test-Path $samPath)) {
"SAM_FILE_NOT_FOUND"
exit
}
# Retrieve the ACL for the SAM file
$acl = Get-Acl $samPath
# Define allowed identities (variations may exist)
$allowed = @("BUILTIN\Administrators", "Administrators", "NT AUTHORITY\SYSTEM", "SYSTEM")
$vulnerable = $false
foreach ($ace in $acl.Access) {
$account = $ace.IdentityReference.ToString()
if ($allowed -notcontains $account) {
$vulnerable = $true
break
}
}
if ($vulnerable) {
"SAM_ACCESS_VULNERABLE"
} else {
"SAM_ACCESS_COMPLIANT"
}
matchers:
- type: word
words:
- "SAM_ACCESS_VULNERABLE"
# digest: 490a00463044022040dec32d4771631e7b3d39511a48983e2fadad35eb9c1c0ddd873fbdf3d204ab02203870f2731378bab592f0218f083a88ca737324ef53a99f9a182488e58c645970:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink