Recently a new vulnerability named PrintNightmare CVE 2021-1675/34527 surfaced which scored 8.2/10 on the Common Vulnerability Scoring System. PrintNightmare allows an attacker to execute remote commands to gain full access to a domain controller and take over the whole domain — with user-level access. The vulnerability takes advantage of the Windows-native service called Print Spooler that is enabled by default on all Windows machines (servers and endpoints).
They are two distinct vulnerabilities.
It was initially released as a minor elevation of privilege vulnerability (CVE 2021-1675) and Microsoft released a patch for it. However, it was later exploited as a remote code execution (CVE 2021-34527) by researchers from Tencent & NSFOCUS Security Lab. Fortunately and unfortunately, both the vulnerabilities are similar but they are distinct. For CVE 1675, the attacker needs to have direct access to the machine to use a malicious DLL file to escalate privileges. While with CVE 34527, the attacker can remotely inject DLLs.
MITRE ATT&CK techniques mapped to the PrintNightmare vulnerability:
As there are multiple ways to exploit the vulnerability, there are multiple ways to detect PrintNightmare. Before proceeding, please make sure to enable these logs:
Detection case 1
Abnormal parent-child relationship for the processes:
Detecting remote print spooler driver load using file share logs:
Detection case 6
Detecting spoolsv registry changes:
How do you patch this?
Microsoft released a patch for the Windows versions impacted Security Update Guide – Microsoft Security Response Center but we have seen reports that attackers can still exploit the vulnerability.
Alternatively, if you don’t require printspooler on your domain controllers, it is advisable to disable it. You can disable the printspooler server altogether, or alternatively, disable it until the Microsoft patch is verified.
Conclusion
PrintNightmare is a critical vulnerability that can have a dramatic impact on a company’s operations if exploited by attackers. It is recommended to monitor the print spooler service closely and disable the print spooler service if not necessary. With this exploit an adversary gains the ability to escalate privileges and execute remote code injection.
References
www.exabeam.com
www.blumira.com
They are two distinct vulnerabilities.
It was initially released as a minor elevation of privilege vulnerability (CVE 2021-1675) and Microsoft released a patch for it. However, it was later exploited as a remote code execution (CVE 2021-34527) by researchers from Tencent & NSFOCUS Security Lab. Fortunately and unfortunately, both the vulnerabilities are similar but they are distinct. For CVE 1675, the attacker needs to have direct access to the machine to use a malicious DLL file to escalate privileges. While with CVE 34527, the attacker can remotely inject DLLs.
A significant impact: How attackers can exploit this vulnerability
- Domain administrator access: With domain administrator access, an attacker can get full control of the network.
- Credential stuffing: Attackers can use the domain password to use brute force against other sensitive accounts like social media, bank accounts, etc.
- Deploy malware/keylogger: Attackers can use keylogger, or any other malware to harm any user on your network.
MITRE ATT&CK techniques mapped to the PrintNightmare vulnerability:
- T1569.002 – System Services: Service Execution
- T1574.002 – Hijack Execution Flow: DLL Side Loading
- T1068 – Exploitation for Privilege Escalation
As there are multiple ways to exploit the vulnerability, there are multiple ways to detect PrintNightmare. Before proceeding, please make sure to enable these logs:
- 4688/1(Sysmon) – Process Creation logs
- 808 – Microsoft Windows PrintService/Admin
- 11 (Sysmon) – File Creation Logs
- 7 (Sysmon) – Image Load Logs
Into action: Detecting the exploit with Exabeam
You can find the exploit on any Github repository but please make sure to run it under a controlled environment (and only if you must run the exploit).Detection case 1
Abnormal parent-child relationship for the processes:
- Event Code – 4688/1
- Process Name – PowerShell.exe or cmd.exe or werfault.exe
- Parent Process Name – spoolsv.exe
Detecting remote print spooler driver load using file share logs:
- Event Code – 5145
- ShareName – \\*\IPC$
- AccessMask – 0x3
- RelativeTargetName – spoolss
Caption : Detecting remote print spooler driver load using 5145
Detection case 3
Detecting abnormal DLL load via sysmon:
- Event Code – 11 or 7
- Image Name – spoolsv.exe
- Target File Name – \System32\spool\drivers\x64\3\* (Check for new DLLs added here)
Caption: Detecting DLL load for spoolsv.exe using Sysmon
Detection case 4
Detecting failed spooler logs:
- Event Code – 808
- Image Name – C:\Windows\System32\spool\drivers\*
- Module Name – myexploit.dll or evil.dll or addcube.dll or rev.dll or rev2.dll or main64.dll or mimilib.dll
Detection case 5
Detecting unsigned DLL loading (NOTE: this could trigger some some false positives as it differs environment-to-environment ):
- Event Code – 7
- Image Name – spoolsv.exe
- Signed – False
Detection case 6
Detecting spoolsv registry changes:
- Event Code – 13
- TargetObject – HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-*\<new dll file>
How do you patch this?
Microsoft released a patch for the Windows versions impacted Security Update Guide – Microsoft Security Response Center but we have seen reports that attackers can still exploit the vulnerability.
Alternatively, if you don’t require printspooler on your domain controllers, it is advisable to disable it. You can disable the printspooler server altogether, or alternatively, disable it until the Microsoft patch is verified.
- You can disable it via GPO if you configured printspooler via GPO.
- If you don’t have it enabled in the GPO, check to see if it is running as a service under services.
Conclusion
PrintNightmare is a critical vulnerability that can have a dramatic impact on a company’s operations if exploited by attackers. It is recommended to monitor the print spooler service closely and disable the print spooler service if not necessary. With this exploit an adversary gains the ability to escalate privileges and execute remote code injection.
References
Detecting Printnightmare CVE 2021-1675/34527 Using Exabeam
PrintNightmare allows an attacker to execute remote commands to gain full access to a domain controller and take over the whole domain — with user-level access.
www.exabeam.com
PrintNightmare (CVE-2021-1675 and CVE 2021-34527) Explained
Proof-of-concept exploit code was published on Github on June 29, 2021 for a vulnerability (CVE-2021-1675) in Print Spooler.
www.blumira.com
