Threat Advisory: PrintNightmare exploitation in the wild

Jul 02, 2021
Written by Davinsi Labs

A recent proof-of-concept exploit was published (and quickly deleted) for an unpatched 0-day affecting all supported Windows operating systems. Unfortunately, by the time the exploit was deleted the proof of concept had already been forked, and it is now being used by adversaries in the wild, with a heavy focus on exploiting Domain Controllers to gain full domain compromise.

The vulnerability, dubbed PrintNightmare (CVE-2021-34527), exploits a flaw in RpcAddPrinterDriver. The legitimate function is designed to allow remote printing scenarios and driver installations. It contains a logic flaw allowing adversaries to remotely add any print driver to Windows without being an administrator. An adversary who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges.

Scope of the vulnerability:

Windows servers and clients run the Print Spooler service by default, including Domain Controllers, so all Windows Server and Windows Client versions (ranging from Windows Server 2008 – 2019, including Windows 10) are affected.

Remediation:

No remediation or patching is provided yet by Microsoft. This blog post will be updated in case a security patch is published.

Mitigation:

Davinsi Labs strongly recommends and urges our customers to follow one of the two options listed below as rapid mitigation for the ongoing vulnerability, as referenced by Microsoft in its Security Guidance:

  • Option 1: disable the Print Spooler service on all systems where the ability to print, both locally and remotely, is not required.
  • Option 2: disable inbound remote printing through Group Policy on all systems where local printing is required and the system is not acting as a print server.

Technical guidance on the mitigations above can be found here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

Detection:

Our partner Rapid7 advises running the following line of PowerShell to detect any exploitation attempts.

Get-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' | Where-Object { $_.Message -match 'The print spooler failed to load a plug-in module' }

Davinsi Labs strongly recommends enabling 'Microsoft-Windows-PrintService/Operational' and 'Microsoft-Windows-PrintService/Admin' logging on the systems that require the Print Spooler to keep running for the time being, and monitoring for Event ID 316 ('adding a printer driver') and for error messages about failing to load plug-in module DLLs (Event ID 808).

On top of this, if Sysmon is running, make sure to extend your Sysmon config with the ImageLoad events for spoolsv.exe provided by 'LaresLLC': https://github.com/LaresLLC/CVE-2021-1675/blob/main/CVE-2021-1675.xml

Detect any Sysmon ImageLoad events (Event ID 7) targeting spoolsv.exe.

In case you have Microsoft Defender for Endpoint running across your organization, take a look at the following KQL query for Sentinel by Olaf Hartong to detect any exploitation attempts: https://gist.github.com/olafhartong/af523adcd7df7706bae527af8fee1700

Hunting:

Hunting for the exploitation of PrintNightmare can be done through Native Windows Logging and Sysmon logging:

  • Hunt for the Print Spooler service terminating unexpectedly due to the loading of the payload DLL (Windows System Event ID 7031)
  • Hunt for spoolsv.exe spawning werfault.exe as a result of the Print Spooler service terminating unexpectedly (Windows Security Event ID 4688)
  • Hunt for unknown and unsigned drivers loaded from 'c:\windows\system32\spool\drivers' (Sysmon Event ID 6)
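The detection and hunting indicators above, collected in one script. This is an added example written for this advisory, not code from Davinsi Labs, Rapid7 or LaresLLC; it assumes it runs elevated on the host being inspected, that the two PrintService channels were enabled as recommended, and that Sysmon (when present) writes to Microsoft-Windows-Sysmon/Operational.

```powershell
# Added example (not from the advisory): gather the PrintNightmare indicators listed above
# from the native Windows logs and from Sysmon on the local host.
function Get-PrintNightmareIndicators {
    param([int]$Hours = 24)
    $start    = (Get-Date).AddHours(-$Hours)
    $spoolDir = 'C:\Windows\System32\spool\drivers'
    $findings = [System.Collections.Generic.List[object]]::new()

    # Native channels: 316 = printer driver added, 808 = plug-in module DLL failed to load,
    # 7031 = service terminated unexpectedly, 4688 = process creation.
    $native = @(
        @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316 },
        @{ LogName = 'Microsoft-Windows-PrintService/Admin';       Id = 808 },
        @{ LogName = 'System';                                     Id = 7031 },
        @{ LogName = 'Security';                                   Id = 4688 }
    )
    foreach ($f in $native) {
        $f.StartTime = $start
        foreach ($e in (Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue)) {
            $msg = $e.Message
            # 7031 and 4688 are noisy: keep only the spooler crash and spoolsv -> werfault cases.
            $keep = switch ($e.Id) {
                7031    { $msg -match 'Print Spooler' }
                4688    { ($msg -match 'werfault\.exe') -and ($msg -match 'spoolsv\.exe') }
                default { $true }
            }
            if ($keep) {
                $findings.Add([pscustomobject]@{ Time = $e.TimeCreated; Log = $e.LogName; Id = $e.Id
                                                 Detail = ($msg -split "`r?`n")[0] })
            }
        }
    }

    # Sysmon: ID 6 (driver loaded) and ID 7 (image loaded) where the file sits under the
    # spool driver directory; ID 7 is further limited to loads into spoolsv.exe.
    $sysmon = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6, 7; StartTime = $start }
    foreach ($e in (Get-WinEvent -FilterHashtable $sysmon -ErrorAction SilentlyContinue)) {
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.ImageLoaded -notlike "$spoolDir\*") { continue }
        if ($e.Id -eq 7 -and $data.Image -notlike '*\spoolsv.exe') { continue }
        $findings.Add([pscustomobject]@{ Time = $e.TimeCreated; Log = 'Sysmon'; Id = $e.Id
                                         Detail = "$($data.ImageLoaded) signed=$($data.Signed) ($($data.Signature))" })
    }
    $findings | Sort-Object Time
}

Get-PrintNightmareIndicators -Hours 24 | Format-Table -AutoSize -Wrap
```

An empty result only means none of the listed indicators fired in the window; a 316 followed shortly by an 808, a 7031 or a Sysmon load from the spool driver directory is the sequence worth escalating.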

This blog post will be continuously updated as new findings are published and once a patch becomes available from Microsoft.

Reach out to info@davinsi.com if you need any assistance from our team of security experts.

We hope this threat advisory helps you react quickly to ongoing threats and underlines the need for patching and security monitoring.
