TAU-TIN - PrintNightmare

By gallen posted Jul 02, 2021 12:07 AM


Threat Analysis Unit - Threat Intelligence Notification

Title: PrintNightmare CVE-2021-34527

Based on current information, any remotely accessible Windows system running the Print Spooler service is at risk of privileged remote-code-execution IF the attacker has remote access to affected machines AND valid user credentials. Patches are not available at this time (July 1, 2021), so defenders should use other compensating controls to mitigate the risk of this vulnerability.

Update, Fri Jul 2 11:26:35 EDT 2021: This vulnerability has been assigned CVE-2021-34527 and Microsoft has posted additional information here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527. This link contains a group-policy mitigation for hosts that are not print servers.

Summary

On June 29, 2021, a researcher going by the name zhiniang peng released a proof-of-concept exploit for what they assumed demonstrated the vulnerability covered in CVE-2021-1675. The PoC was published on GitHub, providing a publicly available 0-day exploit for remote code execution and local privilege escalation.

The PrintNightmare vulnerability in the RpcAddPrinterDriver function allows a remote party to bypass administrator authentication checks. The exploit requires valid credentials, and allows the attacker to remotely add and install a “print driver” on machines which have the print spooler service enabled. The installed print driver can also be specified by the attacker, so malicious content can be uploaded and executed in the context of the Print Spooler service which runs as SYSTEM.

Exploits like PrintNightmare can be used in a couple of ways:

  • To gain remote access to a machine and perform actions on objective
  • To perform a local privilege escalation from user -> SYSTEM and then perform actions on objective

The VMware Threat Analysis Unit (TAU) expects the vulnerability to become a common post-compromise tactic used by attackers after they have gathered credentials in an environment.

Once an attacker gains access to a system via PrintNightmare, they still need to work their way through the rest of the kill-chain to perform their actions on objective. Carbon Black products focus on these behaviors and provide detections and preventions across the kill-chain.

TAU believed it was important to get this information to our customers as quickly as possible. TAU is working to test and create additional detections, and as more is learned about this vulnerability we will continue to update this blog. As we complete the formal testing process for some of these recommendations, we will push them to the products in watchlists or feeds where appropriate.

Recommended Mitigation Strategies

Below is a table of options and the risks associated with them when implemented:

Mitigation: *Group Policy Mitigation
Risks: Mitigation for clients, not print servers, described here: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527.
Recommended: Yes

Mitigation: Stop Print Spooler Service
Risks: All printing operations will stop working.
Recommended: No

Mitigation: Adjust Print Spooler Service File System ACLs
Risks: No new drivers can be added to the system running the print spooler service. Note that some virtual desktop software may have printing issues with this ACL in place.
Recommended: Yes (but again, no new printers can be added/updated. Printing operations will still work)

* Update: 2021-07-02T11:34-04:00


A great article by Truesec on how to implement the proper print spooler file system ACLs can be found here.
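As an added example (editor's code, not from the TAU-TIN or the Truesec article), the following PowerShell applies, verifies, and reverts the file system ACL mitigation from the table above by denying the SYSTEM account Modify rights on the spool drivers directory, so spoolsv.exe (which runs as SYSTEM) can no longer write a new driver there. It assumes the default drivers path, an elevated session, and PowerShell 5 or later; the function names are mine.

```powershell
# Added example (editor's code, not from the TAU-TIN or the Truesec article).
# Deny, verify and revert a SYSTEM "Modify" ACE on the print driver directory.
# Assumes the default path below and an elevated PowerShell 5+ session.
$DriversDir    = 'C:\Windows\System32\spool\drivers'
$SystemAccount = 'NT AUTHORITY\SYSTEM'
$Modify        = [System.Security.AccessControl.FileSystemRights]::Modify

function Set-SpoolDriversDenyAcl {
    # spoolsv.exe runs as SYSTEM, so denying SYSTEM Modify on the whole tree stops
    # it from writing a dropped driver DLL there (and also blocks legitimate driver adds).
    $acl  = Get-Acl -Path $DriversDir
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $SystemAccount, $Modify, 'ContainerInherit, ObjectInherit', 'None', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $DriversDir -AclObject $acl
}

function Get-SpoolDriversDenyAce {
    # Returns the explicit Deny ACE(s) for SYSTEM that cover Modify, or nothing.
    (Get-Acl -Path $DriversDir).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $SystemAccount -and
        (($_.FileSystemRights -band $Modify) -eq $Modify)
    }
}

function Remove-SpoolDriversDenyAcl {
    # Revert once the host is patched so driver installation works again.
    $acl = Get-Acl -Path $DriversDir
    Get-SpoolDriversDenyAce | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
    Set-Acl -Path $DriversDir -AclObject $acl
}

Set-SpoolDriversDenyAcl
if (Get-SpoolDriversDenyAce) { 'Deny ACE present' } else { 'Deny ACE missing' }
# The spooler keeps running; only driver writes into the directory are blocked.
Get-Service -Name Spooler | Select-Object Name, Status, StartType
```

Run Remove-SpoolDriversDenyAcl after patching to restore driver installation.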

Please ensure you are running the latest versions of the Carbon Black sensors on your systems. This ensures the most up-to-date capabilities are enabled in your environment and zero-touch prevention rules are in place to mitigate common attacker techniques across common adversary choke-points like credential theft, defense evasion, and privilege escalation.


Customer Protection

VMware Carbon Black Audit and Remediation:

Audit and Remediation customers can use the query below to determine the creation time of files in the C:\Windows\System32\spool\drivers\ directory. This query will allow customers to determine whether any files were recently created as part of exploitation of this vulnerability.

Print Spooler driver files by date and hash:

SELECT path, uid, gid, size,
  datetime(mtime, 'unixepoch') AS file_last_modified_time,
  datetime(btime, 'unixepoch') AS file_created_time,
  file_version, product_version, md5, sha1, sha256
FROM file JOIN hash USING (path)
WHERE path LIKE 'C:\Windows\System32\spool\drivers\%%'
  AND type = 'regular'
ORDER BY mtime, btime DESC;


The query below will allow customers to search the Windows Print Service event logs for events related to Point and Print Restrictions. This query was adapted from a PowerShell query available online.

Search Windows event logs for failed module loads by the print service, which may indicate attempts to load malicious print drivers:

SELECT * FROM windows_eventlog
WHERE channel = 'Microsoft-Windows-PrintService/Admin'
  AND eventid=808 AND level=2;


Additionally, the following query will allow customers to query their endpoints and determine where the Print Spooler service is installed and running.

Print Spooler Service Status:

SELECT display_name, status, pid, start_type, user_account
FROM services WHERE name = 'Spooler';

 

VMware Carbon Black App Control: 

The most effective way of blocking this technique is by running VMware Carbon Black App Control in High or Medium enforcement.

Since this exploit depends on a file being written to disk and then loaded, App Control would block that file from loading if it was not already approved or did not meet trust rules.

Additionally, a UeX community user (@otakar) recommended an App Control policy that will help to mitigate files being created by this exploit. To further prevent exploitation, Carbon Black strongly encourages customers to disable the Trusted Updater called "Allow Printer Installations".

VMware Carbon Black EDR and Cloud Enterprise EDR:

Carbon Black TAU continuously scans the internet for known command and control servers (e.g. Cobalt Strike). These C2 servers are updated weekly in the Known IOCs feed and are invaluable in helping detect attacker compromise.

There are numerous post-compromise detectors which ship within the Carbon Black EDR products that can help in detecting attacker behaviors including but not limited to detectors in the following feeds:

  • Advanced Threats
  • AMSI Threat Intelligence (Enterprise EDR only)
  • CB Community
  • Suspect Indicators

There is currently a detector shipped in Carbon Black's EDR product that is known to catch suspect post-compromise behaviors from the print spooler service.

Advanced Threats

Title: Privilege Escalation - spoolsv Launching Command Interpreters with SYSTEM Privileges

EDR Query: ((parent_name:spoolsv.exe username:SYSTEM (process_name:powershell.exe or process_name:cmd.exe or process_name:wscript.exe or process_name:cscript.exe or process_name:mshta.exe)) AND -(cmdline:system32/spool/DRIVERS))


Enterprise EDR Query: ((((parent_name:spoolsv.exe AND process_username:SYSTEM) AND (process_name:powershell.exe OR process_name:cmd.exe OR process_name:wscript.exe OR process_name:cscript.exe OR process_name:mshta.exe)) AND -(process_cmdline:system32\/spool\/DRIVERS))) -legacy:true
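The same detection logic expressed against native Windows logs, as an added example (editor's code, not a Carbon Black query) for hosts without an EDR sensor: Security event 4688 (process creation) where spoolsv.exe spawns one of the listed interpreters as SYSTEM, excluding command lines that reference spool\DRIVERS exactly as the query above does, plus the PrintService/Admin event 808 check from the Audit and Remediation section. It assumes process creation auditing with command line logging is enabled; the function and variable names are mine.

```powershell
# Added example (editor's code, not a Carbon Black query). Assumes Security
# auditing of process creation (event 4688) with command line logging is enabled.
$Interpreters = 'powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'

function Get-EventDataField {
    # Read a named EventData field from the record's XML rather than relying on
    # the positional Properties[] order, which differs between OS builds.
    param($Event, [string]$Name)
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } | Select-Object -ExpandProperty '#text'
}

function Find-SpoolsvInterpreterLaunch {
    # parent spoolsv.exe AND SYSTEM (SID S-1-5-18; 4688 records the machine account
    # name for SYSTEM) AND child is an interpreter AND cmdline not under spool\DRIVERS.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $parent = Get-EventDataField $_ 'ParentProcessName'
            $child  = Get-EventDataField $_ 'NewProcessName'
            $sid    = Get-EventDataField $_ 'SubjectUserSid'
            $cmd    = Get-EventDataField $_ 'CommandLine'
            if ($parent -like '*\spoolsv.exe' -and $sid -eq 'S-1-5-18' -and $child -and
                $Interpreters -contains (Split-Path -Path $child -Leaf).ToLower() -and
                $cmd -notmatch 'system32\\spool\\DRIVERS') {
                [pscustomobject]@{ Time = $_.TimeCreated; Parent = $parent; Child = $child; CommandLine = $cmd }
            }
        }
}

function Find-SpoolerModuleLoadFailure {
    # Event 808 at Error level: the spooler failed to load a plug-in module,
    # the same condition as the page's windows_eventlog query.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PrintService/Admin'; Id = 808; Level = 2 } `
        -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

Find-SpoolsvInterpreterLaunch | Format-Table -AutoSize
Find-SpoolerModuleLoadFailure | Format-Table -AutoSize
```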

 

Other useful queries that can be used to detect suspect behaviors related to PrintNightmare executions:

Spoolsv loads a malicious payload but the payload crashes:

EDR & EEDR Query: parent_name:spoolsv.exe AND childproc_name:werfault.exe

 

File modifications to the drivers directory where Spoolsv will write the malicious payload:

EDR: filemod:windows\\system32\\spool\\drivers*

EEDR: filemod_name:windows\\system32\\spool\\drivers*

 

VMware Carbon Black Endpoint Standard:

In order to take full advantage of the most up-to-date threat intelligence detection and prevention rules, Endpoint Standard customers must be running CBC sensor version 3.6 or greater.

Customers running 3.6 sensor versions are protected out of the box without any need to configure rules relating to post-compromise behaviors such as credential theft and defense evasion techniques. The latest versions of the CBC sensors will also detect and block suspect PowerShell usage typically associated with post-compromise behaviors.

Endpoint Standard detection analytics will generically identify and alert on behaviors associated with process injection, reverse shells, and unusual process behaviors. 

TAU also recommends that customers enable the following Anti-Malware engine settings to ensure the best possible protection:

  • Delay execute for cloud scan
  • Submit unknown binaries for analysis

 

Endpoint Standard Investigate Queries:

Spoolsv launching cmd interpreters

((((parent_name:spoolsv.exe AND process_username:SYSTEM) AND (process_name:powershell.exe OR process_name:cmd.exe OR process_name:wscript.exe OR process_name:cscript.exe OR process_name:mshta.exe)) AND -(process_cmdline:system32\/spool\/DRIVERS)))


Spoolsv loads a malicious payload but the payload crashes

parent_name:spoolsv.exe AND childproc_name:werfault.exe



About TAU-TINs
For more information about TAU-TIN or to receive future notifications, follow the instructions in our About TAU-TIN post.

