PrintNightmare (CVE-2021-1675)

redhead0ntherun
2 min read · Jul 1, 2021

If you have not heard, there is a zero-day vulnerability actively being exploited in the wild. The vulnerability was originally “patched” in the Microsoft June 2021 Patch Tuesday update issued on June 8, 2021. It's a big issue because it impacts operating system versions from Windows 7 SP1 through Server 2019. The vulnerability allows for Remote Code Execution (RCE) and privilege escalation to SYSTEM. Why is this bad? Well…it basically means an attacker can remotely take over a system and escalate to the highest privilege possible — meaning if your Domain Controllers (DC) are running the Print Spooler service, an attacker can take over a domain easily.

Mitigation

What do you do about it? Patch…when Microsoft releases a patch. Hopefully the patch will come out prior to the next Patch Tuesday (7/12/2021). In the meantime, I recommend disabling the Print Spooler service where possible and, if that is not possible, implementing the following detection technique.

Detection Technique

The main goal here is to identify DLLs loaded by the Print Spooler service that are not commonly loaded within your environment, are not signed by Microsoft, and do not carry a valid signature. This can be accomplished by narrowing in on Image Load events; in Sysmon this is Event ID 7 (Image Loaded).

A great reference for this detection was created by Olaf Hartong. Ref: https://gist.github.com/olafhartong/af523adcd7df7706bae527af8fee1700#file-2021-1675-spooler-imageloads-kql

// Servers only (Domain Controllers and other non-workstation devices).
let serverlist=DeviceInfo
| where DeviceType != "Workstation"
| distinct DeviceId;
// Hashes of images loaded from the spool driver store that are rare in the
// fleet, not rooted in a Microsoft signer, and not validly signed.
let suspiciousdrivers=DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers"
| distinct SHA1
| invoke FileProfile(SHA1, 1000)
| where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
// Join back to the load events for context; loads initiated by the
// Configuration Manager client (ccmexec.exe) are excluded as known benign.
suspiciousdrivers
| join kind=inner (DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers") on SHA1
| where InitiatingProcessFileName != "ccmexec.exe"
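The same predicate applied to Sysmon Event ID 7 records instead of Defender's DeviceImageLoadEvents, as an added example that is not from this post or from Olaf Hartong's gist. The event records, file names and prevalence table are constructed; the field names (Image, ImageLoaded, Hashes, Signed, Signature, SignatureStatus) are Sysmon's own, and the filter narrows to loads by spoolsv.exe rather than excluding ccmexec.exe.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DRIVER_DIR = r"c:\windows\system32\spool\drivers"
PREVALENCE_THRESHOLD = 50  # GlobalPrevalence < 50, as in the KQL above

def make_event(image_loaded, signed, signature, status, sha1):
    """Constructed Sysmon Event ID 7 record as Windows event XML (fields trimmed)."""
    fields = {"Image": r"C:\Windows\System32\spoolsv.exe", "ImageLoaded": image_loaded,
              "Hashes": f"SHA1={sha1}", "Signed": signed, "Signature": signature,
              "SignatureStatus": status}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>7</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

def parse_event(xml_text):
    """Flatten the EventData name/value pairs into a dict, plus the EventID."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): (d.text or "") for d in root.findall(".//e:EventData/e:Data", NS)}
    ev["EventID"] = int(root.find(".//e:System/e:EventID", NS).text)
    return ev

def sha1_of(hashes_field):
    """Sysmon's Hashes field reads 'SHA1=...,MD5=...,SHA256=...'; pull out the SHA1."""
    return dict(p.split("=", 1) for p in hashes_field.split(",") if "=" in p).get("SHA1", "").lower()

def is_suspicious(ev, prevalence):
    """Same predicate as the KQL: spoolsv.exe loading a rare, non-Microsoft, non-valid DLL."""
    if ev.get("EventID") != 7 or not ev.get("Image", "").lower().endswith("\\spoolsv.exe"):
        return False
    if not ev.get("ImageLoaded", "").lower().startswith(DRIVER_DIR):
        return False
    ms_signed = ev.get("Signed", "").lower() == "true" and ev.get("Signature", "").startswith("Microsoft")
    rare = prevalence.get(sha1_of(ev.get("Hashes", "")), 0) < PREVALENCE_THRESHOLD
    return rare and not ms_signed and ev.get("SignatureStatus") != "Valid"

def triage(events_xml, prevalence):
    """Return (ImageLoaded, SHA1) for every load that passes the predicate."""
    return [(ev["ImageLoaded"], sha1_of(ev["Hashes"]))
            for ev in map(parse_event, events_xml) if is_suspicious(ev, prevalence)]

# Constructed sample: a stock Microsoft driver, a validly signed third-party driver
# and an unsigned DLL seen on a single host; PREVALENCE stands in for FileProfile().
DRV = r"C:\Windows\System32\spool\drivers\x64\3"
SAMPLE_EVENTS = [
    make_event(DRV + r"\UNIDRV.DLL", "true", "Microsoft Windows", "Valid", "1" * 40),
    make_event(DRV + r"\vendorui.dll", "true", "Example Printer Co", "Valid", "2" * 40),
    make_event(DRV + r"\New\unknown.dll", "false", "", "Unavailable", "3" * 40),
]
PREVALENCE = {"1" * 40: 250000, "2" * 40: 12, "3" * 40: 1}
```

Note that the third-party driver is not flagged even though it is rare: like the KQL, the predicate requires both a non-Microsoft signer and a non-valid signature, so a properly signed vendor driver only surfaces if its signature fails validation.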

Update (2021-07-03)
Microsoft has confirmed that the vulnerability is mitigated with the original patch on everything but Domain Controllers.

Mitigation

Option 1 — Disable the Print Spooler service.

Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

Option 2 — Disable inbound printing via GPO
Computer Configuration / Administrative Templates / Printers
Disable the “Allow Print Spooler to accept client connections” policy to block remote attacks.

This option will block the RCE component of this attack, effectively requiring an attacker to already be on a vulnerable system to perform the attack.

redhead0ntherun

Cyber Security enthusiast, detection developer and engineer, researcher, consultant.