A Nightmare on Spooler Street
A few weeks ago we mentioned a long list of vulnerabilities patched by Microsoft on June’s Patch Tuesday. Among those was what was originally thought to be a local privilege escalation involving the Windows Print Spooler, CVE-2021-1675. Further details leaked this week show that the vulnerability, now dubbed “PrintNightmare”, also allows remote code execution through the Windows RPC call RpcAddPrinterDriver. This makes it possible for an attacker to remotely install a driver to a print server via local resources. The exploit will work on fully patched systems and give the attacker SYSTEM level privileges.
A proof-of-concept was originally released on GitHub at https://github.com/hhlxf/PrintNightmare, but it was removed and re-published under https://github.com/afwu/PrintNightmare. An Impacket script PoC can be found at https://github.com/cube0x0/CVE-2021-1675.
The ConnectWise CRU has been working tirelessly to identify methods of detecting exploitation based on log artifacts and network traffic. We are sharing that intelligence along with Elastic queries that will work within the Perch platform or can be modified for your own SIEM solution.
Windows Sysmon Event ID 13
Twitter user @dez_ found that Windows Sysmon Event ID 13, RegistryEvent (Value Set), logs the driver configs being replaced.
Windows Sysmon Event ID 11 & 23
Twitter user @mvelazco reports that Windows Sysmon Event IDs 11 and 23 log the driver file creation and deletion, respectively, by spoolsv.exe.
Windows PrintService Event ID 316
Microsoft-Windows-PrintService/Operational Event ID 316 was also found to log a message like the following:
“Printer driver [file] for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, AddUser.dll,AddUser.dll. No user action is required”.
The ConnectWise CRU was able to test the PoC from cube0x0 and was able to successfully get SYSTEM level access on a remote server.
Perch Elastic Queries
Printer Driver Update
winlog.channel: "Microsoft-Windows-PrintService/Operational" AND winlog.event_id:316
winlog.provider_name: "Microsoft-Windows-Sysmon" AND (winlog.event_id:(11 OR 23) AND winlog.event_data.Image:*spoolsv* AND winlog.event_data.TargetFilename:*drivers* AND winlog.event_data.TargetFilename:*dll)
Registry Value Set
winlog.provider_name:"Microsoft-Windows-Sysmon" AND winlog.event_id:(13) AND process.name:"spoolsv.exe"
SMB File Access
(fileinfo.magic:("PE32+ executable (DLL) (GUI) x86-64, for MS Windows") OR fileinfo.magic:("PE32+ executable (DLL) (GUI) x86, for MS Windows")) AND smb.share:* AND smb.filename:*
Print Spooler Driver Load Failure
winlog.channel:"Microsoft-Windows-PrintService/Admin" AND winlog.event_id:808
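The four Windows log queries above (PrintService 316 and 808, Sysmon 11/23 and 13), expressed as an offline triage check over exported events and grouped per host. This is an added example, not ConnectWise or Perch code; it assumes nested Winlogbeat-style JSON carrying the field names used in the queries, and the rule names, host names and sample events are constructed.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

SYSMON, PRINTSVC = "Microsoft-Windows-Sysmon", "Microsoft-Windows-PrintService/"

def field(event, dotted):
    # Read a dotted field name, as written in the queries, from a nested event.
    for key in dotted.split("."):
        event = event.get(key, "") if isinstance(event, dict) else ""
    return event

def like(value, pattern):
    # Case-insensitive wildcard match, mirroring the *term* syntax of the queries.
    return fnmatchcase(str(value).lower(), pattern.lower())

def matched_rules(ev):
    # Names of the Windows log queries above that this single event satisfies.
    eid, channel = str(field(ev, "winlog.event_id")), field(ev, "winlog.channel")
    sysmon = field(ev, "winlog.provider_name") == SYSMON
    image, target = (field(ev, "winlog.event_data." + k) for k in ("Image", "TargetFilename"))
    checks = {
        "printer_driver_update": channel == PRINTSVC + "Operational" and eid == "316",
        "spooler_driver_file": sysmon and eid in ("11", "23") and like(image, "*spoolsv*")
                               and like(target, "*drivers*") and like(target, "*dll"),
        "registry_value_set": sysmon and eid == "13" and like(field(ev, "process.name"), "spoolsv.exe"),
        "driver_load_failure": channel == PRINTSVC + "Admin" and eid == "808",
    }
    return [name for name, ok in checks.items() if ok]

def rules_by_host(events):
    # Group matched rule names per host; hosts matching several rules stand out.
    out = defaultdict(set)
    for ev in events:
        for rule in matched_rules(ev):
            out[field(ev, "host.name") or "unknown"].add(rule)
    return dict(out)

# Constructed sample events (not real telemetry); host names and paths are made up.
SAMPLE = [
    {"host": {"name": "print01"}, "winlog": {"channel": PRINTSVC + "Operational", "event_id": 316}},
    {"host": {"name": "print01"}, "process": {"name": "spoolsv.exe"}, "winlog": {"provider_name": SYSMON, "event_id": 13}},
    {"host": {"name": "print01"}, "winlog": {"provider_name": SYSMON, "event_id": 11, "event_data": {
        "Image": r"C:\Windows\System32\spoolsv.exe",
        "TargetFilename": r"C:\Windows\System32\spool\drivers\x64\3\AddUser.dll"}}},
    {"host": {"name": "ws07"}, "winlog": {"provider_name": SYSMON, "event_id": 11, "event_data": {
        "Image": r"C:\Windows\explorer.exe", "TargetFilename": r"C:\Users\a\Downloads\drivers\x.dll"}}},
]

if __name__ == "__main__":
    print(rules_by_host(SAMPLE))
```

A DLL written under a drivers path by a process other than spoolsv.exe (the ws07 event) matches nothing, which is the filter the Sysmon 11/23 query relies on.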
The official recommendation to mitigate this threat is to disable Printer Services for any device that does not require it.
Another method recommended by some, which did not work in our test environment, is to restrict the capabilities to add/delete printer drivers to only privileged groups: “Configure the policy value for Computer Configuration » Windows Settings » Security Settings » Local Policies » Security Options » ‘Devices: Prevent users from installing printer drivers’ to ‘Enabled’.”