Published on July 30, 2021

Understanding PrintNightmare: The importance of having visibility over new attack vectors

What is PrintNightmare?

PrintNightmare (CVE-2021-34527) is a recently disclosed vulnerability in the Microsoft Windows Print Spooler service (spoolsv.exe). Any authenticated user, a regular domain account is enough, can ask the spooler on a remote host to install a printer driver and thereby make the service load an attacker-supplied DLL, which then executes as NT AUTHORITY\SYSTEM. In other words, it is Remote Code Execution (RCE) with the highest local privileges, available to an attacker as soon as they have obtained initial access to the network and a single set of domain credentials. From that position it is trivial to create accounts with administrative privileges or to move on to other hosts. Because the Print Spooler service is enabled by default on Windows servers and workstations, including domain controllers, the issue drew immediate worldwide attention, and organizations need to address it urgently. 

Microsoft has released security updates to resolve the PrintNightmare vulnerability, but to date the fix has been found to be effective only under certain configurations. Where Point and Print is configured to suppress warnings and elevation prompts on driver installation, the patch can be bypassed and an attacker can still exploit the machine and obtain SYSTEM privileges. While the issue was initially treated as a lower-severity local privilege escalation, Microsoft has since upgraded the severity classification of the vulnerability to critical. 


Running the attack

The figure below shows a Windows Server 2016 installation with a regular domain user account. 

Users list on the Domain Controller 

The exploit is run against the Windows Server 2016 host, which is also the domain controller, using the regular domain user's credentials and passing as a parameter the path to a DLL that contains the reverse shell.

The reverse shell, generated and obfuscated with msfvenom, is named “reverse1.dll” and is loaded into the victim's system after a successful exploitation. 

Once the exploit is launched, a command shell is activated with “nt authority\system” access rights. We can now see that the attacker is running with elevated privileges on the Domain Controller. At this point, attackers have full freedom of operation and can proceed to deploy additional stages, such as a RAT or ransomware.

PrintNightmare Under the Lens

ReaQta-Hive’s Behavioural Tree showing the PrintNightmare exploit

The entire exploit is captured and displayed via the ReaQta-Hive behavioural tree, which presents the attack information enriched with all connected behaviours, allowing analysts and security teams to easily follow the incident as it unfolds. From the above image, we are able to see a series of events spawning from “spoolsv.exe”: first, the reverse shell DLL is dropped to disk, then it is loaded via rundll32.exe and finally a cmd.exe instance is started, allowing the attacker to run arbitrary commands, in this case “whoami.exe”. The entire behavioural chain runs under elevated privileges as “NT AUTHORITY\SYSTEM”. 

The series of post-exploitation events leading to the instancing of the reverse shell

Maintaining continuous visibility over all assets allows security teams to quickly identify such exploitation attempts and react accordingly even in the presence of critical vulnerabilities like PrintNightmare.
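The behavioural chain described above (spoolsv.exe writing a DLL into the driver store, then spawning rundll32.exe and a shell as SYSTEM) is exactly the kind of thing a detection rule can key on. The script below is an added example, not ReaQta-Hive code: it is a minimal hunt over Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records, and the `$events` array is constructed for the example. In production, the same function can be fed with `Get-WinEvent` output mapped to the same property names.

```powershell
# Added example, not ReaQta-Hive code: hunt for the PrintNightmare behavioural
# chain over Sysmon-style records. The $events array below is CONSTRUCTED for
# this example; feed the function real Event ID 1 / 11 records in production.

$driverStore = 'C:\Windows\System32\spool\drivers\x64\3'

# Children of spoolsv.exe that have no business appearing on a server.
$suspiciousChildren = @('cmd.exe', 'powershell.exe', 'rundll32.exe',
                        'regsvr32.exe', 'mshta.exe', 'wscript.exe')

$events = @(
    # benign noise: the spooler starting its normal driver isolation host
    [pscustomobject]@{ Id = 1;  Utc = '2021-07-06T09:10:00Z'
                       Image = 'C:\Windows\System32\PrintIsolationHost.exe'
                       ParentImage = 'C:\Windows\System32\spoolsv.exe'
                       User = 'NT AUTHORITY\SYSTEM'; CommandLine = 'PrintIsolationHost.exe -Embedding' }
    # the chain from the figure: DLL drop, rundll32 load, cmd.exe, whoami
    [pscustomobject]@{ Id = 11; Utc = '2021-07-06T09:14:02Z'
                       Image = 'C:\Windows\System32\spoolsv.exe'
                       TargetFilename = "$driverStore\reverse1.dll" }
    [pscustomobject]@{ Id = 1;  Utc = '2021-07-06T09:14:03Z'
                       Image = 'C:\Windows\System32\rundll32.exe'
                       ParentImage = 'C:\Windows\System32\spoolsv.exe'
                       User = 'NT AUTHORITY\SYSTEM'; CommandLine = "rundll32.exe $driverStore\reverse1.dll" }
    [pscustomobject]@{ Id = 1;  Utc = '2021-07-06T09:14:04Z'
                       Image = 'C:\Windows\System32\cmd.exe'
                       ParentImage = 'C:\Windows\System32\rundll32.exe'
                       User = 'NT AUTHORITY\SYSTEM'; CommandLine = 'cmd.exe' }
    [pscustomobject]@{ Id = 1;  Utc = '2021-07-06T09:14:05Z'
                       Image = 'C:\Windows\System32\whoami.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'
                       User = 'NT AUTHORITY\SYSTEM'; CommandLine = 'whoami' }
)

function Find-PrintNightmareIndicators {
    param([Parameter(Mandatory)] [object[]] $Events,
          [int] $CorrelationWindowSeconds = 60)

    $hits = New-Object System.Collections.Generic.List[object]

    # 1. The loader step: spoolsv.exe writing a DLL into the x64 driver store.
    $drops = $Events | Where-Object {
        $_.Id -eq 11 -and $_.Image -like '*\spoolsv.exe' -and
        $_.TargetFilename -like "$driverStore\*.dll"
    }
    foreach ($d in $drops) {
        $hits.Add([pscustomobject]@{ Rule = 'SpoolerDllDrop'; Utc = $d.Utc; Detail = $d.TargetFilename })
    }

    # 2. spoolsv.exe spawning a shell or LOLBin (it runs as SYSTEM, so the child does too).
    $children = $Events | Where-Object {
        $_.Id -eq 1 -and $_.ParentImage -like '*\spoolsv.exe' -and
        $suspiciousChildren -contains (Split-Path -Leaf $_.Image)
    }
    foreach ($c in $children) {
        $hits.Add([pscustomobject]@{ Rule = 'SpoolerSuspiciousChild'; Utc = $c.Utc; Detail = $c.CommandLine })
    }

    # 3. Correlate: a DLL drop followed within the window by a suspicious child
    #    is the full PrintNightmare chain, not two unrelated oddities.
    foreach ($d in $drops) {
        $t0 = [datetime]::Parse($d.Utc).ToUniversalTime()
        foreach ($c in $children) {
            $dt = ([datetime]::Parse($c.Utc).ToUniversalTime() - $t0).TotalSeconds
            if ($dt -ge 0 -and $dt -le $CorrelationWindowSeconds) {
                $hits.Add([pscustomobject]@{ Rule = 'PrintNightmareChain'; Utc = $c.Utc
                                             Detail = "$($d.TargetFilename) -> $($c.CommandLine)" })
            }
        }
    }
    return $hits
}

Find-PrintNightmareIndicators -Events $events | Format-Table -AutoSize
```

On the constructed input the function returns three hits: the drop of reverse1.dll, the rundll32.exe child of spoolsv.exe, and the correlated chain joining them; the benign PrintIsolationHost.exe child is not flagged. The later cmd.exe and whoami.exe are descendants of rundll32.exe rather than direct children of the spooler, so in a real deployment the rule should be paired with process-tree (ancestry) tracking, which is what the behavioural tree above provides.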


ReaQta’s Recommendations

ReaQta suggests that companies apply the revised update from Microsoft.

Speaking in response to PrintNightmare, ReaQta’s Security Architect Sam Lai recommends: “disable the Print Spooler service for domain controllers and Active Directory admin systems that do not require the print service”. The following options provide additional mitigation where needed:

Option 1: Disable the Print Spooler service

Use the following PowerShell commands from an elevated prompt:

  • Stop-Service -Name Spooler -Force
  • Set-Service -Name Spooler -StartupType Disabled

Impact of workaround →  Printing will be disabled both locally and remotely. 

Option 2:  Disable inbound remote printing through Group Policy

Under Computer Configuration → Administrative Templates → Printers, set the “Allow Print Spooler to accept client connections” policy to Disabled, then restart the Print Spooler service for the change to take effect.

Impact of workaround →  This prevents inbound remote printing operations, blocking the remote attack vector. The system will no longer function as a print server, but local printing will still be possible through a directly attached device. 
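To turn the two options above into something repeatable across a fleet, the script below audits a host's PrintNightmare exposure and can apply either workaround. It is an added example and is neither ReaQta's nor Microsoft's code. It assumes the registry values Microsoft documented alongside the July 2021 Print Spooler updates (the Point and Print values `NoWarningNoElevationOnInstall` and `UpdatePromptSettings`, which make the patch bypassable when set, and `RestrictDriverInstallationToAdministrators`), and it treats `RegisterSpoolerRemoteRpcEndPoint = 2` under the Printers policy key as the local equivalent of disabling the “Allow Print Spooler to accept client connections” policy; verify that mapping against your own ADMX templates before relying on it, and prefer the domain GPO where you can.

```powershell
# Added example, neither ReaQta's nor Microsoft's code. Run from an elevated
# PowerShell. Registry names below are the July 2021 Print Spooler policy
# values as documented by Microsoft; RegisterSpoolerRemoteRpcEndPoint = 2 is
# assumed to be the backing value of the disabled "accept client connections"
# policy (verify against your ADMX before relying on it).
param(
    [switch] $DisableSpooler,       # apply Option 1
    [switch] $BlockRemotePrinting   # apply the local-policy equivalent of Option 2
)

$printersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$pointAndPrint  = Join-Path $printersPolicy 'PointAndPrint'

function Get-RegDword {
    param([string] $Path, [string] $Name)
    # $null when the key or value is absent; for the Point and Print values
    # "absent" is the secure state.
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-PrintSpoolerExposure {
    $svc       = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $role      = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole   # 4 or 5 = domain controller
    $status    = if ($svc) { "$($svc.Status)" }    else { 'NotInstalled' }
    $startType = if ($svc) { "$($svc.StartType)" } else { 'NotInstalled' }

    $state = [ordered]@{
        ComputerName                  = $env:COMPUTERNAME
        IsDomainController            = ($role -ge 4)
        SpoolerStatus                 = $status
        SpoolerStartType              = $startType
        AcceptsClientConnections      = ((Get-RegDword $printersPolicy 'RegisterSpoolerRemoteRpcEndPoint') -ne 2)
        NoWarningNoElevationOnInstall = Get-RegDword $pointAndPrint 'NoWarningNoElevationOnInstall'
        UpdatePromptSettings          = Get-RegDword $pointAndPrint 'UpdatePromptSettings'
        RestrictDriverInstallationToAdministrators = Get-RegDword $pointAndPrint 'RestrictDriverInstallationToAdministrators'
        Findings                      = @()
    }

    if ($state.SpoolerStatus -eq 'Running') {
        if ($state.IsDomainController) {
            $state.Findings += 'Print Spooler running on a domain controller: apply Option 1 unless printing is required'
        }
        if ($state.AcceptsClientConnections) {
            $state.Findings += 'Spooler accepts remote client connections: remote attack vector open (Option 2 not applied)'
        }
    }
    if ($state.NoWarningNoElevationOnInstall -eq 1 -or ($state.UpdatePromptSettings -in @(1, 2))) {
        $state.Findings += 'Point and Print suppresses warnings/elevation: the July 2021 patch is bypassable here'
    }
    if ($state.RestrictDriverInstallationToAdministrators -ne 1) {
        $state.Findings += 'Non-administrators may still install printer drivers'
    }
    [pscustomobject] $state
}

function Disable-PrintSpooler {
    # Option 1 from the page: stops local and remote printing on this host.
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

function Block-RemotePrinting {
    # Local-policy equivalent of Option 2: local printing keeps working, but the
    # spooler no longer exposes its RPC endpoint to remote clients. Non-admin
    # driver installation is restricted at the same time.
    New-Item -Path $pointAndPrint -Force | Out-Null   # -Force also creates the parent key
    Set-ItemProperty -Path $printersPolicy -Name 'RegisterSpoolerRemoteRpcEndPoint' -Value 2 -Type DWord
    Set-ItemProperty -Path $pointAndPrint  -Name 'RestrictDriverInstallationToAdministrators' -Value 1 -Type DWord
    Restart-Service -Name Spooler -Force             # policy is read at service start
}

Get-PrintSpoolerExposure | Format-List
if ($DisableSpooler)      { Disable-PrintSpooler }
if ($BlockRemotePrinting) { Block-RemotePrinting }
if ($DisableSpooler -or $BlockRemotePrinting) { Get-PrintSpoolerExposure | Format-List }
```

Run it without switches first to get a read-only report; `-DisableSpooler` on domain controllers and `-BlockRemotePrinting` on member servers that still need local printing mirror the two options above. A non-empty Findings list after the workaround is applied means the host still needs attention, typically because Point and Print has been configured by an existing GPO that overrides the local values.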

ReaQta-MDR ensures cyber resilience through Proactive Threat Hunting

As part of ReaQta’s commitment to our customers, the ReaQta SOC team has been working on the detection of exploitation of this vulnerability since it first emerged, so as to ensure that our customers’ infrastructures remain safe and secure. Proactive Threat Hunting helps in the early detection of new threats and in the discovery of any weak spots that can be targeted by attackers to gain or maintain elevated access to the infrastructure. 

The Proactive Threat Hunting service, managed by experienced threat hunters and analysts, is available via ReaQta-MDR, providing 24/7 round-the-clock coverage across the infrastructure by responding to any suspicious or malicious activity.