By Splunk Threat Research Team July 02, 2021
On Monday, June 21st, Microsoft updated a previously reported vulnerability (CVE-2021-1675) to increase its severity from Low to Critical and its impact to Remote Code Execution. On Tuesday, June 29th, a security researcher posted a working proof-of-concept named PrintNightmare that affects virtually all versions of Windows systems. Yesterday, July 1, Microsoft assigned this flaw a new CVE, CVE-2021-34527.
Update 07/06: Microsoft released an emergency patch to address this vulnerability, but it did not fully resolve the issue as the patch only addresses the Remote Code Execution component. An attacker can still use the local privilege escalation component to gain SYSTEM level privileges.
Update 07/15: Microsoft reported a new privilege escalation vulnerability, CVE-2021-34481, that could allow attackers to execute malicious code as SYSTEM. No patch is available at the time of writing.
The vulnerability affects the Print Spooler service, which is enabled by default on Windows systems, and allows adversaries to trick this service into installing a remotely hosted print driver using a low privileged user account. Successful exploitation effectively allows adversaries to execute code in the target system (Remote Code Execution) in the context of the Print Spooler service which runs with SYSTEM privileges (Privilege Escalation).
The prerequisites for successful exploitation consist of:
- Print Spooler service enabled on the target system
- Network connectivity to the target system (initial access has been obtained)
- Hash or password for a low privileged user (or computer) account
Impact
In the most impactful scenario, an attacker would be able to leverage this vulnerability to escalate their privileges in an Active Directory environment from a low privileged domain user to full domain administrator privileges by executing malicious code on a Domain Controller as shown below.
Successful exploitation to obtain a reverse meterpreter shell on a Domain Controller
The Splunk Threat Research team recommends taking immediate actions to mitigate this vulnerability using the documented workarounds as no official patches have been released yet. If you want a very quick way of understanding your exposure to this vulnerability, you can do so if you have Universal Forwarders deployed across your server fleet. Simply enable the WinHostMon input from the Splunk Add-On for Windows to report on the status of services on each server (highlighted below):
####### Host monitoring #######
[WinHostMon://Service]
interval = 600
disabled = 0
type = Service
Then, perform a search across the WinHostMon data to easily show you what servers have the Print Spooler service enabled or running. This can be used to track mitigation progress:
index=<your index> sourcetype=WinHostMon source=service DisplayName="Print Spooler" | stats values(DisplayName) as Disp_Name,values(StartMode) as Start_mode,values(Started) as Started,values(State) as State by host
We also encourage a defense-in-depth approach to complement the prevention efforts with detection and monitoring controls. This blog post describes detection opportunities cyber defenders can leverage to identify successful exploitation of CVE-2021-34527 in their environments.
These detections were developed in an Attack Range environment where exploitation was reproduced with some of the released POCs. This analysis was focused on 3 data sources:
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
- WinEventLog:Microsoft-Windows-PrintService/Admin
- WinEventLog:Microsoft-Windows-PrintService/Operational
We are also releasing the attack_data datasets generated using the publicly available exploit against a victim endpoint. Security teams can leverage these datasets to validate or enhance detection security posture without having to actually replicate the attacks.
Print service logs may not be enabled by default. To ingest them into Splunk, a similar configuration as below can be used in inputs.conf.
[WinEventLog://Microsoft-Windows-PrintService/Operational]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false
index = win
[WinEventLog://Microsoft-Windows-PrintService/Admin]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false
index = win
Detections for PrintNightmare
The Splunk Threat Research team is releasing a new analytic story named ‘PrintNightmare CVE-2021-34527’ to help security operations center (SOC) analysts detect successful exploitation scenarios. This story consists of seven new and two existing detection analytics.
In this blog post we are providing both sourcetype and datamodel SPL searches where possible. Please note, datamodel searches require CIM compliance.
You can find this content as well as other security analytic stories on GitHub and in Splunkbase. The Splunk Security Essentials app also has all these detections now available via push update.
Spoolsv Spawning Rundll32
Detects Spoolsv with a child process of rundll32.exe.
Sysmon:
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventID=1 parent_process_name=spoolsv.exe process_name=rundll32.exe
| stats count min(_time) as firstTime max(_time) as lastTime by Computer, User,
parent_process_name, process_name, OriginalFileName, process_path, CommandLine
Datamodel:
| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe Processes.process_name=rundll32.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
Spoolsv Suspicious Process Access
Identifies suspicious process access events from Spoolsv.exe with high granted process rights access to the target process.
Sysmon:
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=10 SourceImage = "*\\spoolsv.exe" CallTrace = "*\\Windows\\system32\\spool\\DRIVERS\\x64\\*"
TargetImage IN ("*\\rundll32.exe", "*\\spoolsv.exe") GrantedAccess = 0x1fffff |
stats count min(_time) as firstTime max(_time) as lastTime by Computer SourceImage
TargetImage GrantedAccess CallTrace EventCode
Spoolsv Suspicious Loaded Modules
Identifies potentially suspicious module loads into Spoolsv.exe based on DLL loading from a specific path used by CVE-2021-34527.
The minimum countImgLoaded value is set to 3 as the exploit will load 3 modules (unidrv.dll, kernelbase.dll and the suspect dll) at the same time in specific target folder.
Sysmon:
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=7 Image ="*\\spoolsv.exe" ImageLoaded="*\\Windows\\System32\\spool\\drivers\\x64\\*"
ImageLoaded = "*.dll" | stats dc(ImageLoaded) as countImgloaded values(ImageLoaded)
as ImgLoaded count min(_time) as firstTime max(_time) as lastTime by Image Computer
EventCode | where countImgloaded >= 3
Suspicious Rundll32 no Command Line Arguments
Identifies Rundll32.exe with no command line arguments.
Datamodel:
| tstats count FROM datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name
| rename "Processes.*" as *
| regex process="(rundll32\.exe.{0,4}$)"
| join process_id
[| tstats count FROM datamodel=Endpoint.Ports where Ports.dest_port !="0" by Ports.process_id Ports.dest Ports.dest_port
| rename "Ports.*" as *
| rename dest as connection_to_CNC]
| table _time dest parent_process_name process_name process_path process process_id connection_to_CNC dest_port
Spoolsv.exe writing a DLL
Detects Spoolsv.exe writing a DLL.
Sysmon:
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventID=11 process_name=spoolsv.exe file_path="*\\spool\\drivers\\x64\\*"
file_name=*.dll | stats count min(_time) as firstTime max(_time) as lastTime by
dest, UserID, process_name, file_path, file_name, TargetFilename
Datamodel:
| tstats count FROM datamodel=Endpoint.Processes where Processes.process_name=spoolsv.exe by _time Processes.process_id Processes.process_name Processes.dest
| rename "Processes.*" as *
| join process_guid _time
[| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path="*\\spool\\drivers\\x64\\*" Filesystem.file_name="*.dll" by _time Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path
| rename "Filesystem.*" as *
| fields _time dest file_create_time file_name file_path process_name process_path process]
| dedup file_create_time
| table dest file_create_time, file_name, file_path, process_name
Print Spooler Adding A Printer Driver
Identifies Print Spooler adding a new Printer Driver.
source="WinEventLog:Microsoft-Windows-PrintService/Operational" EventCode=316 category = "Adding a printer driver" Message = "*kernelbase.dll,*" Message = "*UNIDRV.DLL,*" Message = "*.DLL.*"
| stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message
Print Spooler Failed to Load a Plug-in
Detects when a new Printer Plug-In has failed to load.
source="WinEventLog:Microsoft-Windows-PrintService/Admin" ((ErrorCode="0x45A" (EventCode="808" OR EventCode="4909"))
OR ("The print spooler failed to load a plug-in module" OR "\\drivers\\x64\\"))
| stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message
Detection |
Techniques ID |
Tactic(s) |
Description |
Persistence, Privilege Escalation |
Identifies Print Spooler adding a new Printer Driver. |
||
Print Spooler Failed to Load a Plug-in (New) |
Persistence, Privilege Escalation |
Detects when a new Printer Plug-In has failed to load. |
|
Persistence, Privilege Escalation |
Detects Spoolsv with a child process of rundll32.exe |
||
Persistence, Privilege Escalation |
Identifies potentially suspicious module loads into Spoolsv.exe based on DLL loading from a specific path used by CVE-2021-34527 |
||
Privilege Escalation |
Identifies suspicious process access events from Spoolsv.exe to a Target process. |
||
Spoolsv Writing a DLL (New) (sourcetype search) Spoolsv Writing a DLL - Sysmon (New) (datamodel search) |
Persistence, Privilege Escalation |
Detects Spoolsv.exe writing a DLL. |
|
Defense Evasion |
Identifies Rundll32.exe with no command line arguments |
||
Suspicious Rundll32 no Command Line Arguments with Network (Existing) |
Defense Evasion |
Identifies Rundll32.exe with no command line arguments with a network connection. |
As always, security at Splunk is a family business. Credit to authors and collaborators: