
I Pity the Spool: Detecting PrintNightmare CVE-2021-34527

On Monday, June 21st, Microsoft updated a previously reported vulnerability (CVE-2021-1675) to increase its severity from Low to Critical and its impact to Remote Code Execution. On Tuesday, June 29th, a security researcher posted a working proof-of-concept named PrintNightmare that affects virtually all versions of Windows. Yesterday, July 1, Microsoft assigned this flaw a new CVE, CVE-2021-34527.

Update 07/06: Microsoft released an emergency patch to address this vulnerability, but it did not fully resolve the issue as the patch only addresses the Remote Code Execution component. An attacker can still use the local privilege escalation component to gain SYSTEM level privileges. 

Update 07/15: Microsoft reported a new privilege escalation vulnerability, CVE-2021-34481, that could allow attackers to execute malicious code as SYSTEM. No patch is available at the time of writing.

The vulnerability lives in the Print Spooler service (spoolsv.exe), which is enabled by default on Windows systems, and lets an adversary trick the service into installing a print driver hosted on a remote share using a low privileged user account. Because spoolsv.exe runs as SYSTEM, successful exploitation executes attacker-controlled code on the target system (Remote Code Execution) with SYSTEM privileges (Privilege Escalation).

The prerequisites for successful exploitation consist of:

  • Print Spooler service enabled on the target system
  • Network connectivity to the target system (initial access has been obtained)
  • Hash or password for a low privileged user (or computer) account
     

Impact

In the most impactful scenario, an attacker would be able to leverage this vulnerability to escalate their privileges in an Active Directory environment from a low privileged domain user to full domain administrator privileges by executing malicious code on a Domain Controller as shown below.

Successful exploitation to obtain a reverse meterpreter shell on a Domain Controller

The Splunk Threat Research team recommends taking immediate action to mitigate this vulnerability using the documented workarounds; at the time this post was first published no official patch had been released (see the updates above for the later, partial fixes). If you want a very quick way of understanding your exposure, you can get it from Universal Forwarders already deployed across your server fleet. Simply enable the WinHostMon input from the Splunk Add-On for Windows to report on the status of services on each server (highlighted below):

####### Host monitoring #######
[WinHostMon://Service]
interval = 600
disabled = 0
type = Service

Then, perform a search across the WinHostMon data to easily show you what servers have the Print Spooler service enabled or running. This can be used to track mitigation progress:

index=<your index> sourcetype=WinHostMon source=service DisplayName="Print Spooler"
| stats values(DisplayName) as Disp_Name, values(StartMode) as Start_mode, values(Started) as Started, values(State) as State by host


We also encourage a defense-in-depth approach to complement the prevention efforts with detection and monitoring controls. This blog post describes detection opportunities cyber defenders can leverage to identify successful exploitation of CVE-2021-34527 in their environments.

These detections were developed in an Attack Range environment where exploitation was reproduced with some of the released POCs. The analysis focused on three data sources:

  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • WinEventLog:Microsoft-Windows-PrintService/Admin
  • WinEventLog:Microsoft-Windows-PrintService/Operational
     

We are also releasing the attack_data datasets generated using the publicly available exploit against a victim endpoint. Security teams can leverage these datasets to validate or enhance detection security posture without having to actually replicate the attacks.

The Microsoft-Windows-PrintService/Operational log is disabled by default and must be enabled on each host (from Event Viewer or with wevtutil) before any driver-added (316) events are written; the PrintService/Admin log is enabled by default. To ingest both into Splunk, a configuration like the one below can be used in inputs.conf.

[WinEventLog://Microsoft-Windows-PrintService/Operational]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false
index = win
[WinEventLog://Microsoft-Windows-PrintService/Admin]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
renderXml=false
index = win

Detections for PrintNightmare

The Splunk Threat Research team is releasing a new analytic story named ‘PrintNightmare CVE-2021-34527’ to help security operations center (SOC) analysts detect successful exploitation scenarios. This story consists of seven new and two existing detection analytics. 

In this blog post we are providing both sourcetype and datamodel SPL searches where possible. Please note that the datamodel searches require the Endpoint data model to be populated from CIM-compliant data.

You can find this content as well as other security analytic stories on GitHub and in Splunkbase. The Splunk Security Essentials app also has all these detections now available via push update. 

Spoolsv Spawning Rundll32

Detects Spoolsv with a child process of rundll32.exe.

Sysmon:

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventID=1 parent_process_name=spoolsv.exe process_name=rundll32.exe
| stats count min(_time) as firstTime max(_time) as lastTime by Computer, User, parent_process_name, process_name, OriginalFileName, process_path, CommandLine

Datamodel:

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe Processes.process_name=rundll32.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id


Spoolsv Suspicious Process Access

Identifies suspicious process access events in which spoolsv.exe opens a target process (rundll32.exe or another spoolsv.exe) with full access rights (GrantedAccess 0x1fffff) and the call trace passes through a module loaded from the spool\DRIVERS\x64 directory, i.e. the freshly installed driver DLL.

Sysmon:

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=10 SourceImage="*\\spoolsv.exe" CallTrace="*\\Windows\\system32\\spool\\DRIVERS\\x64\\*" TargetImage IN ("*\\rundll32.exe", "*\\spoolsv.exe") GrantedAccess=0x1fffff
| stats count min(_time) as firstTime max(_time) as lastTime by Computer SourceImage TargetImage GrantedAccess CallTrace EventCode


Spoolsv Suspicious Loaded Modules

Identifies potentially suspicious module loads into Spoolsv.exe based on DLL loading from a specific path used by CVE-2021-34527.

The threshold countImgloaded >= 3 (a distinct count of ImageLoaded per host) is used because the exploit loads three modules from the same driver folder at once: UNIDRV.DLL, kernelbase.dll and the attacker's DLL. A single legitimate driver DLL loaded from spool\drivers\x64 therefore does not trip the rule on its own.

Sysmon:

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=7 Image="*\\spoolsv.exe" ImageLoaded="*\\Windows\\System32\\spool\\drivers\\x64\\*" ImageLoaded="*.dll"
| stats dc(ImageLoaded) as countImgloaded values(ImageLoaded) as ImgLoaded count min(_time) as firstTime max(_time) as lastTime by Image Computer EventCode
| where countImgloaded >= 3


Suspicious Rundll32 no Command Line Arguments with Network

Identifies rundll32.exe launched with no command line arguments that also makes an outbound network connection; the search joins the process on process_id against the Endpoint.Ports data model, so this is the existing "with Network" variant of the detection.

Datamodel: 

| tstats count FROM datamodel=Endpoint.Processes where 
Processes.process_name=rundll32.exe by _time span=1h Processes.process_id 
Processes.process_name Processes.dest Processes.process_path 
Processes.process Processes.parent_process_name 
| rename "Processes.*" as * 
| regex process="(rundll32\.exe.{0,4}$)" 
| join process_id 
    [| tstats count FROM datamodel=Endpoint.Ports where Ports.dest_port !="0" by Ports.process_id Ports.dest Ports.dest_port 
    | rename "Ports.*" as * 
    | rename dest as connection_to_CNC] 
| table _time dest parent_process_name process_name process_path process process_id connection_to_CNC dest_port


Spoolsv.exe writing a DLL

Detects Spoolsv.exe writing a DLL.

Sysmon:

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventID=11 process_name=spoolsv.exe file_path="*\\spool\\drivers\\x64\\*" file_name=*.dll
| stats count min(_time) as firstTime max(_time) as lastTime by dest, UserID, process_name, file_path, file_name, TargetFilename

Datamodel (the join key, process_guid, has to be carried in the by clause of both tstats searches, otherwise the join matches nothing):

| tstats count FROM datamodel=Endpoint.Processes where Processes.process_name=spoolsv.exe by _time Processes.process_guid Processes.process_name Processes.dest
| rename "Processes.*" as *
| join process_guid _time
    [| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path="*\\spool\\drivers\\x64\\*" Filesystem.file_name="*.dll" by _time Filesystem.dest Filesystem.process_guid Filesystem.file_create_time Filesystem.file_name Filesystem.file_path
    | rename "Filesystem.*" as *
    | fields _time dest process_guid file_create_time file_name file_path]
| dedup file_create_time
| table dest file_create_time, file_name, file_path, process_name
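To make the matching logic of the four Sysmon-based rules above concrete (Spoolsv Spawning Rundll32, Spoolsv Suspicious Loaded Modules, Spoolsv.exe writing a DLL, and the rundll32 no-arguments-with-network search), here is an added Python re-implementation run over a constructed set of Sysmon records. This is example code written for this post, not part of Splunk's security content; the host names, process IDs, paths and the payload.dll name are made up, and the event dictionaries use Sysmon's own XML field names (Image, ParentImage, ImageLoaded, TargetFilename) rather than the CIM-normalised fields the SPL searches reference.

```python
"""Sysmon-based PrintNightmare detections re-implemented over sample events.

Added example, not Splunk's content. All events below are constructed."""
import re
from collections import defaultdict

SPOOLSV, RUNDLL32 = "spoolsv.exe", "rundll32.exe"
# Path constraint shared by the EID 7 and EID 11 searches. Splunk matches
# field values case-insensitively, hence IGNORECASE (DRIVERS vs drivers).
SPOOL_X64 = re.compile(r"\\spool\\drivers\\x64\\", re.IGNORECASE)
# Same regex the "no Command Line Arguments" search applies to the process field.
RUNDLL32_NO_ARGS = re.compile(r"rundll32\.exe.{0,4}$", re.IGNORECASE)

SPOOL = r"C:\Windows\System32\spoolsv.exe"
RUND = r"C:\Windows\System32\rundll32.exe"
DRV = r"C:\Windows\System32\spool\DRIVERS\x64\3"

# Constructed sample events (not real telemetry). dc01 carries an exploitation
# chain; ws02 shows benign activity the rules must not flag.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Computer": "dc01", "ProcessId": 4412, "ParentImage": SPOOL,
     "Image": RUND, "CommandLine": "rundll32.exe"},
    {"EventCode": 7, "Computer": "dc01", "Image": SPOOL, "ImageLoaded": DRV + r"\UNIDRV.DLL"},
    {"EventCode": 7, "Computer": "dc01", "Image": SPOOL, "ImageLoaded": DRV + r"\kernelbase.dll"},
    {"EventCode": 7, "Computer": "dc01", "Image": SPOOL, "ImageLoaded": DRV + r"\payload.dll"},
    {"EventCode": 7, "Computer": "dc01", "Image": SPOOL, "ImageLoaded": DRV + r"\payload.dll"},
    {"EventCode": 11, "Computer": "dc01", "Image": SPOOL, "TargetFilename": DRV + r"\New\payload.dll"},
    {"EventCode": 3, "Computer": "dc01", "ProcessId": 4412, "Image": RUND,
     "DestinationIp": "10.0.0.5", "DestinationPort": 4444},
    {"EventCode": 7, "Computer": "ws02", "Image": SPOOL, "ImageLoaded": DRV + r"\UNIDRV.DLL"},
    {"EventCode": 1, "Computer": "ws02", "ProcessId": 812, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": RUND, "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"EventCode": 11, "Computer": "ws02", "Image": SPOOL,
     "TargetFilename": r"C:\Windows\System32\spool\PRINTERS\00005.SPL"},
]


def image_name(path):
    """File-name component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def spoolsv_spawning_rundll32(events):
    """Sysmon EID 1: rundll32.exe whose parent process is spoolsv.exe."""
    return [(e["Computer"], e["CommandLine"]) for e in events
            if e["EventCode"] == 1 and image_name(e["ParentImage"]) == SPOOLSV
            and image_name(e["Image"]) == RUNDLL32]


def spoolsv_suspicious_loaded_modules(events, min_distinct=3):
    """Sysmon EID 7: hosts where spoolsv.exe loaded at least min_distinct
    *distinct* DLLs from spool\\drivers\\x64 (dc(ImageLoaded) >= 3 in SPL).
    A repeated load of the same DLL counts once."""
    per_host = defaultdict(set)
    for e in events:
        if (e["EventCode"] == 7 and image_name(e["Image"]) == SPOOLSV
                and SPOOL_X64.search(e["ImageLoaded"])
                and e["ImageLoaded"].lower().endswith(".dll")):
            per_host[e["Computer"]].add(image_name(e["ImageLoaded"]))
    return {h: sorted(m) for h, m in per_host.items() if len(m) >= min_distinct}


def spoolsv_writing_dll(events):
    """Sysmon EID 11: spoolsv.exe creating a .dll under spool\\drivers\\x64."""
    return [(e["Computer"], e["TargetFilename"]) for e in events
            if e["EventCode"] == 11 and image_name(e["Image"]) == SPOOLSV
            and SPOOL_X64.search(e["TargetFilename"])
            and e["TargetFilename"].lower().endswith(".dll")]


def rundll32_no_args_with_network(events):
    """EID 1 rundll32.exe with an empty command line, joined on (host, pid)
    to an EID 3 network connection with a non-zero destination port, as the
    datamodel search does against Endpoint.Ports."""
    conns = defaultdict(list)
    for e in events:
        if e["EventCode"] == 3 and e.get("DestinationPort", 0) != 0:
            conns[(e["Computer"], e["ProcessId"])].append((e["DestinationIp"], e["DestinationPort"]))
    hits = []
    for e in events:
        if (e["EventCode"] == 1 and image_name(e["Image"]) == RUNDLL32
                and RUNDLL32_NO_ARGS.search(e["CommandLine"])):
            for ip, port in conns.get((e["Computer"], e["ProcessId"]), []):
                hits.append((e["Computer"], e["ProcessId"], ip, port))
    return hits


if __name__ == "__main__":
    print("spoolsv -> rundll32:", spoolsv_spawning_rundll32(SAMPLE_EVENTS))
    print("suspicious module loads:", spoolsv_suspicious_loaded_modules(SAMPLE_EVENTS))
    print("spoolsv wrote DLL:", spoolsv_writing_dll(SAMPLE_EVENTS))
    print("rundll32 no args + network:", rundll32_no_args_with_network(SAMPLE_EVENTS))
```

Lowering min_distinct to 1 makes the benign UNIDRV.DLL load on ws02 surface as well, which is the false-positive the SPL threshold of 3 is there to suppress; the duplicate payload.dll load on dc01 still counts once, matching dc() semantics.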



Print Spooler Adding A Printer Driver

Identifies Print Spooler adding a new Printer Driver.

source="WinEventLog:Microsoft-Windows-PrintService/Operational" EventCode=316 category="Adding a printer driver" Message="*kernelbase.dll,*" Message="*UNIDRV.DLL,*" Message="*.DLL.*"
| stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message


Print Spooler Failed to Load a Plug-in

Detects when a new Printer Plug-In has failed to load.

source="WinEventLog:Microsoft-Windows-PrintService/Admin" ((ErrorCode="0x45A" (EventCode="808" OR EventCode="4909")) OR ("The print spooler failed to load a plug-in module" OR "\\drivers\\x64\\"))
| stats count min(_time) as firstTime max(_time) as lastTime by OpCode EventCode ComputerName Message
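The two PrintService event log rules above (Print Spooler Adding A Printer Driver and Print Spooler Failed to Load a Plug-in) key on message text rather than on structured fields, so it is worth seeing exactly what they match and what can be pulled out of a hit. The following added Python example, not part of Splunk's content, runs the same conditions over constructed 316 and 808 records and extracts the driver file list and the failing module. The Message wording is assumed from the substrings the SPL searches look for (the "Files:- a, b, c." list and the "failed to load a plug-in module <path>, error code <hex>" phrase); host names, driver names and payload.dll are made up.

```python
"""PrintService event log PrintNightmare detections over sample records.

Added example, not Splunk's content. Event messages are constructed to match
the substrings the SPL searches use; the exact wording is an assumption."""
import re

STANDARD_DRIVER_FILES = {"unidrv.dll", "kernelbase.dll"}
# "Files:- UNIDRV.DLL, kernelbase.dll, payload.dll. No user action ..." -> list
FILES_RE = re.compile(r"Files:-\s*(.+?)\.\s", re.IGNORECASE)
# "... failed to load a plug-in module <path>, error code 0x45A. ..."
PLUGIN_RE = re.compile(r"plug-in module (.+?), error code (0x[0-9a-f]+)", re.IGNORECASE)
# Win32 error 0x45A = 1114 = ERROR_DLL_INIT_FAILED: the module's DllMain
# returned FALSE. By the time the spooler logs this, DllMain has already run.
ERROR_DLL_INIT_FAILED = 0x45A
DRV = r"C:\Windows\system32\spool\DRIVERS\x64\3"

# Constructed sample records (not real logs).
SAMPLE_EVENTS = [
    {"EventCode": 316, "ComputerName": "dc01.corp.local",
     "Message": "Printer driver 1234 for Windows x64 Version-3 was added or updated. "
                "Files:- UNIDRV.DLL, kernelbase.dll, payload.dll. No user action is required."},
    {"EventCode": 316, "ComputerName": "ws02.corp.local",
     "Message": "Printer driver HP Universal Printing PCL 6 for Windows x64 Version-3 was added "
                "or updated. Files:- UNIDRV.DLL, hpcu250u.dll, hpcu250u.ini. No user action is required."},
    {"EventCode": 808, "ComputerName": "dc01.corp.local", "ErrorCode": "0x45A",
     "Message": f"The print spooler failed to load a plug-in module {DRV}\\payload.dll, "
                "error code 0x45A. See the event user data for context information."},
    {"EventCode": 808, "ComputerName": "ws03.corp.local", "ErrorCode": "0x7E",
     "Message": f"The print spooler failed to load a plug-in module {DRV}\\oldvendor.dll, "
                "error code 0x7E. See the event user data for context information."},
]


def printer_driver_added(events):
    """EID 316 whose driver package lists kernelbase.dll and UNIDRV.DLL next to
    a further .DLL, the file set the PoC submits. Returns (host, extra DLLs)."""
    hits = []
    for e in events:
        if e["EventCode"] != 316:
            continue
        msg = e["Message"].lower()
        if ("kernelbase.dll," not in msg or "unidrv.dll," not in msg
                or not re.search(r"\.dll\.", msg)):
            continue
        m = FILES_RE.search(e["Message"])
        files = [f.strip().lower() for f in m.group(1).split(",")] if m else []
        hits.append((e["ComputerName"], sorted(set(files) - STANDARD_DRIVER_FILES)))
    return hits


def plugin_load_failures(events):
    """Same conditions as the Admin-log search: EID 808/4909 with ErrorCode
    0x45A, or the failure phrase / drivers\\x64 path anywhere in the message.
    Returns (host, EventCode, module path, error code, is_dll_init_failure)."""
    hits = []
    for e in events:
        msg = e.get("Message", "")
        by_code = (e.get("ErrorCode", "").lower() == "0x45a"
                   and e["EventCode"] in (808, 4909))
        by_text = ("The print spooler failed to load a plug-in module" in msg
                   or "\\drivers\\x64\\" in msg.lower())
        if not (by_code or by_text):
            continue
        m = PLUGIN_RE.search(msg)
        module = m.group(1) if m else ""
        code = int(m.group(2), 16) if m else None
        hits.append((e["ComputerName"], e["EventCode"], module, code,
                     code == ERROR_DLL_INIT_FAILED))
    return hits


if __name__ == "__main__":
    print("driver added:", printer_driver_added(SAMPLE_EVENTS))
    print("plug-in failures:", plugin_load_failures(SAMPLE_EVENTS))
```

The second 808 record shows the cost of the free-text OR clause in the SPL: any plug-in failure under drivers\x64 is returned, not only the 0x45A ones, so triage should prioritise hits where the error code decodes to ERROR_DLL_INIT_FAILED and the module name is not a known vendor file.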


Detection | Technique ID | Tactic(s) | Description
Print Spooler Adding A Printer Driver (New) | T1547.012 | Persistence, Privilege Escalation | Identifies Print Spooler adding a new Printer Driver.
Print Spooler Failed to Load a Plug-in (New) | T1547.012 | Persistence, Privilege Escalation | Detects when a new Printer Plug-In has failed to load.
Spoolsv Spawning Rundll32 (New) | T1547.012 | Persistence, Privilege Escalation | Detects Spoolsv with a child process of rundll32.exe.
Spoolsv Suspicious Loaded Modules (New) | T1547.012 | Persistence, Privilege Escalation | Identifies potentially suspicious module loads into Spoolsv.exe based on DLL loading from a specific path used by CVE-2021-34527.
Spoolsv Suspicious Process Access (New) | T1068 | Privilege Escalation | Identifies suspicious process access events from Spoolsv.exe to a target process.
Spoolsv Writing a DLL (New) (sourcetype search) | T1547.012 | Persistence, Privilege Escalation | Detects Spoolsv.exe writing a DLL.
Spoolsv Writing a DLL - Sysmon (New) (datamodel search) | T1547.012 | Persistence, Privilege Escalation | Detects Spoolsv.exe writing a DLL.
Suspicious Rundll32 no Command Line Arguments (Existing) | T1218.011 | Defense Evasion | Identifies Rundll32.exe with no command line arguments.
Suspicious Rundll32 no Command Line Arguments with Network (Existing) | T1218.011 | Defense Evasion | Identifies Rundll32.exe with no command line arguments and a network connection.

 


As always, security at Splunk is a family business. Credit to authors and collaborators:

 

The Splunk Threat Research Team is an active part of a customer's overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.

