Analytics Story: PrintNightmare CVE-2021-34527

Description

The following analytic story identifies behaviors related to PrintNightmare (CVE-2021-34527, initially tracked as CVE-2021-1675), a Print Spooler vulnerability exploited to gain code execution and privilege escalation on a vulnerable machine.

Why it matters

This vulnerability affects the Print Spooler service, which is enabled by default on Windows systems, and allows an adversary holding a low-privileged user account to trick the service into installing a remotely hosted print driver. Successful exploitation lets the adversary execute code on the target system (Remote Code Execution) in the context of the Print Spooler service, which runs as SYSTEM (Privilege Escalation). The prerequisites for successful exploitation are:

  1. Print Spooler service enabled on the target system
  2. Network connectivity to the target system (initial access has been obtained)
  3. Hash or password for a low-privileged user (or computer) account

In the most impactful scenario, an attacker leverages this vulnerability to obtain a SYSTEM shell on a domain controller and so escalates from a low-privileged domain account to full domain access in the target environment.

Detections

Name                                              | Technique                                           | Type
--------------------------------------------------|-----------------------------------------------------|-----
Print Spooler Adding A Printer Driver             | Print Processors, Boot or Logon Autostart Execution | TTP
Print Spooler Failed to Load a Plug-in            | Print Processors, Boot or Logon Autostart Execution | TTP
Rundll32 with no Command Line Arguments with Network | System Binary Proxy Execution, Rundll32          | TTP
Spoolsv Spawning Rundll32                         | Print Processors, Boot or Logon Autostart Execution | TTP
Spoolsv Suspicious Loaded Modules                 | Print Processors, Boot or Logon Autostart Execution | TTP
Spoolsv Suspicious Process Access                 | Exploitation for Privilege Escalation               | TTP
Spoolsv Writing a DLL                             | Print Processors, Boot or Logon Autostart Execution | TTP
Spoolsv Writing a DLL - Sysmon                    | Print Processors, Boot or Logon Autostart Execution | TTP
Suspicious Rundll32 no Command Line Arguments     | System Binary Proxy Execution, Rundll32             | TTP
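To make the triggering conditions of these detections concrete, the following is an added example (not the Splunk searches that make up the story, and not code from the Splunk Security Content project): the logic of four of the listed detections re-expressed in Python and run over a handful of constructed Sysmon and PrintService events. Field names mirror the Sysmon and PrintService fields the data sources below expose; the host names, file paths and event contents are made up for the example, and the two-detection threshold used to rank hosts is an assumption, not part of the story.

```python
"""Added example: four PrintNightmare detections from this story re-implemented in
Python and run over constructed Sysmon / PrintService events. Not the project's
own searches; event contents and host names are made up for illustration."""
import re

# Sysmon EID 11 (FileCreate): spoolsv.exe dropping a DLL under the print driver store.
DRIVER_STORE = "\\spool\\drivers\\"


def spoolsv_writing_dll(ev):
    """Spoolsv Writing a DLL - Sysmon: Image=spoolsv.exe writing *.dll into the driver store."""
    if ev["event_id"] != 11:
        return False
    image, target = ev["image"].lower(), ev["target_filename"].lower()
    return image.endswith("\\spoolsv.exe") and target.endswith(".dll") and DRIVER_STORE in target


# rundll32.exe with nothing after the executable (normal launches pass "<dll>,<entry>").
_NO_ARGS = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?rundll32\.exe"?\s*$', re.IGNORECASE)


def spoolsv_spawning_rundll32(ev):
    """Spoolsv Spawning Rundll32 / Suspicious Rundll32 no Command Line Arguments:
    Sysmon EID 1 or Security 4688 with ParentImage=spoolsv.exe, Image=rundll32.exe, bare command line."""
    if ev["event_id"] not in (1, 4688):
        return False
    parent, image = ev["parent_image"].lower(), ev["image"].lower()
    return (parent.endswith("\\spoolsv.exe") and image.endswith("\\rundll32.exe")
            and _NO_ARGS.match(ev["command_line"]) is not None)


def print_plugin_failed(ev):
    """Print Spooler Failed to Load a Plug-in: PrintService/Admin EID 808."""
    return ev["channel"] == "printservice" and ev["event_id"] == 808


def printer_driver_added(ev):
    """Print Spooler Adding A Printer Driver: PrintService/Admin EID 316 'added or updated'.
    Low fidelity on its own, since legitimate driver installs produce the same event."""
    return ev["channel"] == "printservice" and ev["event_id"] == 316 and "added or updated" in ev["message"]


DETECTIONS = {
    "Spoolsv Writing a DLL - Sysmon": spoolsv_writing_dll,
    "Spoolsv Spawning Rundll32": spoolsv_spawning_rundll32,
    "Print Spooler Failed to Load a Plug-in": print_plugin_failed,
    "Print Spooler Adding A Printer Driver": printer_driver_added,
}


def run_detections(events):
    """Return {host: sorted list of detection names that fired on that host}."""
    hits = {}
    for ev in events:
        for name, fn in DETECTIONS.items():
            if fn(ev):
                hits.setdefault(ev["host"], set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}


def likely_printnightmare(hits, min_detections=2):
    """Hosts on which at least `min_detections` distinct detections fired (assumed threshold)."""
    return sorted(host for host, names in hits.items() if len(names) >= min_detections)


# Constructed sample events: DC01 shows the exploitation chain, WS07 only benign activity.
SAMPLE_EVENTS = [
    {"host": "DC01", "channel": "sysmon", "event_id": 11, "image": r"C:\Windows\System32\spoolsv.exe",
     "target_filename": r"C:\Windows\System32\spool\drivers\x64\3\New\evil.dll"},
    {"host": "DC01", "channel": "sysmon", "event_id": 1, "parent_image": r"C:\Windows\System32\spoolsv.exe",
     "image": r"C:\Windows\System32\rundll32.exe", "command_line": "rundll32.exe"},
    {"host": "DC01", "channel": "printservice", "event_id": 808,
     "message": r"The print spooler failed to load a plug-in module C:\Windows\system32\spool\DRIVERS\x64\3\evil.dll, error code 0x45A."},
    {"host": "WS07", "channel": "printservice", "event_id": 316,
     "message": "Printer driver HP Universal Printing PCL 6 for Windows x64 Version-3 was added or updated. Files:- HPCUI.DLL, UNIDRV.DLL, hpcui.ini."},
    {"host": "WS07", "channel": "sysmon", "event_id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe", "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"host": "WS07", "channel": "sysmon", "event_id": 11, "image": r"C:\Windows\System32\spoolsv.exe",
     "target_filename": r"C:\Windows\System32\spool\PRINTERS\00012.SPL"},
]

if __name__ == "__main__":
    results = run_detections(SAMPLE_EVENTS)
    for host, names in sorted(results.items()):
        print(host, "->", ", ".join(names))
    print("likely PrintNightmare:", likely_printnightmare(results))
```

Run as-is, the domain controller DC01 trips three distinct detections (DLL written to the driver store, rundll32.exe spawned by spoolsv.exe without arguments, plug-in load failure) while WS07 only trips the low-fidelity driver-added event, which is why the ranking requires several detections per host before calling it an exploitation attempt.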

Data Sources

Name                                | Platform | Sourcetype               | Source
------------------------------------|----------|--------------------------|------------------------------------------------------
CrowdStrike ProcessRollup2          | N/A      | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1                    | Windows  | xmlwineventlog           | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10                   | Windows  | xmlwineventlog           | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11                   | Windows  | xmlwineventlog           | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3                    | Windows  | xmlwineventlog           | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7                    | Windows  | xmlwineventlog           | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Printservice 316  | Windows  | WinEventLog              | WinEventLog:Microsoft-Windows-PrintService/Admin
Windows Event Log Printservice 808  | Windows  | WinEventLog              | WinEventLog:Microsoft-Windows-PrintService/Admin
Windows Event Log Security 4688     | Windows  | xmlwineventlog           | XmlWinEventLog:Security

Source: GitHub | Version: 1