Try in Splunk Security Cloud

Description

The following analytic story identifies behaviors related PrintNightmare, or CVE-2021-34527 previously known as (CVE-2021-1675), to gain privilege escalation on the vulnerable machine.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-07-01
  • Author: Splunk Threat Research Team
  • ID: fd79470a-da88-11eb-b803-acde48001122

Narrative

This vulnerability affects the Print Spooler service, enabled by default on Windows systems, and allows adversaries to trick this service into installing a remotely hosted print driver using a low privileged user account. Successful exploitation effectively allows adversaries to execute code in the target system (Remote Code Execution) in the context of the Print Spooler service which runs with the highest privileges (Privilege Escalation).
The prerequisites for successful exploitation consist of: \

  1. Print Spooler service enabled on the target system \
  2. Network connectivity to the target system (initial access has been obtained) \
  3. Hash or password for a low privileged user ( or computer ) account.
    In the most impactful scenario, an attacker would be able to leverage this vulnerability to obtain a SYSTEM shell on a domain controller and so escalate their privileges from a low privileged domain account to full domain access in the target environment as shown below.

Detections

Name Technique Type
Print Spooler Adding A Printer Driver Print Processors, Boot or Logon Autostart Execution TTP
Print Spooler Failed to Load a Plug-in Print Processors, Boot or Logon Autostart Execution TTP
Rundll32 with no Command Line Arguments with Network Signed Binary Proxy Execution, Rundll32 TTP
Spoolsv Spawning Rundll32 Print Processors, Boot or Logon Autostart Execution TTP
Spoolsv Suspicious Loaded Modules Print Processors, Boot or Logon Autostart Execution TTP
Spoolsv Suspicious Process Access Exploitation for Privilege Escalation TTP
Spoolsv Writing a DLL Print Processors, Boot or Logon Autostart Execution TTP
Spoolsv Writing a DLL - Sysmon Print Processors, Boot or Logon Autostart Execution TTP
Suspicious Rundll32 no Command Line Arguments Signed Binary Proxy Execution, Rundll32 TTP

Reference

source | version: 1