July 2, 2021 | 3 minute read
The Cybereason Global Security Operations Center (SOC) issues Cybereason Threat Alerts to inform customers of emerging threats that could affect them. Each Alert summarizes the threat and provides practical recommendations for protecting against it.
The Cybereason GSOC Managed Detection and Response (MDR) Team is investigating the PrintNightmare vulnerability (CVE-2021-34527), a critical vulnerability in the Windows Print Spooler service. This vulnerability enables attackers to execute arbitrary code on target systems with administrative privileges.
PrintNightmare is a critical vulnerability in the Windows Print Spooler service, which executes as the spoolsv.exe process in Windows systems. An adversary who successfully exploits the PrintNightmare vulnerability could achieve full control over a target system by executing arbitrary code, such as a dynamic link library (DLL) or a Windows executable, with administrative privileges. The adversary must be authenticated to the Windows Print Spooler service to take advantage of PrintNightmare.
The vulnerable code is the RpcAddPrinterDriverEx function, implemented in the Windows Print Spooler service. Because of the flaw, any authenticated user can use it to place an arbitrary DLL or Windows executable on a system where the Print Spooler service runs and have the service execute it with administrative (SYSTEM) privileges.
According to the CERT Coordination Center at Carnegie Mellon University:
The RpcAddPrinterDriverEx() function is used to install a printer driver on a system. One of the parameters to this function is the DRIVER_CONTAINER object, which contains information about which driver is to be used by the added printer. The other argument, dwFileCopyFlags, specifies how replacement printer driver files are to be copied. An attacker can take advantage of the fact that any authenticated user can call RpcAddPrinterDriverEx() and specify a driver file that lives on a remote server. This results in the Print Spooler service spoolsv.exe executing code in an arbitrary DLL file with SYSTEM privileges.
When an adversary exploits the PrintNightmare vulnerability, the Windows Print Spooler service writes two files, kernelbase.dll and UNIDRV.dll, as well as the attacker-provided DLL or Windows executable, under the %SystemRoot%\System32\spool\drivers\ directory (for example, in C:\Windows\System32\spool\drivers\x64\3). The vulnerable Windows Print Spooler service (spoolsv.exe) then executes the attacker-provided code with administrative privileges: a DLL payload is loaded into the spoolsv.exe process itself, while an executable payload is launched by spoolsv.exe as a child process.
For lateral movement, an attacker may deploy a command line interpreter utility, such as cmd.exe or powershell.exe, to execute arbitrary commands on the target system. An attacker may also load other executables that facilitate lateral movement, such as rundll32.exe, regsvr32.exe, msbuild.exe, or installutil.exe:
The Windows Print Spooler service writes and then executes the attacker-provided calc.dll
The Windows Print Spooler service executes the attacker-provided command line interpreter cmd.exe as a child process
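The artifacts described above (files written into the driver store, and spoolsv.exe spawning an interpreter or a proxy-execution binary) can be hunted for on a host with the following PowerShell script. It is an added example and not code from the Cybereason post. It assumes Sysmon is installed and logging process creation (Event ID 1) and file creation (Event ID 11) to the Microsoft-Windows-Sysmon/Operational channel; the 24-hour lookback, the LOLBin list and the function names are choices made for this example.

```powershell
# Added example, not code from the Cybereason post: a host-side hunt for PrintNightmare
# artifacts. Assumes Sysmon is installed and logging Event ID 1 (ProcessCreate) and
# Event ID 11 (FileCreate). $LookbackHours and $Lolbins are this example's own choices.

$DriverDir     = Join-Path $env:SystemRoot 'System32\spool\drivers'
$LookbackHours = 24
$Since         = (Get-Date).AddHours(-$LookbackHours)
# Interpreters and proxy-execution binaries an attacker is likely to launch from the spooler.
$Lolbins = @('cmd.exe', 'powershell.exe', 'rundll32.exe', 'regsvr32.exe',
             'msbuild.exe', 'installutil.exe')

function Get-SysmonEventData {
    # Flattens a Sysmon event's <EventData> into a hashtable keyed by field name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

function Get-SysmonEvents {
    # Returns Sysmon events of one ID inside the lookback window (nothing if the log is absent).
    param([int]$Id)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = $Id
        StartTime = $Since
    } -ErrorAction SilentlyContinue
}

# 1. Payloads dropped into the driver store. The exploit writes kernelbase.dll and UNIDRV.dll
#    next to the attacker's DLL in a numbered version folder such as x64\3.
Write-Host "== DLL/EXE files written under $DriverDir in the last $LookbackHours h =="
Get-ChildItem -Path $DriverDir -Recurse -Include *.dll, *.exe -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $Since } |
    Sort-Object LastWriteTime |
    Format-Table LastWriteTime, Length, FullName -AutoSize

# 2. spoolsv.exe creating files in the driver store (Sysmon FileCreate).
Write-Host "== Files created by spoolsv.exe in the driver store =="
foreach ($e in Get-SysmonEvents -Id 11) {
    $d = Get-SysmonEventData $e
    if ($d.Image -like '*\spoolsv.exe' -and $d.TargetFilename -like "$DriverDir\*") {
        '{0}  {1}' -f $e.TimeCreated, $d.TargetFilename
    }
}

# 3. spoolsv.exe spawning an interpreter or LOLBin (Sysmon ProcessCreate). spoolsv.exe
#    normally has very few children (PrintFilterPipelineSvc.exe during printing is expected),
#    so matching the child image against $Lolbins keeps the result set small.
Write-Host "== Suspicious child processes of spoolsv.exe =="
foreach ($e in Get-SysmonEvents -Id 1) {
    $d = Get-SysmonEventData $e
    if ($d.ParentImage -like '*\spoolsv.exe') {
        $child = (Split-Path -Path $d.Image -Leaf).ToLower()
        if ($Lolbins -contains $child) {
            '{0}  {1} -> {2}' -f $e.TimeCreated, $d.ParentImage, $d.CommandLine
        }
    }
}
```

Without Sysmon, step 3 can be rebuilt from Security log Event ID 4688 when command-line auditing is enabled, since those events carry the parent process name. The Microsoft-Windows-PrintService/Operational log (disabled by default) adds Event ID 316 when a printer driver is added or updated, which records the driver file names the spooler installed.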
Cybereason recommends the following. The PowerShell snippet below is an interim workaround: it denies the SYSTEM account Modify rights on the spool drivers directory, so that spoolsv.exe (which runs as SYSTEM) can no longer write attacker-supplied DLLs or executables there. Because the same write path is used by legitimate printer driver installation, the rule should be removed once the system is patched.
# Interim workaround: deny SYSTEM Modify rights on the spool drivers directory.
# Run from an elevated PowerShell session.
$Path = "C:\Windows\System32\spool\drivers"
$Acl = Get-Acl $Path
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")
$Acl.AddAccessRule($Ar)   # the rule must be added to the ACL before the ACL is written back
Set-Acl $Path $Acl
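To verify that the workaround is in place, to check the two workarounds Microsoft published for CVE-2021-34527 (stopping and disabling the Print Spooler service, or disabling inbound remote printing through the "Allow Print Spooler to accept client connections" policy), and to revert the ACL change after patching, the following script can be used. It is an added example, not code from the Cybereason post; the function names are this example's own, and it must be run from an elevated PowerShell session.

```powershell
# Added example, not code from the Cybereason post: audit the PrintNightmare workarounds on a
# host and undo the ACL workaround once the host is patched. Run elevated.
# Function names below are this example's own.

$DriverDir = Join-Path $env:SystemRoot 'System32\spool\drivers'
$Modify    = [System.Security.AccessControl.FileSystemRights]::Modify

function Get-SpoolDriverDenyRule {
    # Returns the Deny ACE granting SYSTEM no Modify access on the driver directory,
    # or nothing if the workaround has not been applied.
    (Get-Acl -Path $DriverDir).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        (($_.FileSystemRights -band $Modify) -eq $Modify)
    }
}

function Remove-SpoolDriverDenyRule {
    # Reverts the workaround so that legitimate printer driver installation works again.
    $acl  = Get-Acl -Path $DriverDir
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList @('System', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Deny')
    if ($acl.RemoveAccessRule($rule)) {
        Set-Acl -Path $DriverDir -AclObject $acl
        "Removed SYSTEM Deny/Modify rule from $DriverDir"
    } else {
        "No matching Deny rule found on $DriverDir"
    }
}

function Get-SpoolerMitigationStatus {
    # Summarises the controls a responder checks: the ACL workaround, whether the Print
    # Spooler service is running or enabled, and whether inbound remote printing is disabled
    # by policy. The "Allow Print Spooler to accept client connections" policy stores
    # RegisterSpoolerRemoteRpcEndPoint = 2 under the Printers policy key when disabled.
    $svc    = Get-Service -Name Spooler
    $start  = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'").StartMode
    $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $remote = (Get-ItemProperty -Path $key -Name RegisterSpoolerRemoteRpcEndPoint `
        -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    [pscustomobject]@{
        DriverDirDenyRulePresent = [bool](Get-SpoolDriverDenyRule)
        SpoolerStatus            = $svc.Status
        SpoolerStartMode         = $start      # Auto, Manual or Disabled
        RemotePrintingDisabled   = ($remote -eq 2)
    }
}

Get-SpoolerMitigationStatus | Format-List
```

A host that reports DriverDirDenyRulePresent as False, SpoolerStatus as Running and RemotePrintingDisabled as False has none of the workarounds in place. After the patch is installed, run Remove-SpoolDriverDenyRule to restore driver installation; a Print Spooler service that is still disabled will also need to be re-enabled on hosts that must print.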
Aleksandar Milenkoski, Senior Security Analyst, Cybereason Global SOC
Aleksandar Milenkoski is a Senior Security Analyst with the Cybereason Global SOC (GSOC) team. He is involved primarily in reverse engineering and threat research activities. Aleksandar has a PhD degree in the area of system security. Prior to Cybereason, his work focused on research in intrusion detection and on reverse engineering the security mechanisms of the Windows 10 operating system.
Eli Salem, Senior Security Analyst, Cybereason Global SOC
Eli Salem is a lead threat hunter and malware reverse engineer at Cybereason. Eli has worked in the private sector of the cyber security industry for a couple of years now. In his free time he publishes articles about malware research and threat hunting.
The Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on every continent. Led by cybersecurity experts with experience working for government, the military and multiple industry verticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive threats to support our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle moves.