
Putting CVE-2021-1675 PrintNightmare to Rest

Luke Richards
Threat Intelligence Lead
July 2, 2021

At the end of June, research teams published information about a remote code execution (RCE) vulnerability in the Microsoft Windows Print Spooler, now known as CVE-2021-1675. An attacker can exploit this vulnerability—nicknamed PrintNightmare—to take control of an affected system. The vulnerability appears to have existed in Windows for some time, and the researchers developed a Proof of Concept (POC) exploit in order to participate in the Tianfu Cup.

We know attackers will perform several actions before leveraging this exploit that would trigger existing Vectra detections. These detections would be associated with command and control like External Remote Access or HTTPS Hidden Tunnel, reconnaissance techniques like Port Scan, Port Sweep, and Targeted RPC Recon, and credential-based lateral movement like Suspicious Remote Execution or Privilege Access Anomaly.

Windows Print Spooler has a long history of vulnerabilities, and because it is present on nearly every Windows system, a flaw in it can seriously impact targets. Because the POC for this attack is now public and the attack is easy to deploy, Vectra has developed a custom model to augment our existing coverage and highlight the use of this exploit.

Achieve total visibility

The exploit relies on creating a new network printer driver associated with a malicious dynamic link library (DLL). This means that we can detect the attack by looking for those two distinct activities and quickly stop the attack.

The first of these activities is the DCE/RPC command that adds the new network printer.

These commands on their own can be benign when a new printer is legitimately being created. In such cases, however, the responding host would be a known print server, and the originating host would belong to an administrator creating the printer.

The second distinct activity to look for is the upload of a suspicious DLL file prior to the creation of the new printer driver. The RpcAddPrinterDriver operation will reference a malicious DLL file, which the threat actor would have to compile before running the exploit.

Stay ahead of threats

To learn more about how Vectra can detect attackers in all stages of their attack including the use of PrintNightmare, please feel free to contact us or try our solution free for 30 days!

Want to learn more?

Vectra® is the leader in Security AI-driven hybrid cloud threat detection and response. The Vectra platform and services cover public cloud, SaaS applications, identity systems and network infrastructure – both on-premises and cloud-based. Organizations worldwide rely on the Vectra platform and services for resilience to ransomware, supply chain compromise, identity takeovers, and other cyberattacks impacting their organization.

If you’d like to hear more, contact us and we’ll show you exactly how we do this and what you can do to protect your data. We can also put you in contact with one of our customers to hear directly from them about their experiences with our solution.
