Putting CVE-2021-1675 PrintNightmare to Rest


By: Luke Richards
July 2, 2021

At the end of June, research teams published information about a remote code execution (RCE) vulnerability in the Microsoft Windows Print Spooler service, now known as CVE-2021-1675. An attacker can exploit this vulnerability, nicknamed PrintNightmare, to take control of an affected system. The flaw appears to have existed in Windows for some time; the researchers developed a proof-of-concept (PoC) exploit for it in order to participate in the Tianfu Cup.

We know attackers will perform several actions before leveraging this exploit, and those actions trigger existing Vectra detections: command-and-control behaviours such as External Remote Access or HTTPS Hidden Tunnel, reconnaissance techniques such as Port Scan, Port Sweep, and Targeted RPC Recon, and credential-based lateral movement such as Suspicious Remote Execution or Privilege Access Anomaly.

Windows Print Spooler has a long history of vulnerabilities, and because the service is present on almost every Windows system, a flaw in it can affect a very large number of targets. Because the PoC is now public and the exploit is easy to deploy, Vectra has developed a custom model to augment our existing coverage and highlight the use of this exploit.

Achieve Total Visibility

The exploit relies on adding a new printer driver whose driver file is a malicious dynamic link library (DLL). This means we can detect the attack by looking for those two distinct activities, the driver being added and the DLL arriving beforehand, and stop it quickly.

The first of these activities is the DCE/RPC call, on the MS-RPRN print spooler interface, that adds the new printer driver: RpcAddPrinterDriver or RpcAddPrinterDriverEx.

On their own these calls can be benign: they are exactly what a legitimate printer driver installation looks like. In that case, however, the responding host should be a known print server and the originating host should belong to an administrator who is installing the driver. A call from an ordinary workstation, or a call to a host that is not a print server, does not fit that pattern.

The second distinct activity to look for is the upload of a suspicious DLL file before the new printer driver is created. The RpcAddPrinterDriver call references that DLL as the driver file, and the threat actor has to compile it and put it in place before running the exploit.
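To make the two-activity logic concrete, here is an added example (my own code, not Vectra's model or anything from the original post) that runs that correlation over a handful of constructed, sensor-style log lines. The log format, the host addresses, and the lists of known print servers and administrator workstations are all assumptions made for the example; a real deployment would take them from its own sensor output and asset inventory.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# The two MS-RPRN operations the post names. (In the MS-RPRN spec these are
# opnum 9, RpcAddPrinterDriver, and opnum 89, RpcAddPrinterDriverEx.)
ADD_DRIVER_OPS = {"RpcAddPrinterDriver", "RpcAddPrinterDriverEx"}

# Assumed asset knowledge for the example: known print servers and the
# workstations used by printer administrators. Constructed, not real.
PRINT_SERVERS = {"10.0.1.10"}
PRINT_ADMIN_HOSTS = {"10.0.9.2"}

# Lookback window for a DLL written to the target before the RPC call.
UPLOAD_WINDOW = timedelta(minutes=10)

# Constructed events in the shape "<timestamp> <proto> <src> <dst> <detail>".
# The layout is an assumption made for this example, not a real sensor format.
SAMPLE_LOG = r"""
2021-07-01T10:00:01Z SMB    10.0.5.23 10.0.1.10 WRITE \\10.0.1.10\print$\x64\3\nightmare.dll
2021-07-01T10:00:04Z DCERPC 10.0.5.23 10.0.1.10 MS-RPRN RpcAddPrinterDriverEx
2021-07-01T11:15:00Z SMB    10.0.9.2  10.0.1.10 WRITE \\10.0.1.10\print$\x64\3\hpcu255u.dll
2021-07-01T11:20:00Z DCERPC 10.0.9.2  10.0.1.10 MS-RPRN RpcAddPrinterDriverEx
2021-07-01T12:00:00Z DCERPC 10.0.5.23 10.0.1.44 MS-RPRN RpcEnumPrinters
2021-07-01T12:30:00Z DCERPC 10.0.5.23 10.0.1.44 MS-RPRN RpcAddPrinterDriver
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>SMB|DCERPC)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<detail>.+)$"
)


@dataclass
class Event:
    ts: datetime
    proto: str
    src: str
    dst: str
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format into time-ordered Events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(Event(ts, m["proto"], m["src"], m["dst"], m["detail"]))
    events.sort(key=lambda e: e.ts)
    return events


def dll_written(ev: Event) -> Optional[str]:
    """Path of a DLL written over SMB by this event, or None."""
    if ev.proto == "SMB":
        parts = ev.detail.split(maxsplit=1)
        if len(parts) == 2 and parts[0] == "WRITE" and parts[1].lower().endswith(".dll"):
            return parts[1]
    return None


def add_driver_op(ev: Event) -> Optional[str]:
    """MS-RPRN add-driver operation name carried by this event, or None."""
    if ev.proto == "DCERPC":
        parts = ev.detail.split()
        if len(parts) == 2 and parts[0] == "MS-RPRN" and parts[1] in ADD_DRIVER_OPS:
            return parts[1]
    return None


@dataclass
class Finding:
    ts: datetime
    src: str
    dst: str
    operation: str
    reasons: List[str]        # why the call does not look like routine driver installation
    dll_path: Optional[str]   # DLL the same source uploaded to the target shortly before


def detect_printnightmare(events, print_servers=PRINT_SERVERS,
                          admin_hosts=PRINT_ADMIN_HOSTS, window=UPLOAD_WINDOW):
    """Flag RpcAddPrinterDriver[Ex] calls outside the admin -> print-server pattern
    and attach the preceding DLL upload from the same source when one exists."""
    findings = []
    for i, ev in enumerate(events):
        op = add_driver_op(ev)
        if op is None:
            continue
        reasons = []
        if ev.src not in admin_hosts:
            reasons.append("caller is not a known printer-administrator host")
        if ev.dst not in print_servers:
            reasons.append("target is not a known print server")
        if not reasons:
            continue  # administrator installing a driver on a print server: expected
        dll_path = None
        for prev in reversed(events[:i]):  # most recent event first
            if ev.ts - prev.ts > window:
                break
            if prev.src == ev.src and prev.dst == ev.dst and dll_written(prev):
                dll_path = dll_written(prev)
                reasons.append(f"same source wrote {dll_path} to the target "
                               f"{int((ev.ts - prev.ts).total_seconds())}s earlier")
                break
        findings.append(Finding(ev.ts, ev.src, ev.dst, op, reasons, dll_path))
    return findings


if __name__ == "__main__":
    for f in detect_printnightmare(parse_log(SAMPLE_LOG)):
        print(f"{f.ts.isoformat()} {f.src} -> {f.dst} {f.operation}")
        for r in f.reasons:
            print("   -", r)
```

Run against the sample it reports two findings: the workstation that wrote a DLL to the print server's share and, three seconds later, called RpcAddPrinterDriverEx against it; and a later RpcAddPrinterDriver call against a host that is not a print server at all. The administrator's own driver installation, which also uploads a DLL and calls RpcAddPrinterDriverEx, is left alone because both ends fit the expected pattern. The DLL upload is treated as corroboration rather than a requirement, so a driver whose DLL reached the target by some other route is still flagged on the context of the RPC call alone.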

Stay Ahead of Threats

To learn more about how Vectra Cognito can detect attackers in all stages of their attack including the use of PrintNightmare, please feel free to contact us or try our solution free for 30 days!

About the author

Luke Richards

Luke is the Threat Intel Lead for Vectra. He has been with the company for four years, joining as a consultant analyst and working directly with customers on high-level incident response. Before joining Vectra, Luke was a senior security analyst for an international engineering and defence contractor, where he developed SOC toolsets, processes and incident response playbooks.
