At the end of June, research teams published information about a remote code execution (RCE) vulnerability in Microsoft Windows Print Spooler, now known as CVE-2021-1675. An attacker can exploit this vulnerability—nicknamed PrintNightmare—to take control of an affected system. This vulnerability appears to have existed in Windows for some time, and the researchers were able to develop an exploit as a Proof of Concept (POC) in order to Participate in the Tianfu Cup.
We know attackers will perform several actions before leveraging this exploit that would trigger existing Vectra detections. These detections would be associated with command and control like External Remote Access or HTTPS Hidden Tunnel, reconnaissance techniques like Port Scan, Port Sweep, and Targeted RPC Recon, and credential-based lateral movement like Suspicious Remote Execution or Privilege Access Anomaly.
Windows Print Spooler has a long history of vulnerabilities, and its ubiquity can seriously impact targets. Because the POC for this attack is now public and the ease of deployment of this attack, Vectra has developed a custom model to augment our existing coverage and highlight the use of this exploit.
The exploit relies on creating a new network printer driver associated with a malicious dynamic link library (DLL). This means that we can detect the attack by looking for those two distinct activities and quickly stop the attack.
The first of these activities is the DCE/RPC command that adds the new network printer.
These commands on their own can be benign under the circumstances of creating a new printer. However, the responding host would be associated with Printer systems, and the origin host an administrator who was creating the printer in such cases.
The second distinct activity to look for is uploading a suspicious DLL file prior to creating the new Printer Driver. The operation RpcAddPrinterDriver will be linked to a malicious DLL file, which would have to be compiled by a malicious threat actor before running the exploit.