Security Engineer - Incident Response Specialist
While our clients with EDR should be protected from this kind of attack, we are still going to be actively threat hunting until a patch is pushed out by Microsoft.
Print Nightmare (CVE-2021-34527) is a vulnerability that allows an adversary with a standard domain user account to escalate privileges to Domain Admin via the Windows Print Spooler service. This service runs on every Windows Operating System by default.
How does the exploit work?
The exploit allows an attacker to load a DLL with elevated privileges in a subdirectory under C:\Windows\System32\spool\drivers. Due to a logic flaw in spoolsv.exe, the exploit circumvents the usual security checks performed by SeLoadDriverPrivilege.
This means that an attacker with access to a standard domain-joined account can take over the entire Active Directory in seconds. The issue is that Microsoft's June 8th patch was supposed to remediate this vulnerability. We have tested it against fully patched servers and, unfortunately, it is still exploitable.
1. We recommend disabling the Print Spooler service on all systems (especially Domain Controllers).
If you can't disable the service, there are 3 alternatives. As always, please test these before implementation.
2. TrueSec (credit to them) wrote a small PowerShell script that restricts the ACLs on the directory and subdirectories an attacker would use to exploit this vulnerability.
The following script adds a Deny rule to the "drivers" directory and all of its subdirectories, which prevents the SYSTEM account from writing malicious DLLs into them.
# Deny SYSTEM the Modify right on the drivers directory and everything beneath it
$Path = "C:\Windows\System32\spool\drivers"
$Acl = Get-Acl $Path
$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")
$Acl.AddAccessRule($Ar)   # the rule must be added to the ACL before it is written back
Set-Acl $Path $Acl
3. Instead of disabling the service, you can configure it via GPO to reject client connections: Computer Configuration -> Administrative Templates -> Printers -> Allow Print Spooler to accept client connections: Disabled.
4. You can remove all "Authenticated Users" from the "Pre-Windows 2000 Compatible Access" group in AD.
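To verify which of the mitigations above are actually in place on a host, and to support the threat hunting mentioned at the top of this post, here is an added audit script (not part of the original post or of TrueSec's script). It assumes the GPO setting in option 3 is backed by the registry value RegisterSpoolerRemoteRpcEndPoint (2 = disabled) under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers; the 7-day lookback is an arbitrary constructed value.

```powershell
# Added example: audit a host for the PrintNightmare mitigations and list recently
# written DLLs under the spool driver tree. Run from an elevated PowerShell session.
# Assumption: the "accept client connections" policy maps to the registry value
# RegisterSpoolerRemoteRpcEndPoint (2 = disabled); adjust if your environment differs.

$DriverPath   = "C:\Windows\System32\spool\drivers"
$PolicyKey    = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers"
$LookbackDays = 7   # constructed value; widen for a longer hunt window

$report = [ordered]@{}

# 1. Is the Print Spooler service stopped and disabled (option 1)?
$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$report["SpoolerStatus"]    = if ($svc) { $svc.Status }    else { "NotFound" }
$report["SpoolerStartType"] = if ($svc) { $svc.StartType } else { "NotFound" }

# 2. Does the drivers directory carry a Deny ACE for SYSTEM covering Modify (option 2)?
$denyAce = (Get-Acl $DriverPath).Access | Where-Object {
    $_.AccessControlType -eq "Deny" -and
    $_.IdentityReference -like "*SYSTEM" -and
    ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Modify) -ne 0
}
$report["SystemDenyAcePresent"] = [bool]$denyAce

# 3. Is the spooler configured to reject remote client connections (option 3)?
$policy = Get-ItemProperty -Path $PolicyKey -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue
$report["RemoteClientConnectionsDisabled"] = ($policy.RegisterSpoolerRemoteRpcEndPoint -eq 2)

# 4. Threat hunt: DLLs written into the driver tree recently, with their signature state.
#    An unsigned or recently dropped DLL here is worth a closer look.
$cutoff = (Get-Date).AddDays(-$LookbackDays)
$recentDlls = Get-ChildItem -Path $DriverPath -Recurse -Filter *.dll -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Written   = $_.LastWriteTime
            Signature = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "" }
        }
    }

[pscustomobject]$report | Format-List
"Recently written DLLs under $DriverPath (last $LookbackDays days):"
$recentDlls | Sort-Object Written -Descending | Format-Table -AutoSize
```

Run it through your remote management tooling against Domain Controllers first, since those are the systems where an unmitigated spooler carries the most risk.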