Update: ExtraHop currently has custom-built detections for the original PoC as well as detections for a newly published variant of PrintNightmare.
PrintNightmare is among a new class of attacks that use encrypted traffic to cover their tracks. To help detect potential breaches, ExtraHop now has decryption and threat detection capabilities for encrypted Microsoft protocols. These include Active Directory, Kerberos and Microsoft Remote Procedure Call (MS-RPC), among others. Read more about Microsoft protocol decryption here.
ExtraHop has released a detector for the recent PrintNightmare vulnerability to identify attempted exploitation. As of Friday, July 2, this issue remains unpatched. Additionally, we are releasing a Threat Briefing to explain the vulnerability and appropriate responses.
Multiple vulnerabilities involving the Windows Print Spooler service have been disclosed recently, making for some understandable confusion. The latest, the zero-day CVE-2021-34527, has publicly available proof-of-concept code and has been actively exploited.
The implications for Windows are widespread, since the Print Spooler service is enabled by default on most client and server platforms. According to ExtraHop's threat research data, 93% of environments could be vulnerable to PrintNightmare, making it the most severe issue since SolarWinds.
Which Print Spooler-Related Vulnerability?
Previous Vulnerability: CVE-2021-1675
In June, Microsoft disclosed a separate vulnerability involving the Print Spooler service that enabled local privilege escalation (LPE) exploits. This vulnerability was patched, but complications involving a different exploit technique and an accidentally shared proof-of-concept exploit mean that patched systems may still be vulnerable to the related, more recently released CVE-2021-34527.
The latest vulnerability, disclosed on Thursday, is particularly serious because it can provide system-level privileges on domain controllers, allowing attackers to use remote code execution to install programs, modify data and create new accounts with full user rights. The Print Spooler service should be disabled immediately on Windows Domain Controllers and critical systems until further updates are available.
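The interim mitigation above (disable the Print Spooler on domain controllers) as a PowerShell function. This is an added example, not ExtraHop's or Microsoft's code: the function name, the `-Force` switch and the DomainRole threshold are choices made here; the DomainRole values come from the `Win32_ComputerSystem` class, where 4 and 5 are backup and primary domain controllers. Run it from an elevated session and start with `-WhatIf`.

```powershell
# Added example (not from the original post): stop and disable the Print Spooler
# on a domain controller, then return the resulting service state for a report.
# DomainRole (Win32_ComputerSystem): 4 = backup domain controller, 5 = primary domain controller.
function Disable-SpoolerOnDomainController {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # -Force is a constructed switch: apply the change even when the host is not a DC
        [switch]$Force
    )

    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -ge 4
    if (-not $isDc -and -not $Force) {
        Write-Warning "$env:COMPUTERNAME is not a domain controller (DomainRole=$role); use -Force to disable the spooler anyway."
        return
    }

    # Fail early if the service does not exist on this host
    $svc = Get-Service -Name Spooler -ErrorAction Stop

    if ($PSCmdlet.ShouldProcess("Spooler on $env:COMPUTERNAME", 'Stop and disable')) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
        # Disabled (not Manual) so nothing can restart it until the host is patched
        Set-Service -Name Spooler -StartupType Disabled
    }

    # Re-read the service so the returned object reflects the post-change state
    $svc = Get-Service -Name Spooler
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        DomainRole = $role
        Status     = $svc.Status
        StartType  = $svc.StartType
    }
}

# Dry run first; drop -WhatIf to apply. Expected end state: Status Stopped, StartType Disabled.
Disable-SpoolerOnDomainController -WhatIf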
How the Latest PrintNightmare Exploit Works
For CVE-2021-34527, Microsoft disclosed that "a remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges."
The exploit leverages the RpcAddPrinterDriverEx() function, which is used to install printer drivers on a system. In Microsoft environments, this capability allows authenticated users to install new printer drivers. PrintNightmare exploits this capability by specifying a malicious driver file that resides on a local or remote server, allowing an attacker to cause the Print Spooler service to execute arbitrary code.
Exploiting the PrintNightmare CVE begins by remotely calling the RpcAddPrinterDriverEx() function and passing it a malicious DLL, often over an encrypted protocol. This approach grants attackers the ability to install malicious code with SYSTEM-level privileges. By targeting domain controllers, attackers gain an immediate foothold on critical systems, allowing them to install programs, modify data, and create new accounts with full user rights.
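Because the technique described above installs a driver DLL through the spooler, the spooler's own event logs record the attempt on the host side, which complements network-level detection when the RPC traffic is encrypted. The following host-side triage script is an added example and not ExtraHop's detector. It parses two real event types, Event ID 316 in `Microsoft-Windows-PrintService/Operational` (driver added or updated, with its file list) and Event ID 808 in `Microsoft-Windows-PrintService/Admin` (spooler failed to load a plug-in module), and flags driver installs whose files fall outside an allowlist plus any failed plug-in load. The allowlist, the function name and the sample event messages are constructed here; build the allowlist from a known-good print server in your environment.

```powershell
# Added example (not from the original post): host-side triage of Print Spooler
# driver-installation events. The allowlist below is constructed; tune it from a
# known-good host. Sample messages are constructed, modelled on the real 316/808 formats.

$ExpectedDriverFiles = @('UNIDRV.DLL', 'UNIDRVUI.DLL', 'UNIRES.DLL', 'STDNAMES.GPD')

function Test-PrintServiceEvent {
    param(
        [Parameter(Mandatory)][int]$EventId,
        [Parameter(Mandatory)][string]$Message,
        [string]$Computer = $env:COMPUTERNAME
    )
    switch ($EventId) {
        316 {
            # "Printer driver <name> for Windows x64 Version-3 was added or updated. Files:- a.dll, b.dll. No user action is required."
            if ($Message -match 'Printer driver (?<Driver>.+?) for .+? was added or updated\. Files:-\s*(?<Files>.+?)\.\s*No user action') {
                $files = $Matches.Files -split ',\s*'
                $unexpected = $files | Where-Object { $ExpectedDriverFiles -notcontains $_.Trim().ToUpperInvariant() }
                if ($unexpected) {
                    return [pscustomobject]@{
                        Computer  = $Computer; EventId = 316; Driver = $Matches.Driver
                        Indicator = ($unexpected -join ', ')
                        Reason    = 'Driver added with file(s) outside the allowlist'
                    }
                }
            }
        }
        808 {
            # "The print spooler failed to load a plug-in module <path>, error code 0x45A. ..."
            if ($Message -match 'failed to load a plug-in module (?<Path>.+?), error code (?<Code>0x[0-9A-Fa-f]+)') {
                return [pscustomobject]@{
                    Computer  = $Computer; EventId = 808; Driver = $null
                    Indicator = "$($Matches.Path) ($($Matches.Code))"
                    Reason    = 'Spooler attempted to load a DLL as a plug-in and failed'
                }
            }
        }
    }
    return $null
}

# Constructed sample events so the script runs offline. On a live host read them with:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316 }
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PrintService/Admin'; Id = 808 }
# The Operational log is disabled by default; enable it with:
#   wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
$SampleEvents = @(
    @{ Id = 316; Message = 'Printer driver HP Universal Printing PCL 6 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, UNIDRVUI.DLL, UNIRES.DLL. No user action is required.' },
    @{ Id = 316; Message = 'Printer driver 1234 for Windows x64 Version-3 was added or updated. Files:- UNIDRV.DLL, constructed-sample.dll. No user action is required.' },
    @{ Id = 808; Message = 'The print spooler failed to load a plug-in module C:\Windows\System32\spool\DRIVERS\x64\3\constructed-sample.dll, error code 0x45A. See the event user data for context information.' }
)

# Benign first event produces no finding; the other two are reported.
$SampleEvents |
    ForEach-Object { Test-PrintServiceEvent -EventId $_.Id -Message $_.Message } |
    Format-Table -AutoSize
```

On a live host, pipe `Get-WinEvent` output into `Test-PrintServiceEvent` using each event's `Id` and `Message` properties (and `MachineName` for `-Computer`). A 316 event is routine on print servers, so the allowlist is what turns it into a signal; an 808 event is rare in normal operation and worth a look on its own, especially on a domain controller that should not be receiving driver installs at all.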
Detection and Decryption
ExtraHop is currently testing a purpose-built detection for this CVE that will begin rolling out later today. Reveal(x) already monitors network traffic to and from domain controllers and tracks Active Directory activity within customer environments. Reveal(x) uses this data to drive cloud-based machine learning to detect unusual behavior patterns that indicate lateral movement and network privilege escalation. Even if an attacker were to gain remote code execution capabilities on a domain controller, Reveal(x) would have a strong chance of rapidly detecting the subsequent malicious behaviors.
The exploitation activity in this situation could potentially occur within encrypted protocols, posing a visibility and detection challenge. ExtraHop customers have the ability to decrypt industry-standard protocols, including TLS 1.3, giving them more visibility into difficult-to-monitor behavior. The ability to fully parse more than 75 protocols, including common Microsoft protocols such as MSRPC, allows for more in-depth analysis and the creation of forensic-level metadata for the most commonly used network protocols.