PrintNightmare – Use Microsoft Defender/ Sentinel tooling to get insights
Technical details and a proof-of-concept (PoC) exploit have been accidentally leaked for a currently unpatched vulnerability in Windows that makes remote code execution possible. The issue affects the Windows Print Spooler, and the researchers named it PrintNightmare. Currently, the latest June 2021 security patches do not actually fix the issue.
Update: PrintNightmare is NOT the same as CVE-2021-1675. The article and title have been changed accordingly.
US-CERT-CISA: “It is important to realize that this update does not address the public exploits that also identify as CVE-2021-1675.” An attacker can exploit this vulnerability—nicknamed PrintNightmare—to take control of an affected system.
What is the issue?
Windows runs the Print Spooler service by default on every system, including Domain Controllers, where it is active by design. As a result, the Print Spooler service is enabled on all Windows Server and Windows client versions.
To check whether the service is running, look for the “Spooler” service (display name “Print Spooler”).
PrintNightmare is a vulnerability that allows an attacker with a regular, low-privileged user account to take over a server with an active Windows Print Spooler service. By default the service is running on all Windows servers and clients (Windows Server 2008 through 2019 and the Windows client versions). The most important exposure is the domain controllers in an Active Directory environment.
In practice, this means an attacker with an ordinary domain account can take over Active Directory.
A proof-of-concept (POC) exploit was recently published (and quickly removed). The only problem: once published, files are never really deleted from the internet.
We deleted the POC of PrintNightmare. To mitigate this vulnerability, please update Windows to the latest version, or disable the Spooler service. For more RCE and LPE in Spooler, stay tuned and wait for our Blackhat talk. https://t.co/heHeiTCsbQ
— zhiniang peng (@edwardzpeng) June 29, 2021
More information about the exploit: Public Windows PrintNightmare 0-day exploit allows domain takeover (bleepingcomputer.com)
In this blog:
- Use Microsoft Defender for Identity to discover Domain Controllers with an active Print Spooler service
- Azure Sentinel event collection
- Import Print related events into Azure Sentinel/ Log Analytics
What to do?
There is no official patch yet [2021-1-07]; hopefully Microsoft fixes the issue as soon as possible. Some useful next steps:
Disable the Print Spooler service if not needed (always good)
On all systems where the Print Spooler service is not required, disable the service and apply the latest security patches.
Tip: use a script that only disables the Print Spooler service when nothing beyond the default printers exists on the system. Use the service assessment below if Defender for Identity is available in the environment.
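An added example (not from the original post) of such a script in PowerShell: it enumerates the installed printers, keeps the Spooler running if anything beyond the Windows built-in defaults is found, and otherwise stops and disables the service. The list of default printer names and the use of Get-Printer (PrintManagement module, Windows 8/Server 2012 and later) are assumptions; run it elevated and with -WhatIf first.

```powershell
# Added example, not from the original post: disable the Print Spooler only when
# no printers beyond the Windows built-in defaults are installed. Run elevated.
# Assumption: this list of "default" printer names matches your environment.
$defaultPrinters = @(
    'Microsoft Print to PDF',
    'Microsoft XPS Document Writer',
    'Fax',
    'OneNote (Desktop)',
    'OneNote for Windows 10'
)

function Get-NonDefaultPrinters {
    # Printers that are not part of the built-in defaults; any hit means the
    # spooler is probably in real use on this host and should stay enabled.
    Get-Printer -ErrorAction SilentlyContinue |
        Where-Object { $defaultPrinters -notcontains $_.Name }
}

function Disable-SpoolerIfUnused {
    param([switch]$WhatIf)

    # Report the current state first (this is the "check the Spooler service" step).
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    Write-Host ("Spooler on {0}: status={1} startup={2}" -f $env:COMPUTERNAME, $svc.Status, $svc.StartType)

    $extra = @(Get-NonDefaultPrinters)
    if ($extra.Count -gt 0) {
        Write-Warning ("Keeping Spooler: {0} non-default printer(s) found: {1}" -f $extra.Count, ($extra.Name -join ', '))
        return $false
    }

    if ($WhatIf) {
        Write-Host 'WhatIf: would stop and disable the Spooler service.'
        return $true
    }

    # Stop the running instance, then prevent it from starting again at boot.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service -Name Spooler -StartupType Disabled
    Write-Host 'Spooler stopped and set to Disabled.'
    return $true
}

# Dry run; drop -WhatIf to apply the change.
Disable-SpoolerIfUnused -WhatIf
```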
Remove authenticated users (test first)
Removing Authenticated Users from the “Builtin\Pre-Windows 2000 Compatible Access” group also seems to be a working solution in combination with the original Microsoft patch. Source
Note: always test this in your environment first.
Monitor if print spoolers are used (always good)
Monitor the Print Spooler services installed in the environment. Below are the ways to monitor and collect events based on Microsoft technology.
- Monitor events with Azure Sentinel
- Monitor active Print Spoolers on domain controllers with Defender for Identity
Install the June 2021 updates
These do not resolve the current issue, but they are important to protect the environment against other security issues.
Defender for Endpoint/ EDR
Configure Defender for Endpoint or other protection solutions for full endpoint protection.
Defender for Identity – Print spooler service assessment
When Defender for Identity is part of the environment and configured on the Domain Controllers, the “Disable Print Spooler service on domain controllers” security assessment is available in Cloud App Security.
Image: all domain controllers onboarded to MDI, with the service state Running.
For opening the security assessment view from Cloud App Security:
- Open Cloud App Security
- Open Investigate -> Identity security posture
- Click on the improvement action -> Disable Print spooler service on domain controllers
The security assessment in Cloud App Security is updated in near real time. The following result is visible when the service status is Running:
When opening the Identity Security Posture page, the following information is visible: the DC name, domain, service status and startup type.
Azure Log Analytics / Sentinel events
With Azure Sentinel it is possible to collect the specific Print Service events. Make sure the following custom log sources are part of the collection: both event logs (Microsoft-Windows-PrintService/Admin and Microsoft-Windows-SmbClient/Security) are not collected by default and need to be added to the log collection.
After adding both log collections, the following events are visible:
- EventID: 808 Microsoft-Windows-PrintService/Admin
- EventID: 31017 Microsoft-Windows-PrintService/Admin
- EventID: 316 Microsoft-Windows-SmbClient/Security
Example KQL query to get the events for the specific EventIDs (the original chained `where EventID == …` clauses on different IDs would never match a row; the IDs have to be combined with `in`):
Event | where EventLog in ("Microsoft-Windows-PrintService/Admin", "Microsoft-Windows-SmbClient/Security") | where EventID in (808, 31017, 316)
| project TimeGenerated, Computer, EventLog, EventID, RenderedDescription
To add the custom log collection, open the Log Analytics workspace with the connected agents and follow the steps below:
- Open Log Analytics workspace
- Go to Agent configuration
- Click Add Windows event log
Add the following custom event logs: Microsoft-Windows-PrintService/Admin and Microsoft-Windows-SmbClient/Security.
Defender for Endpoint
With Defender for Endpoint, Advanced Hunting is possible. Olaf Hartong wrote a good Advanced Hunting query for Defender for Endpoint.
Note: the KQL query is written for use in Defender for Endpoint.
For starting the hunting:
- Go to Security.microsoft.com
- Click on Hunting -> Advanced hunting
- Fill in the KQL query -> run query
For more information, see the sources below.
Marius Sandbu: https://msandbu.org/printnightmare-cve-2021-1675/