ALPS blog

Detecting PrintNightmare Exploit Attempts using Trend Micro Vision One and Cloud One

PrintNightmare is one of the latest set of exploits abused for the Print Spooler vulnerabilities that have been identified as CVE-2021-1675, CVE-2021-34527, and CVE-2021-34481. It is a code execution vulnerability (both remote and local) in the Print Spooler service that affects all Windows versions running the said service. A number of researchers have come up with multiple exploit variants based on different implementations (over TCP and Server Message Block or SMB). By using different function calls for Print System Asynchronous Remote Protocol (MS-PAR) misusing RpcAsyncAddPrinterDriver, PrintNightmare can be exploited on servers and workstations, while abusing Print System Remote Protocol (MS-RPRN) allows PrintNightmare to misuse RpcAddPrinterDriverEx for an impacket implementation.

In this analysis, we look into the implementations of PrintNightmare and the visibility enabled by Trend Micro Vision One™ and Trend Micro Cloud One™ to mitigate the risks brought on by critical gaps found in systems such as the Print Spooler service. Using the indicators and attributes of exploitation attempts logged from network and endpoints, both platforms allow security teams and analysts a wider view of attack attempts for immediate and actionable response.

The timeline of PrintNightmare is as follows:

1.       June 8: As part of the June security update, the bug identified as an elevation of privilege (EOP) in the Print Spooler service was patched. The vulnerability was tagged as CVE-2021-1675.

2.       June 21: The same bug was later classified as both a remote code execution (RCE) and an EOP vulnerability.

3.       June 29: Researchers with different RCE and EOP proofs of concept accidentally disclosed these publicly as a result of the assumption that their findings were exactly the same and that the bug had already been mitigated as part of the June security update. However, it had not been mitigated yet, and though the researchers deleted their proofs of concept, these had already been replicated and eventually cached by search engines.

4.       July 1: A new vulnerability, considered a zero-day flaw, was assigned as CVE-2021-34527.

5.       July 6: Microsoft released an out-of-band patch to mitigate CVE-2021-34527, but it only prevented a part of the RCE. Specifically, the patch only blocked DLLs from path implementations like “\\server\share\”.

6.       July 7: Researchers reported the bypass, along with information that the universal naming convention (UNC) form of denoting paths, “\??\UNC\”, rather than the use of “\\”, could evade the patch.

7.       July 15: Microsoft disclosed that a new EOP vulnerability in the Print Spooler service was found and assigned it as CVE-2021-34481.

8.       August 10: Microsoft updated CVE-2021-34481 and released the patches to prevent exploitation.

figure1-detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one
Figure 1. The PrintNightmare exploit and the development timeline of patches

Following the different implementations and proofs of concept that are already out in the public, here we detail our observations of PrintNightmare. In the following sections, we identify the potential indicators of compromise (IOCs) in a user’s environment, as well as the protection and visibility offered by both Trend Micro Vision One and Trend Micro Cloud One platforms.

Print Spooler Service

The Print Spooler service enables clients and servers to carry out tasks related to printing. On a print server, the Spooler shares print queues that are exposed to print clients. On a print client, the Spooler service exposes printing APIs to applications, receives the print output of an application, and sends it to a shared print queue or a print server.

figure2-detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one
Figure 2. The Print Spooler service

To view the details of the Spooler service, we use Sysinternals’ Process Explorer, wherein the binary (“spoolsv.exe”) runs with the highest privilege (that is, the privilege of the SYSTEM user). The service has been riddled with vulnerabilities in the past, and successful exploitation can lead to code execution in the context of the system user. The vulnerabilities revolve around how Print Spooler loads printer drivers. Since the service itself runs with the highest privilege, the code execution also occurs in the highest privilege.

There has been an indication from the Certified Information Systems Auditor (CISA) regarding the active exploitation of this vulnerability by threat actors. Since the attack is network-based, it can be executed even by other users with lower system privileges since the spooler service is not disabled by default on most machines (such as domain controllers and print servers). Upon exploiting this vulnerability, an attacker can execute code in the context of the system, making the vulnerability a go-to technique to escalate privileges.

Routine

We observed that there are a few indicators suggesting potential exploitation. We detail them in this section for future reference with regard to ensuring robust protection.

figure3-detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one
Figure 3. PrintNightmare exploit

The exploitation of the Spooler service can be broken down into the following:

1.       The vulnerability in the Print Spooler service is exploited by the attacker.

2.       A malicious DLL file on the attacker-controlled SMB share is accessed by the victim machine.

3.       The DLL file is written to the disk.

4.       The DLL file is loaded and executed by the Print Spooler service.

5.       In cases where the DLL file is malformed, the Print Spooler service crashes.

6.       Based on the DLL code, command and control (C&C) or privilege escalation is observed.

In case event logging for the Print Spooler service is not enabled by default, we advise administrators and/or users to enable it using the following PowerShell command:

 

$logs = Get-LogProperties ‘Microsoft-Windows-PrintService/Operational’

$logs.Enabled = $true

Set-LogProperties -LogDetails $logs

Administrators can also navigate to “Application and Services” logs and enable both Admin and Operational events to detect attempts of abuse.

figure4-detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one
Figure 4. Navigating the “Application and Services” logs

Upon the exploitation of PrintNightmare, we observed the following activities logged on the vulnerable machine. The malicious DLL file is fetched from the attacker-controlled SMB share and written to the disk of the targeted machine.  When a DLL file is injected into the memory of a process (in this case “spoolsv.exe”), then the operation “Load Image” is observed on Process Monitor. Once the DLL is loaded in the process, the malicious code is executed.

figure5-detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one
Figure 5. The malicious DLL file is fetched from the attacker-controlled SMB.
figure6-detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one
Figure 6. Creation of the attacker DLL in the victim host.

The attack is made up of two stages:

A.      Stage 0

1.       The DLL path in the SMB share makes a single call to “RpcAddPrinterDriver” with the value of “pDataFile”.

2.       The DLL is looked for in the path “%windir%\System32\spool\drivers\x64\3\”.

3.       A new file handle is opened at “%windir%\System32\spool\drivers\x64\3\New\<name_of_dll>.dll”.

4.       Once the “WriteFile” operation has been completed, the path is renamed to “%windir%\System32\spool\drivers\x64\3\<name_of_dll>.dll”.

5.       The DLL finally resides at the aforementioned renamed path.

figure7-detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one
Figure 7. In Stage 0, the DLL resides in the renamed path once the “WriteFile” operation is complete.

A.      Stage 1

1.       After completing stage 0, the DLL already resides at the path “%windir%\System32\spool\drivers\x64\3\”.

2.       To load the DLL in the Print Spooler service, the “RpcAddPrinterDriver” call is done, specifying the “pConfigFile” as the local path to the uploaded DLL.

3.       When the DLL is loaded in the process “spoolsv.exe”, the “Load Image” operation is observed.

figure8-detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one
Figure 8. Loading the DLL in the Print Spooler service
figure9-detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one
Figure 9. In Stage 1, the DLL observed is loaded in the process “spoolsv.exe”.

Using Process Explorer, we see the process lineage identifying the order in which the processes have been spawned. When “spoolsv.exe” loads the malicious DLL, rundll32 executes the DLL. Based on the code of the DLL (in this case, it will give a reverse shell to the attacker), “cmd.exe” is spawned from “rundll32.exe”, which in turn is spawned from “spoolsv.exe”. From the process lineage, analysts and IT teams can understand where a certain activity originates. This is also helpful in narrowing the processes involved in threat hunting.

figure10-detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one
Figure 10. Visualizing the hierarchy of “spoolsv.exe”

When there are attempts to load a DLL in the Print Spooler service, the following event IDs are observed in the event logs for printer service:

1.       When the DLL is malformed, event ID 808 is observed from the event source “Microsoft-Windows-PrintService/Operational”. Here we see the path to the DLL that is malformed in the details, indicating that Print Spooler failed to load the malicious DLL. This event ID is a high-confidence indicator of a possible PrintNightmare exploitation (Stage 1).

figure11-detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one
Figure 11. Event ID 808

2.       When a new printer driver is added or updated in the Print Spooler, event ID 316 is observed. We can see the name of the DLL file in the details, and the event is logged for both successful and unsuccessful attempts of exploitation (Stage 0).

figure12-detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one
Figure 12. Event ID 316

Trend Micro Cloud One™ – Workload Security

The modules in this section are packaged in a single bundle as part of the Trend Micro Deep Security Agent (DSA). To know more about the onboarding of Cloud One and Trend Micro Vision One, check our guide here.

From your Trend Micro Cloud One console, enable the following modules with the following configuration:

1.       Antimalware module with real-time scanning turned on

2.       Log Inspection module: Rule 1011017 – Microsoft Windows – Print Spooler Failed Loading Plugin Module (PrintNightmare)

3.       Intrusion prevention system (IPS) module in “Prevent Mode”

a.       Rule 1011016 – Identified DCERPC AddPrinterDriverEx Call Over TCP Protocol

b.       Rule 1011018 – Identified DCERPC AddPrinterDriverEx Call Over SMB Protocol

4.       Activity monitoring

The modules enable insight into the workloads and provide visibility for the events that we observed previously. We leverage the detections in a comprehensive manner in Trend Micro Vision One. The images and descriptions in the following section illustrate how the detections appear on the platform once enabled.

Cloud One Detections

The Log Inspection rule “1011017 – Microsoft Windows – Print Spooler Failed Loading Plugin Module (PrintNightmare)” is triggered when a malformed DLL is loaded by the Print Spooler service. The event source is seen as “Microsoft-Windows-PrintService/Admin” and the event ID is 808.

figure13-detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one
Figure 13. The malformed DLL triggers the Log Inspection rule.

The implementations MS-RPRN and MS-PAR of PrintNightmare trigger the IPS events log when the agreed dialect for communication between the attacker and the victim is SMBv1 or SMBv2 without encryption.

figure14-detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one
Figure 14. The PrintNightmare implementations trigger the Cloud One IPS events.

Additionally, the antimalware module is triggered when there are known malicious signatures observed in the DLL created on the disk. The advanced File Reputation Services, along with Trend Micro™ Smart Protection Network™ (SPN), enables real-time monitoring of new files being created on the machine and flags malicious files based on patterns maintained by SPN.

figure15-detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one
Figure 15. Malicious signatures trigger the antimalware module in order to block them.

Trend Micro Vision One™ Workbench App

figure16-detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one
Figure 16. Detecting and tracking the suspicious outbound traffic as seen on the Trend Micro Vision One Workbench
figure17-detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one
Figure 17. Using the Trend Micro Vision One Workbench to map the PrintNightmare exploit in the system

Looking at the Trend Micro Vision One Workbench’s root cause analysis (RCA), we see the process lineage where “msfvenom.dll” was created by the Print Spooler service (“spoolsv.exe”). This was followed by the spawning of “rundll32.exe”, which executes the malicious DLL.

Upon execution, there is a callback from the child process of the Print Spooler service to the attacker machine that has a meterpreter handler listening on port 4444. Upon getting the meterpreter callback, we drop a command prompt (“cmd.exe”) shell and run “whoami”.

figure18-detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one
Figure 18. Process lineage from Trend Micro Vision One Workbench

Every single object shown in the RCA has specific attributes associated with them. For example, the object “msfvenom.dll” is associated with the following Observed Attack Techniques (OATs): “Suspicious DLL Created In Print Spooler Driver Folder” and “Non-signed DLL Dropped In Windows Folder,” as seen on the upper right-hand corner of Figure 18.

We also highlight the hash of the DLL, which can be subsequently used to look up possible occurrences within the organization. Other fields such as “First Seen,” “Last Seen,” and empty “Signer” fields give more insights into the metadata of the DLL.

figure19-detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one
Figure 19. Hashes and field information seen on the Workbench can be used to check for similar occurrences in other systems within the company.

The RCA shows the activities observed from the executable “rundll32.exe” in the Print Spooler service. From the log, we can understand the following:

1.       The executable “rundll32.exe” came from “spoolsv.exe”.

2.       This event was followed by an outbound connection originating from “rundll32.exe”.

3.       Four seconds after the outbound activity was observed, “cmd.exe” was spawned from “rundll32.exe”.

4.       Two seconds after “cmd.exe” was observed, “whoami” was run by the attacker.

figure20-detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one
Figure 20. Tracking the logged activities from executable “rundll32.exe”

Trend Micro Vision One™ Hunting Queries 

To hunt down potential IOCs in the environment from PrintNightmare, the following Trend Micro Vision One search queries are useful:

1.       Creation of DLL files in the folders under “%windir%\System32\spool\drivers\x64\3\New”

eventSubId:101 AND (objectFilePath:\\windows\\system32\\spool\\drivers\\x64\\3\\New AND objectFilePath:*.dll) AND NOT (objectFilePath:winhttp.dll OR objectFilePath:unidrv.dll)

figure21-detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one
Figure 21. Using Trend Micro Vision One search queries for DLL files created

2.      Spawning of suspicious processes from the Print Spooler service

eventSubId:2 AND (parentFilePath:spoolsv.exe AND processFilePath:rundll32.exe)

figure22-detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one
Figure 22. Finding suspicious processes originating from the spooler service

3.      Outbound connections originating from child processes of the Print Spooler service

eventSubId:204 AND parentFilePath:spoolsv.exe AND (processFilePath: (*cmd.exe* OR *powershell.exe* OR *rundll32.exe*))

figure23-detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one
Figure 23. Finding connections from external and unknown systems

4.     Malware detection from the file path ‘\\Windows\\System32\\spool\\drivers\\x64\\3\\’

eventName: “MALWARE_DETECTION” AND

filePath:\\Windows\\System32\\spool\\drivers\\x64\\3

figure24-detecting-printnightmare-exploit-attempts-with-trend-micro-vision-one-and-cloud-one
Figure 24. Finding malware from the Print Spooler service drivers

Conclusion

PrintNightmare started out as a confusion among individual studies by security researchers, ranging from incoherent disclosures to the bypassing of official patches. Proofs of concept have already been accommodated in various frameworks like the Metasploit Framework (MSF) and tools like Mimikatz. Additionally, exploitation of PrintNightmare will soon become an attacker’s go-to method for privilege escalation and lateral movement since the attack vector contains both RCE and local privilege escalation capabilities, does not require user interaction, and can be triggered from the context of a low-privileged user.

Since the Print Spooler service is enabled by default on most Windows versions and is left open in most corporate environments, there is an increased susceptibility for exploitation by a malicious actor. If there is a compromised endpoint in an Active Directory (AD) environment, the threat actor can get the highest privilege on any system (including domain controllers and print servers) running the Print Spooler service.

Through this blog, we attempt to describe how the advanced visibility provided by Trend Micro Vision One and Trend Micro Cloud One thwarts attacks that abuse such critical vulnerabilities. We take into account metrics from the network and endpoints that would indicate potential attempts of exploitation. The Trend Micro Vision One Workbench shows a holistic view of the activities that are observed in a user’s environment by highlighting important attributes related to the attack. Using the RCA feature, a user can look into the details of the attack per step. Lastly, Trend Micro Smart Protection Network (SPN) for threat intelligence creates a lookout for recent advanced threats that are at large to keep users’ assets safe.

Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn

Featured News