Detect PrintNightmare (CVE-2021-1675) Exploitation Attempts

June 30, 2021 · 3 min read

A notorious remote code execution (RCE) bug in Windows Print Spooler allows attackers to achieve full system compromise on the unpatched instances. The vulnerability, dubbed PrintNightmare (CVE-2021-1675), was initially rated as a low-severity issue that enables privilege escalation to admin on the targeted hosts. However, after deep-dive research by experts who discovered the potential for RCE,  the impact was re-assessed to critical.

CVE-2021-1675 Description

PrintNightmare flaw occurs due to misconfigurations in Print Spooler (spoolsv.exe), a dedicated Windows utility leveraged by app maintainers to proceed with print jobs. In case successfully exploited, the vulnerability provides adversaries with full control over the affected host. Yet, to achieve RCE on the targeted machine, hackers need to be authenticated to the system. In case there is no ability for authentication, threat actors can exploit the bug to escalate their privileges to admin, which makes this flaw an important asset in the attack scenario.

CVE-2021-1675 was disclosed and patched by Microsoft during its June Patch Tuesday release, with the research credited to Zhipeng Huo of Tencent Security Xuanwu Lab, Piotr Madej of AFINE, and Yunhai Zhang of NSFOCUS TIANJI Lab. 

Initially, it was declared that the vulnerability is low-severity and might be exploited for privilege escalation only. Nevertheless, on June 27, 2021, a group of independent researchers from QiAnXin described the successful CVE-2021-1675 exploitation that allows reaching RCE on the targeted systems. Although QiAnXin researchers didn’t provide any technical details in their video demo, the fully-fledged proof-of-concept (PoC) exploit was accidentally released on GitHub. Particularly, on June 29, 2021, security experts from Sanghor published a full technical description of the bug accompanied by PoC source code. The GitHub repository was taken offline in a couple of hours, however, that was enough to clone the code and share it publicly.

CVE-2021-1675 Detection and Mitigation

The vulnerability impacts all Windows OS versions supported today and might allow compromising the older Windows version, including XP and Vista. Users are urged to apply the patch as soon as possible due to the critical severity of the flaw and the availability of working PoC.

To detect CVE-202101675 exploitation attempts and protect your organization from intrusion, you can download a behavior-based Sigma rule already released in Threat Detection Marketplace by the SOC Prime Team: 

https://tdm.socprime.com/tdm/info/hk7bRwla5EX5/#sigma

The rule has translations to the following languages:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye

EDR: SentinelOne, Carbon Black

MITRE ATT&CK: 

Tactics: Privilege Escalation

Techniques: Exploitation for Privilege Escalation (T1068), Exploitation of Remote Services (T1210)

Sign up to Threat Detection Marketplace to reach over 100K qualified, cross-vendor, and cross-tool SOC content items tailored to 20+ market-leading SIEM, EDR, NTDR, and XDR technologies. Enthusiastic to participate in threat hunting activities and enrich our library with new Sigma rules? Join our Threat Bounty Program for a safer future!

Go to Platform Join Threat Bounty

Was this article helpful?

Like and share it with your peers.

Related Posts