CONTACT US
forrester wave report 2023

Forrester rates Corelight a strong performer

GET THE REPORT

ad-nav-crowdstrike

Corelight now powers CrowdStrike solutions and services

READ MORE

ad-images-nav_0013_IDS

Alerts, meet evidence.

LEARN MORE ABOUT OUR IDS SOLUTION

ad-images-nav_white-paper

5 Ways Corelight Data Helps Investigators Win

READ WHITE PAPER

glossary-icon

10 Considerations for Implementing an XDR Strategy

READ NOW

ad-images-nav_0006_Blog

Don't trust. Verify with evidence

READ BLOG

ad-nav-NDR-for-dummies

NDR for Dummies

GET THE WHITE PAPER

video

The Power of Open-Source Tools for Network Detection and Response

WATCH THE WEBCAST

ad-nav-ESG

The Evolving Role of NDR

DOWNLOAD THE REPORT

ad-images-nav_0006_Blog

Detecting 5 Current APTs without heavy lifting

READ BLOG

g2-medal-best-support-ndr-winter-2024

Network Detection and Response

SUPPORT OVERVIEW

 

PrintNightmare, SMB3 encryption, and your network

CVE-2021-1675, also tracked in CVE-2021-34527, is a remote code execution vulnerability that targets the Windows Print Spooler service. In a nutshell, there is a Distributed Computing Environment / Remote Procedure Call (DCE/RPC) that allows authenticated users to add printer drivers to the spooler service. A malicious DLL instead can be included, which allows a user to take over the machine running the spooler. In the event this machine is also the domain controller, the implications are worse, as the included code will run at a higher level of privilege.

Existing approaches for detection rely on hunting for Windows events or system-level artifacts, but detecting on the network presents unique challenges. The attack relies on adding a printer driver using the DCE/RPC commands RpcAddPrinterDriver or RpcAddPrinterDriverEx. Unfortunately, there are legitimate uses of this, so relying fully on this command completing successfully as a detection could be error prone. To make matters worse, one POC in the wild wraps the DCE/RPC calls in SMB3 encryption. Compare the first screenshot that clearly shows the relevant RPC call versus the second from the aforementioned POC that only shows encrypted payloads.
pcap-in-wireshark-showing-printnightmare-exploit
Figure 1: PCAP in Wireshark showing PrintNightmare exploit carried over DCE/RPC in the clear.
printnightmare-poc-written-in-impacket
Figure 2: PrintNightmare POC written in impacket with payloads encrypted by SMB3. Graciously shared with us by Zander Work.

So in order to identify the DCE/RPC commands, one must either somehow intercept and decrypt the payloads or somehow infer the commands from encrypted communications, as we have done with other protocols.

Given the severity of the issue, we are releasing a Zeek package that identifies printer driver additions that occur in the clear over DCE/RPC. While this isn’t guaranteed to only identify this exploit, the command appears to occur rarely on our test networks. Your mileage may vary, however. We hope this helps the NDR community identify potential instances of the exploit and as always, we appreciate any comments or feedback you may have. As of July 6 Microsoft has released additional patches to address this issue, as well as other mitigations if updating a system is not feasible.

 

Recent Posts