On June 29, 2021, proof of concept code for CVE-2021-1675 (dubbed PrintNightmare) was posted on Github.
This CVE was partially patched by Microsoft on June 8, 2021 as a part of the June 2021 Patch Tuesday, which initially was described as local privilege escalation. On June 21, Microsoft corrected the advisory to include remote code execution and increased the CVE severity to critical.
This blog will help you proactively search for related indicators of compromise (IOCs) and attack techniques using Cortex XDR.
| config case_sensitive = false timeframe=14d
| dataset = xdr_data | filter event_type = FILE and (event_sub_type = FILE_WRITE or event_sub_type = FILE_CREATE_NEW) and action_file_path contains "Windows\System32\spool\drivers\" | fields event_timestamp, action_file_path, event_type, event_sub_type, actor_process_image_name, agent_hostname | comp count(event_timestamp) as event_count, count_distinct(agent_hostname) as distinct_host_count by agent_hostname, action_file_path, event_type, event_sub_type, actor_process_image_name | filter (action_file_path contains "\3\old") // Looking for a file path that contains something similar to C:\Windows\System32\spool\drivers\x64\3\old\1\ // The above path indicates the backup driver feature of the upgrade system was used, which is required by the original posted POC for this attack |
| config case_sensitive = false timeframe=30d
| dataset = xdr_data | filter actor_process_image_name = "spoolsv.exe" | fields event_timestamp, action_file_path, event_type, event_sub_type, actor_process_image_name, actor_remote_ip, agent_hostname | alter note = "Print Spooler activity observed on this host in the past 30 days" | comp count(event_timestamp) as event_count by agent_hostname, note |
| config case_sensitive = false timeframe=14d
| dataset = xdr_data | filter event_type = PROCESS and event_sub_type = PROCESS_START and action_process_image_name = "werfault.exe" and actor_process_image_name = "spoolsv.exe" and agent_os_sub_type ~= "^Windows Server.*" | fields agent_hostname, action_process_image_name, actor_process_image_name, agent_os_sub_type | alter note = "spoolsv.exe spawns werfault.exe" |
The Cortex XDR Managed Threat Hunting team proactively hunted for threats and activities related to the event in Managed Threat Hunting customers and notified them with a detailed Impact Report.
Cortex XDR alerts that detect this attack
| Source | Description |
| Cortex XDR Agent | Behavioral Threat Protection |
Due to the high impact of a potential attack and the prevalence and ease of use of the PrintNighmare exploit, we highly advise Palo Alto Networks customers to upgrade to Cortex XDR agent 7.3.2 or newer and download the most recent content update to take advantage of the latest protection mechanisms within Cortex XDR. They should also hunt for threats using the XQL queries described in this blog. We also recommend disabling the Windows Print Spooler service in systems where it's not required as a precautionary measure.
For more information on remediating this CVE, please read our supporting blog "Remediating PrintNightmare (CVE-2021-1675) Using Cortex XSOAR"
By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement. Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.