Hunting PrintNightmare (CVE-2021-1675) Using Cortex XDR

Executive Summary

On June 29, 2021, proof of concept code for CVE-2021-1675 (dubbed PrintNightmare) was posted on Github.

This CVE was partially patched by Microsoft on June 8, 2021 as a part of the June 2021 Patch Tuesday, which initially was described as local privilege escalation. On June 21, Microsoft corrected the advisory to include remote code execution and increased the CVE severity to critical.

This blog will help you proactively search for related indicators of compromise (IOCs) and attack techniques using Cortex XDR.

 

Hunting for This Attack in Your Environment

 

Hunt for the attack using XQL Search in Cortex XDR

 

  • Detect PrintNightmare exploitation attempts by searching for any files added to the specific path indicating the backup function of driver upgrade process was used, which is required for this exploit:
config case_sensitive = false timeframe=14d

| dataset = xdr_data

| filter event_type = FILE and (event_sub_type = FILE_WRITE or event_sub_type = FILE_CREATE_NEW) and action_file_path contains "Windows\System32\spool\drivers\"

| fields event_timestamp, action_file_path, event_type, event_sub_type, actor_process_image_name, agent_hostname

| comp count(event_timestamp) as event_count, count_distinct(agent_hostname) as distinct_host_count by agent_hostname, action_file_path, event_type, event_sub_type, actor_process_image_name

| filter (action_file_path contains "\3\old") // Looking for a file path that contains something similar to C:\Windows\System32\spool\drivers\x64\3\old\1\

// The above path indicates the backup driver feature of the upgrade system was used, which is required by the original posted POC for this attack

 

  • To reduce the attack surface, we suggest to check if the Print Spooler service process (spoolsv.exe) is running on any critical systems that it shouldn't run on and disable it:

 

config case_sensitive = false timeframe=30d

| dataset = xdr_data

| filter actor_process_image_name = "spoolsv.exe"

| fields event_timestamp, action_file_path, event_type, event_sub_type, actor_process_image_name, actor_remote_ip, agent_hostname

| alter note = "Print Spooler activity observed on this host in the past 30 days"

| comp count(event_timestamp) as event_count by agent_hostname, note

 

  • Detect possible PrintNightmare exploitation attempts on Windows Servers by looking for errors generated by the Print Spooler which could indicate that an exploitation attempt happened. However, this query also has some false positives where the Print Spooler crashes due to an unrelated error.

 

config case_sensitive = false timeframe=14d

| dataset = xdr_data

| filter event_type = PROCESS and event_sub_type = PROCESS_START and action_process_image_name = "werfault.exe" and actor_process_image_name = "spoolsv.exe" and agent_os_sub_type ~= "^Windows Server.*"

| fields agent_hostname, action_process_image_name, actor_process_image_name, agent_os_sub_type

| alter note = "spoolsv.exe spawns werfault.exe"

 

Cortex XDR Product Response

 

Cortex XDR Managed Threat Hunting

The Cortex XDR Managed Threat Hunting team proactively hunted for threats and activities related to the event in Managed Threat Hunting customers and notified them with a detailed Impact Report.

Cortex XDR alerts that detect this attack

Source Description
Cortex XDR Agent Behavioral Threat Protection

 

Conclusion

Due to the high impact of a potential attack and the prevalence and ease of use of the PrintNighmare exploit, we highly advise Palo Alto Networks customers to upgrade to Cortex XDR agent 7.3.2 or newer and download the most recent content update to take advantage of the latest protection mechanisms within Cortex XDR. They should also hunt for threats using the XQL queries described in this blog. We also recommend disabling the Windows Print Spooler service in systems where it's not required as a precautionary measure.

 

For more information on remediating this CVE, please read our supporting blog "Remediating PrintNightmare (CVE-2021-1675) Using Cortex XSOAR"