I'm sure most of you have heard about the recent remote code execution (RCE) exploit dubbed as PrintNightmare. It is an attack against the printer spool service that allows an attacker, with normal user credentials, to execute with SYSTEM level privileges on a remote or local system. This means that an attacker would need to have credentials in order to exploit this, but they are trivial for an attacker to obtain if they are already in your network.
As this exploit works against the printer spooler service, we would want to place our focus on the binary, spoolsv.exe, so we can view what actions it performs. In doing so, we can see that spoolsv.exe has written a few DLL's to disk, two of which are legitimate and part of the normal process, unidrv.dll and kernelbase.dll, and one suspect DLL named, dhsyuebf.dll:
It is common for spoolsv.exe to write DLL’s to disk, so just relying on this behaviour would not be enough, it would require the defender to hunt through those DLL’s in order to identify those that look out of place, or endpoints this is occurring on that it typically does not. The following queries can be used to slim the dataset down to these events:
Further analysis shows that spoolsv.exe seldom writes the kernelbase.dll file, looking for this activity should make for a higher fidelity indicator for this exploit. The following query can be used to identify this behaviour:
We can detect this behaviour in NetWitness Packets by looking at SMB traffic that is communicating with the named pipe, spoolss (filename = 'spoolss'). In doing so, we can see the various actions associated with the communication to that named pipe. The ones we are interested in are the, rpcenumprinterdrivers and rpcaddprinterdriverex. This is because the exploit works by adding a printer driver:
The parser that generates this metadata is currently undergoing maintenance, until that parser is officially released, this metadata may not be generated.
The following logic could be used in order to detect this behaviour:
While this exploit is somewhat trivial to detect, there are a number of caveats with the detections outlined above. If you are using NetWitness Network, it requires that you are capturing lateral traffic, which is not overly common. Furthermore, if your organisation uses encrypted SMBv3, you won’t be able to see the actions and pipe name. So, it is important to have at least the PrintService-Operational event channel enabled, or the endpoint agent installed in order to have some visibility into the print service. This exploit also does not have to take place over the network, and can be performed locally in order to escalate privileges on that endpoint. In this scenario, you would not see any activity over the network and would need to rely on log or EDR visibility in order to detect it.