Please be aware that Red Piranha’s Security Operations Centre has detected that a proof of concept for PrintNightmare, a critical remote code execution and privilege escalation vulnerability, has been leaked: the security researchers who reported it mistook a Microsoft patch for a separate issue as a fix for their vulnerability. The vulnerability targets an issue within the Print Spooler Service that allows drivers to be installed into a sub-directory of system32, from which they are executed by the Spooler Service. On a domain controller this code runs as NT_SYSTEM, which gives an attacker access to all hashed domain credentials.
Path traversal has also been demonstrated, which may allow further avenues of exploitation via files uploaded as NT_SYSTEM. The researchers who discovered this vulnerability advise that they have further findings regarding the Print Spooler, which they will disclose during their Black Hat conference talk.
The leaked proof of concept is written to exploit Windows Server 2019; however, all current NT-based Windows operating systems, potentially as far back as Windows 2000, are likely to be affected. As a result, the current mitigation strategy is to disable the Print Spooler Service, either manually through the Services Microsoft Management Console snap-in or through Group Policy. Note that this removes the ability for Print-to-PDF drivers to function, and domain-joined printers will no longer receive print jobs.
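The following is an added example, not a script from Red Piranha, showing the manual mitigation above applied from an elevated PowerShell session: it stops the Print Spooler service, sets its startup type to Disabled so it does not return after a reboot, and reports the resulting state so the change can be verified. The function name Disable-PrintSpooler and the host names in $Targets are constructed for this example; it assumes PowerShell remoting is enabled to the named hosts.

```powershell
# Added example (not Red Piranha's script): stop and disable the Print Spooler
# service on one or more hosts and report the resulting state. Assumes an
# elevated session with remoting rights to the named hosts.
function Disable-PrintSpooler {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $svc = Get-Service -Name Spooler -ErrorAction Stop
        if ($svc.Status -ne 'Stopped') {
            # -Force also stops any service that depends on the spooler
            Stop-Service -Name Spooler -Force
        }
        # Disabled rather than Manual: a Manual service can still be started on demand
        Set-Service -Name Spooler -StartupType Disabled
        # Return the verified state for the caller to review
        Get-Service -Name Spooler |
            Select-Object @{ n = 'Host'; e = { $env:COMPUTERNAME } }, Status, StartType
    }
}

# Constructed example targets: domain controllers are the priority hosts,
# since that is where the spooler runs as NT_SYSTEM with domain credentials.
$Targets = @('DC01', 'DC02')
Disable-PrintSpooler -ComputerName $Targets | Format-Table -AutoSize
```

Run it against domain controllers first, then any other servers that do not need to print. The same setting can be pushed to an OU through Group Policy under Computer Configuration, Windows Settings, Security Settings, System Services, by defining the Print Spooler service with a startup mode of Disabled.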
Indicators of compromise include:
Sysmon Event ID 11 (FileCreate) entries where the writing process is spoolsv.exe
Sysmon Event ID 23 (FileDelete) entries for DLL (Dynamic Link Library) files within %windir%\System32\spool\drivers\
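As an added example, not part of the original advisory, the script below hunts the local Sysmon operational log for the two indicators listed above: Event ID 11 file creates performed by spoolsv.exe, and Event ID 23 deletes of .dll files under the spool drivers directory. It assumes Sysmon is installed with FileCreate and FileDelete logging enabled and that the session can read the Microsoft-Windows-Sysmon/Operational log; the function names Get-EventDataField and Find-SpoolerIndicators are constructed for this example.

```powershell
# Added example (not Red Piranha's code): search Sysmon for the PrintNightmare
# indicators of compromise named in the advisory. Assumes Sysmon logs FileCreate
# (ID 11) and FileDelete (ID 23) events and the session can read the log.
$DriverDir = "$env:windir\System32\spool\drivers\"

# Pull one named field out of a Sysmon event's EventData block.
function Get-EventDataField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-SpoolerIndicators {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 11, 23
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $eventId = $_.Id
        $image   = Get-EventDataField -Event $_ -Name 'Image'
        $target  = Get-EventDataField -Event $_ -Name 'TargetFilename'
        $hit = switch ($eventId) {
            # ID 11: any file written by the spooler process
            11 { $image -like '*\spoolsv.exe' }
            # ID 23: a DLL removed from the driver directory (cleanup after loading)
            23 { $target -like "$DriverDir*.dll" }
        }
        if ($hit) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                EventId    = $eventId
                Image      = $image
                TargetFile = $target
            }
        }
    }
}

Find-SpoolerIndicators | Sort-Object Time | Format-Table -AutoSize
```

Normal driver installation also produces spoolsv.exe writes under the drivers directory, so review the ID 11 hits for DLLs that do not match a known driver package, and treat a write closely followed by an ID 23 delete of the same path as the pattern to escalate.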
If you have noticed any strange activity, discovered events such as those detailed above, or require assistance regarding a breach or compromise of systems, please do not hesitate to contact Red Piranha at [email protected] or call us directly, and we will be able to assist.