Detecting Windows PrinterNightmare Bug Exploit Code
Jason Wheeler, VP Customer Service of HAWK.io, discusses his approach to creating detection rules for the PrinterNightmare exploit. He will also discuss what to look for in the raw Windows event logs, and demonstrate the time saving benefits of HAWK vTTAC™ data enrichment for automatically capturing critical information needed for efficient digital forensics and incident response (DFIR).
As Microsoft releases patches for various zero-day vulnerabilities, including the dangerous Windows PrinterNightmare Bug, SecOp pros have been busy researching the most efficient methods to detect evidence of exploitation. Tracked as CVE-2021-1675, this attack targets the Windows Print Spooler service and can for allow a total compromise of Windows systems.
Following the June 29th disclosure of a fully working PoC exploit on GitHub, researchers have been scrambling to update SIEM and MDR systems with reliable rules to detect and alert on this exploit. Below, we will share the research methodologies used to detect not only the PrinterNightmare exploitation code, but also show you how we detected the system used to launch the attack.
Using the PoC exploit code found on GitHub, the attack is launched.
Once we have logged into the targeted server, we started with analyzing the event logs:
Performed a “diff” and then filtered out unrelated events
Analyzed all events related directly to the targeted attack and discovered that eventID 5145 (“Detailed File Share”) showed the system accessing the spool service using a unique access mask vs. a typical user access workflow
That is how we began to determine the difference between typical user behavior and the exploit behavior. From there, using our HAWK.io MDR service, we went through previous logs for historical reference and identified zero false positives and high accuracy.
With the information accumluated, we were able to create the following detection rule.
Using HAWK.io’s BDSA platform with (vStream) and utilizing the new analytic rule (above), we are now able to see the full payload of event data in context with the detected exploit.
Using HAWK’s patented vTTAC™ technology, the event stream is enriched with related events and also performs automatic lookups to get values of referenced items at the time of the event creation. This saved us significant time and effort with the DFIR process by also providing the SMB server that was serving the files. The same process can be executed against historical logs to determine if this specific event has occurred before.
Learn more at HAWK.io
Jason Wheeler, VP Customer Services
Jason Wheeler joined HAWK in 2014 and has been appointed Vice President of Security Services. In this role, Mr. Wheeler will oversee all areas of Customer Services and lead the organization dedicated to providing excellent customer satisfaction.
Mr. Wheeler is well known in the Information Security field as an expert in hardware, web applications, and mobile applications exploit research. This research has been featured on Forbes, TechCrunch, and Popular Mechanics. Jason frequently speaks at security events, and is involved with several open source projects.
Jason’s broad experience in IT infrastructure and passion for information security, especially offensive security and threat modeling will continue to influence HAWK’s innovation in both product and services to ensure overall customer success.