Executive summary
Microsoft is aware of public proof-of-concept (PoC) code for an unpatched, authenticated remote code execution vulnerability in the Windows Print Spooler service and has assigned it CVE-2021-34527. Microsoft researchers have discovered active exploitation of this vulnerability by attackers.
An attacker who has or obtains the ability to execute code on the target network and successfully exploits the vulnerability could run arbitrary code with SYSTEM privileges. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Microsoft is currently investigating the full impact and applicability of the vulnerability (which researchers are also referring to as ‘PrintNightmare’). This report will be updated as new information becomes available. All versions of Windows are believed to be affected. While public reports may identify this vulnerability as CVE-2021-1675, which was addressed in the June 8, 2021 Windows security updates, Microsoft has confirmed it is a distinct vulnerability.
Customers are advised to consider immediately mitigating this vulnerability by disabling the Print Spooler service on domain controllers. This report also provides hunting guidance for locating possible exploitation activity connected to this vulnerability.
Mitigations
Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
Recommendations for IMMEDIATE action
- Prioritize installation of the security update for CVE-2021-34527 when it becomes available. We also recommend prioritizing the installation of the security update for CVE-2021-1675. Customers with automatic updates turned on don’t need to take additional action.
- Disable the Windows Print Spooler service on domain controllers (and on any other system that does not need printing). There are several methods for doing this, and Microsoft advises proceeding with extra caution to ensure these actions don’t disrupt normal business operations, as printing will be disabled. Microsoft Defender for Identity and Microsoft Cloud App Security customers can refer to this guidance when disabling the Print Spooler service.
- Via the registry
- Run this command, and then restart the machine: REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
- Via PowerShell
- Stop-Service -Name Spooler -Force
- Set-Service -Name Spooler -StartupType Disabled
- Via Group Policy
- If the Print Spooler service can’t be disabled, you can use Group Policy to disable inbound remote printing.
- In Computer Configuration / Administrative Templates / Printers, disable the "Allow Print Spooler to accept client connections" policy. Disabling this policy blocks the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print server, but local printing to a directly attached device is still possible.
- To reduce the attack surface and as an alternative to disabling printing, check membership and nested group membership in the groups listed below. Attempt to reduce membership as much as possible, or completely empty the groups where possible. Due to legacy configurations and backwards compatibility, some of these groups may contain Authenticated Users or Domain Users, which would allow anyone in the domain to exploit the domain controller.
- Administrators
- Domain Controllers
- Read Only Domain Controllers
- Enterprise Read Only Domain Controllers
- Certificate Admins
- Schema Admins
- Enterprise Admins
- Group Policy Admins
- Power Users
- System Operators
- Print Operators
- Backup Operators
- RAS Servers
- Pre-Windows 2000 Compatible Access
- Network Configuration Operators Group Object
- Cryptographic Operators Group Object
- Local account and member of Administrators group
- Check Point and Print settings, which may impact the security of your environment as well. If “NoWarningNoElevationOnInstall” is set to “1”, it overrides the security settings introduced in CVE-2021-1675 and leaves the system vulnerable to CVE-2021-34527, even when members have been removed from the listed groups. To mitigate these issues, set the key to “0” or “Not defined”.
- [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint] "NoWarningNoElevationOnInstall"=dword:00000000
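As an added example (not part of the Microsoft report), the following PowerShell audits a host against the mitigations listed above: Spooler state and start type, the "accept client connections" policy, and the Point and Print override. It assumes that RegisterSpoolerRemoteRpcEndPoint is the registry value backing the "Allow Print Spooler to accept client connections" policy (2 = disabled); that value is not named in the report.

```powershell
# Audit PrintNightmare mitigation posture on the local host. Run elevated.
# Added example, not from the Microsoft report.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-SpoolerMitigation {
    [CmdletBinding()] param()
    # Win32_ComputerSystem.DomainRole 4 (backup DC) or 5 (primary DC) marks a domain controller
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    # Assumption: backing value of "Allow Print Spooler to accept client connections" (2 = Disabled)
    $rpc = Get-RegValue -Path $policyKey -Name 'RegisterSpoolerRemoteRpcEndPoint'
    # Point and Print override named in the report; 1 re-enables the vulnerable behavior
    $pnp = Get-RegValue -Path "$policyKey\PointAndPrint" -Name 'NoWarningNoElevationOnInstall'

    $findings = @()
    if ($svc -and $svc.Status -eq 'Running') {
        $msg = if ($isDc) { 'Spooler is running on a domain controller: disable it.' }
               else       { 'Spooler is running: disable it if this host does not need printing.' }
        $findings += $msg
    }
    if ($svc -and $svc.StartType -ne 'Disabled') {
        $findings += "Spooler start type is '$($svc.StartType)'; expected 'Disabled'."
    }
    if ($svc -and $svc.Status -eq 'Running' -and $rpc -ne 2) {
        $findings += 'Spooler still accepts client connections (policy not set to Disabled).'
    }
    if ($pnp -eq 1) {
        $findings += 'NoWarningNoElevationOnInstall=1 overrides the CVE-2021-1675 hardening; set it to 0.'
    }

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        IsDomainController       = $isDc
        SpoolerState             = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'NotInstalled' }
        AcceptsClientConnections = ($rpc -ne 2)
        PointAndPrintOverride    = ($pnp -eq 1)
        Findings                 = $findings
    }
}

Test-SpoolerMitigation | Format-List
```

An empty Findings list means the host matches the report's recommended state; group membership (the list above) still needs a separate review in Active Directory.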
Additional recommendations
- Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
- Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.
- Microsoft Defender customers can turn on attack surface reduction rules to prevent common attack techniques used in ransomware attacks. Attack surface reduction rules are sweeping settings that are effective at stopping entire classes of threats.
You can assess how an attack surface reduction rule might impact your network by opening the security recommendation for that rule in threat and vulnerability management. In the recommendation details pane, check the user impact to determine what percentage of your devices can accept a new policy enabling the rule in blocking mode without adverse impact to user productivity.
Detection details
Endpoint detection and response (EDR)
The following alerts may also indicate activity associated with this vulnerability. These alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.
- Possible exploitation of Print Spooler EoP vulnerability
- Suspicious print monitor registration
Advanced hunting
NOTE: The following sample queries search a week’s worth of events. To explore up to 30 days of raw data and locate potential related indicators in your network, go to the Advanced Hunting page > Query tab and use the calendar drop-down menu to set the query range to the last 30 days.
To locate possible exploitation activity, run the following queries in Microsoft 365 security center.
Creation of suspicious DLLs in \spool\ folder
Look for suspicious DLL files created in the \spool\ folder that are subsequently loaded from the \Old\ subfolder.
DeviceFileEvents
| where FolderPath contains @"\system32\spool\drivers\x64\3\"
| where FileName endswith ".dll"
| where ActionType in ("FileCreated", "FileRenamed")
| join kind=inner DeviceImageLoadEvents on DeviceId,DeviceName,FileName,InitiatingProcessFileName
| where Timestamp1 >= Timestamp and FolderPath1 contains @"\system32\spool\drivers\x64\3\Old"
Creation of suspicious files in the \spool\drivers\ folder
Monitor for creation of suspicious files in the \spool\drivers\ folder. This is a broad search that surfaces any creation or modification of files in the folder targeted by this exploit. False positives from legitimate driver activity in this folder are possible where such activity is expected.
DeviceFileEvents
| where FolderPath has @"System32\spool\drivers"
| project DeviceName,Timestamp,ActionType,FolderPath,FileName,SHA1
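The two queries above need Microsoft Defender for Endpoint telemetry. As an added example (not from the Microsoft report), this PowerShell performs the equivalent check locally on a single host: it lists DLLs recently written under the spooler driver store, flags copies under \Old\, and records hash and Authenticode status so the output can be compared with the SHA1/SHA256 values the queries return. The 7-day window and the driver root path are assumptions matching the report's queries.

```powershell
# Local triage of the spooler driver store. Added example, not from the Microsoft report.
function Get-RecentSpoolDriverDll {
    param(
        [int]$Days = 7,   # same window as the hunting queries
        [string]$DriverRoot = (Join-Path $env:SystemRoot 'System32\spool\drivers')
    )
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $DriverRoot -Filter '*.dll' -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path        = $_.FullName
                Created     = $_.CreationTime
                LastWrite   = $_.LastWriteTime
                # Same hash algorithms the DeviceFileEvents/DeviceImageLoadEvents columns expose
                SHA1        = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash
                SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signature   = $sig.Status
                Signer      = $sig.SignerCertificate.Subject
                # The first query keys on DLLs later loaded from \x64\3\Old\
                InOldFolder = ($_.DirectoryName -like '*\Old*')
            }
        }
}

# Unsigned DLLs and copies under \Old\ sort to the top; legitimate driver installs also appear,
# so treat this as a review list, not a verdict.
Get-RecentSpoolDriverDll -Days 7 |
    Sort-Object -Property @{ Expression = { $_.Signature -ne 'Valid' }; Descending = $true },
                          @{ Expression = 'InOldFolder'; Descending = $true } |
    Format-Table -AutoSize Path, Created, Signature, InOldFolder, SHA256
```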
Creation of suspicious processes by the spoolsv.exe process
Monitor for processes created by spoolsv.exe shortly after it loads a DLL from the driver store, which may indicate suspicious behavior.
DeviceImageLoadEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "spoolsv.exe"
| where FolderPath has @"spool\drivers"
| extend LoadFileTime = Timestamp
// Rename the DLL columns before the join; otherwise FileName/SHA256 from this table
// shadow the process columns and the process-name filter below never matches
| project DeviceId, LoadFileTime, LoadedFileName = FileName, LoadedSHA256 = SHA256
| distinct DeviceId, LoadFileTime, LoadedFileName, LoadedSHA256
// kind=inner keeps every DLL load per device (the default innerunique keeps only one)
| join kind=inner DeviceProcessEvents on $left.DeviceId == $right.DeviceId
| where Timestamp > ago(7d)
| where Timestamp < LoadFileTime + 5m
| where InitiatingProcessFileName =~ "spoolsv.exe"
| where ProcessIntegrityLevel =~ 'SYSTEM'
| where (FileName in~ ("gpupdate.exe", "whoami.exe", "nltest.exe", "taskkill.exe",
    "wmic.exe", "taskmgr.exe", "sc.exe", "findstr.exe", "curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe", "accesschk.exe",
    "wevtutil.exe", "bcdedit.exe", "fsutil.exe", "cipher.exe", "schtasks.exe", "write.exe", "wuauclt.exe")) or
    // Processes with specific FPs removed
    (FileName =~ "net.exe" and ProcessCommandLine !has "start") or
    (FileName =~ "cmd.exe" and not(ProcessCommandLine has_any(".spl", "route add", "program files"))) or
    (FileName =~ "netsh.exe" and not(ProcessCommandLine has_any("add portopening", "rule name"))) or
    (FileName =~ "powershell.exe" and ProcessCommandLine !has ".spl")
Spooler service launches rundll32.exe with empty command line
Look for spoolsv.exe launching rundll32.exe with an empty command line.
DeviceProcessEvents
| where InitiatingProcessParentFileName has "spoolsv.exe"
| where InitiatingProcessFileName =~ "rundll32.exe"
| where isempty(InitiatingProcessCommandLine) or InitiatingProcessCommandLine endswith "rundll32.exe" // command line is either empty or just "rundll32.exe"
| where FileName !in~ ("WerFault.exe")