forked from sar2901/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathprintnightmare_cve_2021_34527.yml
42 lines (37 loc) · 2 KB
/
printnightmare_cve_2021_34527.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
name: PrintNightmare CVE-2021-34527
id: fd79470a-da88-11eb-b803-acde48001122
version: 1
date: '2021-07-01'
author: Splunk Threat Research Team
description: The following analytic story identifies behaviors related PrintNightmare,
or CVE-2021-34527 previously known as (CVE-2021-1675), to gain privilege escalation
on the vulnerable machine.
narrative: 'This vulnerability affects the Print Spooler service, enabled by default
on Windows systems, and allows adversaries to trick this service into installing
a remotely hosted print driver using a low privileged user account. Successful exploitation
effectively allows adversaries to execute code in the target system (Remote Code
Execution) in the context of the Print Spooler service which runs with the highest
privileges (Privilege Escalation). \
The prerequisites for successful exploitation consist of: \
1. Print Spooler service enabled on the target system \
1. Network connectivity to the target system (initial access has been obtained)
\
1. Hash or password for a low privileged user ( or computer ) account. \
In the most impactful scenario, an attacker would be able to leverage this vulnerability
to obtain a SYSTEM shell on a domain controller and so escalate their privileges
from a low privileged domain account to full domain access in the target environment
as shown below.'
references:
- https://github.com/cube0x0/CVE-2021-1675/
- https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/
- https://blog.truesec.com/2021/06/30/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675/
- https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes
tags:
analytic_story: PrintNightmare CVE-2021-34527
category:
- Vulnerability
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Advanced Threat Detection