Special thanks to Thomas Bouve and Billy O'Brien for working so hard on the payload execution to provide the most relevant information possible.
On June 8th 2021, Microsoft published CVE-2021-1675. The vulnerability, also known as PrintNightmare, was updated on June 21st and its severity became critical.
Depending on how it is executed, the exploitation can be fairly silent and a nightmare to detect (yes, I did dare). But my teammates Thomas, Billy and I are here to help and will try to provide you with some information so you can implement correlation rules that will help detect the exploit.
In one line: the vulnerability affects the Print Spooler service and enables remote code execution. The first advice provided by CISA (Cybersecurity & Infrastructure Security Agency) in its advisory is for "administrators to disable the Windows Print spooler service in Domain Controllers and systems that do not print". Maybe a little classic, but very valid, you'll have to admit!
The behaviour we're looking at can generate a lot of false positives: rules catching authentication to the Spooler service, or the SMB connection used to download the payload DLL, are worth considering but are not the easiest way to go in this particular case.
But we still have two rules to propose! You can implement them today to start monitoring this CVE as quickly as possible. All you need is to configure Sysmon on your server by following our procedure described here, and to download the Windows Custom Properties from the App Exchange here.
The first rule catches when rundll32.exe is spawned by spoolsv.exe.
Apply "rundll32 spawned by spoolsv" on events which are detected by the Local system
 and when the event(s) were detected by one or more of Microsoft Windows Security Event Log
 and when the event category for the event is one of the following: System.Process Creation Success
 and when the event matches Username is any of SYSTEM
 and when the event matches Parent Process Name (custom) is any of spoolsv.exe
 and when the event matches Process Name (custom) is any of rundll32.exe
This would catch an event similar to the following.
The second rule catches when a suspicious DLL has been created by spoolsv.exe.
For this one, you'll need to create one additional custom property, which extracts the process name from the Image field of a Sysmon file-creation event (the field is bounded by the TargetFilename field that follows it), with the following regex:
Regex: Image:.*\\(.*?)\sTargetFilename
Apply "Malicious DLL created by spoolsv" on events which are detected by the Local system
 and when the event(s) were detected by one or more of Microsoft Windows Security Event Log
 and when the event category for the event is one of the following: System.File Created, Audit.Object Load Success
 and when the event matches File Extension (custom) is any of dll
 and when the event matches Process Name (custom) is any of spoolsv.exe
 and when the event matches LOWER("Filename") MATCHES '(myexploit|evil|addcube|rev|rev2|main64|mimilib)\.dll' AQL filter query
Note that the file name list only covers the names used by public proofs of concept; an attacker who renames the DLL will not trigger this rule, so treat it as a high-confidence, low-coverage detection rather than your only one.
This rule would trigger on an event like this one:
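To show how the two rules evaluate against raw events, here is an added Python example; it is not part of the original post or of the QRadar content it describes. It takes constructed Sysmon event 1 (process create) and event 11 (file create) payloads, flattened into single lines the way they reach QRadar, applies the post's Process Name regex plus assumed stand-in regexes for the other custom properties (the App Exchange definitions are not reproduced here), and returns which rule fires on each event. The GUIDs, timestamps, PIDs, user names and helper names are all made up for the example, and the PoC file name alternation is written as rev2|main64.

```python
"""Added example: the post's two PrintNightmare rules evaluated over constructed
Sysmon events, flattened into single-line payloads the way they reach QRadar."""
import re

# Regex given in the post for the extra "Process Name (custom)" property used by
# rule 2: the basename of the Image field, bounded by the TargetFilename field
# that follows it in Sysmon event 11 (FileCreate).
PROCESS_NAME_FILE_EVENT = re.compile(r"Image:.*\\(.*?)\sTargetFilename")

# Assumed stand-ins for the App Exchange "Windows Custom Properties" used by
# rule 1 and for the File Extension / Filename properties. They are NOT the real
# property definitions; they only need to work on the constructed payloads below.
PROCESS_NAME = re.compile(r"\bImage:.*?\\([^\\\s]+)(?=\s|$)")      # \b skips "ParentImage:"
PARENT_PROCESS_NAME = re.compile(r"ParentImage:.*?\\([^\\\s]+)(?=\s|$)")
USERNAME = re.compile(r"\bUser:\s+(.+?)\s+\w+:")                   # value up to the next "Key:"
TARGET_FILENAME = re.compile(r"TargetFilename:\s+(\S+)")

# AQL filter from the post: LOWER("Filename") MATCHES '(...)\.dll'. The
# alternation is written here as rev2|main64. AQL MATCHES is anchored to the
# whole string, hence fullmatch() below.
KNOWN_POC_DLLS = re.compile(r"(myexploit|evil|addcube|rev|rev2|main64|mimilib)\.dll")


def _first(regex, payload):
    """Return the first capture group of regex in payload, or None."""
    m = regex.search(payload)
    return m.group(1) if m else None


def rule1_rundll32_spawned_by_spoolsv(event):
    """Rule 1: Sysmon event 1 where spoolsv.exe, running as SYSTEM, spawns rundll32.exe."""
    if event["event_id"] != 1:                       # System.Process Creation Success
        return False
    p = event["payload"]
    user = (_first(USERNAME, p) or "").rsplit("\\", 1)[-1]   # "NT AUTHORITY\SYSTEM" -> "SYSTEM"
    return (
        user.upper() == "SYSTEM"
        and (_first(PARENT_PROCESS_NAME, p) or "").lower() == "spoolsv.exe"
        and (_first(PROCESS_NAME, p) or "").lower() == "rundll32.exe"
    )


def rule2_malicious_dll_created_by_spoolsv(event):
    """Rule 2: Sysmon event 11 where spoolsv.exe creates a DLL named like a public PoC."""
    if event["event_id"] != 11:                      # System.File Created
        return False
    p = event["payload"]
    filename = (_first(TARGET_FILENAME, p) or "").rsplit("\\", 1)[-1]
    extension = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return (
        extension == "dll"
        and (_first(PROCESS_NAME_FILE_EVENT, p) or "").lower() == "spoolsv.exe"
        and KNOWN_POC_DLLS.fullmatch(filename.lower()) is not None
    )


def spoolsv_wrote_any_dll(event):
    """Broader hunt (not one of the post's rules): any DLL written by spoolsv.exe.
    Catches a renamed payload but also legitimate driver installs, so it needs
    baselining against your print servers rather than direct alerting."""
    if event["event_id"] != 11:
        return False
    p = event["payload"]
    filename = (_first(TARGET_FILENAME, p) or "").lower()
    return filename.endswith(".dll") and (_first(PROCESS_NAME_FILE_EVENT, p) or "").lower() == "spoolsv.exe"


RULES = [
    ("Malicious DLL created by spoolsv", rule2_malicious_dll_created_by_spoolsv),
    ("rundll32 spawned by spoolsv", rule1_rundll32_spawned_by_spoolsv),
]


def run_rules(events):
    """Return (event index, rule name) for every rule that fires on every event."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


# Constructed sample payloads (GUIDs, timestamps, PIDs and users are made up).
SAMPLE_EVENTS = [
    {"event_id": 11, "payload":            # spooler drops a PoC-named DLL into the driver store
        "File created: RuleName: - UtcTime: 2021-06-30 10:21:07.512 "
        "ProcessGuid: {6f1c0d2e-4c3a-60dc-0000-0010a3f70100} ProcessId: 1476 "
        "Image: C:\\Windows\\System32\\spoolsv.exe "
        "TargetFilename: C:\\Windows\\System32\\spool\\drivers\\x64\\3\\evil.dll "
        "CreationUtcTime: 2021-06-30 10:21:07.512"},
    {"event_id": 1, "payload":             # spooler (SYSTEM) spawns rundll32.exe
        "Process Create: RuleName: - UtcTime: 2021-06-30 10:21:08.004 "
        "ProcessGuid: {6f1c0d2e-4c3b-60dc-0000-00103bf80100} ProcessId: 4816 "
        "Image: C:\\Windows\\System32\\rundll32.exe "
        "CommandLine: rundll32.exe C:\\Windows\\System32\\spool\\drivers\\x64\\3\\evil.dll,#1 "
        "User: NT AUTHORITY\\SYSTEM LogonId: 0x3E7 ParentProcessId: 1476 "
        "ParentImage: C:\\Windows\\System32\\spoolsv.exe "
        "ParentCommandLine: C:\\Windows\\System32\\spoolsv.exe"},
    {"event_id": 11, "payload":            # benign: driver install, name not in the PoC list
        "File created: RuleName: - UtcTime: 2021-06-30 11:05:44.100 "
        "ProcessGuid: {6f1c0d2e-4c3a-60dc-0000-0010a3f70100} ProcessId: 1476 "
        "Image: C:\\Windows\\System32\\spoolsv.exe "
        "TargetFilename: C:\\Windows\\System32\\spool\\drivers\\x64\\3\\unidrvui.dll "
        "CreationUtcTime: 2021-06-30 11:05:44.100"},
    {"event_id": 1, "payload":             # benign: rundll32 started by a user's explorer.exe
        "Process Create: RuleName: - UtcTime: 2021-06-30 11:07:02.330 "
        "ProcessGuid: {6f1c0d2e-4c3c-60dc-0000-001051fa0100} ProcessId: 5120 "
        "Image: C:\\Windows\\System32\\rundll32.exe "
        "CommandLine: rundll32.exe shell32.dll,Control_RunDLL "
        "User: CORP\\jdoe LogonId: 0x5A3C1 ParentProcessId: 3344 "
        "ParentImage: C:\\Windows\\explorer.exe "
        "ParentCommandLine: C:\\Windows\\Explorer.EXE"},
]

if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(hit)
```

Running it fires rule 2 on the first event and rule 1 on the second, and nothing on the two benign ones. The unidrvui.dll event is the point to notice: the post's file name list misses it by design, while the broader `spoolsv_wrote_any_dll` check flags it, which is exactly the trade-off between the precise rule and a noisier hunt you would have to baseline.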
Thanks again to the X-Force team for jumping on this so quickly and providing all this essential information!
If you are directly impacted and in need of expert assistance, you can contact the IBM Security X-Force Incident Response team, who is available to assist 24×7, at US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.
If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.