Possible PrintNightmare Print Driver Install

 1title: Possible PrintNightmare Print Driver Install
 2id: 7b33baef-2a75-4ca3-9da4-34f9a15382d8
 3related:
 4    - id: 53389db6-ba46-48e3-a94c-e0f2cefe1583
 5      type: derived
 6status: stable
 7description: |
 8    Detects the remote installation of a print driver which is possible indication of the exploitation of PrintNightmare (CVE-2021-1675).
 9    The occurrence of print drivers being installed remotely via RPC functions should be rare, as print drivers are normally installed locally and or through group policy.    
10references:
11    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29
12    - https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek
13    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
14    - https://github.com/corelight/CVE-2021-1675
15    - https://old.zeek.org/zeekweek2019/slides/bzar.pdf
16    - https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/
17
18author: '@neu5ron (Nate Guagenti)'
19date: 2021-08-23
20modified: 2022-07-07
21tags:
22    - attack.execution
23    - cve.2021-1678
24    - cve.2021-1675
25    - cve.2021-34527
26logsource:
27    product: zeek
28    service: dce_rpc
29detection:
30    selection:
31        operation:
32            - 'RpcAsyncInstallPrinterDriverFromPackage' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x3e
33            - 'RpcAsyncAddPrintProcessor' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x2c
34            - 'RpcAddPrintProcessor' # "12345678-1234-abcd-ef00-0123456789ab",0x0e
35            - 'RpcAddPrinterDriverEx' # "12345678-1234-abcd-ef00-0123456789ab",0x59
36            - 'RpcAddPrinterDriver' # "12345678-1234-abcd-ef00-0123456789ab",0x09
37            - 'RpcAsyncAddPrinterDriver' # "76f03f96-cdfd-44fc-a22c-64950a001209",0x27
38    condition: selection
39fields:
40    - id.orig_h
41    - id.resp_h
42    - id.resp_p
43    - operation
44    - endpoint
45    - named_pipe
46    - uid
47falsepositives:
48    - Legitimate remote alteration of a printer driver.
49level: medium

References

• [MS-PAR]: Message Processing Events and Sequencing Rules

  

  An implementation of the Print System Asynchronous Remote Protocol MUST indicate the following to the remote procedure

  
  Read More

• zeek/scripts/base/protocols/dce-rpc/consts.zeek at 691b099de13649d6576c7b9d637f8213ff818832 · zeek/zeek

  

  Zeek is a powerful network analysis framework that is much different from the typical IDS you may know. - zeek/zeek

  
  Read More

• Security Update Guide - Microsoft Security Response Center

  
  Read More

• GitHub - corelight/CVE-2021-1675

  

  Contribute to corelight/CVE-2021-1675 development by creating an account on GitHub.

  
  Read More

• AU-ûì|£4ãFœ«ZLœãQ¥MðYÙ×È¥»J[‘c—9÷^$dd²5“`O˜Ùcõ„z"4›†!•.?<÷£l¨ ­Â&͈9Áp·ˆÆæP�c§iB d#JJ_ãZ.‹µ „ûqǽG{à-/ÝAˆo\Q"GfabæÞ'ù®j9ÿV•Õ5U”É݃0Wñ+|Â=œ|š{8Zás×äøÂÝ9ÒŸ-ýÙì‘~f¾HxØrÓmªpc#ÆŠ)%...

  
  Read More

• Security Advisory: MSRPC Printer Spooler Relay (CVE-2021-1678)

  

  On Patch Tuesday, January 12, 2021, Microsoft released a patch for CVE-2021-1678, an important vulnerability discovered by CrowdStrike researchers.

  
  Read More

Related rules

• CVE-2021-1675 Print Spooler Exploitation IPC Access
• PrinterNightmare Mimikatz Driver Name
• CVE-2021-1675 Print Spooler Exploitation
• AADInternals PowerShell Cmdlets Execution - ProccessCreation
• AADInternals PowerShell Cmdlets Execution - PsScript