Product: ENS
- Expert Rule:
The following ENS Expert Rule can prevent exploitation and allow monitoring of this vulnerability. This rule detects when files are written from the spool service into the directory that known exploits are using to drop files on victim systems.
NOTE: Before you implement the recommendation below, you must test the rule thoroughly. Thorough testing ensures rule integrity. It also makes sure that no legitimate application, in-house developed or otherwise, is deemed malicious and prevented from functioning in your production environment. You can set the suggested rule in report-only mode for testing purposes to check whether it causes any conflict in your environment, and to monitor for target behavior without blocking. After you determine that the rule doesn't block any activity from legitimate applications, you can set the rule to block and apply the setting to relevant systems.
Rule class: Files
Rule {
    Process {
        Include OBJECT_NAME { -v "spoolsv.exe" }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "%systemroot%\\System32\\spool\\drivers\\**\\New\\*.dll" }
            Include OBJECT_NAME { -v "%systemroot%\\System32\\spool\\drivers\\**\\Old\\*\\*.dll" }
            Include -access "CREATE"
        }
    }
}
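To see what the Expert Rule above actually matches, here is an added Python model of its logic (not McAfee code) run over constructed file events. It assumes the usual Expert Rule wildcard semantics, where `*` does not cross a backslash and `**` does, and that `%systemroot%` expands to C:\Windows; the rule's `\\` is an escaped single backslash.

```python
import re

# The two Target patterns from the Expert Rule, with "\\" unescaped to a real backslash.
ENS_RULE_PATTERNS = [
    r"%systemroot%\System32\spool\drivers\**\New\*.dll",
    r"%systemroot%\System32\spool\drivers\**\Old\*\*.dll",
]
RULE_PROCESS = "spoolsv.exe"   # Process / Include OBJECT_NAME
RULE_ACCESS = "CREATE"         # Target / Include -access


def expert_glob_to_regex(pattern: str, systemroot: str = r"C:\Windows") -> re.Pattern:
    """Translate an Expert Rule file pattern into a case-insensitive regex.
    Assumed semantics: '**' matches any characters including '\\',
    '*' matches any characters except '\\'; %systemroot% is expanded first."""
    expanded = pattern.replace("%systemroot%", systemroot)
    parts, i = [], 0
    while i < len(expanded):
        if expanded.startswith("**", i):
            parts.append(r".*")
            i += 2
        elif expanded[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        else:
            parts.append(re.escape(expanded[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


COMPILED_PATTERNS = [expert_glob_to_regex(p) for p in ENS_RULE_PATTERNS]


def rule_matches(event: dict) -> bool:
    """True when spoolsv.exe creates a DLL in a New\\ or Old\\<n>\\ driver directory."""
    if event["process"].lower() != RULE_PROCESS or event["access"].upper() != RULE_ACCESS:
        return False
    return any(rx.match(event["path"]) for rx in COMPILED_PATTERNS)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"process": "spoolsv.exe", "access": "CREATE", "path": r"C:\Windows\System32\spool\drivers\x64\3\New\sample.dll"},
    {"process": "spoolsv.exe", "access": "CREATE", "path": r"C:\Windows\System32\spool\drivers\x64\3\Old\1\sample.dll"},
    {"process": "spoolsv.exe", "access": "CREATE", "path": r"C:\Windows\System32\spool\drivers\x64\3\unidrv.dll"},  # normal driver dir
    {"process": "explorer.exe", "access": "CREATE", "path": r"C:\Windows\System32\spool\drivers\x64\3\New\sample.dll"},  # wrong process
    {"process": "spoolsv.exe", "access": "READ", "path": r"C:\Windows\System32\spool\drivers\x64\3\New\sample.dll"},  # wrong access
]


def evaluate(events):
    """Apply the rule to each event; only the first two constructed events should fire."""
    return [rule_matches(e) for e in events]
```

Only the first two events fire; the third shows that normal driver files outside the New\ and Old\ staging directories are not touched, which is why the rule is narrow enough to run in block mode after testing.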
- Exploit Prevention content Signature 6210:
You can enable Exploit Prevention content Signature 6210 to detect attempts by spoolsv.exe to load a malicious DLL that can be used to gain Remote Code Execution or Local Privilege Escalation. This behavior occurs with the PrintNightmare vulnerability.
Product: MVISION EDR
We've generated MVISION EDR rules 3.4.0.461 to detect behaviors of the exploitation of this vulnerability; they're available from the ePO Software Catalog. We recommend that you deploy this content package to MVISION EDR 3.4 endpoints, and it will become active on the endpoints at the next reboot. MVISION EDR rules 3.4.0.461 have already been deployed to MVISION ePO EDR endpoints.
PrintNightmare Detections in EDR rules 3.4.0.461 will appear in EDR monitoring.
Product: Network Security Platform
Sigset version: 10.8.22.7
Attack ID: 0x43c0f400
Attack Name: NETBIOS-SS: Windows Print Spooler Service RCE Vulnerability AKA PrintNightmare (CVE-2021-34527)
Released date: July 6, 2021.
NOTE: This signature is unable to detect an exploit occurring over encrypted SMB traffic. This issue is applicable to SMBv3, where encryption is enabled by default.
Product: VirusScan Enterprise (VSE)
You can implement the following Access Protection (AP) rules to mitigate exploit behavior by preventing write access to the directories that the Print Spooler technique uses.
NOTE: When creating a user-defined AP rule in VSE, an asterisk (*) is pre-populated in Processes to include, and must be removed and replaced with spoolsv.exe. We recommend that you thoroughly test the rule to ensure integrity and make sure that there are no application conflicts.
Rule 1:
- New rule type: File/Folder Blocking Rule
- Rule name: Block new files from being created or written to by Spoolsv.exe in the OLD drivers directory
- Processes to include: Spoolsv.exe
- Processes to exclude: <blank>
- File or folder name to block: %systemroot%\System32\spool\drivers\**\Old\*
- File actions to prevent: Write access to files; New files from being created

Rule 2:
- New rule type: File/Folder Blocking Rule
- Rule name: Block new files from being created or written to by Spoolsv.exe in the NEW drivers directory
- Processes to include: Spoolsv.exe
- Processes to exclude: <blank>
- File or folder name to block: %systemroot%\System32\spool\drivers\**\New\*
- File actions to prevent: Write access to files; New files from being created
Product: Host Intrusion Prevention (Host IPS)
You can use the following rule to block spoolsv.exe from creating files in the paths that the technique uses:
NOTE: We recommend that you thoroughly test the rule to ensure integrity and make sure that there are no application conflicts.
Rule {
    tag PrintNightmare_Custom_Rule
    Class Files
    Id 4001
    level 4
    attributes -v
    files { Include "*\\System32\\spool\\drivers\\*\\New\\&.dll" "*\\System32\\spool\\drivers\\*\\Old\\&\\&.dll" }
    Executable { Include { -path "*\\spoolsv.exe" } }
    user_name { Include "*" }
    directives files:create
}
For more information about implementing custom signatures in Host IPS, see the Host IPS Product Guide.
Other Recommendations:
To disable the Print Spooler service through Group Policy Objects (GPOs) (recommended for servers, except dedicated print servers):
NOTE: Disabling the print spooler service disables the ability to print both locally and remotely.
- To manage this setting, modify your GPO or create a GPO.
- When you edit the GPO, go to Computer Configuration, Policies, Windows Settings, System Services, Print Spooler.
- Right-click the Print Spooler System Service option, and select Properties.
- Set the System Service to Disabled.
To block only the remote attack vector, administrators can disable inbound remote printing through GPOs (recommended for workstations):
- To manage this setting, modify your GPO or create a GPO.
- When you edit the GPO, go to Computer Configuration, Administrative Templates, Printers.
- Right-click the Allow Print Spooler to accept client connections policy option, and select Edit.
- Set the policy to Disabled.