There’s been a recent flurry of activity around what folks are calling #PrintNightmare. This has been identified as a Print Spooler flaw, and proof-of-concept (PoC) code is publicly available.
For those customers wanting to know more about this, see: Windows Admins Scrambling to Contain ‘PrintNightmare’ Flaw Exposure | SecurityWeek.Com
There are a couple of things you can do to start:
- Install the June 2021 updates. This doesn’t fully resolve the current situation, but it does protect your environment against the other vulnerabilities addressed this month.
- If you can’t install the updates right now, you can at least turn off (stop and disable) the Print Spooler service on hosts that don’t need it.
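As an added example (not code from the original post), the following PowerShell stops the Print Spooler service on the local host, disables it so it cannot restart at boot, and then verifies both the runtime status and the startup type. It assumes an elevated session; the `Hardened` flag and the output shape are my own choices.

```powershell
# Added example: stop and disable the Print Spooler service, then verify the result.
# Assumes an elevated PowerShell session on the host being hardened.
$svc = Get-Service -Name Spooler -ErrorAction Stop

# Stop the service if it is currently running (or stuck in a transitional state)
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name Spooler -Force
}

# Prevent it from starting again at boot
Set-Service -Name Spooler -StartupType Disabled

# Re-read the service object so the verification reflects the new state
$svc = Get-Service -Name Spooler

# Hardened only when the service is stopped AND will not start on its own
[PSCustomObject]@{
    ComputerName = $env:COMPUTERNAME
    Status       = $svc.Status       # expect 'Stopped'
    StartType    = $svc.StartType    # expect 'Disabled'
    Hardened     = ($svc.Status -eq 'Stopped' -and $svc.StartType -eq 'Disabled')
}
```

Run it on each host where printing is not required; the `Hardened` column gives a quick true/false you can collect across machines before rolling the June updates out.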
To monitor for this in your environment with Azure Sentinel, here are a couple of options:
- Connect the Security Events connector. Configure the agent to capture the Microsoft-Windows-PrintService/Admin log and build a query that looks for Event ID 808.
- Collect the additional DeviceFileEvents table through the M365 Defender connector and use the following query: SentinelKQL/PrintNightmare.txt at master · rod-trent/SentinelKQL (github.com)
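Before the PrintService log is flowing into Sentinel, it helps to confirm that Event ID 808 is actually being written on the hosts you care about. The script below is an added example (not from the original post or the linked repository): it pulls 808 events from the Microsoft-Windows-PrintService/Admin log on one or more hosts over a look-back window and prints each hit plus a per-host count. The `ComputerName` and `Hours` parameters, and the output layout, are my own assumptions; the log name and event ID are the ones the post references.

```powershell
# Added example: enumerate Print Spooler plug-in load failures (Event ID 808)
# from the Microsoft-Windows-PrintService/Admin log. Save as a .ps1 and run it
# from an account that can read event logs on the target hosts.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),  # constructed default: local host
    [int]$Hours = 24                                  # constructed default look-back
)

# Filter hashtable for Get-WinEvent: log name and event ID come from the post,
# the time window is this script's own parameter.
$filter = @{
    LogName   = 'Microsoft-Windows-PrintService/Admin'
    Id        = 808
    StartTime = (Get-Date).AddHours(-$Hours)
}

foreach ($c in $ComputerName) {
    try {
        $events = @(Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction Stop)
    } catch {
        # Get-WinEvent raises an error when nothing matches; treat that as zero hits
        if ($_.Exception.Message -match 'No events were found') {
            $events = @()
        } else {
            Write-Warning "$c : $($_.Exception.Message)"
            continue
        }
    }

    foreach ($e in $events) {
        # Flatten the multi-line message so each hit is one row
        [PSCustomObject]@{
            Computer    = $c
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Message     = ($e.Message -replace '\s+', ' ')
        }
    }

    "$c : $($events.Count) Event ID 808 hit(s) in the last $Hours hour(s)"
}
```

A non-zero count on a host that has never had a print driver installed is worth a closer look; a zero count only tells you the event has not fired locally, so keep the Sentinel query in place as well.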
Also, please see the following guidance around the Print Spooler service and domain controllers and Active Directory admin systems:
Microsoft Defender for Identity Print spooler identity security posture assessments | Microsoft Docs
BTW: This is in no way intended to be a definitive answer to this situation. I’m only supplying some things I’ve used. Choose your own best path forward and if you identify something excellent — share it. It’s security. We’re all in this together.
