Microsoft has added support for PrintNightmare exploit detection to Microsoft Defender for Identity to help security operations teams detect attempts by attackers to abuse this critical vulnerability.
As revealed by Microsoft program manager Daniel Naim, Defender for Identity now detects exploitation of the Windows Print Spooler service (including the actively exploited PrintNightmare bug CVE-2021-34527) and helps block lateral movement attempts within an organization’s network.
If exploited successfully, this critical flaw allows attackers to take over affected servers by elevating privileges to Domain Administrator, stealing domain credentials, and distributing malware via Remote Code Execution (RCE) with SYSTEM privileges.
Microsoft Defender for Identity (formerly known as Azure Advanced Threat Protection or Azure ATP) is a cloud-based security solution that leverages on-premises Active Directory tokens.
This enables SecOps teams to detect and investigate compromised identities, advanced threats, and malicious insider activity targeting enrolled organizations.
Defender for Identity is included with Microsoft 365 E5, but if you don’t already have a subscription, you can get a Security E5 trial right now to take this new feature for a spin.
Last week, Microsoft clarified the PrintNightmare patch guide and shared the steps required to successfully patch the critical vulnerability after several security researchers tagged the patches issued to fix the bug as incomplete.
CISA also issued an emergency directive on Tuesday, directing federal agencies to mitigate the actively exploited PrintNightmare vulnerability on their networks.
In related news, Defender for Identity was updated in November to detect Zerologon exploitation attempts as part of attacks targeting that critical vulnerability.
Microsoft will release another update later this month that will allow security operations teams (SecOps) to block attack attempts by locking the Active Directory accounts of compromised users.
New Windows spooler vulnerability
On Thursday night, Microsoft shared a mitigation guide on a new Windows Print Spooler elevation of privilege vulnerability tracked as CVE-2021-34481 and discovered by Dragos security researcher Jacob Baines.
Unlike PrintNightmare, this security flaw can only be exploited by attackers with local access to vulnerable systems to gain elevated privileges.
“The attack is not really related to PrintNightmare. As you know PN can be run remotely and this is a local vulnerability,” Baines told Bleeping Computer.
If you are here for information on CVE-2021-34481, you will have to wait for my DEF CON talk. I don’t consider it a variant of PrintNightmare. The EM / CVE notice came as a surprise to me and as far as I am concerned it was not a coordinated disclosure.
– Jacob Baines (@Junior_Baines) July 16, 2021
While Microsoft shared very little information about this bug (including the versions of Windows that are vulnerable), Baines said the security flaw is related to the printer driver.
Redmond is still investigating this vulnerability and working on security updates to address the underlying weaknesses of the Windows Print Spooler service.
Until a patch for CVE-2021-34481 is available, Microsoft advises administrators to disable the Print Spooler service on Windows devices exposed to attack.
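The interim mitigation described above, written out as an added PowerShell example (not code from the article or from Microsoft’s own guidance). It audits the Print Spooler service state on the local host, disables the service so it cannot restart after a reboot, and verifies the result; it assumes an elevated (Administrator) session and a host that does not need to print.

```powershell
# Added example: audit and apply the Print Spooler mitigation on the local host.
# Assumes an elevated (Administrator) PowerShell session; not part of the original article.

function Get-SpoolerState {
    # Return the current service status and start type for later comparison.
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Status    = $svc.Status        # Running / Stopped
        StartType = $svc.StartType     # Automatic / Manual / Disabled
    }
}

function Disable-Spooler {
    # Stop the running service first, then prevent it from starting again after reboot.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service  -Name Spooler -StartupType Disabled
}

$before = Get-SpoolerState
Write-Host "Before: $($before.Status), start type $($before.StartType)"

# Only change the service when it is not already disabled.
if ($before.StartType -ne 'Disabled') {
    Disable-Spooler
}

# Verify that the mitigation actually took effect; fail loudly if it did not.
$after = Get-SpoolerState
if ($after.Status -ne 'Stopped' -or $after.StartType -ne 'Disabled') {
    throw "Print Spooler mitigation not applied on $($after.Computer)"
}
Write-Host "After: $($after.Status), start type $($after.StartType)"
```

Disabling the service removes all printing from the host, so print servers and workstations that must print need a different trade-off. Once the security update is installed, the service can be restored with `Set-Service -Name Spooler -StartupType Automatic` followed by `Start-Service -Name Spooler`.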