Active Threat: Print Nightmare

While our clients with EDR should be protected from this kind of attack, we are still going to be actively threat hunting until a patch is pushed out by Microsoft.

Print Nightmare (CVE-2021-34527) is a vulnerability that allows an adversary with a standard domain user account to escalate privileges to Domain Admin via the Windows Print Spooler service. This service runs by default on every Windows operating system.

How does the exploit work?

The exploit allows an attacker to load a DLL with elevated privileges from a subdirectory under C:\Windows\System32\spool\drivers. Due to a logic flaw in spoolsv.exe, the exploit circumvents the usual security checks performed by SeLoadDriverPrivilege.

This means that an attacker with access to a standard domain-joined account can take over the entire Active Directory in seconds. The issue is that Microsoft’s June 8th patch was supposed to remediate this vulnerability. We have tested it against fully patched servers and, unfortunately, it is still exploitable.
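Because the attack path ends with a DLL being written under the spool drivers tree and loaded by spoolsv.exe, a threat hunt can focus on exactly those two observables. The following PowerShell script is an added example written for this post; it is not from the original article or from any vendor tool. It lists DLLs written under the drivers directory within a chosen window together with their Authenticode status, and pulls driver add/update events (event ID 316) from the Microsoft-Windows-PrintService/Operational log. The drivers path is the one named above; the log name and event ID are the standard PrintService values and should be confirmed on your build, and the log is disabled by default, so it only contains data if it was enabled before the activity occurred.

```powershell
# Added example (not part of the original post): hunt for PrintNightmare artefacts on one host.
# Run in an elevated PowerShell session. The only assumption beyond the post is that the
# PrintService operational log is enabled and records event 316 for driver installs.
param(
    [int]$Hours = 24   # look-back window for file writes and events
)

$driverRoot = "C:\Windows\System32\spool\drivers"   # path named in the advisory
$since      = (Get-Date).AddHours(-$Hours)

# 1. DLLs recently written anywhere under the drivers tree. A fresh, unsigned or
#    invalidly signed DLL here is the primary artefact of this technique.
Write-Host "== DLLs written under $driverRoot since $since =="
Get-ChildItem -Path $driverRoot -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    Select-Object FullName, LastWriteTime, Length,
        @{ Name = 'Signature'; Expression = { (Get-AuthenticodeSignature $_.FullName).Status } } |
    Format-Table -AutoSize

# 2. Driver add/update events. Event 316 records the driver name and the files it installed,
#    which is the spooler's own view of the same activity.
Write-Host "== PrintService driver add/update events (ID 316) since $since =="
$filter = @{
    LogName   = 'Microsoft-Windows-PrintService/Operational'
    Id        = 316
    StartTime = $since
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Message |
    Format-List

# 3. Whether the operational log is even enabled; if not, step 2 cannot have found anything.
$log = Get-WinEvent -ListLog 'Microsoft-Windows-PrintService/Operational' -ErrorAction SilentlyContinue
Write-Host "PrintService/Operational log enabled: $($log.IsEnabled)"
```

Run it per host (or wrap it in Invoke-Command for a fleet) and review anything returned by step 1 that is not signed by a known printer vendor; step 3 tells you whether the absence of events in step 2 is meaningful or just a disabled log.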

Recommendations:

1. We recommend disabling the Print Spooler service on all systems (especially Domain Controllers).

If you can’t disable the service, there are three alternatives. As always, please test these before implementation.

2. TrueSec (with credit to them) wrote a small PowerShell script to restrict the ACLs on the directory and subdirectories that would allow an attacker to exploit this vulnerability.

The following script adds a Deny rule to the “drivers” directory and all subdirectories, which prevents the SYSTEM account from dropping malicious DLLs into them.


$Path = “C:\Windows\System32\spool\drivers”

$Acl = Get-Acl $Path

$Ar = New-Object  System.Security.AccessControl.FileSystemAccessRule(“System”, “Modify”, “ContainerInherit, ObjectInherit”, “None”, “Deny”)

$Acl.AddAccessRule($Ar)

Set-Acl $Path $Acl


3. Instead of disabling the service, you can configure it via GPO to not accept client connections. The setting is under Computer Configuration -> Administrative Templates -> Printers -> Allow Print Spooler to accept client connections, and should be set to Disabled.

4. You can remove all “Authenticated Users” from the “Pre-Windows 2000 Compatible Access” group in AD.
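To check where a host stands against the four recommendations above, and to apply the two that are safe to script, the following PowerShell is an added example written for this post (not the original article's code and not TrueSec's). It reports the Spooler state, whether the TrueSec Deny rule is present on the drivers directory, the policy value behind the GPO setting, and whether Authenticated Users (well-known SID S-1-5-11) is still a member of Pre-Windows 2000 Compatible Access. With -Remediate it disables the Spooler on domain controllers and removes that membership; it does not add the ACL rule, since that is what the TrueSec script above already does. Assumptions beyond the post: the GPO setting is stored as RegisterSpoolerRemoteRpcEndPoint under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers (2 = disabled), and the ActiveDirectory module is available for step 4.

```powershell
# Added example (not part of the original post): audit, and optionally remediate, the
# PrintNightmare recommendations on the local host. Run elevated; supports -WhatIf.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # without this switch the script only reports
)

$driverRoot = "C:\Windows\System32\spool\drivers"
$policyKey  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers"   # assumed GPO backing key
$groupName  = "Pre-Windows 2000 Compatible Access"
$authUsers  = "S-1-5-11"                                                # Authenticated Users

# DomainRole 4 = backup DC, 5 = primary DC
$isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

# 1. Spooler service (recommendation 1): disable everywhere, and at minimum on DCs.
$svc = Get-Service -Name Spooler
Write-Host "1. Spooler: Status=$($svc.Status) StartType=$($svc.StartType) DomainController=$isDC"
if ($Remediate -and $isDC -and $PSCmdlet.ShouldProcess("Spooler", "Stop and disable")) {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

# 2. Deny rule on the drivers tree (recommendation 2, the TrueSec mitigation).
$acl  = Get-Acl -Path $driverRoot
$deny = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Deny' -and
    $_.IdentityReference -like '*\SYSTEM' -and
    $_.FileSystemRights.ToString() -match 'Modify'
}
Write-Host "2. Deny-Modify rule for SYSTEM on ${driverRoot}: $([bool]$deny)"

# 3. GPO "Allow Print Spooler to accept client connections" (recommendation 3).
$rpc = (Get-ItemProperty -Path $policyKey -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
$rpcState = switch ($rpc) { 2 { 'client connections disabled' } 1 { 'enabled' } default { 'not configured' } }
Write-Host "3. RegisterSpoolerRemoteRpcEndPoint=$rpc ($rpcState)"

# 4. Authenticated Users in Pre-Windows 2000 Compatible Access (recommendation 4).
#    Authenticated Users appears as a foreign security principal named by its SID.
if (Get-Module -ListAvailable ActiveDirectory) {
    Import-Module ActiveDirectory
    $grp    = Get-ADGroup -Identity $groupName -Properties member
    $member = $grp.member | Where-Object { $_ -like "CN=$authUsers,*" }
    Write-Host "4. Authenticated Users in '$groupName': $([bool]$member)"
    if ($Remediate -and $member -and $PSCmdlet.ShouldProcess($groupName, "Remove Authenticated Users")) {
        Remove-ADGroupMember -Identity $groupName -Members $member -Confirm:$false
    }
} else {
    Write-Host "4. ActiveDirectory module not available; skipping group check"
}
```

Run it first without -Remediate to get a report, then with -Remediate -WhatIf to see which changes it would make on that host before applying them; recommendation 4 changes domain-wide group membership, so test it in a lab domain as the post advises.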
