MegaplanIT

Full Spectrum

Solutions

We specialize in over 48 technically advanced cybersecurity and compliance services designed to protect cardholder and other sensitive data, secure in-scope networks, systems, and website applications.

Managed Security Solutions >

Compliance Assessments>

Security Testing >

Consulting Services >

Customer Reviews

we are grateful to receive their feedback on our service.

Who We Are

we are grateful to receive their feedback on our service.

Managed Security Solutions >

Powerful, optimized SIEM running 24/7/365.

Real-time active threat intelligence. Rapidly find and contain intrusions.

Powerful, optimized SIEM running 24/7/365.

Track & Respond To Suspicious Activity In Your Network Traffic

Empower your incident response and security operations functions with real-time active threat intelligence.

Full Spectrum

Solutions

We specialize in over 48 technically advanced cybersecurity and compliance services designed to protect cardholder and other sensitive data, secure in-scope networks, systems, and website applications.

Managed Security Solutions >

Compliance Assessments>

Security Testing >

Consulting Services >

Customer Reviews

we are grateful to receive their feedback on our service.

Who We Are

we are grateful to receive their feedback on our service.

Managed Security Solutions >

Powerful, optimized SIEM running 24/7/365.

Real-time active threat intelligence. Rapidly find and contain intrusions.

Powerful, optimized SIEM running 24/7/365.

Track & Respond To Suspicious Activity In Your Network Traffic

Empower your incident response and security operations functions with real-time active threat intelligence.

Full Spectrum

Solutions

We specialize in over 48 technically advanced cybersecurity and compliance services designed to protect cardholder and other sensitive data, secure in-scope networks, systems, and website applications.

Managed Security Solutions >

Compliance Assessments>

Security Testing >

Consulting Services >

Customer Reviews

we are grateful to receive their feedback on our service.

Who We Are

we are grateful to receive their feedback on our service.

Managed Security Solutions >

Powerful, optimized SIEM running 24/7/365.

Real-time active threat intelligence. Rapidly find and contain intrusions.

Powerful, optimized SIEM running 24/7/365.

Track & Respond To Suspicious Activity In Your Network Traffic

Empower your incident response and security operations functions with real-time active threat intelligence.

Why Choose Us?

Our expert security consultants and QSAs are fully certified across multiple disciplines and have decades of experience helping businesses stay protected against an ever-evolving cyber threat landscape. We build long-term relationships with our clients and provide holistic service offering to meet all their security and compliance needs while outlining a path to continued improvements within their internal security program(s).

Why Choose Us?

Our expert security consultants and QSAs are fully certified across multiple disciplines and have decades of experience helping businesses stay protected against an ever-evolving cyber threat landscape. We build long-term relationships with our clients and provide holistic service offering to meet all their security and compliance needs while outlining a path to continued improvements within their internal security program(s).

Active threat vulnerability exposed through a blog.
Picture of MegaplanIT

MegaplanIT

Security & Compliance

Active Threat: Print Nightmare

By: Andrew Haslett LinkedIn_logo_initials

Security Engineer – Incident Response Specialist 

 

Active Threat

While our clients with EDR should be protected from this kind of attack we are still going to be actively threat hunting until a patch is pushed out by Microsoft.

Print Nightmare (CVE-2021-34527) is a vulnerability that allows an adversary with a standard domain user account to escalate privileges to Domain Admin via the Windows Print Spooler service. This service runs on every Windows Operating System by default.

How does the exploit work?

The exploit allows an attacker to load a DLL with elevated privileges in a subdirectory under C:\Windows\System32\spool\drivers. Due to a logic flaw in spoolsv.exe, the exploit circumvents the usual security checks performed by SeLoadDriverPrivilege.

This means that an attacker with access to a standard domain joined account can take over the entire Active Directory in seconds. The issue is Microsoft’s June 8th patch was supposed to remediate this vulnerability. We have tested it against fully patched servers and unfortunately, it is still exploitable.

 

Recommendations:

1. We recommend disabling the Print Spooler service on all systems (especially Domain Controllers).

If you can’t disable the service there are 3 alternatives. As always, please test these before implementation

2. With credit to TrueSec, they wrote a small PowerShell script to restrict ACLs on the directory and subdirectories that would allow an attacker to exploit this vulnerability.

The following script adds a Deny rule to the “drivers” directory and all subdirectories, which will prevent the user SYSTEM from being allowed to drop malicious DLLs into them.

 


   

   $Path = “C:\Windows\System32\spool\drivers”

   $Acl = Get-Acl $Path

   $Ar = New-Object  System.Security.AccessControl.FileSystemAccessRule(“System”, “Modify”, “ContainerInherit, ObjectInherit”,        “None”, “Deny”)

   $Acl.AddAccessRule($Ar)

   Set-Acl $Path $Acl

 


 

3. Instead of disabling the service, you can configure it via GPO to not accept Client Connections which is under Computer Configuration -> Administrative Templates -> Printers -> Allow Print Spooler to accept client connections: disabled

4. You can remove all “Authenticated Users” from the “Pre-Windows 2000 Compatible Access” group in AD.

Looking for a knowledgeable partner for your cybersecurity and compliance efforts? We're Here To Help!

We look forward to talking to you about your upcoming Security Test, Compliance Assessment, and Managed Security Services priorities. Our expert security consultants and QSAs are fully certified and have decades of experience helping businesses like yours stay safe from cyber threats. Set up a time to chat with us about your biggest payment security and compliance challenges so we can partner with you to solve them!

Share this post

Industry Leading Certified Experts

PCI QSA
The PCI logo on a white background with a Software Security emphasis.
Pci approved scanning vendor logo for software security.
Pci point-to-point encryption with robust Software Security.
A man is riding a bike on a hill.
The logo for aicpa soc.
A logo with the words, a l a, and a blue globe.
A badge with the words gba certified penetration tester.

Subscribe

Subscribe To Our Newsletter & Stay Up-To-Date

Explore Our Blogs

Whitepaper | 10 min Read

Developing And Maintaining An Effective Compliance Program.

Developing An Effective Compliance Program

This whitepaper provides organizations with a path forward. We will walk through aspects of an effective compliance program and how it can be valuable to your business. We will also outline critical steps towards developing and implementing a useful and effective Compliance Program.

New Service Offering | Contact Us

MegaplanIT's Ransomware Assessment

Ransomware Preparedness Assessment

As new vulnerabilities emerge in response to ongoing geopolitical threats, are you confident that your organization could defend against a ransomware attack? If not or if you are unsure, MegaplanIT is offering a Ransomware Readiness Assessment free of charge for up to 50 Systems. 

ResourceGuide | 8 min Read

Cybersecurity Roadmap For 2022

Cybersecurity Roadmap For 2022

Companies need to be aware of their current state, where they need improvement, and how to be proactive moving forward. Dialing in on the key elements your organization will need to succeed is a great starting point to having a full-fledged plan in place, and it all comes down to the fundamentals. 

We're Here To Help

We look forward to talking to you about your upcoming Security Testing, Compliance Assessments, and Managed Security Services priorities. We are ready to help and discuss more information with you on our comprehensive list of services. 

A blue logo with the letter m on it.

Make Our Team, Your Team!

Our innovative IT security and compliance solutions are designed to deliver customized, cost-effective service on time—because your priorities are our priorities. With a highly qualified team of PCI-DSS QSAs, Penetration Testers, and Information Security Consultants here at MegaplanIT, we will assess your unique company and business environment and design a path to security that will fit all of your needs.

MegaplanIT's Ransomware Assessment

Ransomware Assessment Preparedness

Cybersecurity Roadmap For 2022

Cybersecurity Roadmap For 2022

Developing And Maintaining An Effective Compliance Program.

Developing And Maintaining An Effective Compliance Program

As new vulnerabilities emerge in response to ongoing geopolitical threats, are you confident that your organization could defend against a ransomware attack? 

A Cybersecurity Roadmap details priorities and objectives to drive progress towards security goals. The roadmap follows a data-driven path based on answers to critical questions

This whitepaper provides organizations with a path forward. We will walk through aspects of an effective compliance program and how it can be valuable to your business