This same behavior is taken advantage of in this attack. Typically, when a regular user creates a print job, the print job will be stored by the print spooler service (spoolsv.exe) to a dedicated folder, System32\SPOOL\Printers, as two files: the file, which contains the content to be printed, and the shadow job file (SHD), which contains the metadata of the print job, including the path of the printer port that was created. Step 2: Print content to a restricted file The analyst will see the following alert:įigure 6. Since Defender for Endpoint monitors registry operations, it will detect this action as a suspicious registry activity right off the bat. In the background, whenever a printer port is added, the spooler service adds a registry key containing the value of the path the user pointed to and where they would like to insert content. device timeline event showing the printer port was added It is then associated to a new printer port which points to our targeted system file c:\windows\system32\wbem\browcli.dll.įigure 5. The first phase of our exploitation scenario is for the attacker to add a new printer on this device called MS Publisher Color Printer. Let’s say an attacker was able to determine that one of the devices in our fictional network has not yet been patched for CVE-2020-1048 and was able to log on to the device through an effective social engineering lure. Step 1: Add a new printer and a printer port
Detailed alert story showing steps of the attack and affected assets
#Endpoint has duplicate windows 10 spooler full#
The incident page providing the full context of the attackįigure 3. This blog will cover the phases of the attack and how Defender for Endpoint correlates these to a single view of an incident, providing the full context of the related alerts, impacted entities, and the investigation.įigure 2. Microsoft Defender for Endpoint blocks, detects, and remediates the attack. We will use this scenario in our simulation. Malicious actors can thus use this vulnerability to create a malicious DLL, for instance, print it to the system folder, and wait for the system to run it in a classic DLL hijacking attack. Before the vulnerability was patched, this means that any user could print to folders they don’t have access to. When the port is a file path, the printer creates a file on the file system and prints content to it. The catch is that the printer port, instead of being an actual port, could instead be a path to a file. Every printer is then associated to a port. Unprivileged users could easily add new printers in Windows. Since this is a common service that comes preinstalled, any suspicious activity initiated by the spooler might be easily missed. Specifically, it can write or modify files in the System32 folder. The print spooler is a Windows component that manages the printing process and runs with system privileges. Attack phases of a sample attack using CVE-2020-1048 The actual exploitation details have already been discussed extensively in other blogs, but in summary, this vulnerability allows an unprivileged user to modify a file that they should not have been able to access, or to create a file in a folder they should not have write access to.įigure 1. Interesting case study because of the prevalence of the print spooler mechanism, and the vulnerability’s involvement in a widely covered high-profile attack in the past. This vulnerability, assigned CVE-2020-1048, has already been patched. SafeBreach, one of our evaluation lab partners for breach and attack simulation solutions, discovered an elevation of privilege vulnerability in the Windows print spooler mechanism. In this scenario, we use the updated Microsoft Defender for Endpoint alert page, which has features to make the investigation experience better and more effective.
#Endpoint has duplicate windows 10 spooler update#
We are excited to share a short attack simulation to highlight how Microsoft Defender for Endpoint can alert analysts for every suspicious system event that’s related to an intrusion and how analysts can mitigate the attacker’s actions right from the alert page. We’ve chosen a relatively straightforward exploitation scenario which we believe still carries significant risk for organizations that have not been able to update their operating systems.
0 kommentar(er)
