Update 07/15: Microsoft reported a new privilege escalation vulnerability, CVE-2021-34481, that could allow attackers to execute malicious code as SYSTEM.

Update 07/06: Microsoft released an emergency patch to address this vulnerability, but it did not fully resolve the issue, as the patch only addresses the Remote Code Execution component. An attacker can still use the local privilege escalation component to gain SYSTEM level privileges.

On Monday, June 21st, Microsoft updated a previously reported vulnerability (CVE-2021-1675) to increase its severity from Low to Critical and its impact to Remote Code Execution. On Tuesday, June 29th, a security researcher posted a working proof-of-concept named PrintNightmare that affects virtually all versions of Windows systems. Yesterday, July 1, Microsoft assigned this flaw a new CVE, CVE-2021-34527. No patch is available at the time of writing.

The vulnerability affects the Print Spooler service, which is enabled by default on Windows systems, and allows adversaries to trick this service into installing a remotely hosted print driver using a low privileged user account. Successful exploitation effectively allows adversaries to execute code on the target system (Remote Code Execution) in the context of the Print Spooler service, which runs with SYSTEM privileges (Privilege Escalation).

The prerequisites for successful exploitation consist of:

- Print Spooler service enabled on the target system.
- Network connectivity to the target system (initial access has been obtained).
- Hash or password for a low privileged user (or computer) account.

In the most impactful scenario, an attacker would be able to leverage this vulnerability to escalate their privileges in an Active Directory environment from a low privileged domain user to full domain administrator privileges by executing malicious code on a Domain Controller, as shown below.

[Figure: Successful exploitation to obtain a reverse meterpreter shell on a Domain Controller]

The Splunk Threat Research team recommends taking immediate action to mitigate this vulnerability using the documented workarounds, as no official patches have been released yet. If you want a very quick way of understanding your exposure to this vulnerability, you can do so if you have Universal Forwarders deployed across your server fleet. Simply enable the WinHostMon input from the Splunk Add-On for Windows to report on the status of services on each server.
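As an added example that is not part of the original post, this is the inputs.conf stanza that turns on the WinHostMon service input on a Universal Forwarder running the Splunk Add-on for Windows. The interval value is an assumption chosen for illustration, and the search in the note below assumes the field names the add-on's Service events carry (Type, Name, State, StartMode); check both against your own deployment.

```ini
# inputs.conf on each Universal Forwarder (added example, not from the post).
# The Service type emits one event per Windows service, including the
# Print Spooler, each polling interval. Splunk .conf files only accept
# whole-line "#" comments, so nothing trails a value.

[WinHostMon://Service]
type = Service
# Polling interval in seconds; 300 is an assumed value, not a recommendation
# from the post. Raise it if the fleet is large and service churn is low.
interval = 300
disabled = 0
```

Once events arrive, a search such as `sourcetype=WinHostMon Type=Service Name=Spooler | stats latest(State) AS State latest(StartMode) AS StartMode by host` gives one row per server showing whether the Print Spooler is running and whether it starts automatically, which is the exposure view the post refers to. Hosts that report `State=Running` on servers that never print, Domain Controllers above all, are the ones to apply the documented workarounds to first; a host missing from the results has either not received the input or is not forwarding, so treat absence as unknown rather than safe.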