.png?width=700&height=200&name=logo-binalyze-reversed%20(1).png){kind=logo}
Microsoft recently released a patch for this vulnerability. Please get more information using the link below:
We have released a FREE version of DRONE that scans the machine against indicators of the Print Nightmare exploit (CVE-2021-34527) and applies a workaround of stopping Spool Service so that even if the machine is unexploited now, future attempts of exploitation would be prevented until Microsoft releases a patch for this vulnerability.
Note: If you have Chrome installed on the machine, you can also run DRONE in Tower mode in the browser by simply double clicking the executable and enabling the CVE scanner and Event Records Analyzer (See Image 2 below).
Optionally, you can enable all analyzers (auto-pilot mode) to have an automated compromise assessment in parallel.
If you want to monitor exploited machines via your SIEM, you can enable Syslog option for forwarding the findings to your SIEM (–syslog). Refer to help drone.exe /h for more information.
Does DRONE apply the workaround?
Yes. Once the analysis completes, DRONE will automatically stop the Spool Service and disable the auto-start setting of the Spool Service as a temporary workaround until Microsoft releases a patch.
How will I re-enable the Spool Service? (do not perform this action until a security patch is available)
From the command line, issue the following commands to reenable the Spool Service:
Proof-of-concept exploit code has been published online today for a vulnerability in the Windows Print Spooler service that can allow a total compromise of Windows systems.
The vulnerability impacts Print Spooler (spoolsv.exe), a Windows service that serves as a generic universal interface between the Windows OS, applications, and local or networked printers, allowing app developers to easily initiate print jobs.
The service has been included in Windows since the 90s and is one of the operating system’s most buggy processes, with many vulnerabilities being discovered across the years, including bugs such as PrintDemon, FaxHell, Evil Printer, CVE-2020-1337, and even some of the zero-days used in the Stuxnet attacks.
CVE-2021-1675, the latest in this long line of Print Spooler bugs, and was initially discovered by security researchers from Tencent Security, AFINE, and NSFOCUS earlier this year.
Amina Zilic : Nov 19, 2021 2:16:02 PM
Compromise assessment is an analysis of a network of endpoints or a single endpoint to uncover unknown security breaches, malware, and any sign of...
Amina Zilic : Nov 11, 2021 7:26:02 PM
UPDATE 15.11.2021.
Microsoft patches actively exploited Exchange, Excel zero-days (CVE-2021-42321). Please refer to their site for more details.
...
Amina Zilic : Nov 3, 2021 9:59:03 AM
When we plan our incident response strategies and forensic readiness steps, we strongly pay attention to digital evidence acquisition, storage,...
Emre Tınaztepe