Printnightmare

Stage a local agent configuration definition file and ingress an agent DLL. Query the system registry and check installed hotfixes to see if the system is vulnerable. If vulnerable, installed a custom printer driver that spawns a new agent as NT AUTHORITY/SYSTEM.

Execute this chain

Download Operator (1.7.0)
Learn about Operator

TTPs

Stage agent configuration file
Ingress Pneuma DLL with exported LaunchPneuma function
Query registry for PrintNightmare vulnerable key
Check if specific patch is installed
Exploit PrintNightmare vulnerability to spawn elevated agent

Tags

kaseya vsa attack

User-Set Custom Variables

  • patch.HotFixID: KB5004945