I'm not sure how your effort to exclude all the files is going, but this might work better for you if it is a struggle. You can just exclude needed sources where spoolsv.exe needs to read from to drop a compromised file into the needed folders, rather than all the legitimate files themselves. This is confirmed to block the RCE, but should also block the LPE.
Rule {
    Process {
        Include OBJECT_NAME { -v "spoolsv.exe" }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "**.dll" }
            Exclude OBJECT_NAME {
                -v "%windir%\\System32\\**"
                -v "C:\\Program Files\\McAfee\\Endpoint Security\\Threat Prevention\\IPS\\EpMPThe.dll"
                -v "C:\\Program Files\\Common Files\\McAfee\\SystemCore\\*"
                -v "C:\\Program Files\\McAfee\\MAR\\mvcairo_x64.dll"
            }
            Include -access "READ"
        }
    }
}
If RCE is your only concern, change the target to "\\\\**\\*.dll" and then you only need to allow print shares where drivers may load from.
Dave
How do I fix this error? Admittedly, this is my first attempt at an expert rule:
2021-07-07 23:17:54.553Z |Error |ApBl |mfeesp | 6864| 9916|BOPAP |ApState.cpp(287) | Syntax error: -v: Invalid number of arguments
while executing
"-v "
invoked from within
"Include OBJECT_NAME { -v
"%systemroot%\\System32\\spool\\drivers\\**\\New\\*.dll" }"
invoked from within
"Match FILE {
Include OBJECT_NAME { -v
"%systemroot%\\System32\\spool\\drivers\\**\\New\\*.dll" }
Include OBJECT_NAME { -v
..."
invoked from within
"Target {
Match FILE {
Include OBJECT_NAME { -v
"%systemroot%\\System32\\spool\\drivers\\**\\New\\*.dll" }
Include OBJECT_NAME { - ..."
invoked from within
"Rule -id "20000" {
Reaction ALLOW
Group "ExPExpertRules"
Description "PrintNightmare Exploit Monitoring 20210707"
Process {
Include OBJECT_NAM ..."
invoked from within
"Policy {
Rule -id "20000" {
Reaction ALLOW
Group "ExPExpertRules"
Description "PrintNightmare Exploit Monitoring 20210707"
Process {
Inclu ..."LastErr 0x000010dd The operation identifier is not valid.
Can I just see your exact rule? I'm not sure from the log.
Hi Daveb3d,
Thanks for the response.
It was a direct copy from KB94659. Testing was accomplished by adding a printer to my machine.
Rule {
    Process {
        Include OBJECT_NAME { -v "spoolsv.exe" }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "%systemroot%\\System32\\spool\\drivers\\**\\New\\*.dll" }
            Include OBJECT_NAME { -v "%systemroot%\\System32\\spool\\drivers\\**\\Old\\*\\*.dll" }
            Include -access "CREATE"
        }
    }
}
It compiles fine for me when I copied and pasted it from your post. Make sure you don't have a blank line or something at the top of the rule, which will cause it to fail.
Hello,
I added the Expert Rule to my Exploit Prevention Policy as detailed below. Presently this is in Report Mode. Would it be safe to say that if any detections occurred that information would be written to the Threat Event Log with the Event ID of 20001?
Thank you.
The event ID would be 18060, the Analyzer Rule ID would probably be 20001, depending upon the signature ID assigned to the rule in your policy.
Thank you for the quick response.
Thank you again for the quick response. So I implemented the rules as documented in the KB article and chose the option to Report rather than block.
Within a very short amount of time, I captured 165 events across 16 workstations. There is very little information to go on as far as next steps. What would the next steps be, please?
I am capturing activity that is occurring in the following locations:
Threat Target File Path and Target Path
The Event Log message states:
NT AUTHORITY\SYSTEM ran C:\Windows\System32\spoolsv.exe, which accessed the file C:\Windows\System32\spool\drivers\x64\3\Old\1\FXSAPI.DLL, violating the rule “PrintNightmare – CVE 2021-1675”. Access was allowed because the rule wasn’t configured to block.
Thank you,
Yeah, if you used the McAfee provided rule, this isn't a surprise, honestly, as the rule is too generic. It is good for servers, but going to cause a workstation issue. You can try to tune it out, though you can probably just block anything in the OLD folder as I'm guessing it isn't really necessary, but that is 100% a guess.
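One way to get past "very little information to go on" with 165 report-mode events is to parse the Threat Event Log message text shown above and group the hits by which driver staging folder (Old vs. New) and which DLL they touch, so the noisy legitimate paths can be tuned out. This is an added example, not from the thread or from McAfee; the sample messages are constructed to match the format of the quoted event, and the folder layout assumed after spool\drivers is <arch>\<version>\<Old|New>\<n>\<file>.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the Threat Event Log message quoted in the thread.
SAMPLE_EVENTS = [
    "NT AUTHORITY\\SYSTEM ran C:\\Windows\\System32\\spoolsv.exe, which accessed the file "
    "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\Old\\1\\FXSAPI.DLL, violating the rule "
    "\u201cPrintNightmare \u2013 CVE 2021-1675\u201d. Access was allowed because the rule wasn\u2019t configured to block.",
    "NT AUTHORITY\\SYSTEM ran C:\\Windows\\System32\\spoolsv.exe, which accessed the file "
    "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\Old\\2\\FXSAPI.DLL, violating the rule "
    "\u201cPrintNightmare \u2013 CVE 2021-1675\u201d. Access was allowed because the rule wasn\u2019t configured to block.",
    "NT AUTHORITY\\SYSTEM ran C:\\Windows\\System32\\spoolsv.exe, which accessed the file "
    "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\7\\UNIDRV.DLL, violating the rule "
    "\u201cPrintNightmare \u2013 CVE 2021-1675\u201d. Access was allowed because the rule wasn\u2019t configured to block.",
]

# Field layout of the message: "<user> ran <process>, which accessed the file <target>,
# violating the rule "<rule>". Access was <allowed|blocked> ..."
EVENT_RE = re.compile(
    "^(?P<user>.+?) ran (?P<process>.+?), which accessed the file "
    "(?P<target>.+?), violating the rule [\u201c\"](?P<rule>.+?)[\u201d\"]\\. "
    "Access was (?P<action>allowed|blocked)"
)


def parse_event(line):
    """Return the named fields of one event message, or None if the line is not one."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def classify_target(path):
    """Bucket a target path by staging folder: 'old', 'new', 'driver-root' or 'outside-spool'."""
    lowered = path.lower()
    marker = "\\spool\\drivers\\"
    if marker not in lowered:
        return "outside-spool"
    segments = lowered.split(marker, 1)[1].split("\\")[:-1]  # directories only, drop file name
    if "old" in segments:
        return "old"
    if "new" in segments:
        return "new"
    return "driver-root"


def summarize(lines):
    """Count events per (folder bucket, DLL name, action) to show what a rule tweak would silence."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        dll = ev["target"].rsplit("\\", 1)[-1].upper()
        counts[(classify_target(ev["target"]), dll, ev["action"])] += 1
    return counts
```

Feeding the exported event messages to summarize() shows at a glance how many of the hits are Old-folder driver copies like the FXSAPI.DLL one above, which is the set the reply suggests tuning out.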