FortiDeceptor
FortiDeceptor provides Deception-based Breach Protection to deceive, expose and eliminate external and internal threats.
mbensimon (Staff)
Article Id 197886
Description

This article describes how FortiDeceptor decoys and lures can detect activity related to the Microsoft CVE-2021-34527 (PrintNightmare) remote code execution vulnerability.

A remote code execution vulnerability exists in the Windows OS when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges and could then install programs; view, change, or delete data; or create new accounts with full user rights.

Cyber deception against attacks that try to leverage CVE-2021-34527

1. FortiDeceptor starts by deploying network decoys across the network segments, creating a fake environment that simulates the real network and its assets. The "PrintNightmare" exploit targets Windows systems, so network decoys such as Windows 7, Windows 10, Windows Server 2016 and Windows Server 2019 (endpoints and servers) are deployed across the network.

2. In addition, the FortiDeceptor customization module allows a decoy template to be generated from the customer's gold image and deployed across the network and in the customer data center. A decoy that runs the customer's gold image and is joined to the customer's domain expands the attack surface for any malware or threat actor trying to leverage CVE-2021-34527 (PrintNightmare). This decoy also generates accurate threat intelligence and IOCs about the attack.

3. FortiDeceptor generates and deploys deception lures, such as a fake network drive and fake usernames and passwords, across every endpoint and server in the network, based on the network decoy deployment.

4. To exploit this vulnerability, an attacker needs access to the internal network, obtained by compromising an internal endpoint and leveraging that endpoint's access and credentials. The idea behind deception lures is to expand the attack surface the attacker sees and to reduce dwell time.

5. Deception lures detect the threat actor early in the kill chain, before the Windows systems running the Print Spooler service are attacked, by placing the following lures on the network endpoints that the threat actor would use to stage the attack against those Windows systems (endpoints and servers). The lures to deploy are:

a. The SMB deception lure generates a fake network drive with fake files. This network drive deceives the threat actor when they enumerate shares with Windows commands such as "net". Engaging with it triggers alerts and mitigation responses that isolate the malicious endpoint from the network.

b. The cached credentials deception lure deploys fake usernames and passwords to endpoints and servers. These fake credentials deceive the threat actor when they use tools such as mimikatz to harvest credentials and then use the fake credentials to move laterally and engage with a network decoy. Engaging with it triggers alerts and mitigation responses that isolate the malicious endpoint from the network.

c. The RDP deception lure deploys fake Windows RDP credentials in Windows Credential Manager. These fake credentials deceive the threat actor when they use mimikatz and RDP clients to move laterally and engage with a network decoy that runs the Windows Print Spooler service. Engaging with it triggers alerts and mitigation responses that isolate the malicious endpoint from the network.
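The detection principle behind all three lures is the same: decoy credentials are never used by legitimate users, so a single authentication attempt with one of them is a high-confidence indicator, whether it succeeds or fails. The PowerShell below is an added example, not FortiDeceptor code, showing that logic over a constructed set of simplified Windows logon events; the decoy account names, the event fields and the sample events are all assumptions made for the example.

```powershell
# Added example (not FortiDeceptor code): flag any authentication event that
# uses a decoy account planted by a lure, and group hits by source endpoint.

# Assumed: decoy account names as configured in the lure package (placeholders).
$DecoyAccounts = @('svc_backup_dc1', 'fs-admin')

# Constructed sample events in the shape of a minimal SIEM export.
# EventID 4624 = logon success, 4625 = logon failure; fields are simplified.
$Events = @(
    [pscustomobject]@{ Time='2021-07-06T09:12:03'; EventID=4625; Account='jsmith';         Source='10.0.5.21'; Target='FS01';    LogonType=3 }
    [pscustomobject]@{ Time='2021-07-06T09:12:09'; EventID=4624; Account='svc_backup_dc1'; Source='10.0.5.21'; Target='DC02';    LogonType=3 }
    [pscustomobject]@{ Time='2021-07-06T09:13:44'; EventID=4624; Account='fs-admin';       Source='10.0.5.21'; Target='PRINT01'; LogonType=10 }
    [pscustomobject]@{ Time='2021-07-06T09:15:00'; EventID=4624; Account='mlee';           Source='10.0.7.8';  Target='FS01';    LogonType=3 }
)

function Find-DecoyCredentialUse {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string[]] $DecoyAccounts
    )
    # Windows account names are not case sensitive, so match case-insensitively.
    $lookup = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$DecoyAccounts, [System.StringComparer]::OrdinalIgnoreCase)

    foreach ($e in $Events) {
        if (-not $lookup.Contains($e.Account)) { continue }

        # A failed attempt matters as much as a success: either way the decoy
        # secret has been harvested from the endpoint where the lure was planted.
        $outcome = if ($e.EventID -eq 4624) { 'success' } else { 'failure' }
        # Logon type 10 is RemoteInteractive (RDP); type 3 is a network logon (SMB).
        $lure = if ($e.LogonType -eq 10) { 'RDP' } else { 'SMB / cached credential' }

        [pscustomobject]@{
            Time     = $e.Time
            Severity = 'High'
            Account  = $e.Account
            Source   = $e.Source    # the endpoint a mitigation response would isolate
            Target   = $e.Target
            Outcome  = $outcome
            Lure     = $lure
        }
    }
}

$alerts = Find-DecoyCredentialUse -Events $Events -DecoyAccounts $DecoyAccounts
$alerts | Format-Table -AutoSize

# One source host using several decoy identities is the pattern expected after
# a credential dump followed by lateral movement; surface it as an isolation candidate.
$alerts | Group-Object Source | Where-Object Count -ge 2 |
    ForEach-Object { "Isolation candidate: $($_.Name) used $($_.Count) decoy accounts" }
```

On the constructed input, the two events from 10.0.5.21 that use decoy accounts are raised as alerts and that host is reported as an isolation candidate, while the ordinary user logons are left alone. In a real deployment the source field is what a Fabric integration (FortiGate, FortiNAC) would act on.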


Scope
Deception lures (SMB, cached credentials, RDP) and network IT decoys are available in FortiDeceptor v3.3 and above.

Solution

Cyber deception against Microsoft CVE-2021-34527 (PrintNightmare) attacks:

1. Configure the network segments under the "Deployment Network" section that FortiDeceptor will use to deploy network decoys. Because of the nature of the attack, verify that the data center segments where the Windows domain controllers are located are covered.

2. Use the "Customization" feature to deploy a Windows Server 2016/2019 decoy that runs the Windows Print Spooler service (see this video for instructions on using the customization module: https://video.fortinet.com/products/fortideceptor/3.0/fortideceptor-windows-customization ).

3. Deploy network decoys (template and custom) across the network VLAN segments configured under the "Deployment Network" section.

4. Download the deception lure package from the decoy configuration section.

5. Deploy the deception lure package across your endpoints using the AD logon script. Keep in mind that the deception lure package is an "agent-less" technology (see the FortiDeceptor Admin Guide: https://docs.fortinet.com/document/fortideceptor/3.3.1/administration-guide/821523/deploying-tokens-... ).

6. To verify the deception lure package deployment, run the command "net use" on any endpoint that is part of the domain. You should see the mapped network drive in place; alternatively, open Windows Credential Manager to verify that the fake credentials exist.

7. Once a threat actor or malware has penetrated the network and infected an endpoint, any interaction with a deception decoy or lure triggers a real-time alert.

8. FortiDeceptor leverages the Fortinet Security Fabric to execute a threat mitigation response that isolates the threat.
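Step 6 verifies the lure deployment by hand. The PowerShell below is an added example, not FortiDeceptor code, that automates that check on a domain-joined endpoint so it can be run from the same logon script or from an endpoint management tool. It runs the documented "net use" and "cmdkey /list" commands and looks for the expected decoy artifacts; the decoy share path and the Credential Manager target name are placeholders and must be replaced with the values your lure package is configured with.

```powershell
# Added example (not FortiDeceptor code): check that the lure package left its
# artifacts on this endpoint. Run in the context of the user whose logon script
# applied the package, because mapped drives and Credential Manager entries are
# stored per user.

# Assumed placeholders: replace with the decoy share path and the decoy RDP
# target (Credential Manager uses the TERMSRV/<host> form for RDP entries).
$ExpectedSharePath = '\\FS-DECOY01\Finance'
$ExpectedRdpTarget = 'TERMSRV/RDP-DECOY01'

function Test-LureDeployment {
    param(
        [Parameter(Mandatory)] [string] $SharePath,
        [Parameter(Mandatory)] [string] $RdpTarget
    )

    # SMB lure: the fake network drive appears in the output of "net use".
    $netUse  = net use 2>&1 | Out-String
    $driveOk = $netUse -match [regex]::Escape($SharePath)

    # RDP / cached credential lure: the fake credential appears in Credential Manager.
    $cmdkey = cmdkey /list 2>&1 | Out-String
    $credOk = $cmdkey -match [regex]::Escape($RdpTarget)

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        User           = $env:USERNAME
        SmbLurePresent = [bool]$driveOk
        RdpLurePresent = [bool]$credOk
    }
}

$result = Test-LureDeployment -SharePath $ExpectedSharePath -RdpTarget $ExpectedRdpTarget
$result | Format-List

# A non-zero exit code lets the calling deployment tool or collector flag endpoints
# where the logon script did not apply the package.
if (-not ($result.SmbLurePresent -and $result.RdpLurePresent)) { exit 1 }
```

Because both checks read per-user state, a result that reports the lures missing when run as an administrator from a different session is expected; rerun it as the logged-on user before treating the endpoint as unprotected.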

FortiDeceptor is part of the Fortinet Security Fabric.

FortiDeceptor is natively integrated with FortiGate, FortiNAC, FortiSIEM, FortiAnalyzer, and other Fabric solutions to automate the mitigation response based on attack detection.

For example, the video below shows FortiDeceptor leveraging FortiNAC to automatically isolate an infected device that has been targeted by ransomware.

https://www.youtube.com/watch?v=SfiEL7-F5Mo&t=154s

Another example is FortiDeceptor (FDC) leveraging FortiGate to automatically isolate an infected device that has been compromised by a threat actor or malware.

