
Mitigation and Protection

First and foremost, the primary protection against this vulnerability is to ensure that all affected systems are patched with Microsoft's latest security updates and to apply the mitigation strategies published by the vendor. This remains the primary recommendation for protection against any exploit that may arise from these vulnerabilities.

Trend Micro Protection

To assist customers, Trend Micro has created and released some additional layers of protection in the form of rules and filters that may help organizations strengthen their overall security posture, especially in situations where comprehensive patching may take time or is not feasible.

IPS Rules

Deep Security and Cloud One - Workload Security, Vulnerability Protection, Apex One Vulnerability Protection (iVP) and Worry-Free Business Security Services Rules

  • Rule 1011016 - Identified DCERPC AddPrinterDriverEx Call Over TCP Protocol
  • Rule 1011018 - Identified DCERPC AddPrinterDriverEx Call Over SMB Protocol

Please note that, because the vulnerability is triggered through a valid Windows function call (AddPrinterDriverEx), these Intrusion Prevention Rules are set to DETECT by default. This minimizes potential false positives in the IT environment. Trend Micro recommends that IT managers review and test these rules in their own IT environment and then change them to PREVENT (where applicable on their solution).

Trend Micro Cloud One – Network Security and TippingPoint ThreatDV Malware Detection Filters

  • 39940: RPC: Microsoft Windows AddPrinterDriverEx Request Detected

Trend Micro Deep Discovery Inspector (DDI) Rules

  • Rule 4588: CVE-2021-34527_SMB_POSSIBLE_RCE_REQUEST_SB
  • Rule 4589: CVE-2021-34527_DCE_POSSIBLE_RCE_REQUEST_SB

Other Inspection / Detection Rules

Deep Security Log Inspection

  • Rule 1011017 - Microsoft Windows - Print Spooler Failed Loading Plugin Module (PrintNightmare)
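The Log Inspection rule above keys on the spooler failing to load a plug-in module. As an added example (not Trend Micro's rule or any code from this article), the following Python scans constructed JSON-lines event telemetry for that condition and for printer-driver installs; the event IDs 808 and 316, the channel names and the message formats are assumptions about the Windows PrintService logs, not values taken from this page.

```python
"""Spooler plug-in load-failure detection, modelled on the Log Inspection rule
above. Added example, not Trend Micro's code. Assumed: JSON-lines telemetry
(constructed sample below); Event ID 808 in Microsoft-Windows-PrintService/Admin
= "spooler failed to load a plug-in module"; 316 in .../Operational = driver added."""
import json
import re
PLUGIN_LOAD_FAILED = 808  # PrintService/Admin: spooler failed to load a plug-in module
DRIVER_ADDED = 316        # PrintService/Operational: printer driver added or updated
MODULE_RE = re.compile(r"plug-in module (\S+)", re.IGNORECASE)

# Constructed sample events (not real telemetry).
SAMPLE_LOG = r"""
{"host": "PRN-SRV01", "channel": "Microsoft-Windows-PrintService/Admin", "event_id": 808, "message": "The print spooler failed to load a plug-in module C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\suspect.dll, error code 0x45A."}
{"host": "PRN-SRV01", "channel": "Microsoft-Windows-PrintService/Operational", "event_id": 316, "message": "Printer driver Generic Test Driver for Windows x64 Version-3 was added or updated. Files:- suspect.dll, UNIDRV.DLL"}
{"host": "WS-042", "channel": "Microsoft-Windows-PrintService/Admin", "event_id": 372, "message": "The document Print Document, owned by alice, failed to print."}
"""

def classify(event):
    """Return (severity, detail) for one parsed event, or None if not of interest."""
    channel = event.get("channel", "")
    eid = event.get("event_id")
    msg = event.get("message", "")
    if eid == PLUGIN_LOAD_FAILED and channel.endswith("/Admin"):
        m = MODULE_RE.search(msg)
        module = m.group(1).rstrip(",.") if m else "<unknown>"
        # A plug-in load failure during driver install is what the rule above keys on.
        return ("high", f"spooler plug-in load failure: {module}")
    if eid == DRIVER_ADDED and channel.endswith("/Operational"):
        driver = msg.split(" was added")[0].replace("Printer driver ", "", 1)
        return ("medium", f"printer driver added/updated: {driver}")
    return None

def scan_spooler_events(text):
    """Parse JSON-lines telemetry; return [(host, severity, detail), ...]."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than stop the pipeline
        hit = classify(event)
        if hit:
            findings.append((event.get("host", "?"),) + hit)
    return findings

if __name__ == "__main__":
    for host, sev, detail in scan_spooler_events(SAMPLE_LOG):
        print(f"[{sev.upper()}] {host}: {detail}")
```

A driver-added event on its own is routine; the pairing of a driver install with a plug-in load failure on the same host is what should raise the priority during triage.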

Trend Micro is continuing to aggressively look into other forms of detection and protection to assist our customers, but we do want to continue to reiterate that the primary recommendation is to apply the official Microsoft patches as soon as possible. We will continue to update this article and our customers if/when additional layers of protection are found.

Using Trend Micro Products for Investigation

The following highlights several post-exploitation detections that can be used by customers to investigate and help with potential remediation in a customer’s environment.

Trend Micro Vision One™

Trend Micro Vision One customers benefit from the XDR detection capabilities of the underlying products such as Apex One. In addition, depending on their data collection time range, Trend Micro Vision One customers may be able to sweep for IOCs retrospectively to identify whether there was any potential activity in that range, which can help in an investigation.

Using Detection Models

Trend Micro Vision One triggers alerts based on matched detection models and sends the alerts to Workbench.

The detection models, which generate the alert triggers, combine multiple rules and filters using a variety of analysis techniques including data stacking and machine learning. Moreover, Trend Micro regularly refines and adds detection models and filters to improve threat detection capabilities and reduce false positive alerts.

Detection Models

Zero Trust Risk Insights (pre-release feature)

The Zero Trust Risk Insights app allows you to quickly assess the cloud access activities and vulnerabilities related to users and devices and determine how to mitigate the risks found in your network.

Risk Insights

CVE Detection
