Our notes about #printnightmare zero-day and Kaseya
As you have already heard, there is a zero-day vulnerability in the print spooler service. Microsoft also posted the official CVE-2021-3452 on their page Security Update Guide – Loading – Microsoft. Defender for Endpoint customers can see all the related information through the M365 Security portal as well.
In this blog post, we want to show you how to configure various settings using the Azure Automation DSC service. Besides that, a few examples around Change Tracking and Inventory feature as well.
Just to point out that Azure Automation offers 4 different services. Today we are focusing on configuration management and Inventory and Change Tracking.
Azure Automation services
All data you will collect from your servers will be stored in the Azure Log Analytics Workspace. If you have the data, you can use KQL queries for hunting, alerts, and workbooks.
Azure Automation DSC
One of the recommendations around the latest zero-day was to stop and disable the print spooler service on all servers. For example, in PowerShell, we can simply do this:
We can also invoke the same commands remotely as well.
This requires that PowerShell remoting is enabled on your servers.
So how can we use Azure Automation DSC to achieve the same thing? The good thing about the DSC is that we can configure different servers in different locations using the same tool. There is no difference if the server is domain joined or not. Thirdly we have built-in reporting as well.
To disable the print spooler service on your servers, you can use the following configuration document
Currently, I’m keeping this example really simple. You can always add more things. Every configuration you would like to add must be compiled first, and then you can assign it to different nodes.
In the second example, we are going to enable Microsoft-Windows-PrintService/Operational logging. By default, it is not enabled.
In PowerShell you can simply do this:
That should enable the logging, and after that, you can configure your SIEM to collect these. In DSC, we can do this.
In this example, we are using a different module. You need to import the ComputerManagementDsc module from the PowerShell gallery directly to your Azure Automation Account.
Deploy to Azure Automation
Truesec recommended in their blog post to add temporary deny permission for system account on C:\Windows\System32\spool\drivers folder. We can achieve the same thing through DSC as well.
This example is more complex and requires more know-how and testing. This requires us to import the AccessControlDSC module from the PowerShell Gallery.
As you see from these different examples, we can configure different elements using the Azure Automation DSC service. You can combine these examples together into one configuration document and configure multiple things at the same time.
Inventory and Change Tracking
During the Kaseya attack, they disabled the Defender Antivirus and also added different exceptions. If you are using Defender for Endpoint EDR solution, you can track changes, configure custom alerts, etc. Not everybody uses Defender for Endpoint, and you may have different reasons why aren’t you using it. You can also track changes and collect extra inventory using the Change Tracking and Change feature in Azure Automation.
Change Tracking and Inventory solution allows you to add custom registry keys as well.
Custom registry keys
You can add both of these keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
Both of these keys should give an overview of which exclusions are configured on your servers. Based on this data, you can also create reports and alerts because the data is in Azure Log Analytics Workspace.
You can always write custom KQL queries.
All examples are also posted on our Github page – Kaidja/AzureAutomation: DSC, PowerShell etc. (github.com)
PS! Always test these configurations in a lab environment.