* [Blog](https://www2.paloaltonetworks.com/blog) * [Security Operations](https://www2.paloaltonetworks.com/blog/security-operations/) * [Must-Read Articles](https://www2.paloaltonetworks.com/blog/security-operations/category/must-read-articles/) * Hunting PrintNightmare (C... # Hunting PrintNightmare (CVE-2021-1675) Using Cortex XDR [](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fhunting-printnightmare%2F) [](https://twitter.com/share?text=Hunting+PrintNightmare+%28CVE-2021-1675%29+Using+Cortex+XDR&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fhunting-printnightmare%2F) [](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fhunting-printnightmare%2F&title=Hunting+PrintNightmare+%28CVE-2021-1675%29+Using+Cortex+XDR&summary=&source=) [](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www2.paloaltonetworks.com/blog/security-operations/hunting-printnightmare/&ts=markdown) \[\](mailto:?subject=Hunting PrintNightmare (CVE-2021-1675) Using Cortex XDR) Link copied By [Unit 42](https://www.paloaltonetworks.com/blog/author/unit-42/?ts=markdown "Posts by Unit 42") Jul 01, 2021 4 minutes [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown) [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown) [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown) [CVE-2021-1675](https://www.paloaltonetworks.com/blog/tag/cve-2021-1675/?ts=markdown) [indicators of compromise](https://www.paloaltonetworks.com/blog/tag/indicators-of-compromise/?ts=markdown) [IOCs](https://www.paloaltonetworks.com/blog/tag/iocs/?ts=markdown) [Threat Hunting](https://www.paloaltonetworks.com/blog/tag/threat-hunting/?ts=markdown) [Vulnerabilities](https://www.paloaltonetworks.com/blog/tag/vulnerabilities/?ts=markdown) [Windows](https://www.paloaltonetworks.com/blog/tag/windows/?ts=markdown) [zero-day](https://www.paloaltonetworks.com/blog/tag/zero-day/?ts=markdown) ## Executive Summary On June 29, 2021, proof of concept code for [CVE-2021-1675](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675) (dubbed PrintNightmare) was posted on [Github](https://github.com/cube0x0/CVE-2021-1675). This CVE was partially patched by Microsoft on June 8, 2021 as a part of the June 2021 Patch Tuesday, which initially was described as local privilege escalation. On June 21, Microsoft corrected the advisory to include remote code execution and increased the CVE severity to critical. This blog will help you proactively search for related indicators of compromise (IOCs) and attack techniques using Cortex XDR. ## Hunting for This Attack in Your Environment #### Hunt for the attack using XQL Search in Cortex XDR * Detect PrintNightmare exploitation attempts by searching for any files added to the specific path indicating the backup function of driver upgrade process was used, which is required for this exploit: |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | config case\_sensitive = false timeframe=14d | dataset = xdr\_data | filter event\_type = FILE and (event\_sub\_type = FILE\_WRITE or event\_sub\_type = FILE\_CREATE\_NEW) and action\_file\_path contains "Windows\\System32\\spool\\drivers\\" | fields event\_timestamp, action\_file\_path, event\_type, event\_sub\_type, actor\_process\_image\_name, agent\_hostname | comp count(event\_timestamp) as event\_count, count\_distinct(agent\_hostname) as distinct\_host\_count by agent\_hostname, action\_file\_path, event\_type, event\_sub\_type, actor\_process\_image\_name | filter (action\_file\_path contains "\\3\\old") // Looking for a file path that contains something similar to C:\\Windows\\System32\\spool\\drivers\\x64\\3\\old\\1\\ // The above path indicates the backup driver feature of the upgrade system was used, which is required by the original posted POC for this attack | * To reduce the attack surface, we suggest to check if the Print Spooler service process (spoolsv.exe) is running on any critical systems that it shouldn't run on and disable it: |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | config case\_sensitive = false timeframe=30d | dataset = xdr\_data | filter actor\_process\_image\_name = "spoolsv.exe" | fields event\_timestamp, action\_file\_path, event\_type, event\_sub\_type, actor\_process\_image\_name, actor\_remote\_ip, agent\_hostname | alter note = "Print Spooler activity observed on this host in the past 30 days" | comp count(event\_timestamp) as event\_count by agent\_hostname, note | * Detect possible PrintNightmare exploitation attempts on Windows Servers by looking for errors generated by the Print Spooler which could indicate that an exploitation attempt happened. However, this query also has some false positives where the Print Spooler crashes due to an unrelated error. |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | config case\_sensitive = false timeframe=14d | dataset = xdr\_data | filter event\_type = PROCESS and event\_sub\_type = PROCESS\_START and action\_process\_image\_name = "werfault.exe" and actor\_process\_image\_name = "spoolsv.exe" and agent\_os\_sub\_type ~= "^Windows Server.\*" | fields agent\_hostname, action\_process\_image\_name, actor\_process\_image\_name, agent\_os\_sub\_type | alter note = "spoolsv.exe spawns werfault.exe" | ## Cortex XDR Product Response #### Cortex XDR Managed Threat Hunting The [Cortex XDR Managed Threat Hunting](https://www.paloaltonetworks.com/cortex/managed-threat-hunting) team proactively hunted for threats and activities related to the event in Managed Threat Hunting customers and notified them with a detailed Impact Report. Cortex XDR alerts that detect this attack |------------------|------------------------------| | **Source** | **Description** | | Cortex XDR Agent | Behavioral Threat Protection | ## Conclusion Due to the high impact of a potential attack and the prevalence and ease of use of the PrintNighmare exploit, we highly advise Palo Alto Networks customers to upgrade to Cortex XDR agent 7.3.2 or newer and download the most recent [content update](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/endpoint-security/about-content-updates.html) to take advantage of the latest protection mechanisms within Cortex XDR. They should also hunt for threats using the XQL queries described in this blog. We also recommend disabling the Windows Print Spooler service in systems where it's not required as a precautionary measure. For more information on remediating this CVE, please read our supporting blog "[Remediating PrintNightmare (CVE-2021-1675) Using Cortex XSOAR](https://www.paloaltonetworks.com/blog/security-operations/remediating-printnightmare-cve-2021-1675-using-cortex-xsoar/)" *** ** * ** *** ## Related Blogs ### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown) [#### PrintNightmare Prevention Update with Cortex XDR](https://www2.paloaltonetworks.com/blog/security-operations/printnightmare-prevention-update-with-cortex-xdr/) ### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown) [#### Prevention, Hunting and Playbooks for MSDT Zero-Day (CVE-2022-30190)](https://www2.paloaltonetworks.com/blog/security-operations/prevention-hunting-and-playbooks-for-msdt-zero-day-cve-2022-30190/) ### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown) [#### Hunting Confluence Atlassian RCE (CVE-2021-26084) by the Cortex XDR Managed Threat Hunting Experts](https://www2.paloaltonetworks.com/blog/security-operations/hunting-confluence-atlassian-rce-cve-2021-26084-by-the-cortex-xdr-managed-threat-hunting-experts/) ### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown) [#### Exploring the Art and Science of Threat Hunting with Oded Awaskar](https://www2.paloaltonetworks.com/blog/security-operations/exploring-the-art-and-science-of-threat-hunting-with-oded-awaskar/) ### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown) [#### Forrester Names Palo Alto Networks a Leader in XDR](https://www2.paloaltonetworks.com/blog/2024/06/forrester-names-palo-alto-networks-a-leader-in-xdr/) ### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown), [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown) [#### Hunt and Investigate Removable Drive Threats with Cortex XDR](https://www2.paloaltonetworks.com/blog/security-operations/hunt-and-investigate-removable-drive-threats-with-cortex-xdr/) ### Subscribe to Security Operations Blogs! Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more. ![spinner](https://www2.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up Please enter a valid email. By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder. This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply. {#footer} {#footer} ## Products and Services * [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown) ## Company * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Careers](https://jobs.paloaltonetworks.com/en/) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Customers](https://www.paloaltonetworks.com/customers?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com/) * [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown) ## Popular Links * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Event Center](https://events.paloaltonetworks.com/) * [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center) * [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown) * [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown) * [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Unit 42](https://unit42.paloaltonetworks.com/) * [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd) ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg) * [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown) * [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown) * [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) * [Documents](https://www.paloaltonetworks.com/legal?ts=markdown) Copyright © 2026 Palo Alto Networks. All Rights Reserved * [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks) * [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown) * [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/) * [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks) * [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks) * EN Select your language