Update Microsoft Defender for Identity now detects PrintNightmare attacks

CyberTech

Microsoft has added support for PrintNightmare exploitation detection to Microsoft Defender for Identity to help Security Operations teams detect attackers' attempts to abuse this critical vulnerability.

As revealed by Microsoft program manager Daniel Naim, Defender for Identity now identifies Windows Print Spooler service exploitation (including the actively exploited CVE-2021-34527 PrintNightmare bug) and helps block lateral movement attempts within an org's network.

If successfully exploited, this critical flaw enables attackers to take over affected servers by elevating privileges to Domain Administrator, stealing domain credentials, and distributing malware as a Domain Admin via remote code execution (RCE) with SYSTEM privileges.

Microsoft Defender for Identity (previously known as Azure Advanced Threat Protection or Azure ATP) is a cloud-based security solution that leverages on-premises Active Directory signals.
This allows SecOps teams to detect and investigate compromised identities, advanced threats, and malicious insider activity targeting enrolled orgs.

Defender for Identity is bundled with Microsoft 365 E5 but, if you don't have a subscription already, you can get a Security E5 trial right now to give this new feature a spin.


Nightwalker

Off topic rant

Oh how not to feel "grateful" for the researchers who made all this fuss again in a totally responsible way, never motivated by the ego, totally focused on improving the security of the user and companies in general, so much so that they made a point of explaining how this affects a home user rather than throwing him into unnecessary paranoia through feeding flashy news.

How can you not be grateful for those researchers who worked directly with Microsoft to verify that the vulnerability is fixed before disclosing more information to criminals to prepare for targeted attacks?

How not to admire these researchers right? right?

CyberTech

Since employees have switched to remote working during the COVID-19 pandemic, home printers and removable devices have expanded the attack surface to their companies' data and daily business operations.

To address this increased security exposure, Microsoft has added new removable storage device and printer controls to Microsoft Defender for Endpoint, the enterprise version of its Windows 10 Defender antivirus.

These new capabilities, available in the enterprise endpoint security platform (previously known as Microsoft Defender Advanced Threat Protection), will allow restricting access to removable devices and blocking printing tasks via non-corporate or non-approved printers.

"We are excited to announce new device control capabilities in Microsoft Defender for Endpoint to secure removable storage scenarios on Windows and macOS platforms and offer an additional layer of protection for printing scenarios," Microsoft said.
