Add files via upload

Author: heikovoegeli

PrintNightmare_dll_check.ps1

@@ -0,0 +1,52 @@
+# 2021-07-06 HV PrintNightmare dll check
+# a quick script to recursively scan for unsigned dll in %windir%\system32\spool\drivers
+
+# According to https://github.com/afwu/PrintNightmare a successful PrintNightmare attack places a malicious dll in %windir%\system32\spool\drivers
+# These dll are most likely unsigned (neither AuthentiCode nor directly signed)
+
+# VARIABLES
+# printer directory where attacks with dll occur / malicious dll are planted
+$srcpath = "$env:windir\system32\spool\drivers\*.dll"
+# output directory where to copy unsigned dll for further check with Sysinternals sigcheck.exe
+$2nd_check_path = "$PSScriptRoot\PrintNightmare_2nd_check_path"
+# get current date / time
+$now = Get-Date -Format "yyyyMMdd-HHmm"
+# logfile name
+$logfile = $PSScriptRoot + "\PrintNightmare_dll_check_" + $now + ".txt"
+
+# create logfile
+Add-Content -Path $logfile -Value $now -Encoding UTF8
+Add-Content -Path $logfile -Value "script start" -Encoding UTF8
+Add-Content -Path $logfile -Value "" -Encoding UTF8
+
+# create further check directory
+md $2nd_check_path
+
+# search for unsigned dll (authenticode nor directly signed) and copy unsigned dll for further check
+gci -Path $srcpath -Recurse | Get-AuthenticodeSignature | Where-Object {$_.Status -eq "NotSigned"} | cpi -Destination $2nd_check_path
+
+# if unsigned dll are detected 
+if (Test-Path $2nd_check_path\*.dll)
+{
+    $unsigned_dll_found=1
+    # update logfile with name of unsigned dll(s)
+    Add-Content -Path $logfile -Value "dll files without authenticode nor directly signed:" -Encoding UTF8
+    gci $2nd_check_path | Add-Content -Path $logfile -Encoding UTF8
+    Add-Content -Path $logfile -Value "" -Encoding UTF8
+    # Check unsigned dll(s) with sigcheck and do external check with Virustotal.com; Internet connection required
+    & $PSScriptRoot\sigcheck64.exe -accepteula -e -s -h -v -vt $2nd_check_path | Add-Content -Path $logfile -Encoding UTF8
+    Add-Content -Path $logfile -Value "" -Encoding UTF8
+}
+else
+{
+    # otherwise if all dll are signed
+    $unsigned_dll_found=0
+    Add-Content -Path $logfile -Value "all dll files provide authenticode or are directly signed" -Encoding UTF8
+    Add-Content -Path $logfile -Value "NO suspicious dll files detetcted" -Encoding UTF8
+    Add-Content -Path $logfile -Value "" -Encoding UTF8
+}
+# update logfile
+Add-Content -Path $logfile -Value "script end" -Encoding UTF8
+
+# exit script; %errorcode% = 0 -> NO unsigned dll found; %errorcode% = 1 -> unsigned dll found!
+EXIT $unsigned_dll_found

README.md

@@ -0,0 +1,97 @@
+# PrintNightmare_dll_check.ps1
+
+A quick PowerShell script to recursively scan for unsigned dll in %windir%\system32\spool\drivers.
+The scan path can be quickly changed within the script to any other location.
+
+According to https://github.com/afwu/PrintNightmare a successful PrintNightmare attack places a malicious dll in %windir%\system32\spool\drivers.
+These dll are most likely unsigned (neither AuthentiCode nor directly signed) but this approach will also show up false-positives as well.
+
+
+Manual download of 3rd party tools
+----------------------------------
+
+For licensing reasons we can't provide the script fully operational including sigcheck64.exe.
+Please manually download sigcheck64.exe from the offical Sysinternal website and place it next to PrintNightmare_dll_check.ps1.
+
+|Download URL: | Extracted filename: |
+| ------------ | ------------------- |
+|https://download.sysinternals.com/files/Sigcheck.zip |	SigCheck64.exe |
+
+
+Requirements
+------------
+-Download of Sysinternals Sigcheck.zip
+-Extracting of sigcheck64.exe from Sigcheck.zip
+-local user rights (Admin permission NOT required)
+-Internet connection for external check of unsigned dll with Virustotal.com (or remove the sigcheck parameters '-v -vt' to stay local)
+
+
+How to run
+----------
+1. place PrintNightmare_dll_check.ps1 to any directory where the executing user has write permission (e.g. C:\temp or C:\users\%username%\Documents)
+2. place sigcheck64.exe next to PrintNightmare_dll_check.ps1 in the same directory
+3. `cmd`
+4. `powershell.exe -executionpolicy bypass C:\path_to\PrintNightmare_dll_check.ps1`
+
+
+Returncode (%errorlevel%) of script
+-----------------------------------
+0 = NO unsigned dll found
+1 = unsigned dll found -> check logfile for more details
+
+
+Outputs of script
+-----------------
+logfile: C:\path_to\PrintNightmare_dll_check_YYYYMMDD-HHMM.txt
+copy of unsigned dlls: C:\path_to\PrintNightmare_2nd_check_path\
+
+
+Example of logfile - NO unsigned dll found
+------------------------------------------
+20210707-1142
+script start
+
+all dll files provide authenticode or are directly signed
+NO suspicious dll files detetcted
+
+script end
+
+
+Example of logfile - unsigned dll found
+---------------------------------------
+20210707-1138
+script start
+
+dll files without authenticode nor directly signed:
+Vix64AllProductsDyn.dll
+
+
+Sigcheck v2.81 - File version and signature viewer
+Copyright (C) 2004-2021 Mark Russinovich
+Sysinternals - www.sysinternals.com
+
+c:\test\printnightmare_2nd_check_path\Vix64AllProductsDyn.dll:
+	Verified:	Unsigned
+	Link date:	14:15 30/04/2021
+	Publisher:	n/a
+	Company:	VMware, Inc.
+	Description:	VMware application library
+	Product:	VMware Workstation
+	Prod version:	16.1.2 build-17966106
+	File version:	16.1.2 build-17966106
+	MachineType:	64-bit
+	MD5:	22F4B8122EBE333200E833E05C2E357C
+	SHA1:	B858B78C22ECCF9B7DA408C297BB53FAEFED6426
+	PESHA1:	5F20D482AE71A3B78CCF39D98991E2DA6F14DB6F
+	PE256:	35AE6215FEAA28DB3A2F4CD5111CE61747481162B013DFCE3377EC4BE9748D0F
+	SHA256:	985E8F96133B794A66CB1AF894AC5ED509AC3DE4A54DB73FD85C96505CC5D890
+	IMP:	9FB9711F21857F89F61E06F13A427CA8
+	VT detection:	0/73
+	VT link:	https://www.virustotal.com/gui/file/985e8f96133b794a66cb1af894ac5ed509ac3de4a54db73fd85c96505cc5d890/detection
+
+script end
+
+
+How to test the script
+----------------------
+Copy any unsigned dll from any local installed app (from C:\Program Files) to C:\Windows\System32\spool\drivers and run the script.