Level: Intermediate | MITRE ATT&CK: T1547.012

Print Spooler Abuse & PrintNightmare

The Windows Print Spooler service has been a goldmine for attackers — from coercing Domain Controller authentication to achieving remote code execution as SYSTEM.

The Windows Print Spooler is a service that manages printing. It runs on virtually every Windows machine, including Domain Controllers. Attackers have found two major ways to abuse it. First, the "Printer Bug" (also called SpoolSample): any authenticated user can ask the Spooler on a remote machine to send a notification back to them. When it does, the remote machine authenticates using its computer account — and the attacker can capture or relay those credentials. Second, PrintNightmare (CVE-2021-1675 and CVE-2021-34527): a vulnerability in how the Spooler handles driver installations that allowed any authenticated user to execute code as SYSTEM on remote machines, including Domain Controllers. Together, these attacks made the Print Spooler one of the most exploited services in AD environments.

Imagine an office where the fax machine automatically calls back anyone who asks it to confirm receipt. An attacker sends a fax and requests a callback to their own line. When the office fax calls back, it identifies itself with the office's secure caller ID — which the attacker can now record and replay to impersonate the office. The Print Spooler works similarly: it can be tricked into authenticating to an attacker's server, revealing the computer account's credentials. PrintNightmare goes further — it is like the fax machine accepting and executing any attachment sent to it, giving the attacker full control.

Key Takeaways

  1. The Printer Bug forces any machine to authenticate to an attacker-chosen target — no admin rights needed.
  2. PrintNightmare (CVE-2021-34527) allowed remote code execution as SYSTEM on Domain Controllers.
  3. The Print Spooler should be DISABLED on all Domain Controllers and servers that do not need to print.
  4. Coercion attacks (PrinterBug, PetitPotam, DFSCoerce) are building blocks for relay and delegation chains.
  5. SpoolFool (CVE-2022-21999) bypassed initial PrintNightmare patches — staying current on patches is critical.
  6. The combination of coercion + relay + AD CS (ESC8) is one of the most reliable domain compromise chains.

Why Should I Care?

The Print Spooler runs by default on every Windows machine, including Domain Controllers. A single overlooked service that "nobody thinks about" has produced some of the most devastating AD attack chains in recent years.

Defense Recommendations

Disable the Print Spooler on all servers that do not require printing, especially Domain Controllers, and apply all cumulative patches.

  1. Disable the Print Spooler on all DCs and servers: Stop-Service -Name Spooler; Set-Service -Name Spooler -StartupType Disabled.
  2. Apply the latest Windows cumulative updates to patch PrintNightmare and SpoolFool.
  3. Restrict driver installation to administrators: GPO → "Limits print driver installation to Administrators".
  4. Enable EPA (Extended Protection for Authentication) on AD CS web enrollment endpoints.
  5. Monitor for coerced authentication: unusual SMB/RPC connections from DCs to non-DC machines.
  6. Use Sysmon to monitor file creation in C:\Windows\System32\spool\drivers\.
  7. Audit which machines still have the Spooler running: Get-Service -Name Spooler | Where Status -eq Running.
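The audit and hardening steps above (items 1, 3 and 7) can be run as one script. The following is an added example, not code from the original page: it queries a set of hosts for the Spooler state and the Point and Print policy values that Microsoft published for the PrintNightmare mitigations, flags the risky combinations, and optionally stops and disables the service. It assumes PowerShell remoting (WinRM) is reachable and that the caller is a local administrator on each target; the default host names are constructed.

```powershell
# Added example, not code from the original page: audit Print Spooler exposure
# on a set of hosts and report the PrintNightmare hardening values.
# Assumptions: PowerShell remoting (WinRM) is reachable and the caller is a local
# administrator on every target; the default $Targets list is constructed.
param(
    [string[]]$Targets = @('dc01.corp.example', 'dc02.corp.example', 'fs01.corp.example'),
    [switch]$Disable   # also stop and disable the service wherever it is running
)

# Policy locations documented by Microsoft for the Point and Print / PrintNightmare mitigations.
$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PrintersKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

$report = Invoke-Command -ComputerName $Targets -ArgumentList $PointAndPrintKey, $PrintersKey, [bool]$Disable -ScriptBlock {
    param($pnpKey, $printersKey, $disable)

    # A missing value is "not configured", which is the insecure default, so report $null rather than fail.
    function Get-PolicyDword($path, $name) {
        try { (Get-ItemProperty -Path $path -Name $name -ErrorAction Stop).$name } catch { $null }
    }

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    $svc  = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    if ($disable -and $svc -and $svc.Status -eq 'Running') {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
        $svc = Get-Service -Name Spooler
    }

    $status    = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
    $startType = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }

    [pscustomobject]@{
        ComputerName                               = $env:COMPUTERNAME
        IsDomainController                         = $isDC
        SpoolerStatus                              = $status
        SpoolerStartType                           = $startType
        RestrictDriverInstallationToAdministrators = Get-PolicyDword $pnpKey 'RestrictDriverInstallationToAdministrators'
        NoWarningNoElevationOnInstall              = Get-PolicyDword $pnpKey 'NoWarningNoElevationOnInstall'
        UpdatePromptSettings                       = Get-PolicyDword $pnpKey 'UpdatePromptSettings'
        RegisterSpoolerRemoteRpcEndPoint           = Get-PolicyDword $printersKey 'RegisterSpoolerRemoteRpcEndPoint'
    }
}

# Turn the raw values into findings a defender acts on.
foreach ($r in $report) {
    $findings = @()
    if ($r.IsDomainController -and $r.SpoolerStatus -eq 'Running') { $findings += 'Spooler running on a Domain Controller' }
    if ($r.RestrictDriverInstallationToAdministrators -ne 1)        { $findings += 'non-admins may install print drivers' }
    if ($r.NoWarningNoElevationOnInstall -eq 1 -or $r.UpdatePromptSettings -eq 1) { $findings += 'Point and Print elevation warnings disabled' }
    if ($r.SpoolerStatus -eq 'Running' -and $r.RegisterSpoolerRemoteRpcEndPoint -ne 2) { $findings += 'Spooler still accepts remote RPC connections' }
    $r | Add-Member -NotePropertyName Findings -NotePropertyValue ($findings -join '; ')
}
$report | Format-Table ComputerName, IsDomainController, SpoolerStatus, SpoolerStartType, Findings -AutoSize
```

Run it without -Disable first to get a read-only inventory; a value of 1 for RestrictDriverInstallationToAdministrators is the setting the "Limits print driver installation to Administrators" GPO writes, and RegisterSpoolerRemoteRpcEndPoint = 2 corresponds to "Allow Print Spooler to accept client connections" being disabled, which removes the remote attack surface on hosts that must keep local printing.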
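For the Sysmon monitoring in item 6, the next block is an added example (not code from the original page) of the filtering logic: it takes Sysmon Event ID 11 (FileCreate) records and reports only the writes that exploitation needs, a DLL dropped into the live driver store or anything written to its Old/New staging folders, so routine spool files and driver data files are not reported. The sample records are constructed, and the property indexes used in the commented live-use snippet are an assumption based on the Event ID 11 field order (RuleName, UtcTime, ProcessGuid, ProcessId, Image, TargetFilename).

```powershell
# Added example, not code from the original page: flag writes under the spool
# driver directory that look like PrintNightmare driver staging, using Sysmon
# Event ID 11 (FileCreate) records. The $SampleEvents are constructed for the
# demo; the Sysmon property indexes in the live-use snippet are an assumption
# based on the Event ID 11 field order (RuleName, UtcTime, ProcessGuid,
# ProcessId, Image, TargetFilename, ...).
function Test-SuspiciousSpoolDriverWrite {
    param([Parameter(ValueFromPipeline = $true)] $Event)
    process {
        $path = [string]$Event.TargetFilename
        # Legitimate driver installs write here too, so scope to what exploitation needs:
        # a DLL landing in the live driver store (x64\3 or W32X86\3) or its Old/New staging folders.
        $inDriverStore = $path -match '\\spool\\drivers\\(x64|W32X86)\\3\\'
        $isDll         = $path -match '\.dll$'
        $inStaging     = $path -match '\\3\\(Old|New)\\'
        if ($inDriverStore -and ($isDll -or $inStaging)) {
            $reason = if ($inStaging) { 'write to driver staging folder' } else { 'new DLL in driver store' }
            [pscustomobject]@{
                TimeCreated = $Event.TimeCreated
                Computer    = $Event.Computer
                Image       = $Event.Image
                File        = $path
                Reason      = $reason
            }
        }
    }
}

# Constructed sample records shaped like Sysmon ID 11 events (not real telemetry).
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2021-07-01T10:00:01'; Computer = 'DC01'; Image = 'C:\Windows\System32\spoolsv.exe'; TargetFilename = 'C:\Windows\System32\spool\drivers\x64\3\New\payload.dll' }
    [pscustomobject]@{ TimeCreated = '2021-07-01T10:00:02'; Computer = 'DC01'; Image = 'C:\Windows\System32\spoolsv.exe'; TargetFilename = 'C:\Windows\System32\spool\drivers\x64\3\payload.dll' }
    [pscustomobject]@{ TimeCreated = '2021-07-01T10:05:00'; Computer = 'WS07'; Image = 'C:\Windows\System32\spoolsv.exe'; TargetFilename = 'C:\Windows\System32\spool\drivers\x64\3\vendorprint.gpd' }
    [pscustomobject]@{ TimeCreated = '2021-07-01T10:06:00'; Computer = 'WS07'; Image = 'C:\Windows\System32\spoolsv.exe'; TargetFilename = 'C:\Windows\System32\spool\PRINTERS\00012.SPL' }
)
$SampleEvents | Test-SuspiciousSpoolDriverWrite | Format-Table -AutoSize

# Live use (commented out): read the last 24 hours of FileCreate events from the Sysmon channel.
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 11; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object { [pscustomobject]@{ TimeCreated = $_.TimeCreated; Computer = $_.MachineName
#                                         Image = $_.Properties[4].Value; TargetFilename = $_.Properties[5].Value } } |
#     Test-SuspiciousSpoolDriverWrite
```

On the constructed sample only the two DC01 records are reported; the .gpd driver data file and the spooled print job fall outside the match. The writing process is spoolsv.exe in both the malicious and the benign case, so the process image alone is not a useful discriminator here, which is why the rule keys on the path and file type instead. A new DLL in the driver store on a Domain Controller that has no business printing should be treated as a high-severity alert.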

Source

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.