The Print Nightmare Vulnerability
PrintNightmare is the name given to two closely related vulnerabilities (CVE-2021-1675 and CVE-2021-34527) in the Windows Print Spooler service. They allow Local Privilege Escalation (LPE) from a normal user account to NT AUTHORITY\SYSTEM privileges. The vulnerability can also be exploited remotely, as Remote Code Execution (RCE), to obtain NT AUTHORITY\SYSTEM privileges on a remote system using only a normal domain user account. In practice this means a normal domain user can remotely exploit a vulnerable Print Spooler service on a domain controller and compromise the entire domain.
What is the SYSTEM account?
NT AUTHORITY\SYSTEM is also known as the computer account, the account the operating system itself runs under. It has the highest privileges on a Windows endpoint and is more powerful than the local Administrator account. The SYSTEM account, for example, can read the SAM hive in the Registry, which holds the local users' password hashes; the local Administrator cannot. There are, however, ways to elevate from an Administrator account to SYSTEM.
When a process running as SYSTEM communicates with other endpoints, it does so as the computer itself. So if the computer object has been granted permissions on other objects in the environment, a process running as SYSTEM can use those permissions, which opens a path for lateral movement. Other endpoints see the host name followed by a dollar sign (COMPUTER$) when you connect to them as the computer account, i.e., as SYSTEM:
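Because a SYSTEM-level process shows up on other endpoints as COMPUTER$, machine-account network logons are where this kind of lateral movement becomes visible. The following detection logic is an added example, not part of the original article: it runs over constructed records modelled on Windows Security event 4624 (the field names, host names, addresses and the baseline set are assumptions) and flags a computer account that is reported from a host other than its own, or that logs on to a destination it has never been seen on before, such as a domain controller's account appearing on a workstation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LogonEvent:
    """Subset of Windows Security event 4624 fields (field names are assumptions)."""
    event_id: int
    account: str      # TargetUserName, e.g. "WS01$"
    logon_type: int   # 3 = network logon
    workstation: str  # WorkstationName the client reported; may be empty
    source_ip: str    # IpAddress
    dest_host: str    # host that recorded the event

def is_machine_account(account: str) -> bool:
    # Computer accounts appear to other endpoints as the host name plus "$".
    return len(account) > 1 and account.endswith("$")

def machine_account_findings(events, baseline):
    """Return (reason, event) pairs for machine-account network logons that
    (a) are reported from a workstation other than the account's own host, or
    (b) reach a destination not in `baseline`, a set of (account, dest_host)
    pairs observed during normal operation. Empty workstation names are not
    judged by rule (a), since Kerberos logons frequently omit the field.
    """
    findings = []
    for ev in events:
        if ev.event_id != 4624 or ev.logon_type != 3:
            continue
        if not is_machine_account(ev.account):
            continue
        owner = ev.account[:-1].upper()
        if ev.workstation and ev.workstation.upper() != owner:
            findings.append(("computer identity used from another host", ev))
        if (ev.account.upper(), ev.dest_host.upper()) not in baseline:
            findings.append(("first logon of this account to this host", ev))
    return findings

# Constructed sample data: hosts, addresses and account names are made up.
BASELINE = {("WS01$", "FS01"), ("DC01$", "FS01")}
SAMPLE_EVENTS = [
    LogonEvent(4624, "WS01$", 3, "WS01", "10.0.0.11", "FS01"),   # normal
    LogonEvent(4624, "WS01$", 3, "WS07", "10.0.0.17", "DC01"),   # both rules fire
    LogonEvent(4624, "jsmith", 3, "WS07", "10.0.0.17", "DC01"),  # user account, ignored
    LogonEvent(4624, "DC01$", 3, "DC01", "10.0.0.5", "WS07"),    # DC account on a workstation
    LogonEvent(4624, "WS01$", 2, "WS01", "-", "WS01"),           # interactive, ignored
]

if __name__ == "__main__":
    for reason, ev in machine_account_findings(SAMPLE_EVENTS, BASELINE):
        print(f"{ev.dest_host}: {ev.account} from {ev.workstation or '?'} ({ev.source_ip}): {reason}")
```

The baseline rule depends on the quality of the (account, destination) pairs collected beforehand; build it from a period you trust and review first-seen pairs rather than treating every one as an incident.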