Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials

Microsoft details Forest Blizzard’s post-compromise tool GooseEgg, which exploits CVE-2022-38028 in the Windows Print Spooler to execute a malicious DLL as SYSTEM and enable credential theft and persistence. The report explains how the actor redirects Print Spooler loads via a symbolic link and custom protocol handler to run wayzgoose.dll, then uses scheduled tasks and registry modifications to maintain access. #ForestBlizzard #GooseEgg

Keypoints

  • Forest Blizzard (STRONTIUM) uses a custom tool called GooseEgg to exploit CVE-2022-38028 in the Windows Print Spooler to gain SYSTEM privileges.
  • GooseEgg is typically deployed with batch scripts (execute.bat, doit.bat, servtask.bat) that create a scheduled task for persistence.
  • The binary copies Windows driver store files to an actor-controlled subdirectory under C:\ProgramData and replaces the C: symbolic link so Print Spooler loads attacker-controlled files.
  • Registry keys are created to register a rogue protocol handler/CLSID that causes MPDW-constraints.js to invoke the handler and load wayzgoose.dll under spoolsv.exe context.
  • wayzgoose.dll functions as a SYSTEM-level launcher capable of spawning arbitrary executables or DLLs for credential theft, backdoors, lateral movement, and remote code execution.
  • Microsoft provides detections (HackTool:Win64/GooseEgg) and hunting queries for file creation, scheduled task creation, registry changes, and JS constrained file creation.

MITRE Techniques

  • [T1068] Exploitation for Privilege Escalation – GooseEgg exploits a Print Spooler vulnerability to run code as SYSTEM (‘wayzgoose.dll launching in the context of the PrintSpooler service with SYSTEM permissions.’)
  • [T1574] Hijack Execution Flow – the actor replaces the C: drive symbolic link in the object manager to redirect Print Spooler to an attacker-controlled directory (‘replace the C: drive symbolic link in the object manager to point to the newly created directory.’)
  • [T1112] Modify Registry – registry keys are created to generate a custom protocol handler and register a new CLSID acting as a COM server for the rogue protocol (‘registry keys are created, effectively generating a custom protocol handler and registering a new CLSID’)
  • [T1053.005] Scheduled Task – GooseEgg sets up persistence by creating scheduled tasks that run servtask.bat or execute.bat as SYSTEM (‘sets up persistence as a scheduled task designed to run servtask.bat.’)
  • [T1003] OS Credential Dumping – batch scripts save/compress registry hives to enable credential extraction (‘servtask.bat, which contains commands for saving off/compressing registry hives.’)
  • [T1105] Ingress Tool Transfer – the binary copies driver store files from FileRepository into an actor-controlled install directory to stage malicious JS and DLLs (‘the binary then copies the following driver stores to this directory: C:\Windows\System32\DriverStore\FileRepository\pnms003.inf_* … pnms009.inf_*’)

Indicators of Compromise

  • [Filenames] batch scripts and DLLs used for deployment and persistence – execute.bat, servtask.bat (used to invoke GooseEgg and save/compress registry hives), and wayzgoose23.dll (embedded malicious DLL).
  • [Scheduled Task] persistence task name – \Microsoft\Windows\WinSrv (created with schtasks to run servtask.bat/execute.bat as SYSTEM).
  • [SHA-256 hashes] GooseEgg binaries and DLLs – 6b311c0a977d21e7… (justice.exe), c60ead92cd376b68… (DefragmentSrv.exe), and 41a9784f8787ed86… (wayzgoose[%n].dll).
  • [PDB/artifacts] development symbols tied to GooseEgg builds – justice.pdb, wayzgoose.pdb (observed in artifact metadata).
  • [Registry/CLSID] custom protocol handler registration – CLSID {026CC6D7-34B2-33D5-B551-CA31EB6CE345} and protocol handler key for “rogue” (used to invoke the COM server that loads wayzgoose.dll).

GooseEgg’s technical procedure begins with an initial binary (observed as justice.exe or DefragmentSrv.exe) deployed alongside batch scripts (execute.bat, doit.bat, servtask.bat). The batch script writes servtask.bat to save and compress registry hives and invokes the GooseEgg executable, which copies specific driver store packages (pnms003.inf_*, pnms009.inf_*) into a randomly named subdirectory under C:\ProgramData (e.g., C:\ProgramData\Adobe\v2.116.4405). GooseEgg then creates registry entries to register a rogue protocol handler and CLSID, and alters object manager symbolic links so that Print Spooler loads files from the actor-controlled directory instead of the legitimate FileRepository path.

Within the actor-controlled directory a patched MPDW-constraints.js modifies convertDevModeToPrintTicket to call a “rogue” protocol, triggering the COM handler during RpcEndDocPrinter. This causes wayzgoose.dll to be loaded in the Print Spooler (spoolsv.exe) context with SYSTEM privileges. wayzgoose.dll operates as a simple launcher that spawns specified executables or DLLs under SYSTEM, enabling credential collection, backdoor installation, lateral movement, and remote command execution. Persistence is maintained by creating scheduled tasks (e.g., \Microsoft\Windows\WinSrv) that run the deployed batch scripts as SYSTEM.

Detection and response should focus on the described artifacts and behaviors: unexpected driver store file copies into ProgramData, creation of MPDW-constraints.js or other JS files in FileRepository paths, registry changes creating protocol handlers/CLSID entries, scheduled task creation that runs ProgramData scripts as SYSTEM, and the specific GooseEgg hashes and filenames. Collected registry hives and spawned SYSTEM processes should be prioritized for forensic analysis to confirm credential exfiltration and follow-on activity.

Read more: https://www.hendryadrian.com/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/