feat(rules): Add Potential NTLM hash leak via shortcut file rule

Identifies potential NTLM hash leakage via malicious shortcut (.lnk) file processing. By crafting a .lnk file with a default icon from shell32.dll and the target path pointing to a remote SMB-hosted binary file, the explorer.exe process will fetch the remote file to extract the icon from the PE resource directory, leading to NTLM hash leak.

Author: rabbitstack

rules/credential_access_potential_ntlm_hash_leak_via_shortcut_file.yml

@@ -0,0 +1,42 @@
+name: Potential NTLM hash leak via shortcut file
+id: 2217339b-19d0-45ac-9ec5-26b0a968bdf1
+version: 1.0.0
+description: |
+  Identifies potential NTLM hash leakage via malicious shortcut (.lnk) file processing.
+  By crafting a .lnk file with a default icon from shell32.dll and the target path pointing
+  to a remote SMB-hosted binary file, the explorer.exe process will fetch the remote file to
+  extract the icon from the PE resource directory, leading to NTLM hash leak.
+labels:
+  tactic.id: TA0006
+  tactic.name: Credential Access
+  tactic.ref: https://attack.mitre.org/tactics/TA0006/
+  technique.id: T1187
+  technique.name: Forced Authentication
+  technique.ref: https://attack.mitre.org/techniques/T1187/
+references:
+  - https://github.com/rubenformation/CVE-2025-50154
+
+condition: >
+  sequence
+  maxspan 1m
+  by ps.uuid
+    |open_file and
+     ps.name ~= 'explorer.exe' and file.extension ~= '.lnk' and
+     thread.callstack.summary imatches 'ntdll.dll|KernelBase.dll|SHCore.dll|windows.storage.dll|shell32.dll|SHCore.dll|*' and
+     thread.callstack.symbols iin ('shell32.dll!SHELL32_CNetFolderUI_CreateInstance')
+    |
+    |open_file and
+     file.path istartswith '\\Device\\Mup\\' and
+     file.extension iin
+                    (
+                      '.exe',
+                      '.dll',
+                      '.ocx',
+                      '.cpl',
+                      '.sys'
+                    )
+    |
+
+severity: high
+
+min-engine-version: 3.0.0