Detects potential exploitation of CVE-2026-33829, a vulnerability in the Windows Snipping Tool URI handler (ms-screensketch:). An attacker can abuse the 'filePath' parameter to supply a UNC path or HTTP URL, causing SnippingTool.exe to initiate a connection to a remote resource. When a UNC path is used (e.g. \attacker.com\share), this triggers an outbound NTLM authentication attempt, allowing the attacker to capture or relay the victim's Net-NTLMv2 hash. HTTP-based paths may result in remote file loading or server-side request forgery (SSRF)-style access. The URI can be delivered via a malicious hyperlink, phishing email, or web page.

Read More