Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI

 1title: Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
 2id: 7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d
 3status: test
 4description: |
 5    Detects potential exploitation of CVE-2026-33829, a vulnerability in the Windows Snipping Tool URI handler (ms-screensketch:).
 6    An attacker can abuse the 'filePath' parameter to supply a UNC path or HTTP URL, causing SnippingTool.exe to initiate a connection to a remote resource.
 7    When a UNC path is used (e.g. \\attacker.com\share), this triggers an outbound NTLM authentication attempt, allowing the attacker to capture or relay the victim's Net-NTLMv2 hash.
 8    HTTP-based paths may result in remote file loading or server-side request forgery (SSRF)-style access.
 9    The URI can be delivered via a malicious hyperlink, phishing email, or web page.    
10references:
11    - https://x.com/BlackArrowSec/status/2044374743491424508
12    - https://x.com/SBousseaden/status/2044417029721997635
13author: Samir Bousseaden, Swachchhanda Shrawan Poudel (Nextron Systems)
14date: 2026-04-28
15tags:
16    - attack.credential-access
17    - attack.t1187
18    - detection.emerging-threats
19    - cve.2026-33829
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection:
25        Image|endswith: '\SnippingTool.exe'
26        CommandLine|contains:
27            # '\\\\'  = literal double backslash (UNC path start); '%5C' and '%%5C' are URL-encoded variations of the same backslash character
28            - 'ms-screensketch:edit?&filePath=\\\\'
29            - 'ms-screensketch:edit?&filePath=%%5C'
30            - 'ms-screensketch:edit?&filePath=%5C'
31            - 'ms-screensketch:edit?&filePath=http'
32    condition: selection
33falsepositives:
34    - Unknown
35level: high
36regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829/info.yml