Attachment: Link file with UNC path

calendarApr 25, 2023 · Suspicious attachment Windows exploit  ·
Share on: linkedincopy

Attached link file contains a UNC path. This can be used to relay NTLM password hashes; Windows will attempt to authenticate against the path even without the file being opened.

Sublime rule (View on GitHub)

 1name: "Attachment: Link file with UNC path"
 2description: |
 3    Attached link file contains a UNC path. This can be used to relay NTLM password hashes; Windows will attempt to authenticate against the path even without the file being opened.
 4references:
 5  - "https://twitter.com/fuzz_sh/status/1640041674058416129"
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound 
10  and any(attachments, .file_extension in ("lnk", "url")
11      and any(file.explode(.), 
12          any(.scan.strings.strings, regex.icontains(., '\\\\([a-zA-Z0-9_:%.$-]+)\\([a-zA-Z0-9_:%.$-]+)')) // normal UNC paths
13          or any(.scan.strings.strings, regex.icontains(., '%5C%5C([a-zA-Z0-9_:%.$-]+)%5C([a-zA-Z0-9_:%.$-]+)')) // percent-encoded UNC paths
14      )
15  )  
16tags: 
17  - "Suspicious attachment"
18  - "Windows exploit"

Related rules

to-top