Attachment: Link file with UNC path

calendar Aug 21, 2023  ·
Share on: linkedin copy

Attached link file contains a UNC path. This can be used to relay NTLM password hashes; Windows will attempt to authenticate against the path even without the file being opened.

Sublime rule (View on GitHub)

 1name: "Attachment: Link file with UNC path"
 2description: |
 3    Attached link file contains a UNC path. This can be used to relay NTLM password hashes; Windows will attempt to authenticate against the path even without the file being opened.
 4references:
 5  - "https://twitter.com/fuzz_sh/status/1640041674058416129"
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound
10  and any(attachments,
11          .file_extension in ("lnk", "url")
12          and any(file.explode(.),
13                  any(.scan.strings.strings,
14                      regex.icontains(., '\\\\([a-zA-Z0-9_:%.$-]+)\\([a-zA-Z0-9_:%.$-]+)')
15                  ) // normal UNC paths
16                  or any(.scan.strings.strings,
17                         regex.icontains(., '%5C%5C([a-zA-Z0-9_:%.$-]+)%5C([a-zA-Z0-9_:%.$-]+)')
18                  ) // percent-encoded UNC paths
19          )
20  )  
21attack_types:
22  - "Credential Phishing"
23tactics_and_techniques:
24  - "Evasion"
25  - "LNK"
26detection_methods:
27  - "File analysis"
28id: "3b7ee0fb-3540-51b6-a5db-9b21fdd3c9af"
to-top