Attachment: Link file with UNC path
Attached link file contains a UNC path. This can be used to relay NTLM password hashes; Windows will attempt to authenticate against the path even without the file being opened.
Sublime rule (View on GitHub)
1name: "Attachment: Link file with UNC path"
2description: |
3 Attached link file contains a UNC path. This can be used to relay NTLM password hashes; Windows will attempt to authenticate against the path even without the file being opened.
4references:
5 - "https://twitter.com/fuzz_sh/status/1640041674058416129"
6type: "rule"
7severity: "medium"
8source: |
9 type.inbound
10 and any(attachments,
11 .file_extension in ("lnk", "url")
12 and any(file.explode(.),
13 any(.scan.strings.strings,
14 regex.icontains(., '\\\\([a-zA-Z0-9_:%.$-]+)\\([a-zA-Z0-9_:%.$-]+)')
15 ) // normal UNC paths
16 or any(.scan.strings.strings,
17 regex.icontains(., '%5C%5C([a-zA-Z0-9_:%.$-]+)%5C([a-zA-Z0-9_:%.$-]+)')
18 ) // percent-encoded UNC paths
19 )
20 )
21attack_types:
22 - "Credential Phishing"
23tactics_and_techniques:
24 - "Evasion"
25 - "LNK"
26detection_methods:
27 - "File analysis"
28id: "3b7ee0fb-3540-51b6-a5db-9b21fdd3c9af"