← Back to Explore
sublimemediumRule
Attachment: Link file with UNC path
Attached link file contains a UNC path. This can be used to relay NTLM password hashes; Windows will attempt to authenticate against the path even without the file being opened.
Detection Query
type.inbound
and any(attachments,
.file_extension in ("lnk", "url")
and any(file.explode(.),
any(.scan.strings.strings,
regex.icontains(.,
'\\\\([a-zA-Z0-9_:%.$-]+)\\([a-zA-Z0-9_:%.$-]+)'
)
) // normal UNC paths
or any(.scan.strings.strings,
regex.icontains(.,
'%5C%5C([a-zA-Z0-9_:%.$-]+)%5C([a-zA-Z0-9_:%.$-]+)'
)
) // percent-encoded UNC paths
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Attachment: Link file with UNC path"
description: |
Attached link file contains a UNC path. This can be used to relay NTLM password hashes; Windows will attempt to authenticate against the path even without the file being opened.
references:
- "https://twitter.com/fuzz_sh/status/1640041674058416129"
type: "rule"
severity: "medium"
source: |
type.inbound
and any(attachments,
.file_extension in ("lnk", "url")
and any(file.explode(.),
any(.scan.strings.strings,
regex.icontains(.,
'\\\\([a-zA-Z0-9_:%.$-]+)\\([a-zA-Z0-9_:%.$-]+)'
)
) // normal UNC paths
or any(.scan.strings.strings,
regex.icontains(.,
'%5C%5C([a-zA-Z0-9_:%.$-]+)%5C([a-zA-Z0-9_:%.$-]+)'
)
) // percent-encoded UNC paths
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "LNK"
detection_methods:
- "File analysis"
id: "3b7ee0fb-3540-51b6-a5db-9b21fdd3c9af"