From 60b39ccd7698a5f0f688e6173f2954e454a818c3 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Wed, 28 Jan 2026 13:43:02 +0100
Subject: [PATCH] feat(rules): Add Potential NTLM hash leak via MS Photos rule

Detects a potential NTLM hash disclosure via abuse of the ms-photos: URI
scheme with a UNC path parameter. An attacker can craft a specially formatted
link that, when opened, launches Microsoft Photos directly from a browser and
triggers outbound authentication, potentially leaking NTLM credentials.
---
 ...potential_ntlm_hash_leak_via_ms_photos.yml | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 rules/credential_access_potential_ntlm_hash_leak_via_ms_photos.yml

diff --git a/rules/credential_access_potential_ntlm_hash_leak_via_ms_photos.yml b/rules/credential_access_potential_ntlm_hash_leak_via_ms_photos.yml
new file mode 100644
index 000000000..5785b2266
--- /dev/null
+++ b/rules/credential_access_potential_ntlm_hash_leak_via_ms_photos.yml
@@ -0,0 +1,37 @@
+name: Potential NTLM hash leak via MS Photos
+id: b5b70c6d-e265-477e-bd62-b4d05089e2ab
+version: 1.0.0
+description: |
+ Detects a potential NTLM hash disclosure via abuse of the ms-photos: URI
+ scheme with a UNC path parameter. An attacker can craft a specially formatted
+ link that, when opened, launches Microsoft Photos directly from a browser and
+ triggers outbound authentication, potentially leaking NTLM credentials.
+labels:
+ tactic.id: TA0006
+ tactic.name: Credential Access
+ tactic.ref: https://attack.mitre.org/tactics/TA0006/
+ technique.id: T1187
+ technique.name: Forced Authentication
+ technique.ref: https://attack.mitre.org/techniques/T1187/
+references:
+ - https://github.com/rubenformation/ms-photos_NTLM_Leak
+
+condition: >
+ sequence
+ maxspan 1m
+ |spawn_process and
+ ps.parent.name ~= 'explorer.exe' and ps.name ~= 'Photos.exe' and
+ ps.cmdline imatches '*ms-photos:viewer?fileName=%5C%5C*%5C*%5C*'
+ |
+ |connect_socket and
+ evt.pid = 4 and net.dport = 445 and not cidr_contains(net.dip,
+ '127.0.0.0/8',
+ '10.0.0.0/8',
+ '172.16.0.0/12', '192.168.0.0/16')
+ |
+
+output: >
+ Potential NTLM hash leak via MS Photos UNC path at address $2.net.dip
+severity: high
+
+min-engine-version: 3.0.0
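Review bot: The two stages of the `condition` sequence share no join key, so any SMB connection made by the System process (`evt.pid = 4 and net.dport = 445`) to a non-private address within a minute of a Photos.exe launch fires the rule, whether or not the destination is the host named in the ms-photos: URI; if the engine allows correlating the stages (a `by` join, or a field derived from the cmdline), that would tighten it, otherwise the expected false-positive source (legitimate external SMB traffic in the window) deserves a sentence in `description`. The `ps.parent.name ~= 'explorer.exe'` constraint also reads at odds with the browser-launch scenario the description gives; I would confirm against telemetry how a protocol-activated Photos.exe is actually parented before keeping it. The first stage matches only the percent-encoded UNC prefix `%5C%5C`, so a command line carrying decoded backslashes would be missed, presumably worth a second `imatches` alternative if that form occurs in practice. Note too that `cidr_contains` excludes all RFC 1918 ranges, so a UNC target on the internal network is never reported, which may be intentional but should be stated.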