From f67610bbc989ff9300e7207fa94f760c87a99912 Mon Sep 17 00:00:00 2001 From: rabbitstack Date: Fri, 3 Jul 2026 18:20:39 +0200 Subject: [PATCH] refactor(rules): Define full paths in the share Potential NTLM hash leak via shortcut file defined a list of extensions to be matched against the share. This can negatively impact the approver as opening executable, dlls, and other file formats, can be quite noisy. Make it more approver-friendly to discard those events early in the processing pipeline. --- ..._potential_ntlm_hash_leak_via_shortcut_file.yml | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/rules/credential_access_potential_ntlm_hash_leak_via_shortcut_file.yml b/rules/credential_access_potential_ntlm_hash_leak_via_shortcut_file.yml index 5591fb18a..82f5d5f1b 100644 --- a/rules/credential_access_potential_ntlm_hash_leak_via_shortcut_file.yml +++ b/rules/credential_access_potential_ntlm_hash_leak_via_shortcut_file.yml @@ -1,6 +1,6 @@ name: Potential NTLM hash leak via shortcut file id: 2217339b-19d0-45ac-9ec5-26b0a968bdf1 -version: 1.0.0 +version: 1.0.1 description: | Identifies potential NTLM hash leakage via malicious shortcut (.lnk) file processing. By crafting a .lnk file with a default icon from shell32.dll and the target path pointing @@ -25,17 +25,7 @@ condition: > thread.callstack.summary imatches 'ntdll.dll|KernelBase.dll|SHCore.dll|windows.storage.dll|shell32.dll|SHCore.dll|*' and thread.callstack.symbols iin ('shell32.dll!SHELL32_CNetFolderUI_CreateInstance') | - |open_file and - file.path istartswith '\\Device\\Mup\\' and - file.extension iin - ( - '.exe', - '.dll', - '.ocx', - '.cpl', - '.sys' - ) - | + |open_file and file.path imatches ('\\Device\\Mup\\*.exe', '\\Device\\Mup\\*.dll', '\\Device\\Mup\\*.ocx', '\\Device\\Mup\\*.cpl', '\\Device\\Mup\\*.sys')| severity: high