Windows Snipping Tool NTLMv2 Hash Interception – Local Credential Relay Risk
The Snipping Tool can be abused to trigger NTLM authentication flows that leak NTLMv2 hashes to attacker-controlled network locations. Defenders must monitor for suspicious UNC path access and enforce network segmentation to prevent hash relay attacks.
Affected
Vulnerability Description: This vulnerability stems from the Windows Snipping Tool's handling of file paths and network resources. When the Snipping Tool processes certain input, such as a UNC path (\\attacker-server\share), it can be coerced into initiating NTLM authentication. Because the tool runs in the user's security context, the user's NTLMv2 hash is transmitted to the attacker-controlled SMB server. This is a local attack vector: it requires user interaction or prior code execution, but the intercepted hash enables downstream credential relay attacks (e.g., LLMNR/NBNS spoofing, NTLM relay to domain services).
PoC Significance: The PoC demonstrates that a seemingly benign UI tool can become a vector for credential leakage. Its value to defenders lies in exposing how legacy NTLM flows remain exploitable through unexpected application entry points. The attack is reliable if user interaction or UI automation is available, though it requires local access or social engineering. The low barrier to exploitation (crafted file paths, screenshot requests) makes this meaningful for insider threat scenarios and post-compromise lateral movement.
Detection Guidance: Monitor for:
- Unexpected UNC path access initiated by SnippingTool.exe (Event ID 5145 on SMB shares).
- Outbound SMB/NTLM authentication attempts from non-standard processes; enable NTLM auditing (Event ID 8004 for failed NTLM relays).
- Unusual network connections from SnippingTool.exe to non-enterprise servers, detected by correlating process name with network behavior (e.g., YARA rules keyed on the process name combined with connection telemetry).
- File access logs showing attempts to access high-value shares via the Snipping Tool.
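The detection items above can be expressed as a small rule set over process and network telemetry. The following is an added example (not part of the original advisory) that runs two of those rules over constructed Sysmon-style JSON lines: outbound SMB (139/445) from SnippingTool.exe to an address outside an enterprise allowlist, and any UNC path appearing on a SnippingTool.exe command line. The field names (`image`, `dest_ip`, `dest_port`, `command_line`), the sample events and the 10.0.0.0/8 and 192.168.0.0/16 allowlist are all assumptions chosen for the example.

```python
"""Flag Snipping Tool events consistent with NTLM hash leakage to a remote SMB host."""
import ipaddress
import json
import re

# Ranges where SMB from a workstation is expected (constructed allowlist, not from the advisory).
ENTERPRISE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
SMB_PORTS = {139, 445}
# Matches \\host\share; stops at the next backslash, whitespace or quote.
UNC_RE = re.compile(r"\\\\[^\\\s\"']+\\[^\\\s\"']+")

# Constructed sample telemetry in a Sysmon-like shape (event_id 3 = network connect,
# event_id 1 = process create). These are not real log records.
SAMPLE_EVENTS = r"""
{"event_id": 3, "image": "C:\\Windows\\System32\\SnippingTool.exe", "dest_ip": "10.20.30.40", "dest_port": 445}
{"event_id": 3, "image": "C:\\Windows\\System32\\SnippingTool.exe", "dest_ip": "203.0.113.7", "dest_port": 445}
{"event_id": 1, "image": "C:\\Windows\\System32\\SnippingTool.exe", "command_line": "SnippingTool.exe /clip \\\\203.0.113.7\\share\\x.png"}
{"event_id": 3, "image": "C:\\Windows\\explorer.exe", "dest_ip": "10.1.1.5", "dest_port": 445}
{"event_id": 1, "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "dir \\\\fileserver01\\public"}
"""


def is_enterprise(ip: str) -> bool:
    """True if the address falls inside one of the allowlisted internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ENTERPRISE_NETS)


def is_snipping_tool(image: str) -> bool:
    """Compare only the executable name, case-insensitively, so the install path does not matter."""
    return image.lower().rsplit("\\", 1)[-1] == "snippingtool.exe"


def analyze(events_text: str) -> list[tuple[str, str]]:
    """Return (rule, remote_host) tuples for every SnippingTool.exe event that trips a rule."""
    alerts = []
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        if not is_snipping_tool(ev.get("image", "")):
            continue  # rules are scoped to the Snipping Tool process only
        if ev["event_id"] == 3 and ev.get("dest_port") in SMB_PORTS and not is_enterprise(ev["dest_ip"]):
            # Rule 1: SMB/NTLM-capable connection leaving the enterprise from this process.
            alerts.append(("smb_external", ev["dest_ip"]))
        elif ev["event_id"] == 1:
            # Rule 2: the tool was handed a UNC path; the host component is what the
            # NTLM authentication would be sent to.
            for unc in UNC_RE.findall(ev.get("command_line", "")):
                host = unc.split("\\")[2]
                alerts.append(("unc_path", host))
    return alerts


if __name__ == "__main__":
    for rule, host in analyze(SAMPLE_EVENTS):
        print(f"ALERT {rule}: SnippingTool.exe -> {host}")
```

The first sample connection (to 10.20.30.40) is inside the allowlist and produces nothing; the connection and the UNC path pointing at 203.0.113.7 each raise an alert, while the same behavior from explorer.exe or cmd.exe is ignored because the rules are scoped to the process the advisory names. In production the allowlist would come from the organization's address plan and the UNC rule would usually also be applied to file-access events, not only to command lines.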
Mitigation Steps:
- Enforce NTLMv2 and disable NTLMv1 (Group Policy: Network security: Restrict NTLM: NTLM authentication in this domain = Deny all).
- Implement NTLM relay protections: require SMB signing (Enforce message signing) and use Extended Protection for Authentication (EPA) where available.
- Restrict outbound SMB (port 445) from user workstations to sensitive infrastructure; segment networks to prevent relay to domain controllers or critical services.
- Apply Windows Snipping Tool updates and consider AppLocker/WDAC policies limiting its network access.
- Educate users against interacting with untrusted file paths or sharing screenshots with unverified sources.
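The NTLM and SMB-signing settings listed above each correspond to a registry value that Group Policy writes, which makes them easy to audit across a fleet. The following is an added example, not part of the original advisory, that checks a snapshot of those values against a hardened baseline and reports each deviation. The registry paths and required values are taken from Microsoft's documented policy-to-registry mapping as the author of this example recalls it; verify them against the current Group Policy reference before relying on them, and treat the `RestrictNTLMInDomain = 7` mapping for "Deny all" in particular as an assumption. The two snapshots are constructed, not read from a real host.

```python
"""Audit NTLM/SMB hardening settings against a baseline (constructed example)."""
from dataclasses import dataclass

LSA = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
MSV = LSA + r"\MSV1_0"
NETLOGON = r"HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
WKS = r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters"
SRV = r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"


@dataclass(frozen=True)
class Control:
    policy: str          # Group Policy display name
    key: str             # registry key the policy writes
    value: str           # value name under that key
    required: int        # value the baseline demands
    missing_is_weak: bool = True  # an absent value means the OS default, which is weaker


BASELINE = [
    # Send NTLMv2 only, refuse LM and NTLM (disables NTLMv1 on the client side).
    Control("Network security: LAN Manager authentication level", LSA, "LmCompatibilityLevel", 5),
    # Block outgoing NTLM from this workstation to remote servers (2 = Deny all).
    Control("Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers", MSV,
            "RestrictSendingNTLMTraffic", 2),
    # Domain-wide NTLM denial named in the advisory (7 = Deny all; assumption, verify).
    Control("Network security: Restrict NTLM: NTLM authentication in this domain", NETLOGON,
            "RestrictNTLMInDomain", 7),
    # SMB signing required on both the client and server sides (relay protection).
    Control("Microsoft network client: Digitally sign communications (always)", WKS,
            "RequireSecuritySignature", 1),
    Control("Microsoft network server: Digitally sign communications (always)", SRV,
            "RequireSecuritySignature", 1),
]


def audit(snapshot: dict[str, dict[str, int]]) -> list[tuple[str, object, int]]:
    """Return (policy, current_value, required_value) for every control that is not met.

    `snapshot` maps a registry key path to {value_name: data}, the shape a collector
    script would produce; a missing key or value is reported as None.
    """
    findings = []
    for c in BASELINE:
        current = snapshot.get(c.key, {}).get(c.value)
        if current is None and not c.missing_is_weak:
            continue
        if current != c.required:
            findings.append((c.policy, current, c.required))
    return findings


# Constructed snapshot of a workstation with OS defaults: nothing restricted, signing off.
WEAK_HOST = {
    LSA: {"LmCompatibilityLevel": 3},
    WKS: {"RequireSecuritySignature": 0},
}

# Constructed snapshot after the advisory's mitigations are applied.
HARDENED_HOST = {
    LSA: {"LmCompatibilityLevel": 5},
    MSV: {"RestrictSendingNTLMTraffic": 2},
    NETLOGON: {"RestrictNTLMInDomain": 7},
    WKS: {"RequireSecuritySignature": 1},
    SRV: {"RequireSecuritySignature": 1},
}


if __name__ == "__main__":
    for name, host in (("weak", WEAK_HOST), ("hardened", HARDENED_HOST)):
        print(f"{name}: {len(audit(host))} finding(s)")
        for policy, cur, req in audit(host):
            print(f"  {policy}: current={cur} required={req}")
```

On a real host the snapshot would be produced by reading the listed keys (for example with `Get-ItemProperty` from an elevated PowerShell session), then fed to `audit`; the point of keeping the collector and the check separate is that the same baseline can be applied to exported registry data from many machines without running code on each one.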
Risk Assessment: Likelihood of exploitation in the wild is moderate: the attack requires local access or social engineering but offers a low-noise way to harvest credentials for relay attacks. Nation-state and organized cybercrime groups actively pursue NTLM relay chains; this PoC will attract interest from lateral movement operators post-breach. Organizations with weak segmentation or legacy NTLM reliance face elevated risk.
Sources