From 22451a5ffbe49f8599e2daba799325f5822c81c9 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Fri, 2 Jan 2026 18:10:32 +0100
Subject: [PATCH] feat(rules): Add Potential NTLM hash leak via MS Photos rule
Identifies a potential NTLM hash leak via ms-photos URI scheme parameter which can be submitted with UNC path. Adversaries can craft a specially formatted link and coerce a victim into launching the Microsoft Photos directly from the browser.
---
...potential_ntlm_hash_leak_via_ms_photos.yml | 37 +++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 rules/credential_access_potential_ntlm_hash_leak_via_ms_photos.yml
diff --git a/rules/credential_access_potential_ntlm_hash_leak_via_ms_photos.yml b/rules/credential_access_potential_ntlm_hash_leak_via_ms_photos.yml
new file mode 100644
index 000000000..0dd413b6c
--- /dev/null
+++ b/rules/credential_access_potential_ntlm_hash_leak_via_ms_photos.yml
@@ -0,0 +1,37 @@
+name: Potential NTLM hash leak via MS Photos
+id: b5b70c6d-e265-477e-bd62-b4d05089e2ab
+version: 1.0.0
+description: |
+ Identifies a potential NTLM hash leak via ms-photos URI scheme parameter which
+ can be submitted with UNC path. Adversaries can craft a specially formatted link
+ and coerce a victim into launching the Microsoft Photos directly from the browser.
+labels:
+ tactic.id: TA0006
+ tactic.name: Credential Access
+ tactic.ref: https://attack.mitre.org/tactics/TA0006/
+ technique.id: T1187
+ technique.name: Forced Authentication
+ technique.ref: https://attack.mitre.org/techniques/T1187/
+references:
+ - https://github.com/rubenformation/ms-photos_NTLM_Leak
+
+condition: >
+ sequence
+ maxspan 1m
+ |spawn_process and
+ ps.parent.name ~= 'explorer.exe' and ps.name ~= 'Photos.exe' and
+ ps.cmdline imatches '*ms-photos:viewer?fileName=%5C%5C*%5C*%5C*'
+ |
+ |connect_socket and
+ evt.pid = 4 and net.dport = 445 and
+ not cidr_contains(net.dip,
+ '127.0.0.0/8',
+ '10.0.0.0/8',
+ '172.16.0.0/12', '192.168.0.0/16')
+ |
+
+output: >
+ Potential NTLM hash leak via MS Photos UNC path at address $2.net.dip
+severity: high
+
+min-engine-version: 3.0.0
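Review bot: The destination exclusion in the second stage, `not cidr_contains(net.dip, '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')`, omits the link-local range, so an SMB connection to an APIPA address (and any IPv6 loopback or unique-local destination, if the engine evaluates those) would be alerted on as an off-network leak; adding `'169.254.0.0/16'` to the list would close the most common of these. The exclusion also means a coerced connection to a rogue SMB listener on an RFC 1918 address is deliberately not reported, which is a reasonable tradeoff but worth stating in the `description` so analysts tuning the rule do not assume internal coercion is covered. The first stage pins `ps.parent.name ~= 'explorer.exe'` while the description says Photos is launched from the browser; if protocol activation of the Photos app runs under a different parent on some Windows builds, the sequence would never complete, so it seems prudent to confirm the observed parent in telemetry before relying on that clause.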