feat(rules): New Potential NTLM hash leak via MS Photos rule

rules/credential_access_potential_ntlm_hash_leak_via_ms_photos.yml

@@ -0,0 +1,37 @@
+name: Potential NTLM hash leak via MS Photos
+id: b5b70c6d-e265-477e-bd62-b4d05089e2ab
+version: 1.0.0
+description: |
+  Identifies a potential NTLM hash leak via ms-photos URI scheme parameter which
+  can be submitted with UNC path. Adversaries can craft a specially formatted link 
+  and coerce a victim into launching the Microsoft Photos directly from the browser.
+labels:
+  tactic.id: TA0006
+  tactic.name: Credential Access
+  tactic.ref: https://attack.mitre.org/tactics/TA0006/
+  technique.id: T1187
+  technique.name: Forced Authentication
+  technique.ref: https://attack.mitre.org/techniques/T1187/
+references:
+  - https://github.com/rubenformation/ms-photos_NTLM_Leak
+
+condition: >
+  sequence
+  maxspan 1m
+    |spawn_process and
+     ps.parent.name ~= 'explorer.exe' and ps.name ~= 'Photos.exe' and
+     ps.cmdline imatches '*ms-photos:viewer?fileName=%5C%5C*%5C*%5C*'
+    |
+    |connect_socket and
+     evt.pid = 4 and net.dport = 445 and
+     not cidr_contains(net.dip,
+               '127.0.0.0/8',
+               '10.0.0.0/8',
+               '172.16.0.0/12', '192.168.0.0/16')
+    |
+
+output: >
+  Potential NTLM hash leak via MS Photos UNC path at address $2.net.dip
+severity: high
+
+min-engine-version: 3.0.0