Rule Info
Name
Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
Author
Samir Bousseaden, Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects potential exploitation of CVE-2026-33829, a vulnerability in the Windows Snipping Tool URI handler (ms-screensketch:).
An attacker can abuse the 'filePath' parameter to supply a UNC path or HTTP URL, causing SnippingTool.exe to initiate a connection to a remote resource.
When a UNC path is used (e.g. \\attacker.com\share), this triggers an outbound NTLM authentication attempt, allowing the attacker to capture or relay the victim's Net-NTLMv2 hash.
HTTP-based paths may result in remote file loading or server-side request forgery (SSRF)-style access.
The URI can be delivered via a malicious hyperlink, phishing email, or web page.
Date
2026-04-28 00:00:00
Modified
None
Id
7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d
Tags
attack.credential-access attack.t1187 detection.emerging-threats cve.2026-33829
Type
Community Rule
Link to Public Repo
Rule History
Author
Swachchhanda Shrawan Poudel
Title
Merge PR #5942 from @swachchhanda000 - Add `Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI`
Date
2026-04-28
Commit
