.. /.Library-ms

Phishing
Native

Author:

John Smith

Description:

Windows Library files are a virtual container for user content and a .library-ms file can be used to point to a remote or local storage location. Abuse of these files has previously been talked about within the CIA Vault7 leaks. As hinted within the Vault 7 leak, the SearchConnectorDescription section of the library-ms file can point to a remote location which will again force authentication through explorer when opening the container folder and that would be used for NTLMhash harvesting.

OS:

Windows

Recommendation:

“DisableThumbnailsOnNetworkFolders” and “DisableThumbnails” group policy settings.

Resources:

https://www.mdsec.co.uk/2021/02/farming-for-red-teams-harvesting-netntlm/

File Samples:

Contributions: