.. /.SearchConnector-ms

Phishing

Contributors:

John Smith

Description:

Search Connector files are used to connect users with data stored in remote locations and are similar to the aforementioned library-ms file. The Search Connector file format also allows an icon to be used to customise how the connector is displayed; this icon can be hosted on a remote URI, such as our Farmer WebDAV server, by using the iconReference XML tag. Simply opening a folder containing the .searchConnector-ms file will again force Explorer to authenticate, which can be used for NTLM hash harvesting.

OS:

Windows

Recommendation:

Apply the “DisableThumbnailsOnNetworkFolders” and “DisableThumbnails” group policy settings.
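
A defender-side check to go with the recommendation above, as an added example that is not part of the original entry: it walks a directory tree (a file share or download folder), parses each .searchConnector-ms file and reports any element, iconReference included, whose value is a UNC path or remote URL. The function names, the hostname and both embedded samples are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# UNC path (\\host\...), http(s) URL, or file:// URL naming a host.
# Local device paths (\\?\, \\.\) and file:///C:/... are not matched.
REMOTE = re.compile(r'^(?:\\\\[^\\?.]|https?://|file://[^/])', re.IGNORECASE)

# Constructed samples; the namespace is omitted because the check ignores it.
SAMPLE_REMOTE = r"""<searchConnectorDescription>
  <description>Constructed sample</description>
  <iconReference>\\files.example.test\share\icon.ico</iconReference>
</searchConnectorDescription>"""
SAMPLE_LOCAL = """<searchConnectorDescription>
  <iconReference>imageres.dll,-1002</iconReference>
</searchConnectorDescription>"""

def remote_references(xml_data):
    """Return (element, value) for each element whose text points off-host."""
    hits = []
    for el in ET.fromstring(xml_data).iter():
        name = el.tag.rsplit('}', 1)[-1]      # drop any '{namespace}' prefix
        value = (el.text or '').strip()
        if REMOTE.match(value):
            hits.append((name, value))
    return hits

def scan_tree(top):
    """Map each .searchConnector-ms file under `top` to its remote references."""
    findings = {}
    for path in Path(top).rglob('*'):
        if not (path.is_file() and path.name.lower().endswith('.searchconnector-ms')):
            continue
        try:
            hits = remote_references(path.read_bytes())
        except ET.ParseError:
            hits = [('unparseable', '')]     # malformed connector: review by hand
        if hits:
            findings[str(path)] = hits
    return findings

if __name__ == '__main__':
    import sys
    for file, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else '.').items():
        for name, value in hits:
            print(f'{file}: <{name}> -> {value}')
```

Run it with the directory to check as the only argument; files that fail to parse are listed as `unparseable` so they can be reviewed by hand.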

Resources:

https://www.mdsec.co.uk/2021/02/farming-for-red-teams-harvesting-netntlm/

File Samples: