POC details: fe630e852ca8685996b1aa87611cc7d604f705b5

Source
Related vulnerability
Title: Microsoft Windows File Explorer Information Disclosure Vulnerability (CVE-2025-50154)
Description: Microsoft Windows File Explorer is a file manager application from Microsoft Corporation (USA). Microsoft Windows File Explorer has an information disclosure vulnerability. An attacker exploiting this vulnerability can obtain sensitive information. The following products and versions are affected: Windows 10 Version 21H2 for ARM64-based Systems, Windows 10 Version 21H2 for x64-based Systems, Windows 11 Version 22H2 for A
Introduction
# NTLM/SMB Hardening & Threat Hunt Toolkit

**Author:** w01f  
**Version:** 1.0  
**Purpose:** Audit, harden, and hunt for insecure NTLM/SMB usage to mitigate risks such as **CVE-2025-50154**.

---

## CVE-2025-50154 Overview

**Severity:** High  
**Type:** NTLM Credential Leak + Patch Bypass (Zero-Click)  
**Affected:** Windows 10/11, Windows Server  
**Summary:**  
CVE-2025-50154 is a bypass of Microsoft's earlier patch for CVE-2025-24054. Even with the previous mitigation, a crafted file or UNC path can trigger **Windows Explorer** to fetch a remote resource and initiate **NTLM authentication without any user interaction** (zero-click).  
This can lead to:
- NTLM hash leakage (offline cracking risk)  
- NTLM relay attacks for privilege escalation/lateral movement  
- Potential execution of untrusted remote resources (via icon parsing)  

**Why it matters:** This bypass shows that attackers can still exploit legacy authentication paths through Explorer’s resource handling. Hardening NTLM and SMB client behavior, plus monitoring for suspicious Explorer-initiated connections, is critical.

---

## Toolkit Features

- Audit Mode:  
  Reads current registry, service, and firewall configs; outputs pass/fail with recommended fixes.
- Harden Mode:  
  Applies security settings (NTLM restrictions, SMB signing, WebClient disable, UNC hardening, SMBv1 disable, firewall blocks).
- Revert Mode:  
  Restores backed-up settings.
- Event Hunting:  
  Gathers:
  - NTLM Operational log events
  - Security Logon events (4624 NTLM)
  - Sysmon EID 3 (Explorer.exe initiating SMB)
  - Filters by allowlist CIDRs
- Benign Connectivity Test:  
  Safe TCP:445 checks to sample hosts (no coercion or exploit).
- Export: JSON/CSV output for reporting/CI pipelines.

---

## Usage

### Audit Example
```powershell
.\NTLM_SMB_HardeningToolkit.ps1 -Mode Audit -AllowlistCIDRs "10.0.0.0/8,192.168.0.0/16" -HoursBack 24 -ExportJson .\ntlm_audit.json
```

### Harden Example
```powershell
.\NTLM_SMB_HardeningToolkit.ps1 -Mode Harden -AllowlistCIDRs "10.0.0.0/8,192.168.0.0/16" -SampleHosts "filesrv01.corp,10.0.5.20"
```

### Revert Example
```powershell
.\NTLM_SMB_HardeningToolkit.ps1 -Mode Revert
```

---

## Hunt & Detection Ideas

Below are drop-in detection queries to identify suspicious NTLM/SMB usage potentially related to CVE-2025-50154 exploitation patterns.

### Microsoft Defender for Endpoint (KQL)

#### 1. Explorer.exe initiating SMB to untrusted addresses
```kusto
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "explorer.exe"
| where RemotePort in (445, 139)
// `in` compares strings, not subnets; ipv4_is_in_any_range() does the CIDR match
| where not(ipv4_is_in_any_range(RemoteIP, dynamic(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])))
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName
```

#### 2. LNK file drop + SMB connection (within 5 minutes)
```kusto
let lnk = DeviceFileEvents
    | where FileName endswith ".lnk"
    | where FolderPath has @"\Users\" and FolderPath has @"\Desktop"
    // rename before joining: same-named right-side columns would otherwise come back as Timestamp1 etc.
    | project DeviceId, DeviceName, LnkTime = Timestamp, FolderPath;
let smb = DeviceNetworkEvents
    | where RemotePort in (445, 139)
    | where InitiatingProcessFileName =~ "explorer.exe"
    | project DeviceId, SmbTime = Timestamp, RemoteIP;
lnk
// kind=inner keeps every LNK/SMB pair; innerunique would keep only one LNK event per device
| join kind=inner smb on DeviceId
| where SmbTime between (LnkTime .. (LnkTime + 5m))
| project DeviceName, LnkTime, SmbTime, FolderPath, RemoteIP
```

#### 3. NTLM logons to unknown hosts
```kusto
DeviceLogonEvents
| where LogonType == "Network"
// DeviceLogonEvents exposes the authentication protocol in the Protocol column
| where Protocol =~ "NTLM"
| where not(ipv4_is_in_any_range(RemoteIP, dynamic(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"])))
| summarize count() by DeviceName, RemoteIP, AccountDomain, AccountName, bin(Timestamp, 10m)
| order by count_ desc
```

---

### Sysmon (XML Config Needed)

- EID 3 (NetworkConnect) from `explorer.exe` to TCP 445/139 outside allowlist.
- EID 11 (FileCreate) for `.lnk` files on user desktops.
- Correlate the two for zero-click SMB events.

---

### Windows Event Log (Security)

- 4624 (Logon) with:
  - Logon Type = 3 (Network)
  - Authentication Package = NTLM
  - Remote IP outside trusted ranges.
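The Sysmon EID 3 hunt and the Security 4624 filter above, as one added PowerShell example (not the toolkit's own script). It assumes Sysmon is installed and writing to its default `Microsoft-Windows-Sysmon/Operational` channel; the function names and the allowlist values are mine.

```powershell
# Added example, not part of the toolkit: hunts Sysmon EID 3 (explorer.exe -> TCP 445/139)
# and Security 4624 (Logon Type 3, NTLM) whose remote IP falls outside an allowlist of CIDRs.
function ConvertFrom-EventData($Event) {
    # Flatten <EventData><Data Name="..."> elements into a hashtable keyed by Name.
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}
function ConvertTo-UInt32([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)
    return [BitConverter]::ToUInt32($b, 0)
}
function Test-InAllowlist([string]$Ip, [string[]]$Cidrs) {
    if ($Ip -in @('-', '::1', '127.0.0.1')) { return $true }       # local logon, no remote host involved
    if ($Ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }  # IPv6 or unparsable: treat as untrusted
    $n = ConvertTo-UInt32 $Ip
    foreach ($c in $Cidrs) {
        $net, $bits = $c.Split('/')
        $mask = [uint32]((4294967295 -shl (32 - [int]$bits)) -band 4294967295)
        if (($n -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)) { return $true }
    }
    return $false
}
function Get-ExplorerSmbConnections([string[]]$Allow, [int]$HoursBack = 24) {
    $f = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3; StartTime = (Get-Date).AddHours(-$HoursBack) }
    foreach ($e in @(Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue)) {
        $d = ConvertFrom-EventData $e
        if ($d.Image -notlike '*\explorer.exe' -or $d.DestinationPort -notin @('445', '139')) { continue }
        if (Test-InAllowlist $d.DestinationIp $Allow) { continue }
        [pscustomobject]@{ Time = $e.TimeCreated; Source = 'Sysmon EID 3'; User = $d.User
                           Remote = "$($d.DestinationIp):$($d.DestinationPort)"; Detail = $d.Image }
    }
}
function Get-NtlmNetworkLogons([string[]]$Allow, [int]$HoursBack = 24) {
    $f = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$HoursBack) }
    foreach ($e in @(Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue)) {
        $d = ConvertFrom-EventData $e
        if ($d.LogonType -ne '3' -or $d.AuthenticationPackageName -ne 'NTLM') { continue }
        if (Test-InAllowlist $d.IpAddress $Allow) { continue }
        [pscustomobject]@{ Time = $e.TimeCreated; Source = 'Security 4624'; User = "$($d.TargetDomainName)\$($d.TargetUserName)"
                           Remote = $d.IpAddress; Detail = $d.LmPackageName }
    }
}
$allow = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'   # trusted ranges; adjust for your estate
@(Get-ExplorerSmbConnections $allow) + @(Get-NtlmNetworkLogons $allow) | Sort-Object Time | Format-Table -AutoSize
```

Note that 4624 is written on the host that receives the authentication (a file server or DC), so a workstation's own outbound NTLM from Explorer shows up in the Sysmon events and in the NTLM Operational log the toolkit also collects, not in its local 4624 entries.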

---

## Mitigation Checklist

- Restrict NTLM: Outgoing → Deny All
- Require SMB signing (client/server)
- Harden UNC Paths (NETLOGON, SYSVOL)
- Disable WebClient if unused
- Disable SMBv1 (client/server)
- Block outbound TCP 445/139 to untrusted networks
- Monitor for Explorer.exe SMB connections to non-approved IPs
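The Audit and Harden modes described under Toolkit Features, applied to the registry and service items in this checklist, as an added PowerShell example (not the toolkit's own script). The registry paths and expected values are the documented Windows settings; the function names and the backup file path are mine, and the firewall rule is left to the toolkit.

```powershell
# Added example, not the toolkit's own code: a minimal Audit/Harden pair for the registry
# and service settings in the checklist (expected values are the documented Windows ones).
$Settings = @(
    @{ Name = 'NTLM outbound: Deny all';      Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';                  Value = 'RestrictSendingNTLMTraffic'; Expected = 2; Type = 'DWord' }
    @{ Name = 'SMB client signing required'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Value = 'RequireSecuritySignature';    Expected = 1; Type = 'DWord' }
    @{ Name = 'SMB server signing required'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Value = 'RequireSecuritySignature';    Expected = 1; Type = 'DWord' }
    @{ Name = 'SMBv1 server disabled';       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Value = 'SMB1';                        Expected = 0; Type = 'DWord' }
    @{ Name = 'UNC hardening: NETLOGON';     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'; Value = '\\*\NETLOGON'; Expected = 'RequireMutualAuthentication=1, RequireIntegrity=1'; Type = 'String' }
    @{ Name = 'UNC hardening: SYSVOL';       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'; Value = '\\*\SYSVOL';   Expected = 'RequireMutualAuthentication=1, RequireIntegrity=1'; Type = 'String' }
)
function Get-SettingValue($s) {
    # $null when the key or value is absent; absent counts as FAIL in the audit.
    try { (Get-Item -Path $s.Path -ErrorAction Stop).GetValue($s.Value) } catch { $null }
}
function Invoke-Audit {
    foreach ($s in $Settings) {
        $cur = Get-SettingValue $s
        $ok  = ("$cur" -eq "$($s.Expected)")
        [pscustomobject]@{ Check = $s.Name; Current = $cur; Expected = $s.Expected; Result = $(if ($ok) { 'PASS' } else { 'FAIL' }) }
    }
    # WebClient (WebDAV redirector) is another NTLM-leak path; it should be disabled if unused.
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    $ok  = ($svc -and $svc.StartType -eq 'Disabled')
    [pscustomobject]@{ Check = 'WebClient disabled'; Current = $svc.StartType; Expected = 'Disabled'; Result = $(if ($ok) { 'PASS' } else { 'FAIL' }) }
}
function Invoke-Harden([string]$BackupPath = '.\ntlm_smb_backup.json') {
    # Snapshot current values first so a Revert can restore them if something breaks.
    $backup = foreach ($s in $Settings) { @{ Path = $s.Path; Value = $s.Value; Current = (Get-SettingValue $s) } }
    $backup | ConvertTo-Json | Set-Content -Path $BackupPath
    foreach ($s in $Settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Value -Value $s.Expected -Type $s.Type
    }
    Set-Service -Name WebClient -StartupType Disabled -ErrorAction SilentlyContinue
}
Invoke-Audit | Format-Table -AutoSize   # run Invoke-Harden from an elevated shell to apply the settings
```

Setting RestrictSendingNTLMTraffic to 2 blocks all outbound NTLM, so audit first (value 1) on a pilot group and check the NTLM Operational log for services that still depend on it before denying.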

---

## License
This toolkit is provided for educational and defensive security purposes only.  
Do not use in production environments without change control and testing.
File snapshot

[4.0K] /data/pocs/fe630e852ca8685996b1aa87611cc7d604f705b5
├── [ 16K] NTLM_SMB_HardeningToolkit.ps1
├── [4.3K] README.md
└── [6.1K] sigma_cve-2025-50154_ntlm_smb_hunting_f86eb3dc.yml

0 directories, 3 files
Cached for you by the Shenlong bot
Remarks
    1. It is recommended to access the POC via the source first.
    2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.