
[remote] Microsoft - NTLMv2 Hash Capture

Exploit-DB, 29/05/2026, 00:00

Summary

AI-Generated

Key Points:

  • A spoofing vulnerability (CVE-2026-32202) in Windows Shell allows attackers to capture NTLMv2 hashes without user interaction by using a malicious .lnk file.
  • The vulnerability affects multiple versions of Windows, including Windows 10 and 11, with a CVSS score of 4.3 (Medium). Attackers can exploit this by simply having a user open a folder containing the malicious shortcut.
  • Immediate patching is recommended via Microsoft’s April 2026 Patch Tuesday (KB2026-04214). Users should avoid opening untrusted folders and consider implementing network segmentation to limit exposure.

Technical Details: The attack leverages a crafted .lnk file pointing to an SMB server controlled by the attacker, which triggers an NTLMv2 authentication request when the folder is opened, allowing hash capture without any user interaction.
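A defender-side check for the behaviour described above, written here as an added example and not taken from the Exploit-DB entry: it scans constructed Sysmon-style network events for explorer.exe opening SMB connections to hosts outside an assumed internal range (10.0.0.0/8 is a placeholder), which is the telemetry a crafted .lnk pointing at an attacker-controlled SMB server would produce when the folder is opened.

```python
import ipaddress
import json
from typing import Iterable

# Constructed sample Sysmon-style network connection events (Event ID 3).
# Not real telemetry: the 2nd and 4th entries mimic explorer.exe reaching
# SMB servers outside the internal range after a folder holding a
# crafted .lnk is opened; the others are benign noise.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "10.0.5.20", "DestinationPort": 445, "User": r"CORP\alice"},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 445, "User": r"CORP\alice"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.9", "DestinationPort": 443, "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "198.51.100.4", "DestinationPort": 139, "User": r"CORP\bob"},
]

# Placeholder: networks where SMB servers are legitimately expected.
ALLOWED_SMB_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
SMB_PORTS = {445, 139}


def is_allowed_smb_destination(ip_str: str) -> bool:
    """True if the destination lies inside an approved SMB network."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in ALLOWED_SMB_NETWORKS)


def find_suspicious_smb_egress(events: Iterable[dict]) -> list[dict]:
    """Return explorer.exe SMB connections to hosts outside the allowed networks.

    Each hit records the user whose credentials would be offered in the
    NTLMv2 exchange and the destination that would receive them.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 3 or ev.get("DestinationPort") not in SMB_PORTS:
            continue
        if not ev.get("Image", "").lower().endswith("\\explorer.exe"):
            continue
        if is_allowed_smb_destination(ev["DestinationIp"]):
            continue
        hits.append({"user": ev.get("User"),
                     "dest": f"{ev['DestinationIp']}:{ev['DestinationPort']}"})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_smb_egress(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

Blocking outbound TCP 445/139 at the perimeter removes the egress path entirely; this check is for spotting attempts that the block would stop, or hosts where no block is in place.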

MITRE ATT&CK Techniques:

  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1078 - Valid Accounts (Defense Evasion)

IOCs Mentioned:

  • CVE-2026-32202
