Capturing NetNTLM Hashes with Office [DOT] XML Documents


Using Office XML-format documents to leak an account's NetNTLM hash


  • Strong Password Policies – Minimize the attacker's chance of cracking collected hashes by enforcing strong, unique passwords; a captured NetNTLM challenge/response is only useful to the attacker if it can be cracked offline (or relayed).
  • File Associations – Unless there is a viable business need, consider changing the default association for XML files to a text editor, so that double-clicking an attachment does not hand it to an Office application. The Microsoft Docs article on default application associations provides guidance for using GPO/GPP to configure a "file type preference".
  • Egress Rules – Outbound SMB (TCP 139/445) to the Internet is dangerous for any organization (or home network), because it is the channel over which the hash leaves. Enforce egress firewall rules and open only what is needed.
  • (Remote) Users – Remote users who rely on webmail, or on VPNs that do not tunnel all traffic (split tunneling), are exposed to this attack (and others like it) because their workstation's outbound SMB is not subject to the corporate egress rules. Tighten remote access controls and route all traffic through the VPN where possible. Above all, train users to be as diligent as possible about opening attachments.
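The following PowerShell is an added example, not code from the original post: it applies the two host-side mitigations above (file association and egress rule) on a Windows 10/11 or Server 2016+ machine from an elevated session, and finishes with a quick check of the domain password policy. The directory path, rule name and the use of the firewall's "Internet" address keyword are assumptions chosen for illustration; tune them to your environment.

```powershell
# Added example, not from the original post. Run elevated.
# Paths and names below are illustrative assumptions.

# 1. File association: open .xml in Notepad instead of an Office application.
#    Windows 10+ does not honour direct HKCU\...\UserChoice edits (they are
#    hash-protected), so use the supported route: an association XML file
#    deployed through the "Set a default associations configuration file" GPO.
$assocFile = 'C:\ProgramData\Hardening\DefaultAssociations.xml'   # assumed path
New-Item -ItemType Directory -Force -Path (Split-Path $assocFile) | Out-Null
@'
<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
  <!-- "txtfile" is the built-in ProgId that Notepad registers for .txt -->
  <Association Identifier=".xml" ProgId="txtfile" ApplicationName="Notepad" />
</DefaultAssociations>
'@ | Set-Content -Path $assocFile -Encoding UTF8

# In a domain, point the GPO at the file:
#   Computer Configuration > Administrative Templates > Windows Components >
#   File Explorer > "Set a default associations configuration file"
# On a standalone test machine the same policy value can be written directly;
# it takes effect for users at their next logon.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'DefaultAssociationsConfiguration' -Value $assocFile

# 2. Egress: block outbound SMB to anything that is not on the local network.
#    "Internet" is a built-in address keyword resolved by Network Location
#    Awareness; if your sites route SMB across WAN links, replace it with an
#    explicit list of external ranges instead (assumption: no such routing here).
$ruleName = 'Block outbound SMB to Internet'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Action Block -Enabled True `
        -Protocol TCP -RemotePort 139,445 `
        -RemoteAddress Internet `
        -Profile Any | Out-Null
}

# 3. Verify what was applied.
Get-ItemProperty -Path $policyKey -Name 'DefaultAssociationsConfiguration'
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, RemotePort

# 4. Password policy check (requires the RSAT ActiveDirectory module on a
#    domain-joined host; a short minimum length or disabled complexity means
#    captured hashes crack quickly offline).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Get-ADDefaultDomainPasswordPolicy |
        Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount
}
```

The firewall rule only helps on hosts that are actually inside the egress boundary; for the split-tunnel VPN users in the last bullet, the equivalent rule has to live on the endpoint itself, which is why the example creates it with `-Profile Any` rather than only on the Domain profile.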