Protect Yourself: NTLM Hash Leakage Vulnerabilities in Windows File Explorer Previews

Recently disclosed vulnerabilities in the Windows File Explorer preview pane allow NTLM password hashes to be exposed to a remote server simply by previewing a file. Captured hashes can then be reused or cracked offline. In response, Microsoft has disabled file previews for downloaded content in its latest Windows updates. This guide outlines practical steps to protect against NTLM hash leakage through File Explorer previews.

Understanding the Vulnerabilities of File Explorer Previews

NT LAN Manager (NTLM) serves as an authentication protocol designed by Microsoft for various Windows accounts and services. Although it has been largely superseded by Kerberos due to its security shortcomings, NTLM remains in use for backward compatibility. Unfortunately, its presence creates exploitable conditions.

Attackers can abuse the File Explorer preview feature to trigger NTLM authentication that exposes local or domain passwords in hashed form. When a file that references a remote resource is rendered in the preview pane, Windows may follow that reference and authenticate to the remote host automatically, sending the NTLM response (derived from the password hash) to a server the attacker controls. The attacker can then attempt to crack the captured value offline or use it in a pass-the-hash attack.
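A defender's way to observe the behaviour described above, as an added example that is not part of the original article: while a suspicious file is selected in the preview pane (ideally inside the virtual machine the article recommends below), this PowerShell snippet lists outbound SMB (TCP 445) connections whose remote end lies outside the internal address ranges, together with the owning process. The cmdlets are standard Windows ones; the address ranges treated as internal, the 60-second polling window and the expectation that the connection is owned by explorer.exe or a preview host are assumptions.

```powershell
# Added example (not from the original article): watch for outbound SMB (TCP 445)
# connections to non-internal addresses while a file is previewed in Explorer.
# An NTLM leak through a preview handler typically appears as explorer.exe (or a
# preview host process) opening a connection to a remote server on port 445.
# Assumes Windows 10/11 with the NetTCPIP module (Get-NetTCPConnection).

function Test-InternalAddress {
    param([Parameter(Mandatory)][string]$Address)
    # RFC 1918 ranges, loopback and link-local (IPv4 and IPv6) count as internal;
    # anything else is treated as a potential leak destination. (assumption)
    return ($Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|::1$|fe80:)')
}

function Get-SuspiciousSmbConnection {
    # Returns outbound TCP 445 connections to non-internal addresses, with the
    # owning process name so the preview host can be identified.
    Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-InternalAddress $_.RemoteAddress) } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Time          = Get-Date
                Process       = if ($proc) { $proc.ProcessName } else { 'unknown' }
                PID           = $_.OwningProcess
                RemoteAddress = $_.RemoteAddress
                State         = $_.State
            }
        }
}

# Poll for 60 seconds while the suspicious file is selected in the preview pane.
# Any row printed here is a reason to treat the file as malicious.
$deadline = (Get-Date).AddSeconds(60)
while ((Get-Date) -lt $deadline) {
    Get-SuspiciousSmbConnection | Format-Table -AutoSize
    Start-Sleep -Seconds 2
}
```

The filter only covers SMB; a preview that authenticates over WebDAV (HTTP on port 80 or 443) would not be listed, so in a sandbox or VM it is still worth capturing all outbound traffic rather than relying on this port alone.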

Microsoft has acknowledged ongoing threats related to these attacks. Consequently, with their latest updates, previews for files identified with Mark of the Web (MoTW)—typically files downloaded from the internet—are no longer displayed.

Safeguarding Your System From NTLM Hash Leakage

To minimize the risk of NTLM hash leakage, especially from internet-downloaded files, users should adopt a few safety practices, because Microsoft Defender does not reliably detect NTLM request attempts through file scanning alone. Below are actionable steps to bolster your defenses:

  • Keep Windows Updated: Ensure your operating system is up-to-date. The October 14 security update disabled file previews for MoTW files. In Windows 11, navigate to Settings > Windows Update to verify and install any available updates.
  • Conduct Online Behavioral Analysis: Standard antivirus scans may not identify harmful NTLM requests. If you suspect a file may be malicious, utilize a behavioral analysis tool to open the file in a secure environment (sandbox) and monitor its behavior. Tools like Joe Sandbox and MetaDefender are excellent options.
  • Secure NTLM Credentials: Take proactive steps to safeguard your NTLM credentials and significantly reduce the chances of a successful breach. Detailed methods for securing Windows NTLM credentials are covered in this guide.
  • Test File Behavior in a Virtual Machine: Create a virtual environment to evaluate the behavior of suspicious files without risking your main system. You can use either Hyper-V or third-party virtual machine applications to observe any network activity during the preview.
  • Disable File Explorer Previews System-Wide: To completely prevent NTLM hash leakage through file previews, consider disabling preview handlers entirely. Open File Explorer, select Options from the See More menu, navigate to the View tab, and uncheck the option labeled Show preview handlers in preview pane.

[Image: Disabling preview handlers in File Explorer options]
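The registry equivalent of the last step above, as an added example that is not part of the original article: the "Show preview handlers in preview pane" checkbox is assumed here to be backed by the per-user DWORD value ShowPreviewHandlers under the Explorer\Advanced key (0 = disabled, 1 = enabled), which lets the setting be checked and disabled from PowerShell rather than through the Options dialog.

```powershell
# Added example (not from the original article): disable preview handlers for the
# current user from PowerShell and verify the result. Assumes the GUI option is
# backed by the DWORD value ShowPreviewHandlers under the Advanced key below.

$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$name = 'ShowPreviewHandlers'

function Get-PreviewHandlerState {
    # Returns $true when preview handlers are enabled for the current user.
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    # A missing value means the Windows default, which is enabled.
    if ($null -eq $item) { return $true }
    return ($item.$name -ne 0)
}

function Disable-PreviewHandler {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
    # Explorer reads the setting on start, so restart it for the change to apply.
    Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue
    Start-Process explorer.exe
}

"Preview handlers enabled before: $(Get-PreviewHandlerState)"
Disable-PreviewHandler
"Preview handlers enabled after:  $(Get-PreviewHandlerState)"
```

Because the value lives under HKCU, it applies only to the user who ran the script; rolling the setting out to every user on a machine would need the equivalent value written per user profile or delivered through Group Policy.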

Previewing Trusted Files Safely

If you ascertain that a downloaded file is secure and wish to preview it despite the changes in the latest Windows update, you will need to unblock the file. Here’s how to do it:

Right-click the file and select Properties. In the General tab, locate the Security section and check the Unblock box before confirming the changes. This will allow you to preview the file.

[Image: Unblock option in file properties]

However, unblocking files individually can be tedious. To unblock in bulk, run a PowerShell command from the folder that contains the files. Hold Shift, right-click an empty space in that folder, and select Open PowerShell window here.

[Image: Classic context menu in Windows 11]

In PowerShell, execute the command below:

Get-ChildItem -File | Unblock-File

[Image: Running the unblock command in PowerShell]

This removes the Mark of the Web from every file in the current folder, so they can be previewed again. Because it also makes Windows treat those files as local rather than downloaded, run it only in a folder whose contents you have already checked.
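A more selective version of the bulk unblock above, as an added example that is not part of the original article: instead of unblocking everything in the folder, it reads each file's Mark of the Web from the Zone.Identifier alternate data stream (an INI-style block where ZoneId=3 means "Internet" and browsers usually record the download origin in HostUrl) and unblocks only files whose recorded origin is on a list of trusted hosts. The $TrustedHosts list is a constructed placeholder, not a real policy.

```powershell
# Added example (not from the original article): inspect the Mark of the Web
# before unblocking, rather than running Get-ChildItem -File | Unblock-File over
# the whole folder. Run it from the folder that holds the downloaded files.
# $TrustedHosts is a constructed list for illustration only.

$TrustedHosts = @('downloads.example.com', 'updates.example.org')  # constructed

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)
    # Returns a hashtable of the Zone.Identifier fields, or $null if the file is unmarked.
    $raw = Get-Content -LiteralPath $File.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $raw) { return $null }
    $fields = @{}
    foreach ($line in $raw) {
        if ($line -match '^(\w+)=(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    return $fields
}

function Test-TrustedOrigin {
    param([hashtable]$Motw)
    # Trust only a MoTW that names a download origin on the allow list.
    if (-not $Motw -or -not $Motw['HostUrl']) { return $false }
    try { $origin = ([uri]$Motw['HostUrl']).Host } catch { return $false }
    return ($TrustedHosts -contains $origin)
}

Get-ChildItem -File | ForEach-Object {
    $motw = Get-MarkOfTheWeb $_
    if ($null -eq $motw) {
        "{0}: no Mark of the Web, nothing to unblock" -f $_.Name
    } elseif (Test-TrustedOrigin $motw) {
        Unblock-File -LiteralPath $_.FullName
        "{0}: unblocked (ZoneId={1}, origin {2})" -f $_.Name, $motw['ZoneId'], $motw['HostUrl']
    } else {
        $origin = if ($motw['HostUrl']) { $motw['HostUrl'] } else { 'unknown' }
        "{0}: left blocked (ZoneId={1}, origin {2})" -f $_.Name, $motw['ZoneId'], $origin
    }
}
```

Files that carry a ZoneId but no HostUrl (some download tools and archive extractors omit it) stay blocked, which is the safe default: with no recorded origin there is nothing to check the file against, so it should be reviewed by hand before being unblocked.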

While the inability to preview files by default can be annoying, such measures are crucial for security until NTLM is eventually deprecated in future Windows versions. Additionally, consistently using strong and unique passwords can help mitigate the consequences of any potential NTLM hash exposure.
