CVE-2026-32202: APT28 Zero-Click NTLM Credential Theft — IOCs and Detection Reference

Windows Explorer renders thumbnails and icons for LNK (shortcut) files by reading their embedded icon path. CVE-2026-32202 exploits the fact that this icon path field accepts UNC (Universal Naming Convention) paths in the format <code>\attacker-ip\share\icon.ico</code>. When Explorer processes the LNK file to display its icon — which happens automatically when a user opens a folder containing the file, with no further interaction — Windows initiates an outbound SMB connection to the UNC path and attempts to authenticate using the current user's NTLMv2 credentials.

The attacker operates a rogue SMB listener on the target UNC path. The listener captures the NTLMv2 challenge-response hash transmitted by the victim's workstation. This hash can be:

<ul> <li><strong>Cracked offline</strong> — NTLMv2 hashes are susceptible to dictionary and rule-based attacks using Hashcat. Domain user passwords shorter than 10 characters with standard complexity are frequently cracked within hours on modern GPU hardware.</li> <li><strong>Relayed immediately</strong> — Using tools like Responder and ntlmrelayx, an attacker can relay the captured hash in real time to LDAP, SMB signing-disabled shares, Exchange Web Services, or ADCS (Active Directory Certificate Services) to obtain authenticated access without cracking the password.</li> </ul>

The zero-click nature of the vulnerability is what makes it operationally dangerous. Previous LNK-based coercion bugs required a user to execute or right-click a shortcut. CVE-2026-32202 triggers on folder open — or on network share browsing, USB drive insertion, or any file manager operation that causes Explorer to enumerate directory contents.

APT28 is delivering malicious LNK files via spearphishing ZIP archives targeting government and defense sector recipients. The ZIP bypasses email attachment scanning because the LNK is not directly executed; it only needs to be extracted to a directory the user navigates to in Explorer.

The following indicators were extracted from confirmed CVE-2026-32202 exploitation samples attributed to APT28's May 2026 campaign. Hash values are SHA-256. All network indicators should be blocked at the perimeter and added to SIEM watchlists immediately.

<strong>LNK File Indicators</strong> — These files were delivered inside ZIP archives. Filenames use legitimate-looking document names to avoid suspicion. The LNK metadata (creation timestamps, machine SID, MAC address fragments) show origin from a consistent APT28 build environment.

Detecting CVE-2026-32202 exploitation requires correlating file system events with outbound network authentication. No single Event ID catches it in isolation — the signal is the pairing of a new LNK file appearing on disk with an immediate NTLMv2 authentication attempt to an external or unusual IP.

<strong>Primary Event IDs to monitor:</strong>

<ul> <li><strong>Event ID 4648</strong> (Security log) — Explicit credential use. Fires when Windows initiates an outbound NTLM authentication. Look for 4648 events where the target server address is a public IP or an internal IP not associated with known file servers.</li> <li><strong>Event ID 5140</strong> (Security log) — Network share object accessed. Fires on the server side when a share is accessed. In NTLM relay scenarios, watch for 5140 events from unexpected source machines accessing high-value shares (SYSVOL, NETLOGON, admin shares) within seconds of a 4648.</li> <li><strong>Event ID 5145</strong> (Security log) — Network share object access check. More granular than 5140 — shows the specific file or directory path accessed. Useful for detecting relay to ADCS web enrollment (/certsrv).</li> <li><strong>Microsoft-Windows-Sysmon Event ID 15</strong> (if Sysmon deployed) — FileCreateStreamHash. Captures NTFS alternate data stream creation, which occurs when LNK files are downloaded from the internet (Zone.Identifier ADS). LNK files without a Zone.Identifier ADS arriving via email extraction are an anomaly worth flagging.</li> <li><strong>Microsoft-Windows-Sysmon Event ID 11</strong> — FileCreate. Alert on .lnk file creation events in user download, temp, and desktop directories, particularly when followed within 10 seconds by a network connection (Sysmon Event ID 3) to a non-RFC1918 address on TCP 445.</li> </ul>

<strong>High-fidelity correlation rule:</strong> Sysmon Event ID 11 (LNK file created in Downloads/Desktop/Temp) AND Sysmon Event ID 3 (outbound TCP 445 to non-RFC1918) within 15 seconds on the same host = confirmed CVE-2026-32202 coercion attempt. False positive rate is extremely low because legitimate Windows operations do not initiate outbound SMB to public IPs.

The following Sigma rule detects CVE-2026-32202 exploitation by correlating LNK file creation with outbound SMB network connections. Convert to your platform using sigma-cli: <code>sigma convert -t splunk rules/cve-2026-32202-lnk-ntlm-coercion.yml</code>

<pre><code>title: CVE-2026-32202 LNK File NTLM Coercion via Windows Shell id: a7f3c2e1-8d4b-4f09-b5a2-e1f8c3d7b490 status: stable description: > Detects creation of a LNK file in user-accessible directories followed by an outbound SMB connection to a non-RFC1918 address — the behavioral signature of CVE-2026-32202 NTLM coercion exploitation by APT28. references: - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32202 - https://www.decryptiondigest.com/blog/cve-2026-32202-iocs-detection-apt28 author: Decryption Digest Detection Engineering date: 2026-05-18 tags: - attack.credential_access - attack.t1187 # Forced Authentication - attack.t1557.001 # LLMNR/NBT-NS Poisoning and SMB Relay - cve.2026-32202 logsource: product: windows category: sysmon detection: lnk_created: EventID: 11 TargetFilename|endswith: '.lnk' TargetFilename|contains: - '\Downloads\' - '\Desktop\' - '\AppData\Local\Temp\' - '\AppData\Roaming\' smb_outbound: EventID: 3 DestinationPort: 445 DestinationIp|cidr: - '!10.0.0.0/8' - '!172.16.0.0/12' - '!192.168.0.0/16' condition: lnk_created and smb_outbound timeframe: 15s falsepositives: - Legitimate cloud sync clients that use SMB over non-standard paths (rare) - VPN split-tunnel configurations routing SMB to internal servers via public IPs (verify with network team) level: high</code></pre>

<strong>Microsoft Sentinel — KQL</strong>

Requires Sysmon data ingested via Microsoft Monitoring Agent or AMA into the Event table, or directly into the Sysmon table if using the Sysmon parser.

<pre><code>// CVE-2026-32202 — LNK NTLM Coercion Detection // Correlate LNK file creation with outbound SMB to public IPs within 15s let LnkCreation = Event | where Source == "Microsoft-Windows-Sysmon" | where EventID == 11 | extend TargetFile = tostring(EventData.TargetFilename) | where TargetFile endswith ".lnk" | where TargetFile has_any (@"Downloads", @"Desktop", @"Temp", @"AppData") | project TimeGenerated, Computer, LnkPath = TargetFile, CorrelationKey = strcat(Computer, "_", bin(TimeGenerated, 15s)); let SmbOutbound = Event | where Source == "Microsoft-Windows-Sysmon" | where EventID == 3 | extend DestIP = tostring(EventData.DestinationIp), DestPort = toint(EventData.DestinationPort) | where DestPort == 445 | where DestIP !startswith "10." and DestIP !startswith "172.1" and DestIP !startswith "192.168." | project TimeGenerated, Computer, DestIP, CorrelationKey = strcat(Computer, "_", bin(TimeGenerated, 15s)); LnkCreation | join kind=inner SmbOutbound on CorrelationKey | project TimeGenerated, Computer, LnkPath, OutboundSMBDestination = DestIP, Alert = "CVE-2026-32202 NTLM Coercion — LNK + Outbound SMB" | sort by TimeGenerated desc</code></pre>

<strong>Splunk SPL</strong>

Assumes Sysmon data indexed in the <code>sysmon</code> index. Adjust index and sourcetype to match your environment.

<pre><code>index=sysmon EventCode=11 TargetFilename="*.lnk" (TargetFilename="*\Downloads\*" OR TargetFilename="*\Desktop\*" OR TargetFilename="*\Temp\*") | eval lnk_time=_time, host_key=host | join type=inner host_key [ search index=sysmon EventCode=3 dest_port=445 NOT (dest_ip="10.*" OR dest_ip="172.1*" OR dest_ip="192.168.*") | eval net_time=_time, host_key=host | fields host_key, dest_ip, net_time ] | where (net_time - lnk_time) >= 0 AND (net_time - lnk_time) <= 15 | table _time, host, TargetFilename, dest_ip | rename TargetFilename as "Malicious LNK Path", dest_ip as "NTLM Coercion Target IP"</code></pre>

<strong>Tuning guidance:</strong> Run both queries in audit mode for 48 hours before alerting. Legitimate false positives include VPN clients that route SMB through concentrators appearing as public IPs, and portable application launchers that create LNK files on USB drives. Whitelist by process name (vpnclient.exe, known sync agents) rather than by IP to avoid whitelisting attacker infrastructure.

Microsoft's initial patch for CVE-2026-32202, released in the May 2026 Patch Tuesday update (KB5058379), addressed the primary LNK icon path vector but left two coercion paths unaddressed:

<ol> <li><strong>Embedded UNC paths in LNK target arguments</strong> — The initial patch blocked UNC paths in the LNK icon field but did not validate UNC paths embedded in the LNK's working directory and argument fields. Researchers at Akamai published a bypass proof-of-concept within 72 hours of the May patch demonstrating NTLM coercion via the working directory field. Microsoft acknowledged this gap in a May 15 advisory update and is tracking it as a variant of CVE-2026-32202 pending a supplementary patch.</li> <li><strong>Explorer shell extension handlers</strong> — Shell extension DLLs registered for .lnk processing in the Windows registry can trigger the same outbound authentication flow when Explorer loads extension previews. This path is not addressed by the current patch.</li> </ol>

<strong>What this means operationally:</strong> Applying KB5058379 reduces the attack surface but does not eliminate it. Organizations that applied the patch and consider the vulnerability remediated are still exploitable via the working directory bypass. Full remediation requires the patch plus the NTLM hardening steps in the section below.

Apply in sequence. Steps 1 and 2 are the minimum viable fix. Steps 3 through 5 provide defense-in-depth against current and future NTLM coercion vulnerabilities.

<strong>Step 1 — Apply May 2026 Patch Tuesday updates</strong> KB5058379 (Windows 11 23H2/24H2), KB5058380 (Windows 10 22H2), KB5058381 (Windows Server 2022), KB5058382 (Windows Server 2019). Verify installation: <code>Get-HotFix -Id KB5058379</code> in PowerShell. If the hotfix does not appear, the update either has not been applied or was applied through a cumulative update with a different KB number — check Windows Update history for the May 13, 2026 cumulative update.

<strong>Step 2 — Require SMB signing on all clients and servers</strong> Enforce SMB signing via Group Policy to eliminate the NTLM relay path. GPO path: <em>Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options</em>. Set <em>Microsoft network client: Digitally sign communications (always)</em> to Enabled. Push via: <code>Set-SmbClientConfiguration -RequireSecuritySignature $true -Force</code>. Verify: <code>Get-SmbClientConfiguration | Select RequireSecuritySignature</code>.

<strong>Step 3 — Block outbound SMB at the perimeter</strong> Block TCP 445 outbound to non-RFC1918 addresses at your perimeter firewall and endpoint firewall policy. Legitimate business use cases for outbound SMB to public IPs are essentially nonexistent in 2026. This single control eliminates the NTLM hash capture path even if a malicious LNK file reaches a workstation.

<strong>Step 4 — Disable NTLM where Kerberos is available</strong> Use Group Policy to restrict NTLM authentication: <em>Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Network Security: Restrict NTLM</em>. Set to <em>Deny all</em> for outbound NTLM to remote servers in environments that have fully migrated to Kerberos. For environments still transitioning, set to <em>Audit all</em> first to identify NTLM dependencies before enforcing deny.

<strong>Step 5 — Deploy Extended Protection for Authentication (EPA) on ADCS web enrollment</strong> NTLM relay to the ADCS web enrollment endpoint (/certsrv) is the highest-impact relay target in most enterprise environments — a successful relay yields a domain user certificate enabling persistent Kerberos authentication. Enable EPA on IIS hosting ADCS: in IIS Manager, select the certsrv application, open Authentication, and configure Windows Authentication to require Extended Protection. This is the single highest-ROI hardening step for environments running Active Directory Certificate Services.