Potential CVE-2026-33829 Exploitation - Windows Snipping Tool Remote File Path URI

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects potential exploitation of CVE-2026-33829, a vulnerability in the Windows Snipping Tool URI handler (ms-screensketch:)

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "Process started" AND ( ( PROCESSNAME endswith "\SnippingTool.exe" OR ORIGINALFILENAME = "SnippingTool.exe" ) AND COMMANDLINE contains "ms-screensketch:edit?&filePath=\\,ms-screensketch:edit?&filePath=%%5C,ms-screensketch:edit?&filePath=%5C,ms-screensketch:edit?&filePath=http" ) select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID

Detection

Execution Mode

realtime

Log Sources

Windows

Author

@Samir Bousseaden, Swachchhanda Shrawan Poudel (Nextron Systems)