RenderShock: Critical 0-Click Flaw Delivers Payloads Silently

A critical new attack methodology called RenderShock has emerged, enabling attackers to compromise systems with zero user interaction. The attack exploits file preview and indexing features built into modern operating systems like Windows and macOS, bypassing the traditional assumption that a file is harmless until a user opens it.

Attack Mechanism

Unlike phishing, which relies on a user clicking, RenderShock attacks start immediately when a malicious file is passively processed by the system.

The flaw targets automatic file-handling services, including:

  • Windows Explorer Preview Pane
  • macOS Quick Look
  • Windows Search Indexer

By embedding malicious code in files like PDFs, Office documents, and even basic LNK files, the attacker can silently trigger actions when the system attempts to generate a preview thumbnail or index the content.

Attackers’ Primary Goal

The primary goal of RenderShock is initial access and information theft. Key capabilities include:

  1. NTLM Credential Theft: By leveraging UNC paths in a file’s metadata, the attack forces the system to automatically send NTLMv2 password hashes to an attacker’s remote server when the file is simply previewed.
  2. Remote Code Execution: Advanced payloads can execute code by exploiting flaws in preview handlers, achieving full system compromise.

Action for Defenders

Since this is a fundamental design weakness, security teams must implement immediate mitigations:

  • Disable Preview Features: Turn off the Preview Pane in Windows Explorer and Quick Look on macOS.
  • Block SMB Traffic: Restrict outbound Server Message Block (SMB) traffic (TCP 445) to untrusted networks to prevent NTLM hash leaks.
  • Behavioral Monitoring: Deploy EDR and behavioral tools to detect unusual network connections from typically “safe” processes like explorer.exe and searchindexer.exe.
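As an added example (not from the article, and not vendor tooling), the following PowerShell applies the three mitigations above on a Windows host and includes a query that implements the third one over Sysmon network-connection events. The policy value names NoPreviewPane/NoReadingPane, the firewall "Internet" address keyword, the Sysmon channel name, and the extra preview-hosting process names (prevhost.exe, SearchProtocolHost.exe) are assumptions drawn from Windows documentation and should be verified in your environment; the article itself names only explorer.exe and searchindexer.exe.

```powershell
# Added example: RenderShock-style hardening and detection on Windows.
# Run in an elevated PowerShell 5.1+ session. Registry value names, the
# firewall address keyword and the Sysmon log channel are assumptions to verify.
#Requires -RunAsAdministrator

# --- 1. Disable the Explorer Preview Pane (and Details pane) by policy ---
# Assumed policy values under the per-user Explorer policy key; use HKLM for machine-wide.
$explorerPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Explorer'
New-Item -Path $explorerPolicy -Force | Out-Null
Set-ItemProperty -Path $explorerPolicy -Name 'NoPreviewPane' -Type DWord -Value 1
Set-ItemProperty -Path $explorerPolicy -Name 'NoReadingPane' -Type DWord -Value 1

# --- 2. Block outbound SMB (TCP 445) to non-intranet destinations ---
# 'Internet' is a built-in Windows Firewall address keyword (everything not intranet).
$ruleName = 'Block outbound SMB to Internet (RenderShock mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# --- 3. Detection: outbound 445 from preview/indexing processes ---
function Test-IsPrivateIPv4 {
    # True for RFC 1918 and loopback IPv4; anything else (incl. IPv6) counts as external.
    param([string]$Ip)
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr)) { return $false }
    if ($addr.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $addr.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 127)
}

function Get-PreviewTriggeredSmbConnections {
    # Requires Sysmon with Event ID 3 (NetworkConnect) enabled for these images.
    # Returns objects suitable for forwarding to a SIEM or writing an alert rule.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'   # assumed default channel
        Id        = 3
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time            = $_.TimeCreated
            Image           = $data.Image
            DestinationIp   = $data.DestinationIp
            DestinationPort = [int]$data.DestinationPort
        }
    } | Where-Object {
        $_.DestinationPort -eq 445 -and
        # explorer.exe / searchindexer.exe per the article; prevhost.exe and
        # SearchProtocolHost.exe also host preview/indexing handlers (assumption).
        $_.Image -match '\\(explorer|SearchIndexer|SearchProtocolHost|prevhost)\.exe$' -and
        -not (Test-IsPrivateIPv4 $_.DestinationIp)
    }
}

# Usage: list the last 24 hours of suspicious preview-triggered SMB connections.
Get-PreviewTriggeredSmbConnections -Hours 24 | Format-Table -AutoSize
```

The firewall rule deliberately uses the "Internet" keyword rather than a blanket block so that SMB to intranet file servers keeps working; if your environment routes file shares across non-RFC1918 ranges, extend Test-IsPrivateIPv4 with those ranges or the detection will flag legitimate traffic.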

Key Takeaways

The Threat: RenderShock is a 0-Click attack that requires no user action.

The Vulnerability: Exploits systems that automatically preview and index files (e.g., Quick Look).

The Result: Silent NTLM credential harvesting and remote code execution.

The Fix: Disable system preview features and block outbound SMB.
