CVE-2024-43451

CVE-2024-43451: Windows NTLM Hash Disclosure via File Interaction

Tactics: Credential Access, Lateral Movement

CVE-2024-43451 is a Windows NTLM hash disclosure vulnerability (NTLMv2 spoofing) affecting Windows 10, Windows 11, and Windows Server 2008-2025. Minimal user interaction with a malicious file (right-click, open, or preview) triggers an outbound NTLM authentication request to an attacker-controlled server, leaking the victim's NTLMv2 hash. The hash can be cracked offline or used in relay attacks. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Microsoft
Product
Windows
Versions
Windows 10, Windows 11, Windows Server 2008-2025

Weakness (CWE)

Timeline

Disclosed
November 12, 2024
Patched
November 12, 2024

CVSS

6.5
Medium (4.0–6.9)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Write-up coming soon

What is CVE-2024-43451: Windows NTLM Hash Disclosure via File Interaction?

CVE-2024-43451: Windows NTLM Hash Disclosure via File Interaction (CVE-2024-43451) maps to the MITRE ATT&CK tactics Credential Access (the adversary is trying to steal account names and passwords) and Lateral Movement.

This page provides production-ready detection logic for CVE-2024-43451: Windows NTLM Hash Disclosure via File Interaction, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel, Azure AD Sign-In Logs. The queries below are rated high severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Credential Access Lateral Movement
Microsoft Sentinel / Defender
```kusto
// File types that trigger an implicit NTLM authentication when opened, previewed or right-clicked
let suspiciousExtensions = dynamic(['.url', '.lnk', '.scf', '.library-ms', '.searchConnector-ms']);
// RFC 1918 ranges, listed for reference; ipv4_is_private() below covers the same ranges
let internalSubnets = dynamic(['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']);
// Caveat: imNetworkSession (ASIM) rows expose DvcId/DstIpAddr rather than DeviceId/RemoteIP,
// so they drop out at the join on DeviceId unless those columns are mapped first
union DeviceNetworkEvents, imNetworkSession
| where TimeGenerated >= ago(24h)
| where RemotePort == 445 or RemotePort == 139
| where not(ipv4_is_private(RemoteIP))   // DeviceNetworkEvents carries RemoteIP, not RemoteIPv4
| join kind=inner (
    DeviceFileEvents
    | where TimeGenerated >= ago(24h)
    | where FileName has_any (suspiciousExtensions)
    | project DeviceId, FileEventTime=TimeGenerated, FileName, FolderPath, InitiatingProcessFileName
) on DeviceId
// File interaction and outbound SMB from the same device within 30 seconds of each other;
// InitiatingProcessFileName here is the network event's, the file event's becomes InitiatingProcessFileName1
| where abs(datetime_diff('second', TimeGenerated, FileEventTime)) < 30
| project TimeGenerated, DeviceId, DeviceName, RemoteIP, RemotePort, FileName, FolderPath, InitiatingProcessFileName
| summarize EventCount=count(), Files=make_set(FileName), RemoteIPs=make_set(RemoteIP) by bin(TimeGenerated, 5m), DeviceName, InitiatingProcessFileName
```

Detects outbound SMB connections to non-private IP addresses within 30 seconds of a user interacting with suspicious file types known to trigger NTLM authentication (e.g., .url, .lnk, .scf). Correlates DeviceFileEvents with DeviceNetworkEvents to surface likely CVE-2024-43451 exploitation attempts.
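The same correlation re-implemented offline, as an added example that is not the vendor's query, so the logic can be exercised against constructed sample rows: field names mirror DeviceFileEvents/DeviceNetworkEvents, and the private-range check mirrors the RFC 1918 list used by ipv4_is_private() rather than Python's broader is_private.

```python
"""Offline model of the KQL correlation: suspicious file touch + outbound SMB to a
non-RFC1918 address on the same device within 30 seconds (added example, constructed data)."""
from datetime import datetime, timedelta
import ipaddress

SUSPICIOUS_EXTENSIONS = ('.url', '.lnk', '.scf', '.library-ms', '.searchconnector-ms')
SMB_PORTS = {445, 139}
WINDOW = timedelta(seconds=30)
# Same ranges the page's internalSubnets lists and ipv4_is_private() checks.
RFC1918 = [ipaddress.ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]

def is_rfc1918(ip: str) -> bool:
    """True for RFC 1918 space only; TEST-NET/loopback etc. are treated as external, as in KQL."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)

def is_suspicious_file(name: str) -> bool:
    return name.lower().endswith(SUSPICIOUS_EXTENSIONS)

def correlate(file_events, net_events, window=WINDOW):
    """Return (network_event, file_event) pairs that satisfy the join-and-window condition."""
    by_device = {}
    for fe in file_events:
        if is_suspicious_file(fe["FileName"]):
            by_device.setdefault(fe["DeviceId"], []).append(fe)
    hits = []
    for ne in net_events:
        if ne["RemotePort"] not in SMB_PORTS or is_rfc1918(ne["RemoteIP"]):
            continue
        for fe in by_device.get(ne["DeviceId"], []):
            if abs(ne["TimeGenerated"] - fe["TimeGenerated"]) < window:
                hits.append((ne, fe))
    return hits

# Constructed sample telemetry (not real data); 203.0.113.9 is a TEST-NET-3 documentation address.
T0 = datetime(2024, 11, 13, 9, 0, 0)
FILE_EVENTS = [
    {"DeviceId": "dev1", "TimeGenerated": T0, "FileName": "invoice.url", "InitiatingProcessFileName": "explorer.exe"},
    {"DeviceId": "dev2", "TimeGenerated": T0, "FileName": "report.docx", "InitiatingProcessFileName": "winword.exe"},
]
NET_EVENTS = [
    {"DeviceId": "dev1", "TimeGenerated": T0 + timedelta(seconds=12), "RemoteIP": "203.0.113.9", "RemotePort": 445, "InitiatingProcessFileName": "explorer.exe"},  # hit
    {"DeviceId": "dev1", "TimeGenerated": T0 + timedelta(seconds=12), "RemoteIP": "10.0.0.5", "RemotePort": 445, "InitiatingProcessFileName": "explorer.exe"},     # internal share
    {"DeviceId": "dev1", "TimeGenerated": T0 + timedelta(minutes=5), "RemoteIP": "203.0.113.9", "RemotePort": 445, "InitiatingProcessFileName": "explorer.exe"},   # outside window
    {"DeviceId": "dev2", "TimeGenerated": T0 + timedelta(seconds=5), "RemoteIP": "203.0.113.9", "RemotePort": 445, "InitiatingProcessFileName": "winword.exe"},    # no suspicious file
]

if __name__ == "__main__":
    for ne, fe in correlate(FILE_EVENTS, NET_EVENTS):
        print(f"{ne['DeviceId']}: {fe['FileName']} -> {ne['RemoteIP']}:{ne['RemotePort']} via {ne['InitiatingProcessFileName']}")
```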

Severity: high. Confidence: high.

Data Sources

Microsoft Defender for Endpoint, Microsoft Sentinel, Azure AD Sign-In Logs

Required Tables

DeviceNetworkEvents, DeviceFileEvents, imNetworkSession

False Positives

  • Legitimate remote shares accessed via .lnk shortcuts pointing to external partners
  • Network scanners or vulnerability assessment tools generating outbound SMB traffic
  • Developer tools or CI/CD pipelines accessing remote UNC paths during build processes
  • Roaming profiles or folder redirection configured to external SMB endpoints

Sigma rule & cross-platform mapping

The detection logic for CVE-2024-43451: Windows NTLM Hash Disclosure via File Interaction above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic ships here as native queries in KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale). In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: NTLM Hash Disclosure via Malicious .url File

    Expected signal: Sysmon EventID 11 (file creation for the .url file), Sysmon EventID 3 (network connection from explorer.exe to ATTACKER_IP:445), Windows Security EventID 4648 (explicit credential use targeting ATTACKER_IP), Responder captures the NTLMv2 hash

  2. Test 2: NTLM Hash Disclosure via Malicious .lnk Shortcut

    Expected signal: Sysmon EventID 11 (LNK creation), Sysmon EventID 3 (explorer.exe → ATTACKER_IP:445), Windows Security EventID 4648 with LogonType=3 and TargetServerName=ATTACKER_IP

  3. Test 3: NTLM Hash Disclosure via Malicious .scf (Shell Command File)

    Expected signal: Sysmon EventID 3 from explorer.exe to ATTACKER_IP:445 without any explicit user action beyond viewing the folder, Windows Security EventID 4648 capturing the NTLMv2 exchange, network PCAP showing the full NTLM handshake
