CVE-2024-43451 Google Chronicle · YARA-L

Detect CVE-2024-43451: Windows NTLM Hash Disclosure via File Interaction in Google Chronicle

CVE-2024-43451 is a Windows NTLM hash disclosure (spoofing) vulnerability affecting Windows 10, Windows 11, and Windows Server 2008 through 2025; Microsoft fixed it in the November 2024 security updates. The publicly reported trigger is a malicious Internet Shortcut (.url) file. Minimal interaction is enough: selecting the file with a single click, right-clicking it, dragging it or deleting it. The file does not have to be opened or executed. The interaction makes the victim's machine start an outbound NTLM authentication to an attacker-controlled server, leaking the user's NTLMv2 response (commonly called the NTLMv2 hash), which can be cracked offline or relayed to services that do not enforce signing. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Technique: T1187 Forced Authentication
Tactics: Credential Access (capture of the NTLMv2 response); Lateral Movement (relay or reuse of the captured credential)

YARA-L Detection Query

Google Chronicle (YARA-L)
rule cve_2024_43451_ntlm_hash_disclosure {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects NTLM hash disclosure via malicious shortcut-file interaction (CVE-2024-43451 .url trigger, plus .lnk/.scf/.library-ms coercion vectors)"
    severity = "HIGH"
    confidence = "HIGH"
    cve = "CVE-2024-43451"
    mitre_attack = "T1187"

  events:
    // File interaction with a shortcut-type file. FILE_CREATION is included because
    // Sysmon EventID 11 (file create) is what most endpoints forward; FILE_OPEN only
    // appears when an EDR reports file reads.
    ($file_event.metadata.event_type = "FILE_OPEN" or $file_event.metadata.event_type = "FILE_CREATION")
    $file_event.target.file.full_path = /\.(url|lnk|scf|library-ms|searchconnector-ms)$/ nocase
    $file_event.principal.hostname = $host

    // Outbound SMB from the same host to an address outside the internal ranges.
    // Sysmon EventID 3 carries no application-protocol label, so match on the port only.
    // Extend the exclusions with any public ranges, NAS or cloud file shares you own.
    $net_event.metadata.event_type = "NETWORK_CONNECTION"
    $net_event.target.port = 445
    not net.ip_in_range_cidr($net_event.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($net_event.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($net_event.target.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($net_event.target.ip, "127.0.0.0/8")
    $net_event.principal.hostname = $host

  match:
    // Both events on the same host within one minute.
    $host over 1m

  condition:
    $file_event and $net_event
}

Chronicle YARA-L 2.0 rule correlating file interaction events on shortcut-type files with outbound SMB (TCP 445) connections to addresses outside the excluded internal ranges, within a one-minute window on the same host. The .url (Internet Shortcut) file is the CVE-2024-43451 trigger; .lnk, .scf, .library-ms and .searchConnector-ms are long-standing NTLM coercion vectors (an icon or target path pointing at a UNC share) that the same correlation catches, so an alert on one of those is evidence of forced authentication but not by itself of this CVE. Because the SMB redirector runs in the kernel, Sysmon attributes the port 445 connection to System (PID 4) rather than to explorer.exe, so the network side cannot be narrowed by process; the shortcut-file event is the only link back to the user action.
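As an added example (not code from this page or from df00tech), the rule's correlation restated in plain Python and run over a handful of constructed UDM-style events, so the matching can be checked offline before the rule is deployed. The flattened field names (`hostname`, `file_path`, `target_ip`, `target_port`, `ts`) are stand-ins for the UDM paths the rule uses, and every host, path, timestamp and address below is made up; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used as "external". The internal-address exclusion is done with the `ipaddress` module so loopback and link-local ranges sit alongside the RFC1918 ones, and the window is applied as a plain distance between the two timestamps in either order, which is close enough to Chronicle's match buckets for test purposes.

```python
"""Plain-Python restatement of the shortcut-file / external-SMB correlation.

Field names are flattened stand-ins for the UDM paths in the YARA-L rule
(hostname -> principal.hostname, file_path -> target.file.full_path,
target_ip -> target.ip, target_port -> target.port). All sample events are
constructed; they are not real telemetry.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Same extension set as the rule's regex, matched case-insensitively.
SHORTCUT_RE = re.compile(r"\.(url|lnk|scf|library-ms|searchconnector-ms)$", re.IGNORECASE)

# Addresses treated as internal. Extend with your own public ranges, NAS and
# cloud file-share addresses; anything not listed here counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Both file event types: Sysmon forwards creates (EventID 11), not opens.
FILE_EVENT_TYPES = {"FILE_OPEN", "FILE_CREATION"}
WINDOW = timedelta(minutes=1)


def is_internal(ip: str) -> bool:
    """True if the address falls inside any excluded range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_shortcut_file_event(ev: dict) -> bool:
    """File interaction with a shortcut-type file (the $file_event side)."""
    return (ev["event_type"] in FILE_EVENT_TYPES
            and SHORTCUT_RE.search(ev.get("file_path", "")) is not None)


def is_external_smb(ev: dict) -> bool:
    """Outbound TCP 445 to a non-internal address (the $net_event side)."""
    return (ev["event_type"] == "NETWORK_CONNECTION"
            and ev.get("target_port") == 445
            and not is_internal(ev["target_ip"]))


def correlate(events: list, window: timedelta = WINDOW) -> list:
    """Pair each qualifying file event with each qualifying network event on
    the same host whose timestamps lie within `window` of each other, in
    either order. Returns (host, file_path, target_ip) tuples."""
    buckets = defaultdict(lambda: {"file": [], "net": []})
    for ev in events:
        if is_shortcut_file_event(ev):
            buckets[ev["hostname"]]["file"].append(ev)
        elif is_external_smb(ev):
            buckets[ev["hostname"]]["net"].append(ev)
    hits = []
    for host, b in buckets.items():
        for f in b["file"]:
            for n in b["net"]:
                if abs(f["ts"] - n["ts"]) <= window:
                    hits.append((host, f["file_path"], n["target_ip"]))
    return hits


T0 = datetime(2024, 11, 13, 9, 0, 0)  # arbitrary base time for the samples


def _ev(host, etype, offset_s, **fields):
    """Build one constructed event `offset_s` seconds after T0."""
    return {"hostname": host, "event_type": etype,
            "ts": T0 + timedelta(seconds=offset_s), **fields}


# Constructed sample telemetry covering one true positive and three non-matches.
SAMPLE_EVENTS = [
    # WS01: .url lands in Downloads, then SMB to an external host 4 s later -> hit
    _ev("WS01", "FILE_CREATION", 0, file_path=r"C:\Users\alice\Downloads\invoice.URL"),
    _ev("WS01", "NETWORK_CONNECTION", 4, target_ip="203.0.113.10", target_port=445),
    # WS02: shortcut plus SMB to an internal file server -> excluded by the range filter
    _ev("WS02", "FILE_OPEN", 0, file_path=r"\\fs01\public\link.lnk"),
    _ev("WS02", "NETWORK_CONNECTION", 2, target_ip="192.168.1.20", target_port=445),
    # WS03: ordinary document plus external SMB -> no shortcut file, no hit
    _ev("WS03", "FILE_OPEN", 0, file_path=r"C:\Users\bob\report.docx"),
    _ev("WS03", "NETWORK_CONNECTION", 1, target_ip="198.51.100.7", target_port=445),
    # WS04: .scf viewed, external SMB five minutes later -> outside the window
    _ev("WS04", "FILE_OPEN", 0, file_path=r"C:\share\thumbs.scf"),
    _ev("WS04", "NETWORK_CONNECTION", 300, target_ip="203.0.113.10", target_port=445),
]

if __name__ == "__main__":
    for host, path, ip in correlate(SAMPLE_EVENTS):
        print(f"ALERT host={host} file={path} smb_target={ip}")
```

Running the block prints one alert, for WS01, and nothing for the internal file server, the non-shortcut file or the out-of-window pair. Those four cases are also the ones worth replaying as real telemetry when validating the rule in Chronicle, since each exercises a different clause of it.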

Data Sources

  • Google Chronicle UDM
  • Windows Event Logs (via Chronicle forwarder)
  • Endpoint Detection Feed

Required Tables

UDM Events (FILE_OPEN or FILE_CREATION for the file side, NETWORK_CONNECTION for the network side)

False Positives & Tuning

  • Legitimate cloud storage sync tools interacting with .lnk files while connecting to external SMB endpoints
  • Application packaging systems (MSIX, InstallShield) that process shortcut files during builds
  • Network-attached storage or cloud file shares reached on public (non-RFC1918) addresses via Windows shortcuts; add those addresses to the exclusion list
  • Split-DNS configurations in which internal file servers resolve to public addresses, so the target IP falls outside the excluded ranges
  • Windows itself writes a .lnk to %APPDATA%\Microsoft\Windows\Recent every time a user opens a document, so .lnk creation is constant on every workstation and any coincidental external SMB connection within the window becomes an alert; exclude the Recent folder, or restrict the .lnk branch to Downloads, mail-attachment and removable-media paths
  • Coverage gap rather than false positive: if outbound 445 is blocked, or the attacker's path uses WebDAV syntax, the WebClient service carries the NTLM exchange over TCP 80/443 and the port-445 condition never sees it; pair this rule with HTTP/WebDAV NTLM detection or proxy logs

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Test 1 exercises the CVE-2024-43451 trigger itself (a .url file); Tests 2 and 3 use .lnk and .scf files, older NTLM coercion vectors that this rule also covers. Executable commands and cleanup steps are available with Pro.

  1. Test 1: NTLM Hash Disclosure via Malicious .url File

    Expected signal: Sysmon EventID 11 (creation of the .url file), Sysmon EventID 3 (outbound connection to ATTACKER_IP:445; because the SMB redirector runs in the kernel, Sysmon attributes it to System, PID 4, not to explorer.exe), Windows Security EventID 4648 targeting ATTACKER_IP where it is logged (4648 records explicit credential use, so a leak made with the logged-on user's own credentials may produce none; do not make it a gating signal), and an NTLMv2 capture on the listener (for example Responder)

  2. Test 2: NTLM Hash Disclosure via Malicious .lnk Shortcut

    Expected signal: Sysmon EventID 11 (LNK creation), Sysmon EventID 3 (System → ATTACKER_IP:445, as in Test 1), Windows Security EventID 4648 with TargetServerName=ATTACKER_IP where logged (4648 has no LogonType field; a LogonType 3 record is the 4624 written on a Windows receiving side, which a capture tool does not produce)

  3. Test 3: NTLM Hash Disclosure via Malicious .scf (Shell Command File)

    Expected signal: Sysmon EventID 3 to ATTACKER_IP:445 triggered by nothing more than viewing the folder that contains the file (Explorer resolves the icon path while rendering the listing), Windows Security EventID 4648 where logged, and a network capture showing the full NTLM handshake (NEGOTIATE, CHALLENGE, AUTHENTICATE) whose AUTHENTICATE message carries the NTLMv2 response

Unlock Pro Content

Get the full detection package for CVE-2024-43451 including response playbook, investigation guide, and atomic red team tests.
