CVE-2024-43451 Elastic Security · Elastic

Detect CVE-2024-43451: Windows NTLM Hash Disclosure via File Interaction in Elastic Security

CVE-2024-43451 is a Windows NTLM hash disclosure vulnerability (NTLMv2 spoofing) affecting Windows 10, Windows 11, and Windows Server 2008-2025. Minimal user interaction with a malicious file (right-click, open, or preview) triggers an outbound NTLM authentication request to an attacker-controlled server, leaking the victim's NTLMv2 hash. The hash can be cracked offline or used in relay attacks. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Credential Access Lateral Movement

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.id with maxspan=30s
  [file where event.action in ("open", "creation", "access") and
   file.extension in ("url", "lnk", "scf", "library-ms", "searchConnector-ms") and
   not file.path like~ "C:\\Windows\\*"]
  [network where event.action == "connection_attempted" and
   destination.port in (445, 139) and
   not cidr_match(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]
high severity high confidence

EQL sequence rule correlating suspicious file access (.url, .lnk, .scf, etc.) with a subsequent outbound SMB connection to a non-RFC1918 IP within 30 seconds on the same host, the behavioral signature of CVE-2024-43451 exploitation.

Data Sources

Elastic Endpoint SecurityWinlogbeatPacketbeat

Required Tables

logs-endpoint.events.file-*logs-endpoint.events.network-*

False Positives & Tuning

  • Legitimate internet-facing file servers accessed via mapped drives using shortcut files
  • Antivirus or EDR solutions scanning shortcut files and triggering network lookups
  • Browser downloads of .url files immediately followed by SMB beacon to referrer host
  • IT asset management tools enumerating LNK files alongside network discovery probes

Other platforms for CVE-2024-43451

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1NTLM Hash Disclosure via Malicious .url File

    Expected signal: Sysmon EventID 11 (file creation for .url file), Sysmon EventID 3 (network connection from explorer.exe to ATTACKER_IP:445), Windows Security EventID 4648 (explicit credential use targeting ATTACKER_IP), Responder captures NTLMv2 hash

  2. Test 2NTLM Hash Disclosure via Malicious .lnk Shortcut

    Expected signal: Sysmon EventID 11 (LNK creation), Sysmon EventID 3 (explorer.exe → ATTACKER_IP:445), Windows Security EventID 4648 with LogonType=3 and TargetServerName=ATTACKER_IP

  3. Test 3NTLM Hash Disclosure via Malicious .scf (Shell Command File)

    Expected signal: Sysmon EventID 3 from explorer.exe to ATTACKER_IP:445 without any explicit user action beyond folder view, Windows Security EventID 4648 capturing NTLMv2 exchange, network PCAP showing full NTLM handshake

Last updated: 2026-06-20 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2024-43451 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0006Credential AccessTA0008Lateral Movement

Related Techniques

T1187Forced AuthenticationT1557.001LLMNR/NBT-NS Poisoning and SMB RelayT1078.002Domain Accounts

Same Tactic: Credential Access

Popular Detections