Detect CVE-2024-43451: Windows NTLM Hash Disclosure via File Interaction in CrowdStrike LogScale
CVE-2024-43451 is a Windows NTLM hash disclosure vulnerability (NTLMv2 spoofing) affecting Windows 10, Windows 11, and Windows Server 2008-2025. Minimal user interaction with a malicious file (right-click, open, or preview) triggers an outbound NTLM authentication request to an attacker-controlled server, leaking the victim's NTLMv2 hash. The hash can be cracked offline or used in relay attacks. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
LogScale Detection Query
// Outbound SMB connections to non-RFC1918 addresses: the coerced NTLM authentication
#event_simpleName = "NetworkConnectIP4"
| in(RemotePort, values=[445, 139])
| NOT RemoteIP = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/
// Join the same host's opens of NTLM-triggering file types; the open time is carried over as file_ts
| join({
    #event_simpleName = "FileOpenInfo"
    | FileOpenInfo.FileName = /\.(url|lnk|scf|library-ms|searchConnector-ms)$/i
    | file_ts := @timestamp
  }, field=aid, key=aid, include=[FileOpenInfo.FileName, ContextProcessId, file_ts], mode=inner)
// Keep connections that follow the file open within 30 seconds (@timestamp is in milliseconds; join keeps one FileOpenInfo row per aid)
| delta := @timestamp - file_ts
| delta >= 0
| delta < 30000
| groupBy([aid, LocalAddressIP4, UserName],
    function=[count(as=smb_connection_count), collect([RemoteIP]), collect([FileOpenInfo.FileName])])
| rename(field=RemoteIP, as=remote_ips)
| rename(field=FileOpenInfo.FileName, as=trigger_files)
| sort(smb_connection_count, order=desc)
CrowdStrike Falcon Query Language (CQL) detection correlating file open events on known NTLM-triggering file extensions with outbound SMB connections to non-RFC1918 addresses within 30 seconds, surfacing CVE-2024-43451 exploitation attempts across the Falcon fleet.
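The same correlation, written out in Python as an added example (not code from the page or from CrowdStrike) so the window and address checks can be exercised against constructed sample events; field names follow the page's query rather than the sensor schema, and the timestamps, aids and IPs are made up:

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample telemetry shaped like the events the query consumes (ISO 8601 timestamps).
FILE_OPENS = [
    {"aid": "A1", "ts": "2024-11-12T10:00:00", "FileName": r"C:\Users\bob\Downloads\invoice.url"},
    {"aid": "A3", "ts": "2024-11-12T10:10:00", "FileName": r"\\fileserver\share\report.SCF"},
]
NET_CONNECTS = [
    {"aid": "A1", "ts": "2024-11-12T10:00:04", "RemoteIP": "203.0.113.7", "RemotePort": 445},   # alert
    {"aid": "A1", "ts": "2024-11-12T10:00:05", "RemoteIP": "10.1.2.3", "RemotePort": 445},      # RFC1918: ignore
    {"aid": "A1", "ts": "2024-11-12T10:02:00", "RemoteIP": "203.0.113.7", "RemotePort": 139},   # >30s later: ignore
    {"aid": "A3", "ts": "2024-11-12T10:09:59", "RemoteIP": "198.51.100.9", "RemotePort": 445},  # before the open: ignore
    {"aid": "A3", "ts": "2024-11-12T10:10:20", "RemoteIP": "172.32.0.5", "RemotePort": 445},    # 172.32/16 is public: alert
]

TRIGGER_EXT = re.compile(r"\.(url|lnk|scf|library-ms|searchconnector-ms)$", re.IGNORECASE)
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {445, 139}


def is_rfc1918(ip: str) -> bool:
    """True only for the three RFC 1918 ranges, matching the query's regex (not ipaddress.is_private)."""
    return any(ip_address(ip) in net for net in RFC1918)


def correlate(file_opens, net_connects, window=timedelta(seconds=30)):
    """SMB connects to non-RFC1918 IPs within `window` after a trigger-file open on the same host (aid)."""
    opens = {}  # aid -> [(open_time, filename)]
    for ev in file_opens:
        if TRIGGER_EXT.search(ev["FileName"]):
            opens.setdefault(ev["aid"], []).append((datetime.fromisoformat(ev["ts"]), ev["FileName"]))
    alerts = []
    for ev in net_connects:
        if ev["RemotePort"] not in SMB_PORTS or is_rfc1918(ev["RemoteIP"]):
            continue
        t_conn = datetime.fromisoformat(ev["ts"])
        for t_open, fname in opens.get(ev["aid"], []):
            if timedelta(0) <= t_conn - t_open < window:  # connection must follow the open, within the window
                alerts.append({"aid": ev["aid"], "remote_ip": ev["RemoteIP"], "trigger_file": fname})
                break
    return alerts


def summarize(alerts):
    """Per-host rollup like the query's final aggregation: count, distinct remote IPs, distinct trigger files."""
    out = {}
    for a in alerts:
        s = out.setdefault(a["aid"], {"smb_connection_count": 0, "remote_ips": set(), "trigger_files": set()})
        s["smb_connection_count"] += 1
        s["remote_ips"].add(a["remote_ip"])
        s["trigger_files"].add(a["trigger_file"])
    return out
```

The 172.32.0.5 case is deliberate: the query's regex only excludes 172.16.0.0/12, so a broader "is private" check would silently drop a true positive there.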
False Positives & Tuning
- Falcon sensor telemetry gaps causing timestamp misalignment between file and network events
- Legitimate IT management consoles opening .lnk files and connecting to external inventory servers
- Red team exercises using NTLM coercion techniques with prior authorization
- Users accessing personal cloud storage via Windows shortcut files resolving to external IPs
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: NTLM Hash Disclosure via Malicious .url File
Expected signal: Sysmon EventID 11 (file creation for .url file), Sysmon EventID 3 (network connection from explorer.exe to ATTACKER_IP:445), Windows Security EventID 4648 (explicit credential use targeting ATTACKER_IP), Responder captures NTLMv2 hash
- Test 2: NTLM Hash Disclosure via Malicious .lnk Shortcut
Expected signal: Sysmon EventID 11 (LNK creation), Sysmon EventID 3 (explorer.exe → ATTACKER_IP:445), Windows Security EventID 4648 with LogonType=3 and TargetServerName=ATTACKER_IP
- Test 3: NTLM Hash Disclosure via Malicious .scf (Shell Command File)
Expected signal: Sysmon EventID 3 from explorer.exe to ATTACKER_IP:445 without any explicit user action beyond folder view, Windows Security EventID 4648 capturing NTLMv2 exchange, network PCAP showing full NTLM handshake