Detect CVE-2024-43451: Windows NTLM Hash Disclosure via File Interaction in IBM QRadar
CVE-2024-43451 is a Windows NTLM hash disclosure vulnerability (NTLMv2 spoofing) affecting Windows 10, Windows 11, and Windows Server 2008-2025. Minimal user interaction with a malicious file (right-click, open, or preview) triggers an outbound NTLM authentication request to an attacker-controlled server, leaking the victim's NTLMv2 hash. The hash can be cracked offline or used in relay attacks. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
MITRE ATT&CK
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
sourceip,
destinationip,
destinationport,
username,
CATEGORYNAME(category) AS event_category,
"QID" AS qid,
LOGSOURCENAME(logsourceid) AS log_source
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
AND (
(category = 5156 OR category = 5158 OR destinationport IN (445, 139))
AND NOT INCIDR(destinationip, '10.0.0.0/8')
AND NOT INCIDR(destinationip, '172.16.0.0/12')
AND NOT INCIDR(destinationip, '192.168.0.0/16')
AND NOT INCIDR(destinationip, '127.0.0.0/8')
)
AND username IN (
SELECT username FROM events
WHERE
LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
AND LONG("Malicious File Extension") = 1
AND devicetime BETWEEN (NOW() - 30 SECONDS) AND NOW()
)
AND devicetime >= NOW() - HOURS 24
GROUP BY sourceip, destinationip, destinationport, username
ORDER BY event_time DESC
LIMIT 500QRadar AQL query detecting outbound SMB connections to external IPs correlated with recent process activity involving known-malicious file extensions. Designed to surface CVE-2024-43451 exploitation attempts in Windows environments.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise applications using DFS namespaces that resolve to external-appearing IPs
- Miscategorized private IPs due to CIDR exclusion gaps in SIEM configuration
- Security awareness training platforms that distribute .url/.lnk files to test users
- Third-party backup agents interacting with shortcut files and connecting to cloud endpoints
Other platforms for CVE-2024-43451
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1NTLM Hash Disclosure via Malicious .url File
Expected signal: Sysmon EventID 11 (file creation for .url file), Sysmon EventID 3 (network connection from explorer.exe to ATTACKER_IP:445), Windows Security EventID 4648 (explicit credential use targeting ATTACKER_IP), Responder captures NTLMv2 hash
- Test 2NTLM Hash Disclosure via Malicious .lnk Shortcut
Expected signal: Sysmon EventID 11 (LNK creation), Sysmon EventID 3 (explorer.exe → ATTACKER_IP:445), Windows Security EventID 4648 with LogonType=3 and TargetServerName=ATTACKER_IP
- Test 3NTLM Hash Disclosure via Malicious .scf (Shell Command File)
Expected signal: Sysmon EventID 3 from explorer.exe to ATTACKER_IP:445 without any explicit user action beyond folder view, Windows Security EventID 4648 capturing NTLMv2 exchange, network PCAP showing full NTLM handshake
Unlock Pro Content
Get the full detection package for CVE-2024-43451 including response playbook, investigation guide, and atomic red team tests.