CVE-2024-43451 Sumo Logic CSE · Sumo

Detect CVE-2024-43451: Windows NTLM Hash Disclosure via File Interaction in Sumo Logic CSE

CVE-2024-43451 is a Windows NTLM hash disclosure vulnerability (NTLMv2 spoofing) affecting Windows 10, Windows 11, and Windows Server 2008-2025. Minimal user interaction with a malicious file (right-click, open, or preview) triggers an outbound NTLM authentication request to an attacker-controlled server, leaking the victim's NTLMv2 hash. The hash can be cracked offline or used in relay attacks. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Credential Access Lateral Movement

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=windows/security OR _sourceCategory=windows/sysmon
| where EventID in ("4648", "4624", "5156", "4688")
| if (EventID == "4688", CommandLine, "") as process_cmd
| if (matches(process_cmd, "(?i)\.(url|lnk|scf|library-ms|searchConnector-ms)"), 1, 0) as suspicious_file_access
| if (EventID in ("5156", "4648"), DestAddress, "") as dest_ip
| where dest_ip != ""
| where !matches(dest_ip, "^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\.168\.)") and dest_ip != "127.0.0.1"
| timeslice 5m
| stats count as connection_count, count_distinct(dest_ip) as unique_ext_ips, max(suspicious_file_access) as had_suspicious_file by _timeslice, Computer, SubjectUserName
| where connection_count > 0 and had_suspicious_file == 1
| sort by _timeslice desc
high severity medium confidence

Sumo Logic query identifying hosts that both interacted with suspicious file types (triggering potential NTLM leakage) and initiated outbound SMB connections to non-private IPs within the same 5-minute window, indicative of CVE-2024-43451 exploitation.

Data Sources

Windows Security Event LogSysmonSumo Logic Cloud SIEM

False Positives & Tuning

  • Automated file processing systems handling .lnk files as part of legitimate workflows
  • Remote desktop or virtual desktop infrastructure scenarios with non-standard routing
  • Cloud sync clients (OneDrive, SharePoint) interacting with shortcut files and making SMB calls
  • Penetration test activity conducted without prior notification to the SOC

Other platforms for CVE-2024-43451

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1NTLM Hash Disclosure via Malicious .url File

    Expected signal: Sysmon EventID 11 (file creation for .url file), Sysmon EventID 3 (network connection from explorer.exe to ATTACKER_IP:445), Windows Security EventID 4648 (explicit credential use targeting ATTACKER_IP), Responder captures NTLMv2 hash

  2. Test 2NTLM Hash Disclosure via Malicious .lnk Shortcut

    Expected signal: Sysmon EventID 11 (LNK creation), Sysmon EventID 3 (explorer.exe → ATTACKER_IP:445), Windows Security EventID 4648 with LogonType=3 and TargetServerName=ATTACKER_IP

  3. Test 3NTLM Hash Disclosure via Malicious .scf (Shell Command File)

    Expected signal: Sysmon EventID 3 from explorer.exe to ATTACKER_IP:445 without any explicit user action beyond folder view, Windows Security EventID 4648 capturing NTLMv2 exchange, network PCAP showing full NTLM handshake

Last updated: 2026-06-20 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2024-43451 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0006Credential AccessTA0008Lateral Movement

Related Techniques

T1187Forced AuthenticationT1557.001LLMNR/NBT-NS Poisoning and SMB RelayT1078.002Domain Accounts

Same Tactic: Credential Access

Popular Detections