CVE 2024 43451 Zero Day NTLM Hash Disclosure Spoofing Vulnerability
Query
// CVE-2024-43451 Zero-Day (NTLM Hash Disclosure Spoofing Vulnerability)
// https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-43451
// In Microsoft’s November 2024 Patch Tuesday, one of the actively exploited zero-day vulnerabilities is CVE-2024-43451. This flaw exposes a user’s NTLMv2 hash, which is used for credential validation in Windows environments. Attackers can use these hashes to authenticate as legitimate users, gaining access to applications and data they have permissions for. The vulnerability affects all Windows versions and requires minimal user interaction to exploit. Simply selecting or inspecting a file could trigger the vulnerability, according to Microsoft.
// This vulnerability was publicly disclosed by Israel Yeshurun of ClearSky Cyber Security. According to the Microsoft advisory FAQ, it relates to the underlying MSHTML, EdgeHTML, and scripting platforms, which are still supported despite the retirement of Internet Explorer 11 and Microsoft Edge Legacy.
// Based on this advisory information, I have developed an advanced hunting DefenderXDR KQL to monitor MDE endpoints for NTLM hash activity and Edge WebView usage, along with NTLM over SMB connections to the internet. If this rule triggers, Defender should prompt the user to reset their credentials immediately. The KQL code can be downloaded from my SlimKQL GitHub Repository, which is featured on my LinkedIn profile. (Search for “CVE-2024-43451”)
let EndpointWithNTLMHash =
ExposureGraphEdges
| where EdgeLabel == @"has credentials of"
| where EdgeProperties.rawData.ntlmHash.ntlmHash == "true"
// Endpoint with NTLM hash stored
| distinct SourceNodeName;
let VulnerableEndpoint =
DeviceTvmSoftwareInventory
// https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-43451 FAQ
| where SoftwareName == "edge_webview2_runtime" or
SoftwareName == "internet_explorer"
| where DeviceName has_any (EndpointWithNTLMHash)
| distinct DeviceName;
DeviceNetworkEvents
// NTLM over SMB connection
| where RemotePort == "445" and RemoteIPType == "Public"
| where ActionType == "ConnectionSuccess"
| where DeviceName has_any (VulnerableEndpoint)
// Revised Version v2
let DeviceLNKCreation =
DeviceFileEvents
| where ActionType == @"FileCreated"
| where FileName endswith ".lnk"
| distinct DeviceName;
DeviceNetworkEvents
// NTLM authentication over SMB connection
| where RemotePort == "445" and RemoteIPType == "Public"
| where ActionType == "ConnectionSuccess"
| where DeviceName has_any (DeviceLNKCreation)
// T1550.002: Use Alternate Authentication Material: Pass the HashExplanation
This KQL query is designed to monitor and detect potential exploitation of the CVE-2024-43451 vulnerability, which involves NTLM hash disclosure in Windows environments. Here's a simplified breakdown of what the query does:
-
Identify Endpoints with NTLM Hashes:
- The query first identifies endpoints that have NTLM hashes stored. This is done by checking the
ExposureGraphEdgesfor any credentials labeled as having an NTLM hash.
- The query first identifies endpoints that have NTLM hashes stored. This is done by checking the
-
Detect Vulnerable Endpoints:
- It then checks the software inventory on devices to find those running potentially vulnerable software, specifically "edge_webview2_runtime" or "internet_explorer". It cross-references these with the previously identified endpoints that have NTLM hashes.
-
Monitor Network Events:
- The query looks for successful NTLM authentication attempts over SMB connections (port 445) to public IP addresses. This is indicative of potential unauthorized access attempts using exposed NTLM hashes.
-
Track LNK File Creation:
- In the revised version, the query also tracks the creation of
.lnkfiles, which could be used as part of the exploitation process. It then monitors network events for these devices to detect NTLM authentication over SMB connections.
- In the revised version, the query also tracks the creation of
-
Response Action:
- If the query detects suspicious activity, it suggests that Defender should prompt the user to reset their credentials immediately to mitigate any potential unauthorized access.
Overall, this query is part of an advanced hunting strategy to detect and respond to the exploitation of a specific zero-day vulnerability affecting Windows systems.
Details

Steven Lim
Released: November 15, 2024
Tables
ExposureGraphEdgesDeviceTvmSoftwareInventoryDeviceNetworkEventsDeviceFileEvents
Keywords
ExposureGraphEdgesDeviceTvmSoftwareInventoryDeviceNetworkEventsDeviceFileEvents
Operators
let|where==@.distinctorhas_anyandendswith
MITRE Techniques