Query Details

CVE-2024-43451 Zero-Day NTLM Hash Disclosure Spoofing Vulnerability

Query

// CVE-2024-43451 Zero-Day (NTLM Hash Disclosure Spoofing Vulnerability)
// https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-43451
// In Microsoft's November 2024 Patch Tuesday, one of the actively exploited zero-day vulnerabilities is CVE-2024-43451. The flaw discloses a user's NTLMv2 hash, the credential material Windows uses for NTLM authentication; an attacker who obtains it can authenticate as that user and reach whatever applications and data the user is permitted to access. The vulnerability affects all supported versions of Windows and requires minimal user interaction: according to Microsoft, merely selecting (single-clicking) or inspecting (right-clicking) a malicious file can trigger it, without the file being opened or executed.
// The vulnerability was reported by Israel Yeshurun of ClearSky Cyber Security. According to the Microsoft advisory FAQ, it lies in the underlying MSHTML, EdgeHTML and scripting platforms, which remain supported (MSHTML is still used by Internet Explorer mode in Microsoft Edge and by the WebBrowser control) despite the retirement of Internet Explorer 11 and Microsoft Edge Legacy.
// Based on this advisory information, I have developed an advanced hunting Defender XDR KQL query to monitor MDE endpoints for NTLM hash activity and Edge WebView usage, along with NTLM over SMB connections to the internet. If this rule triggers, Defender should prompt the user to reset their credentials immediately. The KQL code can be downloaded from my SlimKQL GitHub repository, which is featured on my LinkedIn profile (search for "CVE-2024-43451").

let EndpointWithNTLMHash =
ExposureGraphEdges
| where EdgeLabel == @"has credentials of"
// Endpoint with an NTLM hash stored: the edge property flags it
| where EdgeProperties.rawData.ntlmHash.ntlmHash == "true"
| distinct SourceNodeName;
let VulnerableEndpoint =
DeviceTvmSoftwareInventory
// https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-43451 FAQ:
// the MSHTML/EdgeHTML and scripting platforms remain supported after the IE11 retirement
| where SoftwareName in ("edge_webview2_runtime", "internet_explorer")
// Keep only devices that also hold an NTLM hash (term match on the device name)
| where DeviceName has_any (EndpointWithNTLMHash)
| distinct DeviceName;
DeviceNetworkEvents
// Outbound SMB (TCP 445) to a public address: the channel a forced NTLM
// authentication would use to carry the hash out. RemotePort is numeric in the schema.
| where RemotePort == 445 and RemoteIPType == "Public"
| where ActionType == "ConnectionSuccess"
| where DeviceName has_any (VulnerableEndpoint)
// Columns a responder needs first: who connected where, and which process started it
| project Timestamp, DeviceName, RemoteIP, RemoteUrl,
          InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine

// T1550.002: Use Alternate Authentication Material: Pass the Hash

Explanation

This KQL query is designed to detect potential exploitation of CVE-2024-43451, an NTLM hash disclosure (spoofing) vulnerability. It does not observe the NTLM exchange itself; it flags the network behaviour that would carry a leaked hash out of a host that both holds a credential and runs the affected software. Here's a breakdown of what the query does:

  1. Identify Endpoints with NTLM Hashes:

    • The query first collects endpoints that hold an NTLM hash. It reads the ExposureGraphEdges table for "has credentials of" edges whose properties flag an NTLM hash and keeps the source node names.
  2. Identify Vulnerable Endpoints:

    • It then checks the DeviceTvmSoftwareInventory table for devices with "edge_webview2_runtime" or "internet_explorer" installed, the software the author maps to the MSHTML/EdgeHTML platforms named in the advisory FAQ, and keeps only those whose device name matches a hash-holding endpoint from step 1.
  3. Monitor Network Events:

    • It then looks at DeviceNetworkEvents for successful outbound SMB connections (TCP 445) to public IP addresses. Forcing the victim to authenticate to an attacker-controlled SMB server on the internet is how a disclosed NTLMv2 hash would leave the network, so the SMB connection stands in for the NTLM traffic the telemetry cannot see.
  4. Correlate Findings:

    • Only network events from devices present in both earlier sets are returned: hosts that store a hash and run the affected software. The correlation is a has_any term match on DeviceName, so the name recorded in the exposure graph must appear as a term in the device name for a host to be matched.
  5. Actionable Outcome:

    • A hit is a candidate hash leak. The author's recommendation is that Defender prompt the affected user to reset their credentials immediately, since the NTLMv2 hash can be used to authenticate as that user.

Outbound SMB to the internet is commonly blocked at the perimeter; where it is, hits will be rare and each deserves a look at the remote IP and the initiating process. Overall, this query is part of an advanced hunting strategy to monitor and respond to potential exploitation of a specific zero-day vulnerability in Windows environments.
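As an added example (not the author's query above, and not from the SlimKQL repository), here is a variant of the same hunt that keys exposure on the CVE itself through DeviceTvmSoftwareVulnerabilities instead of two software-name strings, joins devices on DeviceId rather than substring-matching DeviceName, and summarises hits per device and remote host for triage. It assumes that the CveId value for CVE-2024-43451 is populated in your tenant's vulnerability data and, carried over from the original, that SourceNodeName in the exposure graph appears as a term in DeviceName.

```kql
// Added example, not the original query. Differences from the query above:
//  - exposure is keyed on the CVE via DeviceTvmSoftwareVulnerabilities
//    (assumption: CveId is populated for this advisory in your tenant)
//  - devices are filtered on DeviceId instead of term-matching DeviceName
//  - results are summarised per device and remote host for triage
let lookback = 7d;
let CredentialHosts =
    ExposureGraphEdges
    | where EdgeLabel == @"has credentials of"
    // tostring() makes the comparison robust whether the flag is stored as a
    // string or as a boolean inside the dynamic EdgeProperties column
    | where tostring(EdgeProperties.rawData.ntlmHash.ntlmHash) == "true"
    | distinct SourceNodeName;
let UnpatchedDevices =
    DeviceTvmSoftwareVulnerabilities
    | where CveId == "CVE-2024-43451"
    | distinct DeviceId;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType == "ConnectionSuccess"
// Outbound SMB to a public address: the path a forced NTLM authentication would take
| where RemotePort == 445 and RemoteIPType == "Public"
// DeviceId is the stable key; it avoids partial name matches between hosts
| where DeviceId in (UnpatchedDevices)
// Name matching carried over from the original query (assumption: SourceNodeName
// is the host name as it appears in DeviceName)
| where DeviceName has_any (CredentialHosts)
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Connections = count(),
            Processes = make_set(InitiatingProcessFileName, 10),
            Accounts = make_set(InitiatingProcessAccountName, 10)
    by DeviceId, DeviceName, RemoteIP
| order by LastSeen desc
```

The summarize step turns a burst of connections from one host into a single row showing which processes and accounts initiated SMB sessions to that public address, which is what a responder needs to decide whether the exposed account's credentials should be reset.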

Details


Steven Lim

Released: November 13, 2024

Tables

ExposureGraphEdges, DeviceTvmSoftwareInventory, DeviceNetworkEvents

Keywords

ExposureGraphEdges, DeviceTvmSoftwareInventory, DeviceNetworkEvents

Operators

let, |, where, ==, @, ., distinct, or, has_any, and
