Query Details

New URL File NTLM Hash Disclosure Vulnerability Detection 0day

Query

// New URL File NTLM Hash Disclosure Vulnerability Detection (0day)
// https://blog.0patch.com/2024/12/url-file-ntlm-hash-disclosure.html
// A Defender XDR exposure management detection for the URL File NTLM Hash Disclosure Vulnerability (0day),
// chaining three signals on the same endpoint:

// 1. NTLM hash present on the endpoint (from the exposure graph)
// 2. New .lnk shortcut file created on that endpoint
// 3. Successful outbound SMB (TCP 445) connection from that endpoint to a public Internet IP,
//    the channel over which the leaked NTLM authentication would travel

// Conditions 1 + 2 + 3 => 💥

let EndpointWithNTLMHash = 
ExposureGraphEdges
| where EdgeLabel == @"has credentials of"
| where EdgeProperties.rawData.ntlmHash.ntlmHash == "true"
// Endpoint with NTLM hash stored
| distinct SourceNodeName;
let DeviceLNKCreation =
DeviceFileEvents
| where ActionType == @"FileCreated"
| where FileName endswith ".lnk"
| where DeviceName has_any(EndpointWithNTLMHash)
| distinct DeviceName;
// Endpoint with NTLM hash and LNK creation
DeviceNetworkEvents
// Outbound SMB (TCP 445) connection to a public IP; this table records the connection, not the NTLM exchange itself
| where RemotePort == 445 and RemoteIPType == "Public"
| where ActionType == "ConnectionSuccess"
| where DeviceName has_any (DeviceLNKCreation)

Explanation

This KQL query is meant to surface endpoints where the URL File NTLM Hash Disclosure vulnerability may have been exploited. Here's a simplified breakdown of what the query does:

  1. Identify Endpoints with NTLM Hashes:

    • It searches the exposure graph for endpoints (computers or devices) that have NTLM hashes stored. NTLM hashes are the password hashes used by Windows challenge-response authentication, and they are what a successful attack would leak.
  2. Detect New .LNK File Creation:

    • It looks for the creation of new shortcut files (with the ".lnk" extension) on those endpoints identified in the first step. KQL's endswith is case-insensitive, so "Invoice.LNK" matches as well. The query keys on .lnk shortcuts only; if you also want to cover .url internet shortcuts, extend the endswith filter.
  3. Monitor Outbound SMB Connections to the Internet:

    • It checks for successful connections on TCP port 445 (Server Message Block) to public IP addresses (i.e., connections going out to the internet) from the devices identified in the second step. DeviceNetworkEvents records the connection, not the authentication exchange itself, but an outbound SMB connection to the internet is exactly the channel over which an NTLM challenge-response would be sent to an attacker-controlled server.

The query combines these three conditions to identify a potential security threat. If all three conditions are met on the same device, it indicates a possible NTLM hash leak, which is a serious security risk because a captured challenge-response can be cracked offline or relayed. Two caveats when triaging hits: the query does not require the shortcut creation to precede the SMB connection, and legitimate SMB traffic to internet-hosted shares will match too, so check the remote IP before escalating.
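The three stages above, as an added worked example that is not part of the original query page or its author's code: the same filters re-implemented in Python over a handful of constructed rows shaped like the three Defender XDR tables, so the chaining can be traced offline. Table and column names follow the query; every device name, IP address, timestamp and edge property value is made up. It goes one step beyond the KQL in two places, both labelled in the code: the `require_order` switch demands that the shortcut creation precede the SMB connection, and the shortcut extensions are a parameter so `.url` can be added.

```python
"""Added worked example (not code from the original page or its author):
the query's three-stage logic run over constructed Defender XDR-shaped rows."""
from datetime import datetime, timezone

NTLM_EDGE_LABEL = "has credentials of"
SHORTCUT_EXTENSIONS = (".lnk",)  # add ".url" here to also cover internet shortcuts

# --- constructed sample rows (made up; not real telemetry) --------------------
EXPOSURE_GRAPH_EDGES = [
    {"EdgeLabel": "has credentials of", "SourceNodeName": "ws-finance-01",
     "EdgeProperties": {"rawData": {"ntlmHash": {"ntlmHash": "true"}}}},
    {"EdgeLabel": "has credentials of", "SourceNodeName": "ws-hr-07",
     "EdgeProperties": {"rawData": {"ntlmHash": {"ntlmHash": "false"}}}},
    {"EdgeLabel": "can authenticate as", "SourceNodeName": "ws-dev-03",
     "EdgeProperties": {"rawData": {}}},
]
DEVICE_FILE_EVENTS = [
    {"Timestamp": "2024-12-06T08:30:00Z", "DeviceName": "ws-finance-01", "ActionType": "FileDeleted", "FileName": "old.lnk"},
    {"Timestamp": "2024-12-06T09:00:00Z", "DeviceName": "ws-finance-01", "ActionType": "FileCreated", "FileName": "Invoice.LNK"},
    {"Timestamp": "2024-12-06T09:01:00Z", "DeviceName": "ws-hr-07", "ActionType": "FileCreated", "FileName": "notes.lnk"},
    {"Timestamp": "2024-12-06T09:02:00Z", "DeviceName": "ws-finance-01", "ActionType": "FileCreated", "FileName": "report.docx"},
]
DEVICE_NETWORK_EVENTS = [
    {"Timestamp": "2024-12-06T08:50:00Z", "DeviceName": "ws-finance-01", "ActionType": "ConnectionSuccess", "RemoteIP": "198.51.100.23", "RemoteIPType": "Public", "RemotePort": 445},
    {"Timestamp": "2024-12-06T09:05:00Z", "DeviceName": "ws-finance-01", "ActionType": "ConnectionSuccess", "RemoteIP": "203.0.113.10", "RemoteIPType": "Public", "RemotePort": 445},
    {"Timestamp": "2024-12-06T09:05:30Z", "DeviceName": "ws-finance-01", "ActionType": "ConnectionSuccess", "RemoteIP": "10.0.0.5", "RemoteIPType": "Private", "RemotePort": 445},
    {"Timestamp": "2024-12-06T09:06:00Z", "DeviceName": "ws-finance-01", "ActionType": "ConnectionSuccess", "RemoteIP": "203.0.113.11", "RemoteIPType": "Public", "RemotePort": 443},
    {"Timestamp": "2024-12-06T09:07:00Z", "DeviceName": "ws-hr-07", "ActionType": "ConnectionSuccess", "RemoteIP": "198.51.100.7", "RemoteIPType": "Public", "RemotePort": 445},
]


def _ts(s):
    """Parse the ISO-8601 Zulu timestamps used in the sample rows."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def endpoints_with_ntlm_hash(edges):
    """Stage 1: distinct SourceNodeName of 'has credentials of' edges whose
    rawData.ntlmHash.ntlmHash is the string "true", as the query compares it."""
    out = set()
    for e in edges:
        if e.get("EdgeLabel") != NTLM_EDGE_LABEL:
            continue
        flag = e.get("EdgeProperties", {}).get("rawData", {}).get("ntlmHash", {}).get("ntlmHash")
        if flag == "true":
            out.add(e["SourceNodeName"])
    return out


def first_shortcut_creation(file_events, candidates, extensions=SHORTCUT_EXTENSIONS):
    """Stage 2: for each stage-1 device, the timestamp of its earliest FileCreated
    event for a shortcut file. Matching is case-insensitive, like KQL endswith."""
    suffixes = tuple(x.lower() for x in extensions)
    first = {}
    for ev in file_events:
        dev = ev["DeviceName"]
        if dev not in candidates or ev["ActionType"] != "FileCreated":
            continue
        if not ev["FileName"].lower().endswith(suffixes):
            continue
        t = _ts(ev["Timestamp"])
        if dev not in first or t < first[dev]:
            first[dev] = t
    return first


def outbound_smb_to_public(net_events, lnk_devices, require_order=True):
    """Stage 3: successful TCP/445 connections to public IPs from stage-2 devices.
    require_order=True additionally demands that the connection follow the
    shortcut creation; the KQL query itself does not make that check."""
    hits = []
    for ev in net_events:
        dev = ev["DeviceName"]
        if dev not in lnk_devices:
            continue
        if ev["RemotePort"] != 445 or ev["RemoteIPType"] != "Public":
            continue
        if ev["ActionType"] != "ConnectionSuccess":
            continue
        if require_order and _ts(ev["Timestamp"]) < lnk_devices[dev]:
            continue
        hits.append((dev, ev["RemoteIP"], ev["Timestamp"]))
    return hits


def detect(edges=EXPOSURE_GRAPH_EDGES, file_events=DEVICE_FILE_EVENTS,
           net_events=DEVICE_NETWORK_EVENTS, require_order=True):
    """Chain the three stages exactly as the query does (1 + 2 + 3)."""
    stage1 = endpoints_with_ntlm_hash(edges)
    stage2 = first_shortcut_creation(file_events, stage1)
    return outbound_smb_to_public(net_events, stage2, require_order)


if __name__ == "__main__":
    for dev, ip, when in detect():
        print(f"{when}  {dev} -> {ip}:445 (public) after shortcut creation")
```

Run it directly to print the one flagged connection from the sample rows. `detect(require_order=False)` also returns the connection made before the shortcut was created, which is the extra hit the KQL query would surface; `ws-hr-07` is never flagged because its exposure-graph edge does not carry an NTLM hash, and the private-IP and port-443 rows drop out at stage 3.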

Details


Steven Lim

Released: December 6, 2024

Tables

ExposureGraphEdges, DeviceFileEvents, DeviceNetworkEvents

Keywords

ExposureGraphEdges, DeviceFileEvents, DeviceNetworkEvents

Operators

let, |, where, ==, ., endswith, has_any, distinct, and
