Commit

CVE-2024-43451 Zero-Day (NTLM Hash Disclosure Spoofing Vulnerability)…
….kql
SlimKQL authored Nov 15, 2024
1 parent c25e81d commit a162b5d
Showing 1 changed file with 13 additions and 0 deletions.
Expand Up @@ -23,4 +23,17 @@ DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where DeviceName has_any (VulnerableEndpoint)

// Revised Version v2

let DeviceLNKCreation =
DeviceFileEvents
| where ActionType == @"FileCreated"
| where FileName endswith ".lnk"
| distinct DeviceName;
DeviceNetworkEvents
// NTLM authentication over SMB connection
| where RemotePort == "445" and RemoteIPType == "Public"
| where ActionType == "ConnectionSuccess"
| where DeviceName has_any (DeviceLNKCreation)

// T1550.002: Use Alternate Authentication Material: Pass the Hash
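Review bot: the revised query correlates on DeviceName alone, with no Timestamp bound on either table and no time proximity between the .lnk creation and the SMB connection, so any device that has ever logged a `FileCreated` for a file ending in ".lnk" within the retention window qualifies; because .lnk creation is a common benign event on Windows endpoints, `DeviceLNKCreation` will approximate the whole device inventory and `| where DeviceName has_any (DeviceLNKCreation)` adds little beyond the outbound port 445 to a public IP condition. Consider scoping both tables with `| where Timestamp > ago(7d)`, restricting the file event by FolderPath to user download and attachment locations, and replacing `has_any` with a `join kind=inner` on DeviceName that requires the network event to follow the file creation within a short window. Two smaller points: `RemotePort` is a numeric column, so compare it as `RemotePort == 445` rather than the string "445", and the verbatim literal `@"FileCreated"` can be a plain "FileCreated" to match the other ActionType comparisons.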

0 comments on commit a162b5d
