Suspicious Creation of .library-ms File — Potential CVE-2025-24054 Exploit

Detects creation of '.library-ms' files, which may indicate exploitation of CVE-2025-24054. This vulnerability allows an attacker to trigger an automatic outbound SMB or WebDAV authentication request to a remote server upon archive extraction. If the system is unpatched, no user interaction is required beyond extracting a malicious archive—potentially exposing the user's NTLMv2-SSP hash to the attacker.

Sigma rule

title: Suspicious Creation of .library-ms File — Potential CVE-2025-24054 Exploit
id: 5a7132c0-86db-4e6b-95c0-f0e9d7f461aa
status: experimental
description: |
    Detects creation of '.library-ms' files, which may indicate exploitation of CVE-2025-24054. This vulnerability allows an attacker to trigger an automatic outbound SMB or WebDAV authentication request to a remote server upon archive extraction.
    If the system is unpatched, no user interaction is required beyond extracting a malicious archive—potentially exposing the user's NTLMv2-SSP hash to the attacker.
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24054
    - https://research.checkpoint.com/2025/cve-2025-24054-ntlm-exploit-in-the-wild/
author: Gene Kazimiarovich
date: 2025-04-20
tags:
    - detection.emerging-threats
    - attack.credential-access
    - attack.t1187   # Forced Authentication
    - cve.2025-24054
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '.library-ms'
        Image|endswith:
            - '\7z.exe'
            - '\winrar.exe'
            - '\explorer.exe'
    condition: selection
falsepositives:
    - Legitimate Library shortcuts under %APPDATA%\Microsoft\Windows\Libraries\ (rarely created by end-users)
    - Custom corporate scripts that programmatically generate .library-ms files
level: medium
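As an added example (not part of the rule or the SigmaHQ project), the selection above evaluated in Python over constructed Sysmon FileCreate events, with a triage helper for the rule's first false-positive entry. Field names follow the rule; the event records, paths and the `likely_false_positive` helper are assumptions for illustration.

```python
# Added example: apply the rule's selection to constructed Sysmon Event ID 11
# (FileCreate) records. The events below are constructed samples, not telemetry.
from typing import Iterable

# Image|endswith list from the rule's selection
SUSPICIOUS_IMAGES = ("\\7z.exe", "\\winrar.exe", "\\explorer.exe")
# %APPDATA%\Microsoft\Windows\Libraries\ from the rule's falsepositives entry
LIBRARIES_DIR = "\\appdata\\roaming\\microsoft\\windows\\libraries\\"


def matches_rule(event: dict) -> bool:
    """TargetFilename|endswith '.library-ms' AND Image|endswith any listed name.
    Sigma string modifiers match case-insensitively, so both sides are lowercased."""
    target = event.get("TargetFilename", "").lower()
    image = event.get("Image", "").lower()
    return target.endswith(".library-ms") and image.endswith(SUSPICIOUS_IMAGES)


def likely_false_positive(event: dict) -> bool:
    """Triage hint (assumed helper): explorer.exe writing a Library shortcut
    into the user's own Libraries folder, the rule's first falsepositives entry."""
    target = event.get("TargetFilename", "").lower()
    image = event.get("Image", "").lower()
    return image.endswith("\\explorer.exe") and LIBRARIES_DIR in target


SAMPLE_EVENTS = [  # constructed sample events
    {"EventID": 11, "Image": r"C:\Program Files\7-Zip\7z.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice\readme.library-ms"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms"},
    {"EventID": 11, "Image": r"C:\Program Files\7-Zip\7z.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice\readme.txt"},
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\test.library-ms"},
]


def triage(events: Iterable[dict]) -> list:
    """Return (verdict, TargetFilename) for every event that fires the rule."""
    hits = []
    for ev in events:
        if matches_rule(ev):
            verdict = "review-likely-benign" if likely_false_positive(ev) else "alert"
            hits.append((verdict, ev["TargetFilename"]))
    return hits


if __name__ == "__main__":
    for verdict, path in triage(SAMPLE_EVENTS):
        print(f"{verdict:22} {path}")
```

The third and fourth samples show why both conditions matter: a `.txt` from 7z.exe and a `.library-ms` from an unlisted image do not fire the rule.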
