Windows NTLM Credential Leak via File Download Interaction
CVE-2025-24054 is a Windows NTLM hash disclosure vulnerability triggered when a user interacts with a specially crafted file (e.g., .library-ms, .url, .lnk) that forces an outbound NTLM authentication attempt to an attacker-controlled server. Exploitation requires minimal user interaction — simply downloading or viewing a malicious file in Explorer can suffice. The leaked Net-NTLMv2 hash can be cracked offline or relayed for lateral movement. This vulnerability is actively exploited in the wild and listed in CISA's KEV catalog.
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- Microsoft
- Product
- Windows
- Versions
- Windows 10, Windows 11, Windows Server 2008-2025
Weakness (CWE)
Timeline
- Disclosed
- March 11, 2025
- Patched
- March 11, 2025
CVSS
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
What is CVE-2025-24054 Windows NTLM Credential Leak via File Download Interaction?
Windows NTLM Credential Leak via File Download Interaction (CVE-2025-24054) maps to the Credential Access and Lateral Movement tactics — the adversary is trying to steal account names and passwords in MITRE ATT&CK.
This page provides production-ready detection logic for Windows NTLM Credential Leak via File Download Interaction, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel, DeviceNetworkEvents, DeviceFileEvents. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
union DeviceNetworkEvents, DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType in ("NetworkConnectionRequested", "ConnectionSuccess", "ConnectionFailed")
or ActionType in ("FileCreated", "FileModified")
| where FileName endswith ".library-ms" or FileName endswith ".url" or FileName endswith ".lnk" or FileName endswith ".scf"
or (RemotePort == 445 or RemotePort == 139)
| extend FileExt = tostring(split(FileName, ".")[-1])
| where InitiatingProcessFileName in~ ("explorer.exe", "svchost.exe", "rundll32.exe")
or InitiatingProcessParentFileName in~ ("explorer.exe")
| join kind=inner (
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (445, 139)
| where InitiatingProcessFileName in~ ("lsass.exe", "svchost.exe", "explorer.exe")
| where ActionType == "ConnectionSuccess"
| project DeviceId, NetworkTimestamp=Timestamp, RemoteIP, RemotePort, InitiatingProcessFileName
) on DeviceId
| where abs(datetime_diff('second', Timestamp, NetworkTimestamp)) < 30
| where not(ipv4_is_private(RemoteIP)) or RemoteIP !startswith "10." and RemoteIP !startswith "192.168."
| summarize count(), FileNames=make_set(FileName), RemoteIPs=make_set(RemoteIP) by DeviceId, DeviceName, bin(Timestamp, 5m)
| where count_ >= 1
| project Timestamp, DeviceName, DeviceId, FileNames, RemoteIPs, EventCount=count_Detects NTLM credential leakage triggered by interaction with crafted files (.library-ms, .url, .lnk, .scf) that initiate outbound SMB connections, characteristic of CVE-2025-24054 exploitation. Correlates file events with outbound port 445/139 connections within a 30-second window.
Data Sources
Required Tables
False Positives
- Legitimate network shares accessed via .lnk shortcuts to internal file servers
- IT management tools creating .url or .library-ms files for legitimate configuration distribution
- Domain-joined systems performing routine SYSVOL/NETLOGON SMB authentication during policy refresh
- Backup or sync agents that create .lnk files and connect to SMB shares
Sigma rule & cross-platform mapping
The detection logic for Windows NTLM Credential Leak via File Download Interaction (CVE-2025-24054) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: network_connection
product: windowsBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2025-24054
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1NTLM Credential Leak via Malicious .library-ms File
Expected signal: Sysmon Event ID 11 (FileCreate) for TestLib.library-ms; Sysmon Event ID 3 (NetworkConnect) from explorer.exe to ATTACKER_IP:445; Windows Security Event ID 4648 showing NTLM authentication attempt to ATTACKER_IP
- Test 2NTLM Credential Leak via Crafted .url Shortcut File
Expected signal: Sysmon Event ID 11 (FileCreate) for Important-Document.url on Desktop; Sysmon Event ID 3 (NetworkConnect) from explorer.exe to ATTACKER_IP:445; Windows Security Event ID 4625 if auth fails (Responder returns failure after capture)
- Test 3Net-NTLMv2 Hash Offline Cracking Simulation Post-Capture
Expected signal: On Windows DC (if auth attempted with cracked hash): Windows Security Event ID 4624 (successful logon) or 4625 (failed logon) with NTLM authentication from unexpected source IP; Kerberos fallback to NTLM is itself anomalous for modern AD environments
- Test 4NTLM Credential Leak via Crafted .scf File in Shared Folder
Expected signal: Sysmon Event ID 11 (FileCreate) for @trigger.scf; Sysmon Event ID 3 (NetworkConnect) from explorer.exe to ATTACKER_IP:445 triggered by shell icon resolution; Windows Security audit log showing NTLM authentication to external host
Unlock Pro Content
Get the full detection package for CVE-2025-24054 including response playbook, investigation guide, and atomic red team tests.