CVE-2025-24054 Microsoft Sentinel · KQL

Detect Windows NTLM Credential Leak via File Download Interaction in Microsoft Sentinel

CVE-2025-24054 is a medium-severity (CVSS 6.5 per Microsoft, 5.4 per NIST) Windows NTLM spoofing vulnerability caused by external control of file name or path (CWE-73). An attacker can leak NTLMv2 credentials by inducing a victim to download and interact with (or simply unzip) a malicious archive containing a specially crafted .library-ms, .searchConnector-ms, or similar Windows shell integration file. The interaction triggers an automatic NTLM authentication to an attacker-controlled server. CISA added this to the KEV catalog with a due date of May 8, 2025, and public exploits are available on Exploit-DB. This is closely related to CVE-2024-43451 but triggers through different file types (library files, search connectors) rather than .url shortcuts.

MITRE ATT&CK

Tactics
  • Credential Access
  • Initial Access

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
// CVE-2025-24054 — Windows NTLM Credential Leak via Shell Integration Files
// Detect NTLM coercion via .library-ms, .searchConnector-ms, and similar files
// Key signals: shell processes initiating outbound SMB/WebDAV auth,
//              creation of Windows shell integration file types in user dirs
let SuspiciousShellFileCreation =
DeviceFileEvents
| where TimeGenerated > ago(24h)
| where FileName endswith_cs ".library-ms"
    or FileName endswith_cs ".searchConnector-ms"
    or FileName endswith_cs ".search-ms"
    or FileName endswith_cs ".mapimail"
| where ActionType in ("FileCreated", "FileRenamed")
| where FolderPath has_any ("Downloads", "Temp", "AppData", "Desktop")
| extend ThreatIndicator = "CVE-2025-24054-ShellFile-Drop";
let NTLMCoercionFromShell =
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName in~ ("explorer.exe", "searchprotocolhost.exe",
    "searchindexer.exe", "svchost.exe")
| where RemotePort in (445, 139, 80, 443)
| where RemoteIPType == "Public"
// svchost.exe / searchindexer.exe only count when the command line shows a Search role
| where InitiatingProcessCommandLine has_any ("SearchProtocolHost", "search")
    or InitiatingProcessFileName in~ ("searchprotocolhost.exe", "explorer.exe")
| extend ThreatIndicator = "CVE-2025-24054-NTLM-Coercion";
SuspiciousShellFileCreation
| union NTLMCoercionFromShell
| sort by TimeGenerated desc
```

Severity: high · Confidence: high

Detects CVE-2025-24054 exploitation via two signals: (1) Windows shell integration files (.library-ms, .searchConnector-ms) created in user-accessible paths — the typical delivery mechanism, and (2) Windows Search or Explorer initiating outbound SMB/HTTP connections to external IPs — the NTLM coercion trigger. Correlate both on the same host within minutes for high confidence.

Data Sources

  • Microsoft Defender for Endpoint (DeviceFileEvents)
  • Microsoft Defender for Endpoint (DeviceNetworkEvents)
  • Microsoft 365 Defender

Required Tables

  • DeviceFileEvents
  • DeviceNetworkEvents

False Positives & Tuning

  • Legitimate .library-ms files deployed by enterprise software (document management, SharePoint connectors)
  • Windows Search indexer accessing legitimate UNC paths on corporate file servers (exclude RFC1918 IPs)
  • IT tools creating library or search connector files for deployment
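The query above unions the two signals; the correlation the description calls for (both signals on the same host within minutes) and the RFC1918 exclusion from the tuning notes are shown here as an added Python example, not code from the original page. It runs the same filters over constructed DeviceFileEvents/DeviceNetworkEvents rows; the RFC1918 check is an assumed stand-in for the query's RemoteIPType == "Public".

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Filters mirror the Sentinel query; RFC1918 exclusion stands in for RemoteIPType == "Public".
SHELL_FILE_SUFFIXES = (".library-ms", ".searchConnector-ms", ".search-ms", ".mapimail")
USER_DIRS = ("Downloads", "Temp", "AppData", "Desktop")
AUTH_PORTS = {445, 139, 80, 443}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_shell_file_drop(ev):
    """Signal 1: a shell integration file created or renamed in a user-writable directory."""
    return (ev["ActionType"] in ("FileCreated", "FileRenamed")
            and ev["FileName"].endswith(SHELL_FILE_SUFFIXES)
            and any(d in ev["FolderPath"] for d in USER_DIRS))

def is_ntlm_coercion(ev):
    """Signal 2: Explorer/Search process opening an SMB or WebDAV-capable port to a non-RFC1918 address."""
    proc = ev["InitiatingProcessFileName"].lower()
    shell_proc = proc in ("explorer.exe", "searchprotocolhost.exe") or (
        proc in ("searchindexer.exe", "svchost.exe") and "search" in ev["InitiatingProcessCommandLine"].lower())
    addr = ip_address(ev["RemoteIP"])
    return shell_proc and ev["RemotePort"] in AUTH_PORTS and not any(addr in n for n in RFC1918)

def correlate(file_events, net_events, window=timedelta(minutes=10)):
    """High-confidence hits: both signals on one host, the coercion within `window` after the drop."""
    hits = []
    for f in filter(is_shell_file_drop, file_events):
        for n in filter(is_ntlm_coercion, net_events):
            delta = n["TimeGenerated"] - f["TimeGenerated"]
            if n["DeviceName"] == f["DeviceName"] and timedelta(0) <= delta <= window:
                hits.append((f["DeviceName"], f["FileName"], n["RemoteIP"]))
    return hits

# Constructed sample telemetry (not real logs): WS01 shows both signals, WS02 only talks to a
# corporate file server (RFC1918), WS03 has a coercion-shaped connection but no file drop.
T0 = datetime(2025, 4, 18, 10, 0)
SAMPLE_FILE_EVENTS = [
    {"DeviceName": "WS01", "TimeGenerated": T0, "ActionType": "FileCreated",
     "FileName": "invoice.library-ms", "FolderPath": r"C:\Users\alice\Downloads\invoice.library-ms"},
    {"DeviceName": "WS02", "TimeGenerated": T0, "ActionType": "FileCreated",
     "FileName": "shared.library-ms", "FolderPath": r"C:\Users\bob\Downloads\shared.library-ms"},
]
SAMPLE_NET_EVENTS = [
    {"DeviceName": "WS01", "TimeGenerated": T0 + timedelta(minutes=2), "InitiatingProcessFileName": "explorer.exe",
     "InitiatingProcessCommandLine": "explorer.exe", "RemoteIP": "203.0.113.5", "RemotePort": 445},
    {"DeviceName": "WS02", "TimeGenerated": T0 + timedelta(minutes=2), "InitiatingProcessFileName": "explorer.exe",
     "InitiatingProcessCommandLine": "explorer.exe", "RemoteIP": "10.20.30.40", "RemotePort": 445},
    {"DeviceName": "WS03", "TimeGenerated": T0 + timedelta(minutes=5), "InitiatingProcessFileName": "SearchIndexer.exe",
     "InitiatingProcessCommandLine": r"C:\Windows\system32\SearchIndexer.exe /Embedding", "RemoteIP": "198.51.100.7", "RemotePort": 445},
]
```

Only WS01 is returned by correlate(); WS03's single signal would still appear in the union query and is where the svchost/SearchIndexer tuning applies.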
Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Create malicious .library-ms file triggering NTLM auth

     Expected signal: Sysmon Event ID 3 — SearchProtocolHost.exe or explorer.exe connecting to attacker IP:445; Event ID 4648.
