Detect Windows NTLM Credential Leak via File Download Interaction in Splunk
CVE-2025-24054 is a medium-severity (CVSS 6.5 per Microsoft, 5.4 per NIST) Windows NTLM spoofing vulnerability caused by external control of file name or path (CWE-73). An attacker can leak NTLMv2 credentials by inducing a victim to download and interact with (or simply unzip) a malicious archive containing a specially crafted .library-ms, .searchConnector-ms, or similar Windows shell integration file. The interaction triggers an automatic NTLM authentication to an attacker-controlled server. CISA added this to the KEV catalog with a due date of May 8, 2025, and public exploits are available on Exploit-DB. This is closely related to CVE-2024-43451 but triggers through different file types (library files, search connectors) rather than .url shortcuts.
MITRE ATT&CK
- Tactics: Credential Access, Initial Access
SPL Detection Query
index=endpoint sourcetype IN ("XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", "WinEventLog:Security", "crowdstrike:events:sensor")
(
    (
        (EventCode=11 OR event_simpleName="FileCreate")
        AND (
            TargetFilename="*.library-ms" OR TargetFilename="*.searchConnector-ms"
            OR TargetFilename="*.search-ms"
        )
        AND TargetFilename IN ("*\\Downloads\\*", "*\\Temp\\*", "*\\Desktop\\*", "*\\AppData\\*")
    )
    OR
    (
        (EventCode=3 OR event_simpleName="NetworkConnectIP4")
        AND Image IN ("*\\explorer.exe", "*\\SearchProtocolHost.exe", "*\\SearchIndexer.exe")
        AND dest_port IN (445, 139, 80, 443)
        AND NOT dest_ip IN ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.1")
    )
)
| eval CVE="CVE-2025-24054"
| eval ThreatType=case(
    match(TargetFilename, "(?i)\.(library-ms|searchConnector-ms|search-ms)$"), "ShellIntegration-File-Drop",
    like(Image, "%\\SearchProtocolHost.exe") OR like(Image, "%\\SearchIndexer.exe"), "Windows-Search-NTLM-Coercion",
    like(Image, "%\\explorer.exe"), "Explorer-NTLM-Coercion",
    true(), "Unknown"
  )
| bin _time span=1h
| stats count AS Events,
        values(TargetFilename) AS Files,
        values(dest_ip) AS ExternalIPs,
        values(ThreatType) AS ThreatTypes
        BY _time, host, user, CVE
| table _time, host, user, ThreatTypes, Files, ExternalIPs, Events, CVE
| sort - Events

Detects CVE-2025-24054 by monitoring for Windows shell integration files (.library-ms, .searchConnector-ms, .search-ms) created in user-writable staging directories, and for Explorer or the Windows Search processes (explorer.exe, SearchProtocolHost.exe, SearchIndexer.exe) initiating outbound SMB or HTTP connections to addresses outside the private ranges. Together these form the two-stage pattern of file delivery followed by the automatic NTLM authentication to the attacker's server. Note that the ThreatType labels use like() rather than = for the process path: inside eval, = is a literal comparison and does not expand wildcards, and the results are bucketed with bin before stats so the hourly grouping works on every Splunk version. A row that carries both a Files value and an ExternalIPs value within the same hour is the strongest lead; a file drop alone or an external connection alone is a weaker signal that still deserves triage.
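To see the same correlation outside Splunk, here is an added Python example (not part of this page's detection package) that runs the query's logic over a handful of constructed events shaped like Sysmon Event ID 11 and Event ID 3 after CIM field naming. It implements both branches, expresses the private-range exclusion as CIDR checks (the equivalent of cidrmatch), buckets hits by host, user and hour, and goes two steps beyond the SPL: it allowlists the folder where Windows stores its own default libraries, and it flags buckets where both stages appear together. The hostnames, users and event dicts are constructed for the example; the external addresses are taken from the 203.0.113.0/24 documentation range.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real logs), modelled on Sysmon Event ID 11
# (FileCreate) and Event ID 3 (NetworkConnect) with Splunk CIM field names.
SAMPLE_EVENTS = [
    {"_time": "2025-04-20T10:02:00", "host": "WS01", "user": "alice", "EventCode": 11,
     "Image": r"C:\Program Files\7-Zip\7zG.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice\invoice.library-ms"},
    {"_time": "2025-04-20T10:03:10", "host": "WS01", "user": "alice", "EventCode": 3,
     "Image": r"C:\Windows\explorer.exe", "dest_ip": "203.0.113.10", "dest_port": 445},
    {"_time": "2025-04-20T10:03:11", "host": "WS01", "user": "alice", "EventCode": 3,
     "Image": r"C:\Windows\System32\SearchProtocolHost.exe", "dest_ip": "203.0.113.10", "dest_port": 445},
    # Windows writes the default libraries here on first logon: benign, but it sits under AppData.
    {"_time": "2025-04-20T10:15:00", "host": "WS02", "user": "bob", "EventCode": 11,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms"},
    # Internal file-server traffic from explorer.exe: inside RFC 1918, not a coercion signal.
    {"_time": "2025-04-20T10:20:00", "host": "WS03", "user": "carol", "EventCode": 3,
     "Image": r"C:\Windows\explorer.exe", "dest_ip": "192.168.1.5", "dest_port": 445},
    # Browser traffic: process is not in the watch list.
    {"_time": "2025-04-20T10:21:00", "host": "WS03", "user": "carol", "EventCode": 3,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_ip": "203.0.113.99", "dest_port": 443},
]

SHELL_FILE_RE = re.compile(r"\.(library-ms|searchConnector-ms|search-ms)$", re.IGNORECASE)
STAGING_DIR_RE = re.compile(r"\\(Downloads|Temp|Desktop|AppData)\\", re.IGNORECASE)
# Tuning the SPL does not have: Windows' own default libraries live here and are benign.
DEFAULT_LIBRARIES_RE = re.compile(r"\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\", re.IGNORECASE)
WATCHED_IMAGES = {
    "explorer.exe": "Explorer-NTLM-Coercion",
    "searchprotocolhost.exe": "Windows-Search-NTLM-Coercion",
    "searchindexer.exe": "Windows-Search-NTLM-Coercion",
}
WATCHED_PORTS = {445, 139, 80, 443}
# Same exclusions as the SPL, plus the whole loopback block rather than only 127.0.0.1.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip):
    """True when the destination is outside the internal ranges; unparseable values are not external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def classify(ev):
    """Mirror the query's two branches and return the ThreatType label, or None for no hit."""
    if ev.get("EventCode") == 11:
        path = ev.get("TargetFilename", "")
        if (SHELL_FILE_RE.search(path) and STAGING_DIR_RE.search(path)
                and not DEFAULT_LIBRARIES_RE.search(path)):
            return "ShellIntegration-File-Drop"
        return None
    if ev.get("EventCode") == 3:
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if (image in WATCHED_IMAGES and ev.get("dest_port") in WATCHED_PORTS
                and is_external(ev.get("dest_ip", ""))):
            return WATCHED_IMAGES[image]
    return None


def correlate(events):
    """Group hits by host, user and 1-hour bucket, like `bin _time span=1h | stats ... BY`."""
    buckets = defaultdict(lambda: {"Events": 0, "Files": set(), "ExternalIPs": set(), "ThreatTypes": set()})
    for ev in events:
        threat = classify(ev)
        if threat is None:
            continue
        hour = datetime.fromisoformat(ev["_time"]).replace(minute=0, second=0, microsecond=0)
        row = buckets[(ev["host"], ev["user"], hour.isoformat())]
        row["Events"] += 1
        row["ThreatTypes"].add(threat)
        if ev["EventCode"] == 11:
            row["Files"].add(ev["TargetFilename"])
        else:
            row["ExternalIPs"].add(ev["dest_ip"])
    for row in buckets.values():
        # Both stages in one window is the CVE-2025-24054 pattern; one stage alone is a weaker lead.
        row["TwoStage"] = "ShellIntegration-File-Drop" in row["ThreatTypes"] and bool(row["ExternalIPs"])
    return dict(buckets)


if __name__ == "__main__":
    for key, row in sorted(correlate(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]["Events"]):
        print(key, row)
```

Running it yields a single row for WS01/alice in the 10:00 bucket with three events, one .library-ms file, one external address and all three ThreatType labels, with TwoStage set; the default-library write on WS02, the internal SMB connection and the browser traffic on WS03 produce nothing.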
Data Sources
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational: Event ID 11 (FileCreate) for the file-drop branch and Event ID 3 (NetworkConnect) for the coercion branch. Confirm the Sysmon configuration's Event ID 3 rules actually log connections from explorer.exe, SearchProtocolHost.exe and SearchIndexer.exe; if they are filtered out, the second stage is never recorded.
- WinEventLog:Security: Event ID 4648 is the corroborating signal listed under Testing Methodology; the query above does not filter on it, so it contributes only if the same events are reviewed during triage.
- crowdstrike:events:sensor: event_simpleName=NetworkConnectIP4. The raw event carries RemoteAddressIP4 and RemotePort rather than dest_ip and dest_port, and it does not carry the originating process image, so the CrowdStrike path only matches once those fields are aliased or CIM-normalised and the process is joined in.
False Positives & Tuning
- Windows itself writes the default libraries (Documents.library-ms, Pictures.library-ms and so on) to %APPDATA%\Microsoft\Windows\Libraries on first logon and whenever a user creates a library; that folder sits under AppData and matches the file-drop branch, so exclude it.
- SharePoint or OneDrive sync clients creating .library-ms files for mapped libraries
- Enterprise search connectors for corporate document management systems
- The query only knows the three RFC 1918 blocks and 127.0.0.1 as internal; add any public ranges your organisation owns, and baseline explorer.exe and SearchProtocolHost.exe traffic on 80/443 before alerting on it.
- If outbound 445 is blocked at the perimeter, Windows retries the UNC path over WebDAV. That connection is made by the WebClient service (svchost.exe), not by explorer.exe, so the network branch misses it unless svchost.exe hosting WebClient is added to the image list.
Testing Methodology
Validate this detection against one adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create malicious .library-ms file triggering NTLM auth
  Expected signal: Sysmon Event ID 3 with SearchProtocolHost.exe or explorer.exe connecting to the attacker IP on port 445; Security Event ID 4648.