Detect Windows NTLM Credential Leak via File Download Interaction in Sumo Logic CSE
CVE-2025-24054 is a Windows NTLM hash disclosure vulnerability triggered when a user interacts with a specially crafted file (e.g., .library-ms, .url, .lnk) that forces an outbound NTLM authentication attempt to an attacker-controlled server. Exploitation requires minimal user interaction — simply downloading or viewing a malicious file in Explorer can suffice. The leaked Net-NTLMv2 hash can be cracked offline or relayed for lateral movement. This vulnerability is actively exploited in the wild and listed in CISA's KEV catalog.
MITRE ATT&CK
Sumo Detection Query
_sourceCategory=Windows/Security OR _sourceCategory=Windows/Sysmon
| parse regex "(?i)(?P<filename>[\w\-\.]+\.(?:library-ms|url|lnk|scf))" nodrop
| parse regex "DestinationPort=(?P<dest_port>\d+)" nodrop
| parse regex "DestinationIp=(?P<dest_ip>[\d\.]+)" nodrop
| parse regex "AuthenticationPackageName=(?P<auth_package>[^\r\n]+)" nodrop
| parse regex "SubjectUserName=(?P<username>[^\r\n]+)" nodrop
| where filename matches "*.library-ms" or filename matches "*.url" or filename matches "*.lnk" or filename matches "*.scf"
or (dest_port = "445" or dest_port = "139")
or (auth_package = "NTLM")
| eval is_suspicious_file = if(!isNull(filename), 1, 0)
| eval is_smb_connection = if(dest_port in ("445", "139"), 1, 0)
| eval is_ntlm = if(auth_package = "NTLM", 1, 0)
| timeslice 2m
| stats sum(is_suspicious_file) as file_events, sum(is_smb_connection) as smb_events, sum(is_ntlm) as ntlm_events, values(filename) as files, values(dest_ip) as dest_ips, values(username) as users by _timeslice, _sourceHost
| where file_events >= 1 and smb_events >= 1
| sort by _timeslice descSumo Logic query correlating Windows Security and Sysmon log events for suspicious file extensions known to trigger NTLM authentication, outbound SMB connections, and NTLM auth package usage, pivoting by host and 2-minute time windows to detect CVE-2025-24054 exploitation.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate corporate intranet shortcuts distributed as .url files to internal SMB resources
- Windows library management tools creating .library-ms files with network paths
- Domain login scripts that distribute .lnk shortcuts to shared network drives
- Security awareness phishing simulations using crafted files in controlled environments
Other platforms for CVE-2025-24054
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1NTLM Credential Leak via Malicious .library-ms File
Expected signal: Sysmon Event ID 11 (FileCreate) for TestLib.library-ms; Sysmon Event ID 3 (NetworkConnect) from explorer.exe to ATTACKER_IP:445; Windows Security Event ID 4648 showing NTLM authentication attempt to ATTACKER_IP
- Test 2NTLM Credential Leak via Crafted .url Shortcut File
Expected signal: Sysmon Event ID 11 (FileCreate) for Important-Document.url on Desktop; Sysmon Event ID 3 (NetworkConnect) from explorer.exe to ATTACKER_IP:445; Windows Security Event ID 4625 if auth fails (Responder returns failure after capture)
- Test 3Net-NTLMv2 Hash Offline Cracking Simulation Post-Capture
Expected signal: On Windows DC (if auth attempted with cracked hash): Windows Security Event ID 4624 (successful logon) or 4625 (failed logon) with NTLM authentication from unexpected source IP; Kerberos fallback to NTLM is itself anomalous for modern AD environments
- Test 4NTLM Credential Leak via Crafted .scf File in Shared Folder
Expected signal: Sysmon Event ID 11 (FileCreate) for @trigger.scf; Sysmon Event ID 3 (NetworkConnect) from explorer.exe to ATTACKER_IP:445 triggered by shell icon resolution; Windows Security audit log showing NTLM authentication to external host
Unlock Pro Content
Get the full detection package for CVE-2025-24054 including response playbook, investigation guide, and atomic red team tests.