Detect Microsoft Windows Link Following Vulnerability (CVE-2025-60710) in Microsoft Sentinel
CVE-2025-60710 is an actively exploited Microsoft Windows link following vulnerability (CWE-59) that allows an attacker to abuse symbolic links or junction points to redirect file operations to unintended locations. This class of vulnerability is commonly leveraged for privilege escalation, file tampering, or unauthorized access to protected resources. The vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation.
MITRE ATT&CK
KQL Detection Query
let suspiciousSymlinkOps = DeviceFileEvents
| where ActionType in ("SymlinkCreated", "JunctionCreated", "FileCreated", "FileModified")
| where FileName endswith ".lnk" or FolderPath has_any ("\\Temp\\", "\\AppData\\Local\\Temp\\", "\\Windows\\Temp\\")
| project TimeGenerated, DeviceId, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, FileName, ActionType;
let privEscIndicators = DeviceProcessEvents
| where ProcessCommandLine has_any ("mklink", "CreateSymbolicLink", "junction", "NtSetInformationFile")
| where AccountName != "SYSTEM" or InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
| project TimeGenerated, DeviceId, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName;
suspiciousSymlinkOps
| join kind=inner privEscIndicators on DeviceId
| where abs(datetime_diff('second', TimeGenerated, TimeGenerated1)) < 60
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, FolderPath, FileName, ActionType
| order by TimeGenerated descDetects Windows symbolic link and junction creation activity in temporary or writable directories by non-system processes, correlated with process command lines indicative of link following exploitation (CVE-2025-60710).
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software installers that create symbolic links during setup
- Developer tools such as Visual Studio or npm that use junctions for module resolution
- System administrators using mklink for intentional directory remapping
Other platforms for CVE-2025-60710
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Symbolic Link in Temp Directory Targeting Privileged Path
Expected signal: Sysmon Event ID 1 capturing mklink.exe execution with command line containing the symlink and target paths; Sysmon Event ID 11 showing creation of test_link.txt in C:\Windows\Temp\.
- Test 2Junction Point Creation Targeting System32
Expected signal: Sysmon Event ID 1 with mklink /J command line and junction target; Windows Security Event ID 4663 on subsequent directory traversal through the junction.
- Test 3PowerShell Symbolic Link Creation via .NET API
Expected signal: Sysmon Event ID 1 showing powershell.exe with CreateSymbolicLink in command line; Sysmon Event ID 11 or 12 for the created link object in Temp directory.
Unlock Pro Content
Get the full detection package for CVE-2025-60710 including response playbook, investigation guide, and atomic red team tests.