CVE-2025-60710 Splunk · SPL

Detect Microsoft Windows Link Following Vulnerability (CVE-2025-60710) in Splunk

CVE-2025-60710 is an actively exploited Microsoft Windows link following vulnerability (CWE-59) that allows an attacker to abuse symbolic links or junction points to redirect file operations to unintended locations. This class of vulnerability is commonly leveraged for privilege escalation, file tampering, or unauthorized access to protected resources. The vulnerability is listed on CISA's Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation.

MITRE ATT&CK

Tactic
Privilege Escalation Defense Evasion Persistence

SPL Detection Query

Splunk (SPL)
spl 
index=windows (source="WinEventLog:Security" OR source="WinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval event_id=coalesce(EventCode, event_id)
| where event_id IN ("4656", "4663", "4670", "1", "11")
| eval cmdline=coalesce(CommandLine, ProcessCommandLine, "")
| eval file_path=coalesce(TargetFilename, ObjectName, "")
| where match(cmdline, "(?i)(mklink|junction|CreateSymbolicLink|NtSetInformationFile)")
   OR (match(file_path, "(?i)(\\\\Temp\\\\|\\\\AppData\\\\Local\\\\Temp\\\\.+\\.lnk$|\\\\Windows\\\\Temp\\\\)"))
| where NOT match(User, "(?i)(SYSTEM|NT AUTHORITY)")
| stats count AS event_count, values(cmdline) AS commands, values(file_path) AS paths, dc(host) AS host_count BY User, host, _time
| where event_count > 1
| sort - event_count
high severity medium confidence

Detects symbolic link and junction creation events via Sysmon and Windows Security logs for CVE-2025-60710. Looks for mklink, junction, and related API calls in temporary paths by non-system users.

Data Sources

Windows Security Event LogSysmon

Required Sourcetypes

WinEventLog:SecurityWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Software package managers (npm, pip, conda) creating symlinks for module resolution
  • CI/CD pipeline agents running as non-system users performing build artifact linking
  • Legitimate administrative scripts using mklink for storage management

Other platforms for CVE-2025-60710

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Symbolic Link in Temp Directory Targeting Privileged Path

    Expected signal: Sysmon Event ID 1 capturing mklink.exe execution with command line containing the symlink and target paths; Sysmon Event ID 11 showing creation of test_link.txt in C:\Windows\Temp\.

  2. Test 2Junction Point Creation Targeting System32

    Expected signal: Sysmon Event ID 1 with mklink /J command line and junction target; Windows Security Event ID 4663 on subsequent directory traversal through the junction.

  3. Test 3PowerShell Symbolic Link Creation via .NET API

    Expected signal: Sysmon Event ID 1 showing powershell.exe with CreateSymbolicLink in command line; Sysmon Event ID 11 or 12 for the created link object in Temp directory.

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2025-60710 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0004Privilege EscalationTA0005Defense EvasionTA0003Persistence

Related Techniques

T1574.010Services File Permissions WeaknessT1548.002Bypass User Account ControlT1055Process Injection

Same Tactic: Privilege Escalation

Popular Detections