CVE 2025 24054 NTLM Exploit In The Wild Detection
Query
// CVE-2025-24054: NTLM Exploit in the Wild
DeviceFileEvents
| where ActionType == "FileCreated" and FileName endswith ".library-ms"
| where parse_json(AdditionalFields)["FileType"] has "library-ms"
| where InitiatingProcessUniqueId != 0
| join DeviceNetworkEvents on InitiatingProcessUniqueIdExplanation
This query is designed to detect potential exploitation of a specific vulnerability (CVE-2025-24054) related to NTLM. Here's a simplified breakdown of what the query does:
-
Target Table: It starts by looking at the
DeviceFileEventstable, which logs file-related activities on devices. -
Filter for File Creation: It filters the events to only include those where a file was created (
ActionType == "FileCreated"). -
File Type Check: It further narrows down the results to files with names ending in ".library-ms" and checks that the file type is indeed "library-ms" by examining additional fields.
-
Exclude System Processes: It excludes events where the initiating process has a unique ID of 0, which typically represents system processes, focusing on user-initiated actions.
-
Join with Network Events: Finally, it joins these filtered file creation events with the
DeviceNetworkEventstable using theInitiatingProcessUniqueId. This step correlates file creation events with network activities initiated by the same process.
In summary, the query identifies instances where a ".library-ms" file is created by a non-system process and correlates these events with network activities, potentially indicating malicious exploitation of the NTLM vulnerability.
Details

Steven Lim
Released: April 16, 2025
Tables
Keywords
Operators