Query Details

CVE-2025-33073 Detection

Query

// CVE-2025-33073 Detection
// https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025

let QueryPeriod = 1h;
let HostList =
    DeviceInfo
    | extend Hostname = tostring(split(DeviceName, '.')[0])
    | distinct Hostname;
DnsEvents
| where TimeGenerated > ago(QueryPeriod)
| extend DNSQuery = tolower(Name)
| where DNSQuery startswith "localhost" or DNSQuery has_any(HostList)
| where not (DNSQuery contains ".")  // keep single-label names only; 'has' is term-based and never matches a bare "."
| where DNSQuery matches regex @"[A-Za-z0-9+\/]{20,}={0,2}"

Explanation

This query is designed to detect potential exploitation attempts related to the CVE-2025-33073 vulnerability, which involves NTLM reflection attacks. Here's a simplified breakdown of what the query does:

  1. Query Period: It sets a time window of 1 hour (1h) to look back at the DNS events.

  2. Host List Creation: It extracts a list of distinct hostnames from the DeviceInfo table. This is done by taking the DeviceName, splitting it by the dot (.), and taking the first part as the hostname.

  3. DNS Events Filtering: The query then filters DNS events from the DnsEvents table that were generated within the last hour.

  4. DNS Query Processing:

    • It converts the DNS query names to lowercase for uniformity.
    • It keeps DNS queries that either start with "localhost" or contain one of the hostnames from the previously created host list as a whole term (has_any is term-based, so "ws01-..." matches "ws01" but "ws01abc..." does not).
    • It excludes any DNS queries that contain a period (.), keeping only single-label, non-fully-qualified names.
    • It further filters DNS queries that match a specific regex pattern, which looks for runs of at least 20 base64 characters, potentially indicating encoded data embedded in the name.

Overall, this query is looking for suspicious DNS queries that could be indicative of NTLM reflection attacks, focusing on queries that are local or match known hostnames and exhibit unusual characteristics.
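To check what the four filters above actually surface, here is an added Python reimplementation of the query logic run over a constructed DNS sample; this is not the author's code, and the device inventory, the `BLOB` placeholder and the function names (`build_host_list`, `is_suspicious`, `run_detection`) are all mine.

```python
import re

# Regex lifted from the KQL query: a run of 20+ base64 characters with optional padding.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
# KQL 'has' / 'has_any' match whole terms; terms are runs of alphanumerics,
# so anything non-alphanumeric acts as a delimiter.
TERM_SPLIT = re.compile(r"[^A-Za-z0-9]+")

def build_host_list(device_names):
    """Mirror the HostList subquery: first label of each DeviceName, distinct, lowercased."""
    return {name.split(".")[0].lower() for name in device_names}

def is_suspicious(dns_name, host_list):
    """Apply the query's filters to one DNS query name.
    Returns the name of the first filter that rejects it, or None if the name would be surfaced."""
    q = dns_name.lower()                                  # extend DNSQuery = tolower(Name)
    terms = {t for t in TERM_SPLIT.split(q) if t}
    if not (q.startswith("localhost") or terms & host_list):
        return "host filter"                              # startswith "localhost" or has_any(HostList)
    if "." in q:
        return "has dot"                                  # exclude names containing a period
    if not BASE64_RUN.search(q):
        return "no base64 run"                            # matches regex
    return None

def run_detection(dns_names, device_names):
    """Return the subset of dns_names the query would surface, in input order."""
    host_list = build_host_list(device_names)
    return [n for n in dns_names if is_suspicious(n, host_list) is None]

# Constructed inventory and DNS sample (not real data).
DEVICES = ["WS01.corp.example", "FS02.corp.example"]
BLOB = "QUFBQUFBQUFBQUFBQUFBQUFB"  # 24 base64 chars standing in for an encoded blob in the name
DNS_SAMPLE = [
    "ws01",                   # plain single-label lookup: no base64 run
    "fs02.corp.example",      # fully qualified: dropped by the dot filter
    "localhost" + BLOB,       # surfaced via startswith "localhost"
    "ws01-" + BLOB,           # surfaced: "ws01" is a whole term before the blob
    "www.example.com",        # unrelated FQDN: fails the host filter
]

if __name__ == "__main__":
    for name in DNS_SAMPLE:
        print(f"{name:40} -> {is_suspicious(name, build_host_list(DEVICES)) or 'MATCH'}")
```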

Details


Steven Lim

Released: June 16, 2025

Tables

DeviceInfo, DnsEvents

Keywords

CVE, Detection, DeviceInfo, DnsEvents, TimeGenerated, Name, Hostname

Operators

let, extend, tostring, split, distinct, where, ago, tolower, startswith, has_any, not, has, matches regex
