## https://sploitus.com/exploit?id=193F61B6-AFAB-5066-A82C-03D8AA8216BB
# CVE-2025-24054 - Detection & Mitigation Lab
Project log for a defensive security lab on **CVE-2025-24054**, the Windows
**New Technology LAN Manager (NTLM) Hash Disclosure Spoofing** vulnerability,
under the assumption that the affected system **cannot be patched** short-term.
> Blue-team educational project (Murdoch University ICT279). The exploitation
> technique is publicly documented (Check Point, CISA KEV); the original
> contribution is the detection + mitigation methodology. No live credentials or
> the VM credential sheet are stored in this repository.
## The vulnerability
| Field | Value |
|---|---|
| CVE | CVE-2025-24054 |
| Class | Spoofing / Forced Authentication |
| Common Weakness Enumeration (CWE) | CWE-73: External Control of File Name or Path |
| MITRE ATT&CK | T1187 (Forced Authentication) |
| Affected | Windows 10 / 11, Windows Server 2008 R2 through 2025 |
| Real-world use | Phishing vs. Polish & Romanian government targets, March 2025 |
| CISA KEV | Added 17 April 2025 |
Windows auto-parses `.library-ms` files, which are Extensible Markup Language
(XML) library descriptors. A malicious file embeds a Universal Naming Convention
(UNC) path to an attacker-controlled server; on merely viewing or extracting it,
Windows opens an outbound Server Message Block (SMB) connection on Transmission
Control Protocol (TCP) port 445 and transmits the user's Net-NTLMv2 hash. No
click is required.
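Because the trigger is a remote path inside an XML descriptor, a defender can triage `.library-ms` files before they reach a user's Explorer view. The scanner below is an added example for this lab, not code from the repository: it walks every element text and attribute in the XML, extracts UNC (`\\host\share`) and `file://host/` references, and reports any host that is not local. Malformed XML is not trusted to be harmless, so it falls back to scanning the raw bytes. The two sample descriptors are constructed and deliberately simplified (real files follow Microsoft's library schema, which the scanner does not depend on); `192.0.2.10` is a documentation-range placeholder.

```python
import re
import xml.etree.ElementTree as ET

# UNC path (\\host\...) or file://host/... ; capture the host part only.
REMOTE_REF_RE = re.compile(r"(?:\\\\|file://)([A-Za-z0-9._-]+)[\\/]")

# References to these hosts resolve to the local machine and are not forced auth.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _hosts_in_text(value):
    """Return non-local hosts referenced by UNC/file paths in a single string."""
    return {m.group(1).lower() for m in REMOTE_REF_RE.finditer(value)
            if m.group(1).lower() not in LOCAL_HOSTS}


def remote_hosts_in_library_ms(xml_text):
    """Return the set of remote hosts a .library-ms descriptor would make Windows contact.

    Walks all element text and attribute values, so it does not rely on the exact
    schema; if the XML is malformed, the raw text is scanned instead of being trusted.
    """
    hosts = set()
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return _hosts_in_text(xml_text)
    for elem in root.iter():
        for value in [elem.text or ""] + list(elem.attrib.values()):
            hosts |= _hosts_in_text(value)
    return hosts


def is_suspicious(xml_text, allowed_hosts=frozenset()):
    """True if the descriptor references any remote host outside the allowlist."""
    return bool(remote_hosts_in_library_ms(xml_text) - {h.lower() for h in allowed_hosts})


# Constructed, simplified stand-ins for library descriptors (not real-schema files).
SUSPICIOUS_SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription>
  <name>Documents</name>
  <location><url>\\192.0.2.10\share</url></location>
</libraryDescription>
"""

BENIGN_SAMPLE = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription>
  <name>Documents</name>
  <location><url>C:\Users\Public\Documents</url></location>
  <location><url>\\localhost\c$\Users\Public</url></location>
</libraryDescription>
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, sorted(remote_hosts_in_library_ms(sample)), is_suspicious(sample))
```

In a mail gateway or endpoint scan, pass the organisation's own file servers as `allowed_hosts` so that legitimately redirected libraries do not alert; anything else is worth quarantining before it is extracted.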
## Lab architecture
```
Isolated lab network (/24, air-gapped)
┌─────────────────┐       ┌─────────────────┐       ┌─────────────────┐
│ Attacker (Kali) │       │ Victim (Win10)  │       │ SIEM (Ubuntu)   │
│ Responder       │◄──────┤ Sysmon + Agent  ├──────►│ Wazuh Manager   │
└─────────────────┘  SMB  └─────────────────┘       └─────────────────┘
                     445
```
Detection pipeline: `Sysmon → Windows Event Log → Wazuh Agent → Wazuh Manager → Custom Rules → Dashboard Alert`
## Contents
- [`detection/`](detection/) - Sysmon config + custom Wazuh rules
- [`mitigation/`](mitigation/) - Group Policy Object (GPO) NTLM restriction
- [`exploit/`](exploit/) - defensive description of the trigger (placeholder IPs)
- [`docs/`](docs/) - walkthrough, limitations, and screenshot evidence log
## Two findings from implementation (documented, not assumed)
1. The outbound port-445 connection is attributed to **`System` (Process ID 4)**,
the kernel SMB redirector, **not** `explorer.exe`. The detection rule
therefore uses **no image-name filter**, which is what makes it fire.
2. The blocked-NTLM event on the victim is **Event ID 4001** ("Blocking NTLM"),
not 8002 as some documentation states. The lab environment is the authority.
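Both findings change what a rule must match on, and the effect is easiest to see by running the rule logic over sample events. The code below is an added illustration for this lab, not the repository's Wazuh rules: it expresses the detection as a Python function over flattened Sysmon Event ID 3 records (field names are assumptions for the illustration, not Wazuh's decoder output) and shows that an `explorer.exe` image filter misses the connection the lab observed, while the unfiltered rule fires only for SMB servers outside the allowlist. A second function matches the blocked-NTLM confirmation, Event ID 4001; the channel name is an assumption here. All records are constructed, and `192.0.2.10` stands in for the attacker host.

```python
# Constructed Sysmon Event ID 3 (network connection) records, flattened.
# Field names are assumptions for this illustration, not Wazuh decoder fields.
SAMPLE_SYSMON_EVENTS = [
    {"event_id": 3, "image": "C:\\Windows\\System32\\svchost.exe", "process_id": 1204,
     "dest_ip": "10.0.0.30", "dest_port": 53, "initiated": True,
     "user": "NT AUTHORITY\\NETWORK SERVICE"},
    # What the lab actually observed: the kernel SMB redirector (PID 4), not explorer.exe
    {"event_id": 3, "image": "System", "process_id": 4,
     "dest_ip": "192.0.2.10", "dest_port": 445, "initiated": True,
     "user": "NT AUTHORITY\\SYSTEM"},
    # Legitimate SMB to the allow-listed file server, also from PID 4
    {"event_id": 3, "image": "System", "process_id": 4,
     "dest_ip": "10.0.0.5", "dest_port": 445, "initiated": True,
     "user": "NT AUTHORITY\\SYSTEM"},
    # Inbound 445 (initiated=False): another host connecting to us, not forced auth
    {"event_id": 3, "image": "System", "process_id": 4,
     "dest_ip": "10.0.0.7", "dest_port": 445, "initiated": False,
     "user": "NT AUTHORITY\\SYSTEM"},
]

# Constructed record from the victim after the GPO restriction is in place.
# Channel name is an assumption for this illustration.
SAMPLE_NTLM_EVENTS = [
    {"event_id": 4001, "channel": "Microsoft-Windows-NTLM/Operational",
     "message": "Blocking NTLM", "target_server": "192.0.2.10"},
    {"event_id": 8002, "channel": "Microsoft-Windows-NTLM/Operational",
     "message": "Audit: outgoing NTLM to remote server", "target_server": "10.0.0.5"},
]

# Known SMB servers on the lab network; outbound 445 to anything else is suspect.
ALLOWED_SMB_SERVERS = frozenset({"10.0.0.5"})


def outbound_smb_alerts(events, allowed_smb_servers=frozenset(), image_filter=None):
    """Flag outbound (initiated) connections to TCP 445 that are not on the allowlist.

    image_filter is deliberately optional: the lab found the connection is owned by
    `System` (PID 4), so a rule pinned to explorer.exe never matches it.
    """
    alerts = []
    for ev in events:
        if ev.get("event_id") != 3 or not ev.get("initiated"):
            continue
        if ev.get("dest_port") != 445 or ev.get("dest_ip") in allowed_smb_servers:
            continue
        if image_filter and not ev.get("image", "").lower().endswith(image_filter.lower()):
            continue
        alerts.append({
            "rule": "outbound_smb_unexpected_server",
            "dest_ip": ev["dest_ip"],
            "image": ev.get("image"),
            "process_id": ev.get("process_id"),
            "user": ev.get("user"),
        })
    return alerts


def ntlm_block_alerts(events):
    """Match Event ID 4001 ('Blocking NTLM'), the event the lab saw once the GPO applied."""
    return [ev for ev in events if ev.get("event_id") == 4001]


def compare_rule_variants(events, allowed=ALLOWED_SMB_SERVERS):
    """Return alert counts for the image-filtered rule versus the lab's unfiltered rule."""
    return {
        "explorer_filter": len(outbound_smb_alerts(events, allowed, image_filter="explorer.exe")),
        "no_image_filter": len(outbound_smb_alerts(events, allowed)),
    }


if __name__ == "__main__":
    print(compare_rule_variants(SAMPLE_SYSMON_EVENTS))
    for a in outbound_smb_alerts(SAMPLE_SYSMON_EVENTS, ALLOWED_SMB_SERVERS):
        print("ALERT", a)
    for b in ntlm_block_alerts(SAMPLE_NTLM_EVENTS):
        print("BLOCKED", b["target_server"], b["message"])
```

The allowlist is what keeps the unfiltered rule usable: without it every file-server session from PID 4 would alert, which is why the lab's rule drops the image filter but still scopes on destination. Pairing the 445 alert with a matching 4001 record for the same target server is the evidence that the GPO mitigation actually stopped the hash from leaving.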
## References
- Check Point Research (2025). *CVE-2025-24054, NTLM Exploit in the Wild.*
- CISA (2025). *Known Exploited Vulnerabilities Catalog: CVE-2025-24054.*
- Microsoft Learn (2022). *Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers.*
- MITRE ATT&CK (2025). *T1187: Forced Authentication.*