## https://sploitus.com/exploit?id=193F61B6-AFAB-5066-A82C-03D8AA8216BB
# CVE-2025-24054 — Detection & Mitigation Lab

Project log for a defensive security lab on **CVE-2025-24054**, the Windows
**New Technology LAN Manager (NTLM) Hash Disclosure Spoofing** vulnerability,
under the assumption that the affected system **cannot be patched** short-term.

> Blue-team educational project (Murdoch University ICT279). The exploitation
> technique is publicly documented (Check Point, CISA KEV); the original
> contribution is the detection + mitigation methodology. No live credentials or
> the VM credential sheet are stored in this repository.

## The vulnerability

| Field | Value |
|---|---|
| CVE | CVE-2025-24054 |
| Class | Spoofing / Forced Authentication |
| Common Weakness Enumeration (CWE) | CWE-73: External Control of File Name or Path |
| MITRE ATT&CK | T1187 (Forced Authentication) |
| Affected | Windows 10 / 11, Windows Server 2008 R2 → 2025 |
| Real-world use | Phishing vs. Polish & Romanian government targets, March 2025 |
| CISA KEV | Added 17 April 2025 |

Windows auto-parses `.library-ms` files (Extensible Markup Language (XML)
library descriptors). A malicious file embeds a Universal Naming Convention
(UNC) path to an attacker server; on merely viewing or extracting it, Windows
opens an outbound Server Message Block (SMB) connection on Transmission Control
Protocol (TCP) port 445 and transmits the user's Net-NTLMv2 hash — no click
required.

## Lab architecture

```
   Isolated lab network (/24, air-gapped)
   ┌────────────────┐   ┌────────────────┐   ┌────────────────┐
   │ Attacker (Kali)│   │ Victim (Win10) │   │ SIEM (Ubuntu)  │
   │ Responder      │◄──┤ Sysmon + Agent ├──►│ Wazuh Manager  │
   └────────────────┘SMB└────────────────┘   └────────────────┘
                     445
```

Detection pipeline: `Sysmon → Windows Event Log → Wazuh Agent → Wazuh Manager → Custom Rules → Dashboard Alert`

## Contents

- [`detection/`](detection/) — Sysmon config + custom Wazuh rules
- [`mitigation/`](mitigation/) — Group Policy Object (GPO) NTLM restriction
- [`exploit/`](exploit/) — defensive description of the trigger (placeholder IPs)
- [`docs/`](docs/) — walkthrough, limitations, and screenshot evidence log

## Two findings from implementation (documented, not assumed)

1. The outbound port-445 connection is attributed to **`System` (Process ID 4)**,
   the kernel SMB redirector — **not** `explorer.exe`. The detection rule
   therefore uses **no image-name filter**, which is what makes it fire.
2. The blocked-NTLM event on the victim is **Event ID 4001** ("Blocking NTLM"),
   not 8002 as some documentation states. The lab environment is the authority.
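The first finding is easy to get wrong when writing a rule, so here is an added example (not part of this repository's `detection/` rules) that runs the two findings over constructed Sysmon Event ID 3 records: an image-name filter on `explorer.exe` silently misses the port-445 connection, because Sysmon attributes it to `System` (PID 4). The field names mirror Sysmon's network-connection event; the events and the `192.0.2.x` addresses are constructed, not captured from the lab.

```python
"""Toy check for the lab's two findings: outbound TCP/445 attributed to the
kernel SMB redirector (Image=System, PID 4), and the NTLM-block event ID.
All sample data below is constructed for illustration."""

# Constructed Sysmon Event ID 3 (NetworkConnect) records, reduced to the fields
# the detection logic needs. The first record is the shape the lab observed.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": "System", "ProcessId": 4, "Initiated": True,
     "Protocol": "tcp", "DestinationIp": "192.0.2.10", "DestinationPort": 445},
    # Ordinary browsing from explorer.exe: not SMB, must not alert.
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe", "ProcessId": 5120,
     "Initiated": True, "Protocol": "tcp", "DestinationIp": "192.0.2.20",
     "DestinationPort": 443},
    # Inbound SMB (Initiated=False): a server-side connection, not the victim
    # reaching out, so it is outside the forced-authentication pattern.
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 1234,
     "Initiated": False, "Protocol": "tcp", "DestinationIp": "192.0.2.30",
     "DestinationPort": 445},
]


def outbound_smb(event, image_filter=None):
    """True for a host-initiated TCP connection to port 445 (Sysmon ID 3).

    image_filter, if given, additionally requires Image to end with that
    name. The lab finding is that any explorer.exe filter misses the real
    event, so the project's rule deliberately passes image_filter=None."""
    if event.get("EventID") != 3 or not event.get("Initiated"):
        return False
    if event.get("Protocol", "").lower() != "tcp":
        return False
    if event.get("DestinationPort") != 445:
        return False
    if image_filter is not None:
        image = event.get("Image", "").lower()
        if not image.endswith(image_filter.lower()):
            return False
    return True


def find_smb_alerts(events, image_filter=None):
    """Return the events the rule would alert on."""
    return [e for e in events if outbound_smb(e, image_filter)]


def is_ntlm_block_event(event_id):
    """Finding 2: the victim logs the blocked outbound NTLM as Event ID 4001,
    not 8002; a rule keyed on 8002 never fires in this lab."""
    return event_id == 4001
```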

## References

- Check Point Research (2025). *CVE-2025-24054, NTLM Exploit in the Wild.*
- CISA (2025). *Known Exploited Vulnerabilities Catalog: CVE-2025-24054.*
- Microsoft Learn (2022). *Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers.*
- MITRE ATT&CK (2025). *T1187: Forced Authentication.*