
Add CVE-2025-24054 Library-MS creation rule

Open gkazimiarovich opened this issue 8 months ago • 2 comments

Summary of the Pull Request

Adds a new emerging-threats rule that detects the creation or extraction of a malicious .library-ms file used to exploit CVE-2025-24054 (forced NTLM hash leak via Windows Explorer). The rule targets Sysmon file-event telemetry and raises a medium-severity alert.

Changelog

new: Library-MS File Written (CVE-2025-24054 Exploit)

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

gkazimiarovich avatar Apr 29 '25 19:04 gkazimiarovich
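As an added illustration of the detection the PR description outlines (a Sysmon file-event rule keyed on `.library-ms` writes, medium severity), the block below is example code written for this page; it is not the rule submitted in the PR and not SigmaHQ's code. The rule dictionary, the `filter_legit` tuning exclusion for the per-user `Libraries` folder, the Sysmon-to-category mapping, and every log record are constructed assumptions; the matcher implements only the modifiers and the `selection and not 1 of filter_*` condition shape this example needs, not the full Sigma grammar.

```python
"""Constructed example: evaluate a Sigma-style file_event rule for .library-ms
writes against sample Sysmon file-create events. Not the PR's rule."""
from typing import Any

# Assumption: which Sysmon event IDs back each Sigma logsource category.
# Sysmon Event ID 11 is FileCreate, the telemetry the PR summary targets.
CATEGORY_TO_EVENT_IDS = {"file_event": {11}}

# Constructed Sigma-style rule modelled on the PR summary (not the PR's rule).
# The filter excludes the per-user Libraries folder where Windows keeps its own
# library definitions, a tuning choice assumed here to reduce false positives.
RULE = {
    "title": "Library-MS File Written (CVE-2025-24054 Exploit)",
    "logsource": {"product": "windows", "category": "file_event"},
    "detection": {
        "selection": {"TargetFilename|endswith": ".library-ms"},
        "filter_legit": {
            "TargetFilename|contains": "\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\"
        },
        "condition": "selection and not 1 of filter_*",
    },
    "level": "medium",
}


def _field_matches(field_spec: str, expected: str, event: dict[str, Any]) -> bool:
    """Apply one 'Field|modifier' test; Sigma string matching is case-insensitive."""
    field, _, modifier = field_spec.partition("|")
    value = str(event.get(field, "")).lower()
    expected = expected.lower()
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "startswith":
        return value.startswith(expected)
    if modifier == "contains":
        return expected in value
    if modifier == "":
        return value == expected
    raise ValueError(f"unsupported modifier: {modifier}")


def _selection_matches(selection: dict[str, str], event: dict[str, Any]) -> bool:
    """All field tests inside one named selection must hold (implicit AND)."""
    return all(_field_matches(k, v, event) for k, v in selection.items())


def in_logsource(rule: dict, event: dict[str, Any]) -> bool:
    """Only events from the rule's logsource category are considered."""
    ids = CATEGORY_TO_EVENT_IDS.get(rule["logsource"]["category"], set())
    return event.get("EventID") in ids


def evaluate(rule: dict, event: dict[str, Any]) -> bool:
    """Evaluate the fixed condition shape 'selection and not 1 of filter_*'."""
    if not in_logsource(rule, event):
        return False
    det = rule["detection"]
    if not _selection_matches(det["selection"], event):
        return False
    filters = [v for k, v in det.items() if k.startswith("filter")]
    return not any(_selection_matches(f, event) for f in filters)


def run_rule(rule: dict, events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return one alert per matching event, carrying the rule's severity."""
    return [
        {"title": rule["title"], "level": rule["level"],
         "file": e["TargetFilename"], "image": e.get("Image")}
        for e in events if evaluate(rule, e)
    ]


# Constructed Sysmon records (paths and process names are made up).
# Record 3 shows that an archive extractor writing the file is still a
# FileCreate event, which is why "creation or extraction" are both covered.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\invoice.library-ms"},
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\Documents.library-ms"},
    {"EventID": 11, "Image": "C:\\Program Files\\7-Zip\\7zG.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\archive\\README.LIBRARY-MS"},
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\notes.txt"},
    {"EventID": 1, "Image": "C:\\Windows\\explorer.exe",
     "CommandLine": "explorer.exe"},  # process create: wrong logsource, ignored
]

if __name__ == "__main__":
    for alert in run_rule(RULE, SAMPLE_EVENTS):
        print(f"[{alert['level']}] {alert['title']}: {alert['file']} by {alert['image']}")
```

Running the block yields two alerts (the download and the extracted file, the latter matched despite its upper-case extension), while the legitimate `Documents.library-ms` in the user's Libraries folder and the non-file event are dropped. A real rule should also be checked against the backend's field names for Sysmon file events before deployment.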

Bump. What's the process to merge this rule to master?

gkazimiarovich avatar May 27 '25 15:05 gkazimiarovich

There's some backlog, sorry. As a first time contributor the workflows won't run automatically. The first step is to look at the output of the failed tests and try to fix them. In general it helps reading the convention documents given in the PR template. If you need assistance with fixing the issues in the failed tests, please let me know.

phantinuss avatar May 28 '25 10:05 phantinuss

@phantinuss @nasbench All tests passed, errors cleared. Please review.

gkazimiarovich avatar Jul 24 '25 03:07 gkazimiarovich