Emerging Threatmediumexperimental

Suspicious Creation of .library-ms File — Potential CVE-2025-24054 Exploit

Detects creation of '.library-ms' files, which may indicate exploitation of CVE-2025-24054. This vulnerability allows an attacker to trigger an automatic outbound SMB or WebDAV authentication request to a remote server upon archive extraction. If the system is unpatched, no user interaction is required beyond extracting a malicious archive—potentially exposing the user's NTLMv2-SSP hash to the attacker.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Gene KazimiarovichCreated Sun Apr 205a7132c0-86db-4e6b-95c0-f0e9d7f461aa2025

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetFilename|endswith: '.library-ms'
        Image|endswith:
            - '\7z.exe'
            - '\winrar.exe'
            - '\explorer.exe'
    condition: selection