Skip to content

Add CVE-2025-24054 Library-MS creation rule #5391

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add CVE-2025-24054 Library-MS creation rule #5391

wants to merge 1 commit into from
+33 −0

Conversation

gkazimiarovich
Copy link

@gkazimiarovich gkazimiarovich commented Apr 29, 2025
edited
Loading

Summary of the Pull Request

Adds a new emerging-threats rule that detects the creation or extraction of a
malicious .library-ms file used to exploit CVE-2025-24054 (forced NTLM hash leak via Windows Explorer).
The rule targets Sysmon file-event telemetry and raises a medium-severity alert.

Changelog

new: Library-MS File Written (CVE-2025-24054 Exploit)

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

github-actions[bot]
github-actions bot reviewed Apr 29, 2025
View reviewed changes
Copy link
Contributor

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Welcome @gkazimiarovich 👋

It looks like this is your first pull request on the Sigma rules repository!

Please make sure to read the SigmaHQ conventions document to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.

Thanks again, and welcome to the Sigma community! 😃

@gkazimiarovich gkazimiarovich changed the title Add Add CVE-2025-24054 Library-MS creation rule Add CVE-2025-24054 Library-MS creation rule Apr 29, 2025
@gkazimiarovich
Copy link
Author

Bump.
What's the process to merge this rule to master?

@phantinuss
Copy link
Collaborator

There's some backlog, sorry. As a first time contributor the workflows won't run automatically. The first step is to look at the output of the failed tests and try to fix them. In general it helps reading the convention documents given in the PR template. If you need assistance with fixing the issues in the failed tests, please let me know.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

Assignees
No one assigned
Labels
Emerging-Threats Rules
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@gkazimiarovich @phantinuss