Wikileaks Vault 7, posted in March 2017, revealed that the CIA exploited Windows `.library-ms` files for hacking Windows PCs. Recently, CVE-2025-24054 has shown these files being used to steal NTLM credentials. Despite Microsoft’s supposed patch in November 2024, the vulnerability persists, raising concerns about the CVE process.
`.library-ms` files are XML-based files containing symbolic links, introduced as a Windows 7 “feature.” Attackers abuse them for persistence, credential theft, and DLL sideloading.
How to Disable Windows Library-MS Files
1. Hide the “Libraries” Folder in File Explorer
- Open File Explorer.
- Click the View tab.
- Select Options (top-right).
- Navigate to the View tab in Folder Options.
- Uncheck “Show Libraries”.
- Click Apply → OK.
2. Disable Indexed Library Features via Group Policy (Admin Required)
- Press Win + R, type `gpedit.msc`, and hit Enter.
- Go to: `Computer Configuration → Administrative Templates → Windows Components → Windows Explorer`
- Enable the “Turn off Windows Libraries features that rely on indexed file data” policy (registry value `DisableIndexedLibraryExperience`) to block metadata-dependent features.
3. Monitor .library-ms Files with Wazuh
Wazuh’s File Integrity Monitoring (FIM) can detect new or modified `.library-ms` files in real time and, with an active response attached to the alert, quarantine them. Example configuration (`/var/ossec/etc/ossec.conf`, or the Windows agent’s own `ossec.conf` / the centralized `agent.conf` when the directories live on agents; the `*` stands in for the user profile name):

```xml
<syscheck>
  <directories check_all="yes" realtime="yes">C:\Users\*\AppData\Roaming\Microsoft\Windows\Libraries</directories>
</syscheck>
```
You Should Know:
- Check for Suspicious .library-ms Files:

```powershell
Get-ChildItem -Path "$env:APPDATA\Microsoft\Windows\Libraries" -Filter *.library-ms -Force
```

- Audit NTLM Credential Leaks (logons on this host where the authentication package was NTLM; outbound NTLM attempts are instead written to the `Microsoft-Windows-NTLM/Operational` log once the “Audit Outgoing NTLM traffic” security option is enabled):

```powershell
Get-WinEvent -LogName "Security" -FilterXPath '*[System[EventID=4624] and EventData[Data[@Name="AuthenticationPackageName"]="NTLM"]]'
```

- Block Outbound NTLM Traffic via GPO:
  - Navigate to: `Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options`
  - Set “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” to “Deny All”.
- Detect Malicious Symbolic Links:

```cmd
fsutil reparsepoint query "C:\path\to\suspicious.library-ms"
```
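`fsutil reparsepoint query` only reports NTFS reparse data; the locations a `.library-ms` file actually points Explorer at are stored in its XML body, under `<simpleLocation><url>`. The script below is an added example (not code from the original post) that walks the Libraries and Downloads folders, parses each `.library-ms` file, and reports any location that is a UNC path or a remote URL, since those are what make Explorer open an outbound SMB/WebDAV connection and offer NTLM credentials. The scan paths, the property names in the output objects and the `Get-SuspiciousLibraryMs` function name are assumptions you can change; the XML namespace is the one Microsoft documents for library description files.

```powershell
# Added example, not code from the original post. Scans .library-ms files and
# reports any <simpleLocation><url> that points off the local machine (a UNC
# path or a remote URL): the location type that makes Explorer open an
# outbound SMB/WebDAV connection and offer NTLM credentials.
# Assumptions: the default scan paths are the ones worth checking (adjust them),
# and the XML namespace is the one Microsoft documents for library files.

function Get-SuspiciousLibraryMs {
    [CmdletBinding()]
    param(
        [string[]]$Path = @(
            "$env:APPDATA\Microsoft\Windows\Libraries",
            "$env:USERPROFILE\Downloads"
        )
    )

    $libraryNs = 'http://schemas.microsoft.com/windows/2009/library'

    Get-ChildItem -Path $Path -Filter '*.library-ms' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try {
            [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop
        } catch {
            # Explorer tolerates some malformed files, so unparseable ones are reported too
            return [pscustomobject]@{
                File     = $file.FullName
                Location = $null
                Reason   = 'Unparseable XML'
                Created  = $file.CreationTime
            }
        }

        # The document declares a default namespace, so XPath needs a prefix bound to it
        $nsm = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
        $nsm.AddNamespace('l', $libraryNs)

        foreach ($node in $doc.SelectNodes('//l:simpleLocation/l:url', $nsm)) {
            $loc = $node.InnerText.Trim()
            $reason = $null
            if ($loc -match '^\\\\') {
                $reason = 'UNC path (forces outbound SMB/NTLM)'
            } elseif ($loc -match '^(https?|ftp|webdav)://') {
                $reason = 'Remote URL'
            } elseif ($loc -notmatch '^(knownfolder:\{|[A-Za-z]:\\|shell:)') {
                # Anything that is not a known folder, a local drive path or a shell: moniker
                $reason = 'Unrecognised location scheme'
            }
            if ($reason) {
                [pscustomobject]@{
                    File     = $file.FullName
                    Location = $loc
                    Reason   = $reason
                    Created  = $file.CreationTime
                }
            }
        }
    }
}

# Usage: print findings; exit non-zero so a scheduled task shows the run as failed
$findings = @(Get-SuspiciousLibraryMs)
$findings | Format-Table -AutoSize
if ($findings.Count -gt 0) { exit 1 }
```

Run it as the user whose profile you want to inspect (the default paths are built from that user’s environment), or pass `-Path` with an explicit list of profile directories when sweeping a whole machine from an elevated session. Pipe `Get-SuspiciousLibraryMs` into `Export-Csv` if you want the findings shipped to a SIEM rather than printed.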
Relevant Links:
- TheHackerNews on CVE-2025-24054
- Wikileaks Vault 7 Docs
- Microsoft’s .library-ms Documentation
- F-Secure’s Analysis on .library-ms Abuse
What Undercode Says:
Microsoft’s delayed patch for a seven-year-old exploit highlights systemic flaws in the CVE process. Administrators must proactively disable `.library-ms` features and monitor for NTLM leaks. Tools like Wazuh and PowerShell auditing are critical for detecting abuse. Expect continued exploitation of legacy Windows features until Microsoft enforces stricter deprecation.
Prediction:
Future attacks will increasingly abuse deprecated Windows features like `.library-ms`, leveraging poor patch adherence and legacy compatibility.
Expected Output:

```cmd
C:\> fsutil reparsepoint query "C:\Malicious.library-ms"
Reparse Tag Value: 0xA0000003 (Symbolic Link)
```