title: CVE-2025-33073 Pattern (Sysmon Event ID 22)
id: 0b2d2d7a-7d1b-4e8c-9c3f-5e3a8d7e9f1a
status: test
description: Detects exploitation of CVE-2025-33073 (Windows NTLM authentication) by matching the queried DNS name from Sysmon Event ID 22 against a specific pattern
references:
    - https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
author: PT ESC
date: 2025/06/20
logsource:
    product: windows
    service: sysmon
    category: dns_query
    event_id: 22
detection:
    selection:
        QueryName|re: (?i)(^[a-z0-9\\-]{1,50}1uwhrca[a-z0-9+/=]{1,50}$)
    condition: selection
falsepositives:
    - Unknown
level: high
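Added example, not part of the rule above or of its author's tooling: the rule's QueryName regex applied in Python to constructed Sysmon Event ID 22 records, showing which DNS names it flags and which it leaves alone (the dotted FQDN and the marker without a prefix are not matched; all event records and names are constructed).

```python
import re

# Regex copied verbatim from the Sigma rule's QueryName|re modifier.
CVE_2025_33073_PATTERN = re.compile(
    r"(?i)(^[a-z0-9\\-]{1,50}1uwhrca[a-z0-9+/=]{1,50}$)"
)


def matches_cve_2025_33073(query_name: str) -> bool:
    """True if a Sysmon Event ID 22 QueryName matches the rule's pattern."""
    return CVE_2025_33073_PATTERN.search(query_name) is not None


def scan_events(events):
    """Apply the rule's logsource filter (Event ID 22) and selection to a
    list of Sysmon events given as dicts; return the matching QueryNames."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 22:  # only DNS query events are in scope
            continue
        name = ev.get("QueryName", "")
        if matches_cve_2025_33073(name):
            hits.append(name)
    return hits


# Constructed sample records (not real telemetry); the suspicious name is
# built as <prefix><marker><base64-looking suffix> to fit the regex.
SUSPICIOUS_NAME = "srv01" + "1UWhRCA" + "A" * 40 + "=="
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "dc01.corp.example"},          # normal FQDN, dots: no match
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": SUSPICIOUS_NAME},              # matches
    {"EventID": 22, "Image": r"C:\Windows\explorer.exe",
     "QueryName": "host1uwhrcaabc"},             # lowercase marker: matches
    {"EventID": 22, "Image": r"C:\Windows\explorer.exe",
     "QueryName": "1uwhrca"},                    # marker alone, no prefix/suffix
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "QueryName": "srv011UWhRCAabc"},            # wrong event ID: filtered out
]

if __name__ == "__main__":
    for name in scan_events(SAMPLE_EVENTS):
        print("ALERT CVE-2025-33073 pattern in DNS query:", name)
```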