Date: 02/24/2025
Severity: Medium
Summary
Detects a process loading clfs.sys (the Common Log File System driver) from a potentially suspicious location. Clfs.sys is commonly abused by exploits for various CVEs targeting the Common Log File System.
Indicators of Compromise (IOC) List
ImageLoaded (ends with):
- \clfs.sys
Image (contains):
- :\Perflogs\
- :\Users\Public\
- \Temporary Internet
- \Windows\Temp\
- :\Users\ together with one of: \Favorites\, \Favourites\, \Contacts\, \Pictures\
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query (Sysmon):
(resourcename = "Sysmon" AND eventtype = "7") AND imageloaded like "clfs.sys" AND ((image like ":\Perflogs" OR image like ":\Users\Public" OR image like "\Temporary Internet" OR image like "\Windows\Temp") OR (image like ":\Users" AND (image like "\Favorites" OR image like "\Favourites" OR image like "\Contacts" OR image like "\Pictures")))
Detection Query (EDR):
(technologygroup = "EDR") AND imageloaded like "clfs.sys" AND ((image like ":\Perflogs" OR image like ":\Users\Public" OR image like "\Temporary Internet" OR image like "\Windows\Temp") OR (image like ":\Users" AND (image like "\Favorites" OR image like "\Favourites" OR image like "\Contacts" OR image like "\Pictures")))
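The rule's path logic applied to a few constructed Sysmon Event ID 7 records, as an added example that is not Gurucul's or SigmaHQ's code; field names follow Sysmon's Image and ImageLoaded, and the sample events are made up.

```python
# Added example: the rule's path logic applied to constructed Sysmon Event ID 7
# (image load) records. Not Gurucul's or SigmaHQ's code; sample events are made up.

# Directories that are suspicious wherever they appear in the process path.
SUSPICIOUS_ANY = (":\\Perflogs\\", ":\\Users\\Public\\", "\\Temporary Internet", "\\Windows\\Temp\\")
# Sub-folders that are suspicious only when the process also lives under a user profile.
SUSPICIOUS_USER_SUBDIRS = ("\\Favorites\\", "\\Favourites\\", "\\Contacts\\", "\\Pictures\\")


def is_suspicious_clfs_load(event: dict) -> bool:
    """True when a Sysmon Event ID 7 record shows clfs.sys loaded by a process
    running from one of the rule's suspicious locations. Matching is
    case-insensitive because Windows paths are."""
    if event.get("EventID") != 7:
        return False
    loaded = event.get("ImageLoaded", "").lower()
    if not loaded.endswith("\\clfs.sys"):
        return False
    image = event.get("Image", "").lower()
    if any(p.lower() in image for p in SUSPICIOUS_ANY):
        return True
    # User-profile branch: ':\Users\' AND any ONE of the sub-folders (OR between them).
    return ":\\users\\" in image and any(s.lower() in image for s in SUSPICIOUS_USER_SUBDIRS)


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\update.exe",
     "ImageLoaded": r"C:\Windows\System32\drivers\clfs.sys"},
    {"EventID": 7, "Image": r"C:\Users\alice\Pictures\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\drivers\CLFS.SYS"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",     # legitimate location
     "ImageLoaded": r"C:\Windows\System32\drivers\clfs.sys"},
    {"EventID": 7, "Image": r"C:\Users\alice\Pictures\viewer.exe",  # different module
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll"},
    {"EventID": 1, "Image": r"C:\Users\Public\update.exe",          # not an image-load event
     "ImageLoaded": r"C:\Windows\System32\drivers\clfs.sys"},
]


def flag_events(events):
    """Return the process paths of the events the rule would alert on."""
    return [e["Image"] for e in events if is_suspicious_clfs_load(e)]


if __name__ == "__main__":
    for image in flag_events(SAMPLE_EVENTS):
        print("suspicious clfs.sys load by", image)
```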
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_clfs_load.yml