CLFS.SYS Loaded by Process Located in a Potential Suspicious Location

    Date: 02/24/2025

    Severity: Medium

    Summary

    Detects clfs.sys being loaded by a process that runs from a potentially suspicious location. Clfs.sys is the Common Log File System driver and has been the target of several CVEs; a loader running out of a user-writable or temporary directory is a signal worth triaging.

    Indicators of Compromise (IOC) List

    ImageLoaded (ends with):

    - '\clfs.sys'

    Image (contains any of):

    - ':\Perflogs\'

    - ':\Users\Public\'

    - '\Temporary Internet'

    - '\Windows\Temp\'

    Image (contains ':\Users\' together with any one of):

    - '\Favorites\'

    - '\Favourites\'

    - '\Contacts\'

    - '\Pictures\'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query : 

    (resourcename = "Sysmon" AND eventtype = "7") AND imageloaded like "clfs.sys" AND ((image like ":\Perflogs" OR image like ":\Users\Public" OR image like "\Temporary Internet" OR image like "\Windows\Temp") OR (image like ":\Users" AND (image like "\Favorites" OR image like "\Favourites" OR image like "\Contacts" OR image like "\Pictures")))

    Detection Query :

    (technologygroup = "EDR") AND imageloaded like "clfs.sys" AND ((image like ":\Perflogs" OR image like ":\Users\Public" OR image like "\Temporary Internet" OR image like "\Windows\Temp") OR (image like ":\Users" AND (image like "\Favorites" OR image like "\Favourites" OR image like "\Contacts" OR image like "\Pictures")))
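    To make the matching logic concrete, the following is an added Python example (not Gurucul's or SigmaHQ's code) that applies the rule above to constructed Sysmon Event ID 7 (ImageLoaded) records. It shows the user-profile branch the way it must be evaluated: ':\Users\' together with any one of the subfolders, never all of them at once.

```python
# Added example: applies the clfs.sys image-load detection logic to Sysmon
# Event ID 7 records. The events below are constructed sample data, not telemetry.

SPECIAL_DIRS = (":\\perflogs\\", ":\\users\\public\\", "\\temporary internet", "\\windows\\temp\\")
USER_SUBDIRS = ("\\favorites\\", "\\favourites\\", "\\contacts\\", "\\pictures\\")


def is_suspicious_clfs_load(event: dict) -> bool:
    """Return True when a Sysmon EID 7 event matches the rule.

    Match = clfs.sys was loaded AND the loading Image sits either in one of the
    special directories, OR under a user profile in one of the user subfolders.
    Windows paths are case-insensitive, so everything is compared lower-cased.
    """
    if event.get("EventID") != 7:
        return False
    loaded = event.get("ImageLoaded", "").lower()
    image = event.get("Image", "").lower()
    if not loaded.endswith("\\clfs.sys"):
        return False
    in_special = any(d in image for d in SPECIAL_DIRS)
    # ':\Users\' combines with ANY one subfolder (OR): a single path can never
    # contain all four subfolders, so an AND here would never fire.
    in_user_folder = ":\\users\\" in image and any(s in image for s in USER_SUBDIRS)
    return in_special or in_user_folder


SAMPLE_EVENTS = [  # constructed sample events
    {"EventID": 7, "Image": "C:\\Users\\Public\\update.exe", "ImageLoaded": "C:\\Windows\\System32\\clfs.sys"},
    {"EventID": 7, "Image": "C:\\Users\\alice\\Pictures\\viewer.exe", "ImageLoaded": "C:\\Windows\\System32\\CLFS.SYS"},
    {"EventID": 7, "Image": "C:\\Users\\alice\\Documents\\tool.exe", "ImageLoaded": "C:\\Windows\\System32\\clfs.sys"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\clfs.sys"},
    {"EventID": 7, "Image": "C:\\Users\\Public\\update.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\update.exe", "ImageLoaded": "C:\\Windows\\System32\\clfs.sys"},
]


def matching_images(events):
    """Return the Image paths of the events that trigger the rule."""
    return [e["Image"] for e in events if is_suspicious_clfs_load(e)]


if __name__ == "__main__":
    for img in matching_images(SAMPLE_EVENTS):
        print("ALERT: clfs.sys loaded by process in suspicious location:", img)
```

    Only the first two sample events should alert; the Documents path, the system-directory loader, the non-clfs image load and the non-EID-7 event are all expected to stay silent.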

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/image_load/image_load_clfs_load.yml


    Tags: Sigma, CLFS.SYS, Exploit, Information Technology
