7f83008e9e
new: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
fix: Python Initiated Connection - Add filter for `pip install`
fix: Python Inline Command Execution - Add filter for whl package installations

---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
42 lines
1.3 KiB
YAML
title: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
id: fb4e2211-6d08-426b-8e6f-0d4a161e3b1d
status: experimental
description: Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of exploits for many CVEs that target the Common Log File System driver.
references:
    - https://ssd-disclosure.com/ssd-advisory-common-log-file-system-clfs-driver-pe/
    - https://x.com/Threatlabz/status/1879956781360976155
author: X__Junior
date: 2025-01-20
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: image_load
    product: windows
detection:
    selection_dll:
        ImageLoaded|endswith: '\clfs.sys'
    selection_folders_1:
        Image|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\Temporary Internet'
            - '\Windows\Temp\'
    selection_folders_2:
        - Image|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - Image|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - Image|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - Image|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: selection_dll and 1 of selection_folders_*
falsepositives:
    - Unknown
level: medium
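As an added example (not part of this commit or the Sigma project), the rule's condition re-implemented in Python and run over constructed image_load events, so the case-insensitive `contains` matching and the OR-of-`contains|all` groups in `selection_folders_2` can be checked against a handful of paths. Field names follow the rule; the sample events and paths are constructed for illustration.

```python
# Added example, not the Sigma project's code: evaluates the Clfs.sys rule's
# condition "selection_dll and 1 of selection_folders_*" against constructed
# Windows image_load events (Sysmon Event ID 7 style, Sigma field names).
# Sigma string modifiers (contains/endswith) match case-insensitively, so
# both the patterns and the event fields are compared in lower case.

# selection_folders_1: any one substring is enough (plain list under contains)
SELECTION_FOLDERS_1 = (
    ":\\perflogs\\",
    ":\\users\\public\\",
    "\\temporary internet",
    "\\windows\\temp\\",
)

# selection_folders_2: each tuple is a contains|all group (every substring
# must be present); the groups themselves are OR'ed because they form a list.
SELECTION_FOLDERS_2 = (
    (":\\users\\", "\\favorites\\"),
    (":\\users\\", "\\favourites\\"),
    (":\\users\\", "\\contacts\\"),
    (":\\users\\", "\\pictures\\"),
)


def matches_clfs_rule(event: dict) -> bool:
    """True when the event satisfies the rule's condition."""
    image_loaded = str(event.get("ImageLoaded", "")).lower()
    image = str(event.get("Image", "")).lower()
    # selection_dll: ImageLoaded|endswith '\clfs.sys'
    if not image_loaded.endswith("\\clfs.sys"):
        return False
    folders_1 = any(s in image for s in SELECTION_FOLDERS_1)
    folders_2 = any(all(s in image for s in group) for group in SELECTION_FOLDERS_2)
    return folders_1 or folders_2


# Constructed sample events: two should fire, two should not.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\Public\\update.exe",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\clfs.sys"},
    {"Image": "C:\\Users\\alice\\Pictures\\viewer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\CLFS.SYS"},  # mixed case
    {"Image": "C:\\Windows\\System32\\svchost.exe",          # normal location
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\clfs.sys"},
    {"Image": "C:\\Users\\Public\\tool.exe",                 # different driver
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
]


def flagged_images(events) -> list:
    """Return the Image paths of events that the rule would alert on."""
    return [e["Image"] for e in events if matches_clfs_rule(e)]
```

The svchost.exe event shows why the rule keys on the loading process's path rather than on the driver alone: clfs.sys is loaded legitimately from system locations all the time.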