detection.wiki

Detection rules › Sigma

Clfs.SYS Loaded By Process Located In a Potential Suspicious Location

Severity
medium
Author
X__Junior
Source
upstream

Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVEs exploits that targets Common Log File.

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1059 Command and Scripting Interpreter

Event coverage

ProviderEvent IDTitle
Sysmon7Image loaded

Stages and Predicates

Stage 1: selection_dll

ImageLoaded|endswith: '\clfs.sys'

Stage 2: 1 of selection_folders_1

or:
Image|contains: ':\Perflogs\'
Image|contains: ':\Users\Public\'
Image|contains: '\Temporary Internet'
Image|contains: '\Windows\Temp\'

Stage 3: 1 of selection_folders_2

or:
Image|contains: ':\Users\'
Image|contains: '\Contacts\'
Image|contains: ':\Users\'
Image|contains: '\Favorites\'
Image|contains: ':\Users\'
Image|contains: '\Favourites\'
Image|contains: ':\Users\'
Image|contains: '\Pictures\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Imagematch
  • :\Perflogs\ corpus 7 (sigma 7)
  • :\Users\ corpus 3 (sigma 3)
  • :\Users\Public\ corpus 14 (sigma 14)
  • \Contacts\ corpus 5 (sigma 5)
  • \Favorites\ corpus 6 (sigma 6)
  • \Favourites\ corpus 5 (sigma 5)
  • \Pictures\ corpus 5 (sigma 5)
  • \Temporary Internet corpus 2 (sigma 2)
  • \Windows\Temp\ corpus 7 (sigma 7)
ImageLoadedends_with
  • \clfs.sys