099. Hunting for CLFS Exploit Activity Artifacts

Hello everyone! I think you have already heard about the zero-day vulnerability in the Common Log File System (CLFS) weaponized by RansomEXX affiliates. I'm talking about CVE-2025-29824.

If you look through the Microsoft Threat Intelligence Center (MSTIC) report, you can spot a curious artifact. As part of the exploitation, a CLFS BLF file is created: C:\ProgramData\SkyPDF\PDUDrv.blf.

What does it mean? We can hunt for similar activity! For example:

event_type: "filecreatewin"

AND

file_path: ("programdata" AND "blf")
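As an added example (not from the original post), the Python below applies the hunt above to a handful of constructed file-creation events, next to a tighter variant that requires a real .blf extension and a ProgramData path component rather than bare substrings. The event field names follow the query above; every sample path except the one named in the MSTIC report is constructed.

```python
"""Added example (not from the original post): run the BLF-in-ProgramData hunt
over constructed Windows file-creation events and report the hits."""
from pathlib import PureWindowsPath

# Constructed sample telemetry. The first path is the artifact named in the
# MSTIC report; the rest are made up to exercise the edge cases.
SAMPLE_EVENTS = [
    {"event_type": "filecreatewin", "file_path": r"C:\ProgramData\SkyPDF\PDUDrv.blf"},
    # substring "blf" is present but the extension is .bak
    {"event_type": "filecreatewin", "file_path": r"C:\ProgramData\Vendor\app.blf.bak"},
    # legitimate CLFS log outside ProgramData
    {"event_type": "filecreatewin", "file_path": r"C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiag.blf"},
    # wrong event type: same path in a process-creation record
    {"event_type": "processcreatewin", "file_path": r"C:\ProgramData\notes.blf"},
    {"event_type": "filecreatewin", "file_path": r"C:\Users\Public\Downloads\readme.txt"},
]


def matches_broad_hunt(event):
    """Literal reading of the post's query: event_type is filecreatewin AND the
    path contains both 'programdata' and 'blf' (case-insensitive substrings)."""
    if event.get("event_type") != "filecreatewin":
        return False
    path = event.get("file_path", "").lower()
    return "programdata" in path and "blf" in path


def matches_tight_hunt(event):
    """Tighter variant: the created file has the .blf extension and one of its
    directory components is ProgramData, not just the substrings somewhere."""
    if event.get("event_type") != "filecreatewin":
        return False
    p = PureWindowsPath(event.get("file_path", ""))
    under_programdata = any(part.lower() == "programdata" for part in p.parts[:-1])
    return under_programdata and p.suffix.lower() == ".blf"


def hunt(events):
    """Return (broad_hits, tight_hits) as lists of matching file paths."""
    broad = [e["file_path"] for e in events if matches_broad_hunt(e)]
    tight = [e["file_path"] for e in events if matches_tight_hunt(e)]
    return broad, tight


if __name__ == "__main__":
    broad_hits, tight_hits = hunt(SAMPLE_EVENTS)
    print("broad hunt:", *broad_hits, sep="\n  ")
    print("tight hunt:", *tight_hits, sep="\n  ")
```

The broad query is the right starting point for a hunt; the tight variant shows what to check before promoting it to an alert.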

Despite the fact that the adversary exploited a zero-day vulnerability for privilege escalation, the kill chain included some easily detectable behaviors, for example, abusing ProcDump to dump LSASS. As always, we have lots of detection opportunities even in such cases!

See you tomorrow!
