Uncoder AI의 의사 결정 트리로 Microsoft Defender에서 clfs.sys 위협 활동 시각화

작성자

Steven Edwards

기술 작가

[post-views]

5월 01, 2025 · 5 분 읽기

Uncoder AI의 의사 결정 트리로 Microsoft Defender에서 clfs.sys 위협 활동 시각화

합법적인 시스템 드라이버를 불법적이거나 의심스러운 디렉토리에서 로딩하는 것은 적대자들이 지속성, 회피 또는 실행을 위해 사용하는 알려진 기법입니다. 이 범주에서의 고가치 타겟은 clfs.sys — Common Log File System와 연관된 합법적인 Windows 드라이버입니다.

이 활동을 탐지하기 위해, Microsoft Defender for Endpoint는 고급 KQL 기반 탐지 논리를 지원합니다. 하지만 이러한 쿼리를 실제로 운영화하려면, 분석가들은 그것이 어떻게 작동하는지에 대한 가시성이 필요합니다. 이것이 바로 Uncoder AI의 AI 생성 의사결정 트리 가 제공하는 것입니다.

Uncoder AI 탐색

사용 사례: User 또는 Temp 경로에서 로드된 clfs.sys

이 쿼리는 clfs.sys 가 로드될 때를 식별합니다 비표준 또는 사용자 제어 디렉토리를 포함할 수 있는:

UsersPublic
Temporary Internet
WindowsTemp
하위 폴더 Users 다음과 같은 Pictures , Contacts , 또는 Favourites

이러한 경로는 시스템 수준 드라이버를 호스트하거나 로딩을 시작할 것으로 거의 예상되지 않으므로, 이러한 활동은 매우 의심스럽습니다.

Input we used (click to show the text)

DeviceImageLoadEvents | where (FolderPath endswith @'clfs.sys' and ((InitiatingProcessFolderPath contains @':Perflogs' or InitiatingProcessFolderPath contains @':UsersPublic' or InitiatingProcessFolderPath contains @'Temporary Internet' or InitiatingProcessFolderPath contains @'WindowsTemp') or (InitiatingProcessFolderPath contains @':Users' and InitiatingProcessFolderPath contains @'Favorites') or (InitiatingProcessFolderPath contains @':Users' and InitiatingProcessFolderPath contains @'Favourites') or (InitiatingProcessFolderPath contains @':Users' and InitiatingProcessFolderPath contains @'Contacts') or (InitiatingProcessFolderPath contains @':Users' and InitiatingProcessFolderPath contains @'Pictures')))

의사결정 트리가 이를 분해하는 방법

Uncoder AI는 이 탐지 논리를 인간이 읽기 쉬운 의사결정 트리 구조로 자동 변환하여 다음을 보여줍니다:

쿼리 범위:
DeviceImageLoadEvents에서 필터링됩니다 DeviceImageLoadEvents 폴더 경로가 clfs.sys.
으로 끝나는 경우:
의사결정 트리는 시작 과정의 폴더 경로가 어떤 비정상적인 사용자 또는 임시 저장소 위치를 포함하는지 여부를 확인합니다.
분기 조건:
하위 분기들은 어떤 경로들이 고려되는지를 명확히 합니다:
- 일반적인 임시 또는 캐시 폴더
- 개인 데이터 접근을 암시하는 사용자 특정 위치
- 와 같은 결합된 조건: Users + Favourites or Pictures
결과:
이 조건들 중 어느 하나라도 충족되면 이벤트는 관련성이 있는 것으로 표시되어 잠재적 오용의 가능성을 나타냅니다 clfs.sys 의심스러운 원본 경로에서

AI Output (click to show the text)

The Microsoft Defender for Endpoint Query you’ve provided is designed to filter `DeviceImageLoadEvents` based on specific conditions related to the loading of a particular system file (`clfs.sys`) and the paths from which the initiating processes are launched. Here’s a breakdown of the decision tree involved in the condition part of this query:

1. **Initial Condition**: The query starts by looking at all `DeviceImageLoadEvents` where the `FolderPath` ends with `clfs.sys`. This means it’s specifically interested in events involving the loading of the `clfs.sys` file, which is a system file related to the Common Log File System (CLFS) used by Windows.

2. **Main Conditional Branch**:
– The query then applies an OR condition to filter these events based on the `InitiatingProcessFolderPath`. This means it checks if any of the following conditions are true for the folder path of the process that initiated the loading of `clfs.sys`.

3. **Sub-Conditions for Initiating Process Folder Path**:
– The first set of sub-conditions checks if the `InitiatingProcessFolderPath` contains specific directories that could indicate potentially malicious or unauthorized activity, such as:
– `:Perflogs`
– `:UsersPublic`
– `Temporary Internet`
– `WindowsTemp`
– These paths are often associated with temporary files, public user data, internet cache, and system temporary files, respectively. Loading system files like `clfs.sys` from these contexts could be unusual or indicative of malicious activity.

– The next set of sub-conditions checks if the `InitiatingProcessFolderPath` contains specific user directories that might indicate unauthorized access to personal data:
– `:Users` combined with any of the following: `Favorites`, `Favourites`, `Contacts`, or `Pictures`.
– These conditions aim to identify scenarios where a process, potentially malicious, is accessing sensitive user data locations while loading system files.

4. **Decision Outcome**:
– If any of these sub-conditions are met (i.e., if the `InitiatingProcessFolderPath` matches any of the specified patterns), then the event is included in the query results.
– Essentially, the query is looking for instances where the loading of `clfs.sys` might be associated with potentially suspicious or unauthorized activity based on the initiating process’s location.

In summary, this Microsoft Defender for Endpoint Query uses a detailed decision tree to identify and flag `DeviceImageLoadEvents` involving the `clfs.sys` file loaded from specific folder paths that could indicate malicious or unusual system activity.

이것이 중요한 이유

향상된 컨텍스트: 분석가들은 더 이상 위험 범위를 이해하기 위해 복잡한 OR 조건을 해독할 필요가 없습니다.
더 빠른 분류: 규칙이 임시 경로 오용, 사용자 폴더 남용 또는 둘 다를 잡아내는지 몇 초 안에 알 수 있습니다.
감사 준비 논리: 트리 스타일 분해는 문서화 및 SOC 교육 노력을 더 쉽게 지원합니다.

결국 clfs.sys 를 예상된 시스템 디렉토리 외부에서 로드하는 것은 드라이버 오용, 로우 오프 랜드 전술, 또는 의심스러운 것으로 합법적 프로세스로 가장하는 악성코드.

폴더 플래그에서 위협 방어로

Uncoder AI의 의사결정 트리는 장황한 KQL을 직관적이고 SOC 친화적인 형식으로바꿉니다. 이 규칙을 조정하거나 이상을 사냥하거나 탐지 논리를 리더십에 설명할 때에 이 기능은 실용적입니다.

Uncoder AI 탐색

이 기사가 도움이 되었나요?

동료들과 좋아요를 누르고 공유하세요.

SOC Prime의 Detection as Code 플랫폼에 가입하세요 귀하의 비즈니스와 가장 관련 있는 위협에 대한 가시성을 향상시키세요. 시작하고 즉각적인 가치를 창출하기 위해 지금 SOC Prime 전문가와의 미팅을 예약하세요.

무료 가입하기 미팅 예약하기

Name	Descripiton
PHPSESSID	Preserves user session state across page requests. Cookie generated by applications based on the PHP language. This is a general purpose identifier used to maintain user session variables. It is normally a random generated number, how it is used can be specific to the site, but a good example is maintaining a logged-in status for a user between pages.
sp_i	Used to store information about authenticated User.
sp_r	Used to store information about authenticated User.
sp_a	Used to store information about authenticated User.

Name	Descripiton
tuuid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
tuuid_last_update	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
um	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
umeh	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
na_sc_x	Used by the social sharing platform AddThis to keep a record of parts of the site that has been visited in order to recommend other parts of the site.
APID	Collects anonymous data related to the user's visits to the website.
IDSYNC	Collects anonymous data related to the user's visits to the website.
_cc_aud	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_cc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_dc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_id	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
dpm	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
acs	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
clid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
KRTBCOOKIE_#	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PUBMDCID	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PugT	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
ssi	Registers a unique ID that identifies a returning user's device. The ID is used for targeted ads.
_tmid	Registers a unique ID that identifies the user's device upon return visits. The ID is used to target ads in video clips.
wam-sync	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
wui	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
AFFICHE_W	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
B	Collects anonymous data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The registered data is used to categorise the users' interest and demographical profiles with the purpose of customising the website content depending on the visitor.
1P_JAR	These cookies are used to gather website statistics, and track conversion rates.
APISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
HSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
NID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SAPISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SIDCC	Security cookie to protect users data from unauthorised access.
SSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
__utmx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.
__utmxx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.

Name	Descripiton
_hjid	Hotjar cookie. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInSample	This cookie is associated with web analytics functionality and services from Hot Jar, a Malta based company. It uniquely identifies a visitor during a single browser session and indicates they are included in an audience sample.
intercom-id-[xxx]	This cookie is used by Intercom as a session so that users can continue a chat as they move through the site.
intercom-session-[xxx]	Used to keeping track of sessions and remember logins and conversations.
demdex	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
CookieConsent	Stores the user's cookie consent state for the current domain.
__cfduid	Used by the content network, Cloudflare, to identify trusted web traffic.
ss	These cookies enable the website to provide enhanced functionality and personalisation . They may be set by us or by third party providers whose services we have added to our pages. These services may include the Live Chat facility, Contact Us form(s), the Product Quotation forms and submission process, and the Email Newsletter sign up functionality .

Name	Descripiton
_ga	This cookie name is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page. Registers a unique ID that is used to generate statistical data on how the visitor uses the website. request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.
_gat	Used by Google Analytics to throttle request rate. This cookie name is associated with Google Universal Analytics, according to documentation it is used to throttle the request rate - limiting the collection of data on high traffic sites. It expires after 10 minutes.
_gid	This cookie name is asssociated with Google Universal Analytics. This appears to be a new cookie and as of Spring 2017 no information is available from Google. It appears to store and update a unique value for each page visited. Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
IDE	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
r/collect	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
test_cookie	Used to check if the user's browser supports cookies.
collect	Used to send data to Google Analytics about the visitor's device and behaviour. Tracks the visitor across devices and marketing channels.
ads/user-lists/#	These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites.
c	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
khaos	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
put_#	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpb	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpx	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
tap.php	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.

Uncoder AI의 의사 결정 트리로 Microsoft Defender에서 clfs.sys 위협 활동 시각화

사용 사례: User 또는 Temp 경로에서 로드된 clfs.sys

의사결정 트리가 이를 분해하는 방법

이것이 중요한 이유

폴더 플래그에서 위협 방어로

목차

이 기사가 도움이 되었나요?

관련 게시물

사이버 방어를 강화하세요 위협 탐지 마켓플레이스

Uncoder AI의 의사 결정 트리로 Microsoft Defender에서 clfs.sys 위협 활동 시각화

사용 사례: User 또는 Temp 경로에서 로드된 clfs.sys

의사결정 트리가 이를 분해하는 방법

이것이 중요한 이유

폴더 플래그에서 위협 방어로

#ez_toc_widget_sticky-2 .ez-toc-widget-sticky-container ul.ez-toc-widget-sticky-list li.active{ background-color: #ededed; } 목차

이 기사가 도움이 되었나요?

관련 게시물

사이버 방어를 강화하세요 위협 탐지 마켓플레이스

목차