Skip to content

Sigma rules to detect CVE 2025 29824 and susp BLF File Creation #5260

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

Sigma rules to detect CVE 2025 29824 and susp BLF File Creation #5260

wants to merge 7 commits into from

Conversation

swachchhanda000
Copy link
Contributor

Summary of the Pull Request

Sigma rules to detect CVE 2025 29824 and susp BLF File Creation

Changelog

new: Potential Exploitation of CVE-2025-29824 - CLFS BLF File Creation (ET)
new: Suspicious BLF File Creation Outside System Directories

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions bot added Rules Windows Pull request add/update windows related rules Emerging-Threats labels Apr 10, 2025
nasbench
nasbench requested changes Apr 15, 2025
View reviewed changes
rules/windows/file/file_event/file_event_win_susp_blf_file_creation.yml
Comment on lines +20 to +47
selection_suspicious_paths_1:
TargetFilename|contains:
- ':\$Recycle.bin'
- ':\Perflogs'
- ':\ProgramData'
- ':\Temp'
- ':\Users\Default'
- ':\Users\public'
- ':\Windows\Temp'
- ':\Windows\addins'
- ':\Windows\Fonts'
- ':\Windows\IME'
- ':\Windows\System32\Tasks'
- ':\Windows\Tasks'
- '\config\systemprofile'
- '\AppData\Local\Temp'
- '\AppData\Roaming'
selection_suspicious_paths_user_1:
TargetFilename|contains: ':\Users\'
selection_suspicious_paths_user_2:
TargetFilename|contains:
- '\Contacts\'
- '\Documents\'
- '\Favorites\'
- '\Favourites\'
- '\Music\'
- '\Photos\'
- '\Pictures\'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

.blf files should not be common so focusing on exclusion is far better than specifying a list that can be bypassed.

Also your list already contains FP such as C:\Users\Default\ and \config\systemprofile.

You cannot add a static list of potential susp paths without testing them first.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If so, wouldn't using the exclusion increase the chances of false positives even more? we can only speculate as we don't have proper sets of env logs

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The FP that i mentioned are built-in hence can be found with a nice lab.

As for the logic to use exclusion is that argument that .blf are not that common (not in many random folders) and should be created by a set of expected processes. The FPs cannot be huge once you exclude the appropriate system dirs and files.

Because it is experimental and the level is not high. People would not be flooded and you can gather more data once its merged in.

rules-emerging-threats/2025/Exploits/CVE-2025-29824/file_event_win_exploit_cve_2025_29824.yml
selection_path:
TargetFilename|contains: ':\ProgramData\SkyPDF\'
selection_image:
Image|endswith: '\dllhost.exe'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Who is the process that usually writes .blf files? Are you sure its not dllhost?

@nasbench nasbench added Work In Progress Some changes are needed Author Input Required changes the require information from original author of the rules labels Apr 15, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nasbench nasbench nasbench requested changes

Assignees
No one assigned
Labels
Author Input Required changes the require information from original author of the rules Emerging-Threats Rules Windows Pull request add/update windows related rules Work In Progress Some changes are needed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@swachchhanda000 @nasbench