Clfs.sys being loaded by a process that runs from a suspicious location (Perflogs, Users\Public, Windows\Temp, Temporary Internet Files, or a user's Favorites, Contacts or Pictures folder) is a pattern commonly seen in exploits for vulnerabilities in the Common Log File System (CLFS) driver, which are typically local privilege escalation bugs. SOC teams should proactively hunt for this behaviour in Azure Sentinel (the KQL below runs against the Defender for Endpoint DeviceImageLoadEvents table, available in Sentinel through the MDE connector) to identify exploitation attempts that use CLFS as one step of a broader attack chain.
Detection Rule
```yaml
title: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
id: fb4e2211-6d08-426b-8e6f-0d4a161e3b1d
status: experimental
description: Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded by many exploits for CVEs that target the Common Log File System (CLFS) driver.
references:
    - https://ssd-disclosure.com/ssd-advisory-common-log-file-system-clfs-driver-pe/
    - https://x.com/Threatlabz/status/1879956781360976155
author: X__Junior
date: 2025-01-20
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: image_load
    product: windows
detection:
    selection_dll:
        ImageLoaded|endswith: '\clfs.sys'
    selection_folders_1:
        Image|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\Temporary Internet'
            - '\Windows\Temp\'
    selection_folders_2:
        - Image|contains|all:
            - ':\Users\'
            - '\Favorites\'
        - Image|contains|all:
            - ':\Users\'
            - '\Favourites\'
        - Image|contains|all:
            - ':\Users\'
            - '\Contacts\'
        - Image|contains|all:
            - ':\Users\'
            - '\Pictures\'
    condition: selection_dll and 1 of selection_folders_*
falsepositives:
    - Unknown
level: medium
```
```kql
DeviceImageLoadEvents
| where FolderPath endswith "\\clfs.sys"
    and (
        (InitiatingProcessFolderPath contains ":\\Perflogs\\"
         or InitiatingProcessFolderPath contains ":\\Users\\Public\\"
         or InitiatingProcessFolderPath contains "\\Temporary Internet"
         or InitiatingProcessFolderPath contains "\\Windows\\Temp\\")
        or (
            (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favorites\\")
            or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Favourites\\")
            or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Contacts\\")
            or (InitiatingProcessFolderPath contains ":\\Users\\" and InitiatingProcessFolderPath contains "\\Pictures\\")
        )
    )
```
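To make the matching behaviour concrete, the following is an added example (not code from the original page or from the SigmaHQ rule) that re-implements the rule's condition in Python and runs it over constructed Sysmon Event ID 7 records. The paths and file names in the sample events are hypothetical, and the `exclusion_is_redundant` helper is added here only to show what a path-based exclusion would do to the result set.

```python
"""
Added example: the rule's detection logic over constructed image-load events.
Field names follow the Sigma windows/image_load model: 'Image' is the process
that performed the load, 'ImageLoaded' is the module. In the Defender table
DeviceImageLoadEvents these are InitiatingProcessFolderPath and FolderPath.
"""
from dataclasses import dataclass

# selection_folders_1: any of these substrings anywhere in the process path
FOLDERS_1 = (":\\perflogs\\", ":\\users\\public\\", "\\temporary internet", "\\windows\\temp\\")
# selection_folders_2: ':\Users\' AND one of these per-user subfolders
USER_PREFIX = ":\\users\\"
FOLDERS_2 = ("\\favorites\\", "\\favourites\\", "\\contacts\\", "\\pictures\\")


@dataclass(frozen=True)
class ImageLoadEvent:
    image: str          # process that performed the load (Sysmon 'Image')
    image_loaded: str   # module that was loaded (Sysmon 'ImageLoaded')


def matches_rule(ev: ImageLoadEvent) -> bool:
    """condition: selection_dll and 1 of selection_folders_*"""
    # Sigma's endswith/contains and KQL's endswith/contains are case-insensitive,
    # so compare lower-cased paths.
    image, loaded = ev.image.lower(), ev.image_loaded.lower()
    selection_dll = loaded.endswith("\\clfs.sys")  # the leading '\' keeps 'myclfs.sys' out
    folders_1 = any(s in image for s in FOLDERS_1)
    folders_2 = USER_PREFIX in image and any(s in image for s in FOLDERS_2)
    return selection_dll and (folders_1 or folders_2)


def triage(events):
    """Return the loading-process path of every event the rule fires on."""
    return [ev.image for ev in events if matches_rule(ev)]


def exclusion_is_redundant(events, needle: str) -> bool:
    """True if appending 'and not Image contains <needle>' to the rule would not
    change the result set for these events, i.e. the exclusion only removes
    paths the folder selections never matched in the first place."""
    with_filter = [ev.image for ev in events
                   if matches_rule(ev) and needle.lower() not in ev.image.lower()]
    return with_filter == triage(events)


# Constructed sample events (hypothetical paths, not real telemetry).
DRIVER = r"C:\Windows\System32\drivers\clfs.sys"
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\Users\Public\clfs_poc.exe", DRIVER),        # fires: Users\Public
    ImageLoadEvent(r"C:\Users\alice\Pictures\update.exe", DRIVER),  # fires: Users\...\Pictures
    ImageLoadEvent(r"C:\Windows\Temp\stage2.exe", DRIVER),          # fires: Windows\Temp
    ImageLoadEvent(r"C:\Windows\System32\eventvwr.exe", DRIVER),    # no: System32 is not a listed folder
    ImageLoadEvent(r"C:\Users\Public\tool.exe", r"C:\Windows\System32\clfsw32.dll"),  # no: user-mode CLFS DLL, not the driver
    ImageLoadEvent(r"C:\Users\Public\tool.exe", r"C:\Users\Public\myclfs.sys"),       # no: does not end with '\clfs.sys'
    ImageLoadEvent(r"C:\Users\alice\Downloads\poc.exe", DRIVER),    # no: Downloads is not in the rule
]

if __name__ == "__main__":
    for path in triage(SAMPLE_EVENTS):
        print("ALERT", path)
    print("System32 exclusion redundant:", exclusion_is_redundant(SAMPLE_EVENTS, "System32"))
```

Two things the run makes visible: a process under C:\Windows\System32 never matches, so an exclusion on that path changes nothing, and a per-user Downloads folder is not among the listed locations, so a PoC dropped there is a gap in this rule as written rather than a false negative in the telemetry.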
Scenario: An administrator opens Windows Event Viewer, and eventvwr.exe loads Clfs.sys from its normal location under C:\Windows\System32.
Filter/Exclusion: None needed. The rule only fires when the loading process itself runs from one of the listed folders, so a system binary under C:\Windows\System32 never matches. An exclusion such as process.path contains "System32" is therefore redundant, and a name-only exclusion (process.name != "eventvwr.exe") is worse, because a binary named eventvwr.exe dropped into C:\Users\Public would slip past it.
Scenario: A scheduled task runs a script or tool that loads Clfs.sys.
Filter/Exclusion: Task actions are launched by the Task Scheduler service host (svchost.exe), not by schtasks.exe, which only creates and queries tasks, and there is no process named "TaskScheduler" to filter on. The rule matches only if the task's binary lives in one of the listed folders (for example a tool deployed to C:\Windows\Temp). If such a task is legitimate, exclude that task's specific binary path rather than anything related to schtasks.
Scenario: Windows Update or a System File Checker (SFC) scan is running while Clfs.sys is loaded.
Filter/Exclusion: None needed. svchost.exe (wuauserv), sfc.exe and dism.exe all run from C:\Windows\System32, which the folder selections do not cover.
Scenario: A log management agent such as Splunk or the ELK Stack runs a process that loads Clfs.sys.
Filter/Exclusion: Only relevant if the agent is installed in one of the listed folders; a default install under C:\Program Files does not match. Where it does, exclude the agent by its full image path (for example the path of splunkd.exe, or java.exe together with its specific command line) rather than by name alone, since a name-only exclusion can be reused by an attacker's binary.
Scenario: A third-party log analysis tool such as Microsoft Log Parser or a PowerShell script is used to analyse logs and loads Clfs.sys in the process. Note that powershell.exe runs from C:\Windows\System32\WindowsPowerShell\v1.0 and Log Parser installs under C:\Program Files, so neither matches the folder selections unless a copy of the tool is executed from one of the listed locations.
Filter/Exclusion: Exclude processes with PowerShell (powershell.exe) or LogParser (`logparser.exe