Clfs.SYS Loaded By Process Located In a Potential Suspicious Location

Detects clfs.sys being loaded by a process running from a potentially suspicious location. clfs.sys is the Common Log File System (CLFS) kernel driver, and exploits for many CLFS CVEs map the driver image into the exploiting user-mode process (commonly to derive offsets from it), so an image_load event for \clfs.sys in a process running out of a scratch or user-profile directory is a useful indicator.

Sigma rule

title: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
id: fb4e2211-6d08-426b-8e6f-0d4a161e3b1d
status: experimental
description: Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVE exploits that target the Common Log File System (CLFS) driver.
references:
    - https://ssd-disclosure.com/ssd-advisory-common-log-file-system-clfs-driver-pe/
    - https://x.com/Threatlabz/status/1879956781360976155
author: X__Junior
date: 2025-01-20
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: image_load
    product: windows
detection:
    selection_dll:
        ImageLoaded|endswith: '\clfs.sys'
    selection_folders_1:
        Image|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\Temporary Internet'
            - '\Windows\Temp\'
    selection_folders_2:
        - Image|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - Image|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - Image|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - Image|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: selection_dll and 1 of selection_folders_*
falsepositives:
    - Unknown
level: medium
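
The following is an added example, not part of the SigmaHQ rule or of this page: a plain-Python rendering of the rule's detection logic (`selection_dll and 1 of selection_folders_*`) run over a handful of constructed Sysmon Event ID 7 records. Field names follow the Sigma `windows`/`image_load` logsource (`Image` is the loading process, `ImageLoaded` the mapped file); the sample records are hand-written, not real telemetry. Sigma string modifiers match case-insensitively by default, so the comparisons lowercase both sides, which matters when the rule is translated to a case-sensitive backend.

```python
"""Reference implementation of the CLFS image_load Sigma rule shown above.
Added example (not the rule author's code). Records below are constructed."""

# selection_folders_1: Image|contains any of these fixed fragments.
# Lowercased because Sigma string matching is case-insensitive by default.
SUSPICIOUS_FOLDERS = (
    ":\\perflogs\\",
    ":\\users\\public\\",
    "\\temporary internet",
    "\\windows\\temp\\",
)

# selection_folders_2: Image|contains|all of ':\Users\' and one sub-folder,
# OR'ed across the four listed pairs.
USER_SUBFOLDERS = ("\\favorites\\", "\\favourites\\", "\\contacts\\", "\\pictures\\")


def _contains_all(value: str, needles) -> bool:
    """Sigma contains|all: every needle must appear somewhere in value."""
    return all(n in value for n in needles)


def clfs_suspicious_load(event: dict) -> bool:
    """True when the record satisfies `selection_dll and 1 of selection_folders_*`."""
    image = event.get("Image", "").lower()
    image_loaded = event.get("ImageLoaded", "").lower()

    # selection_dll: ImageLoaded|endswith '\clfs.sys'
    if not image_loaded.endswith("\\clfs.sys"):
        return False

    folders_1 = any(frag in image for frag in SUSPICIOUS_FOLDERS)
    folders_2 = any(_contains_all(image, (":\\users\\", sub)) for sub in USER_SUBFOLDERS)

    # "1 of selection_folders_*" is an OR over the two folder selections.
    return folders_1 or folders_2


# Constructed Sysmon Event ID 7 (image load) records, not real telemetry.
SAMPLE_EVENTS = [
    # Expected hit: Users\Public matches selection_folders_1.
    {"EventID": 7, "Image": "C:\\Users\\Public\\clfs_poc.exe",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\clfs.sys"},
    # Expected hit: ':\Users\' + '\Pictures\' matches selection_folders_2;
    # upper-case file name checks the case-insensitive endswith.
    {"EventID": 7, "Image": "C:\\Users\\alice\\Pictures\\update.exe",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\CLFS.SYS"},
    # No hit: same driver image, but the loader runs from System32.
    {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\clfs.sys"},
    # No hit: suspicious folder, but the user-mode CLFS DLL is not the driver.
    {"EventID": 7, "Image": "C:\\Users\\Public\\tool.exe",
     "ImageLoaded": "C:\\Windows\\System32\\clfsw32.dll"},
    # No hit: Downloads is not one of the rule's listed folders (coverage gap).
    {"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\clfs_poc.exe",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\clfs.sys"},
]


def run_detection(events) -> list:
    """Return the Image path of every matching record, in input order."""
    return [e["Image"] for e in events if clfs_suspicious_load(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT clfs.sys loaded from suspicious location:", hit)
```

The last sample record is the one to keep in mind when tuning: the rule keys only on the loading process's path, so an exploit staged in a folder not on the list (Downloads, Desktop, AppData) produces no alert, and broadening the path list is a trade against the `Unknown` false-positive rate the rule declares.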
