Clfs.SYS Loaded By Process Located In a Potential Suspicious Location

Original Source: [Sigma source]
title: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
status: experimental
description: Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVE exploits that target the Common Log File System (CLFS) driver.
references:
  - https://ssd-disclosure.com/ssd-advisory-common-log-file-system-clfs-driver-pe/
  - https://x.com/Threatlabz/status/1879956781360976155
author: X__Junior
date: 2025-01-20
modified: None
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: image_load
  product: windows
detection:
  selection_dll:
    ImageLoaded|endswith: '\clfs.sys'
  selection_folders_1:
    Image|contains:
      - ':\Perflogs\'
      - ':\Users\Public\'
      - '\Temporary Internet'
      - '\Windows\Temp\'
  selection_folders_2:
    - Image|contains|all:
        - ':\Users\'
        - '\Favorites\'
    - Image|contains|all:
        - ':\Users\'
        - '\Favourites\'
    - Image|contains|all:
        - ':\Users\'
        - '\Contacts\'
    - Image|contains|all:
        - ':\Users\'
        - '\Pictures\'
  condition: selection_dll and 1 of selection_folders_*
falsepositives:
  - Unknown
level: medium
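As an added example (not part of the Sigma rule or its author's code), the evaluator below implements the rule's matching logic in Python, including the case-insensitive `endswith`/`contains` semantics, the `contains|all` lists and the `1 of selection_folders_*` condition, and runs it over constructed image_load events. The event field names follow the rule; the sample paths are made up.

```python
# Added example: evaluates the Sigma rule above against constructed
# image_load events. Sigma string modifiers are case-insensitive, so every
# comparison is done on lower-cased values.

CLFS_SUFFIX = "\\clfs.sys"

# selection_folders_1: one substring match on the loading process path (Image)
FOLDERS_1 = [":\\Perflogs\\", ":\\Users\\Public\\",
             "\\Temporary Internet", "\\Windows\\Temp\\"]

# selection_folders_2: every substring in a tuple must be present (contains|all)
FOLDERS_2 = [
    (":\\Users\\", "\\Favorites\\"),
    (":\\Users\\", "\\Favourites\\"),
    (":\\Users\\", "\\Contacts\\"),
    (":\\Users\\", "\\Pictures\\"),
]


def selection_dll(event):
    # ImageLoaded|endswith: '\clfs.sys'
    return event.get("ImageLoaded", "").lower().endswith(CLFS_SUFFIX)


def selection_folders_1(event):
    image = event.get("Image", "").lower()
    return any(f.lower() in image for f in FOLDERS_1)


def selection_folders_2(event):
    image = event.get("Image", "").lower()
    return any(all(p.lower() in image for p in parts) for parts in FOLDERS_2)


def rule_matches(event):
    # condition: selection_dll and 1 of selection_folders_*
    return selection_dll(event) and (selection_folders_1(event) or selection_folders_2(event))


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\Public\\update.exe", "ImageLoaded": "C:\\Windows\\System32\\drivers\\CLFS.SYS"},
    {"Image": "C:\\Users\\alice\\Pictures\\viewer.exe", "ImageLoaded": "C:\\Windows\\System32\\drivers\\clfs.sys"},
    {"Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\drivers\\clfs.sys"},
    {"Image": "C:\\Users\\Public\\tool.exe", "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll"},
]


def matching_images(events=SAMPLE_EVENTS):
    # Returns the Image paths of events that fire the rule, in input order
    return [e["Image"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for image in matching_images():
        print("ALERT:", image)
```

Only the first two sample events fire: the svchost.exe load comes from a normal location, and the last event loads a different image, so `selection_dll` fails.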