Rule: Suspicious CLFS Driver Load
Suspicious CLFS Driver Load
Query
DeviceImageLoadEvents
| where FileName endswith "clfs.sys"
| where not( FolderPath startswith @"C:\Windows\System32\drivers\" )About this query
Explanation
This query is designed to detect potentially suspicious activity related to the loading of the CLFS (Common Log File System) driver on Windows systems. Here's a simple breakdown:
-
Purpose: The query aims to identify instances where the CLFS driver (
clfs.sys) is loaded from an unusual or unexpected location. This could indicate malicious activity, such as attempts to manipulate kernel modules or maintain persistence on a system. -
How It Works:
- It looks at
DeviceImageLoadEvents, which are events that track when and where system drivers and other images are loaded. - It specifically filters for events where the file name is
clfs.sys. - It flags these events if the driver is not loaded from the standard, trusted directory (
C:\Windows\System32\drivers\). Loading from a different directory might suggest tampering or unauthorized use.
- It looks at
-
Why It's Important: The CLFS driver is a critical component for managing log files in Windows. If it's loaded from an unexpected location, it could be a sign of a security breach at the kernel level, which is serious because it can allow attackers to hide their activities or maintain control over a system.
-
Considerations:
- You might need to adjust the query to exclude legitimate paths specific to your environment to avoid false positives.
- This detection is part of broader security monitoring efforts to catch early signs of exploitation and respond quickly.
-
Tags and Context: The query is associated with Windows security, image load events, and potential kernel module manipulation. It also references a specific CVE (Common Vulnerabilities and Exposures) identifier, suggesting it may be related to a known vulnerability.
Details

Ali Hussein
Released: February 25, 2025
Tables
Keywords
Operators