Query Details

Suspicious CLFS Driver Load

Query

# Rule: Suspicious CLFS Driver Load

## Description
This detection rule identifies the CLFS driver image (`clfs.sys`) being loaded from somewhere other than its expected location, which may indicate an attempt to substitute or sideload a kernel module for malicious purposes. The CLFS (Common Log File System) driver normally lives in `C:\Windows\System32\drivers\` and is a core Windows component for managing transactional log files. A copy of it loaded from an unexpected directory, or in an unusual context, is an indicator of kernel-level tampering or of a persistence mechanism employed by adversaries.

Monitoring image load events for the CLFS driver can give early warning of such activity and enable rapid investigation and remediation. Note what the check does and does not cover: elevation-of-privilege bugs in CLFS are exploited against the legitimate, correctly located driver through crafted log files, so a path-based rule will not flag that; it targets driver substitution, not in-place exploitation.

- [Sigma Rule: Image Load CLFS Load](https://detection.fyi/sigmahq/sigma/windows/image_load/image_load_clfs_load/)  

## Detection Logic
- Monitors `DeviceImageLoadEvents` for events where the loaded image is the CLFS driver (`FileName` ending in `clfs.sys`).
- Flags those events when the image was loaded from anywhere other than the trusted location `C:\Windows\System32\drivers\`.
- Caveat: in Microsoft Defender for Endpoint, `DeviceImageLoadEvents` records image (DLL) loads into processes, while the kernel's own driver load is surfaced in `DeviceEvents` with `ActionType == "DriverLoad"`. The same path filter is worth running against that table as well if you want to see the driver load itself.

## Tags
- Windows Security
- Image Load Events
- Suspicious Driver Load
- Kernel Module Manipulation
- Persistence
- CLFS
- CVE-2024-38196

## Search Query
```kql
// Image loads named clfs.sys from any location other than the expected drivers folder.
DeviceImageLoadEvents
| where FileName endswith "clfs.sys"   // case-insensitive; note this also matches names such as "xclfs.sys" (use =~ for an exact match)
| where not( FolderPath startswith @"C:\Windows\System32\drivers\" )   // expected location of the genuine driver
```
## Exclusions
You may need to exclude legitimate paths specific to your environment (for example, offline Windows images mounted for servicing, which carry their own `Windows\System32\drivers\` tree). Confirm each such location is benign before adding a further `FolderPath` filter for it, and keep the list as short as possible.

Explanation

This query is designed to detect potentially suspicious activity around the loading of the CLFS (Common Log File System) driver on Windows systems. A short breakdown:

1. Purpose: identify instances where the CLFS driver (`clfs.sys`) is loaded from an unusual or unexpected location. This could indicate malicious activity, such as an attempt to substitute a kernel module or to maintain persistence on a system.

2. How it works:
   - It looks at `DeviceImageLoadEvents`, which records when, and from which path, images are loaded.
   - It filters for events where the file name ends with `clfs.sys`.
   - It flags those events if the image was not loaded from the standard, trusted directory (`C:\Windows\System32\drivers\`). Loading from any other directory suggests tampering or unauthorized use.

3. Why it's important: the CLFS driver is a core component for managing log files in Windows. A copy loaded from an unexpected location can be a sign of a kernel-level compromise, which is serious because code at that level can hide an attacker's activity and maintain control over the system.

4. Considerations:
   - You may need to adjust the query to exclude legitimate paths specific to your environment to avoid false positives.
   - The rule looks only at the load path. Exploitation of a CLFS vulnerability against the genuine, correctly located driver leaves that path unchanged and is not detected here, so treat this as one signal within broader monitoring rather than as vulnerability coverage.

5. Tags and context: the query is tagged with Windows security, image load events and kernel module manipulation. It also carries the tag CVE-2024-38196, a Windows Common Log File System driver elevation-of-privilege vulnerability, which is the kind of CLFS abuse this hunt is meant to give context for.

Details

Ali Hussein

Released: February 25, 2025

Tables

DeviceImageLoadEvents

Keywords

DeviceImageLoadEvents, Windows Security, Suspicious Driver Load, Kernel Module Manipulation, Persistence, CLFS

Operators

endswith, not, startswith