Rewterz Threat Advisory – Unknown Actor Using CLFS Log Files for Stealth – Active IOCs

Severity

High

Analysis Summary

Microsoft introduced the Common Log File System (CLFS) logging framework in Windows Vista and Windows Server 2003 for efficient performance. It provides applications with an API, available in clfsw32.dll, for creating, storing and reading logs. The format is not widely used or documented, and consequently no tool is available to analyze CLFS log files. This gives attackers the opportunity to hide their data as log records, and to do so conveniently, since the records can be written and read back through the API functions. This is similar in nature to malware that relies, for example, on the Windows Registry or NTFS Extended Attributes to hide its data, both of which also provide locations for storing and restoring binary data through the Windows API. In Microsoft Windows, CLFS is notably used by the Kernel Transaction Manager (KTM) for both Transactional NTFS (TxF) and Transactional Registry (TxR) operations. These allow an application to make a number of changes to the file system or the registry, all grouped in a single transaction that can be committed or rolled back. For example, to open a registry key within a transaction, the functions RegCreateKeyTransacted(), RegOpenKeyTransacted() and RegDeleteKeyTransacted() are available. The records of these transactions are stored in dedicated files named <hive><GUID>.TMContainer<number>.regtrans-ms or <hive><GUID>.TxR.<number>.regtrans-ms. These are CLFS containers referenced by a master.blf file, and they can be found in various locations, including user profile directories.
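The following hunt script is an added example and not part of the Rewterz advisory. It enumerates the CLFS artefacts the summary describes (master.blf containers and *.regtrans-ms transaction logs) under the user profile root, hashes each file, and flags any that match the hash indicators published below; the profile root C:\Users is an assumption, adjust it if profiles are relocated.

```powershell
# Added example (not from the advisory). Assumes Windows PowerShell 5.1 or later
# and read access to the profile directories being scanned.

# Hash indicators as published in the advisory.
$IocMd5    = @('91b08896fbda9edb8b6f93a6bc811ec6',
               '0c605276ff21b5150365b7d1991f5904')
$IocSha1   = @('2946dce2f77bccc21b782a9d9efeb2018d953564',
               '2d336978af261e07b1ecfaf65dc903b239e287a4')
$IocSha256 = @('1e53559e6be1f941df1a1508bba5bb9763aedba23f946294ce5d92646877b40c',
               '720610b9067c8afe857819a098a44cab24e9da5cf6a086351d01b73714afd397')

# Assumption: default profile root. The advisory notes CLFS containers can sit
# in user profile directories, so that is where this hunt looks.
$ProfileRoot = 'C:\Users'

# File name patterns from the advisory: master.blf plus
# <hive><GUID>.TMContainer<n>.regtrans-ms and <hive><GUID>.TxR.<n>.regtrans-ms.
$Patterns = @('*.blf', '*.regtrans-ms')

$Findings = Get-ChildItem -Path $ProfileRoot -Recurse -Force -File `
        -Include $Patterns -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = $_
        # Get-FileHash returns nothing on a locked file; "$null" stays an empty string.
        $md5    = "$((Get-FileHash -Path $f.FullName -Algorithm MD5    -ErrorAction SilentlyContinue).Hash)"
        $sha1   = "$((Get-FileHash -Path $f.FullName -Algorithm SHA1   -ErrorAction SilentlyContinue).Hash)"
        $sha256 = "$((Get-FileHash -Path $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash)"
        # -contains compares case-insensitively, so upper-case hashes match the lower-case IOCs.
        $hit = ($IocMd5 -contains $md5) -or ($IocSha1 -contains $sha1) -or ($IocSha256 -contains $sha256)
        [pscustomobject]@{
            IocMatch  = $hit
            Path      = $f.FullName
            SizeBytes = $f.Length
            LastWrite = $f.LastWriteTimeUtc
            Sha256    = $sha256
        }
    }

# Matches first; the rest is listed so unexpected locations, sizes or write times
# can be reviewed by hand, since a hash miss alone does not clear a host.
$Findings | Sort-Object IocMatch -Descending | Format-Table -AutoSize
```

Files that fail to hash (empty Sha256 column) are typically held open by the Kernel Transaction Manager and should be re-checked from an offline copy rather than treated as clean.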


Impact

  • Information Disclosure

Affected Vendors

Realtek

Indicators of Compromise

MD5

  • 91b08896fbda9edb8b6f93a6bc811ec6
  • 0c605276ff21b5150365b7d1991f5904

SHA-256

  • 1e53559e6be1f941df1a1508bba5bb9763aedba23f946294ce5d92646877b40c
  • 720610b9067c8afe857819a098a44cab24e9da5cf6a086351d01b73714afd397

SHA-1

  • 2946dce2f77bccc21b782a9d9efeb2018d953564
  • 2d336978af261e07b1ecfaf65dc903b239e287a4

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.