feat(rules): Add Exploitation via Common Log File System rule

Identifies potential Common Log File System (CLFS) exploitation for
privilege escalation by non-SYSTEM processes invoking CLFS log file
API followed by the spawning of a child process with system privileges.

Author: rabbitstack

rules/privilege_escalation_exploitation_via_common_log_file_system.yml

@@ -0,0 +1,33 @@
+name: Exploitation via Common Log File System
+id: 74624a2e-1ca6-4214-9065-9f96d60e9cc6
+version: 1.0.0
+description: |
+  Identifies potential Common Log File System (CLFS) exploitation for
+  privilege escalation by non-SYSTEM processes invoking CLFS log file
+  API followed by the spawning of a child process with system privileges.
+labels:
+  tactic.id: TA0004
+  tactic.name: Privilege Escalation
+  tactic.ref: https://attack.mitre.org/tactics/TA0004/
+  technique.id: T1068
+  technique.name: Exploitation for Privilege Escalation
+  technique.ref: https://attack.mitre.org/techniques/T1068/
+references:
+  - https://github.com/encrypter15/CVE-2025-29824
+  - https://github.com/advisories/GHSA-74mq-6c57-fxpx
+  - https://www.elastic.co/security-labs/itw-windows-lpe-0days-insights-and-detection-strategies
+
+condition: >
+  sequence
+  maxspan 1m30s
+    |((open_file) or (create_file)) and
+     ps.sid != 'S-1-5-18' and
+     thread.callstack.symbols imatches ('clfsw32.dll!CreateLogFile*', 'clfsw32.dll!AddLogContainerSet*')
+    | by ps.uuid
+    |spawn_process and (ps.sid = 'S-1-5-18' or ps.token.integrity_level = 'SYSTEM')| by ps.parent.uuid
+action:
+  - name: kill
+
+severity: high
+
+min-engine-version: 3.0.0