Suspicious File Created In PerfLogs

 1title: Suspicious File Created In PerfLogs
 2id: bbb7e38c-0b41-4a11-b306-d2a457b7ac2b
 3status: test
 4description: Detects suspicious file based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files
 5references:
 6    - Internal Research
 7    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023-05-05
10tags:
11    - attack.execution
12    - attack.t1059
13logsource:
14    category: file_event
15    product: windows
16detection:
17    selection:
18        TargetFilename|startswith: 'C:\PerfLogs\'
19        TargetFilename|endswith:
20            - '.7z'
21            - '.bat'
22            - '.bin'
23            - '.chm'
24            - '.dll'
25            - '.exe'
26            - '.hta'
27            - '.lnk'
28            - '.ps1'
29            - '.psm1'
30            - '.py'
31            - '.scr'
32            - '.sys'
33            - '.vbe'
34            - '.vbs'
35            - '.zip'
36    condition: selection
37falsepositives:
38    - Unlikely
39level: medium

References

• Internal Research

  
  Read More

• FIN7 tradecraft seen in attacks against Veeam backup servers

  

  WithSecure Intelligence identified attacks which occurred in late March 2023 against internet-facing servers running Veeam Backup & Replication software. Our research indicates that the intrusion set used in these attacks has overlaps with those attributed to the FIN7 activity group. It is likely that initial access & execution was achieved through a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532.

  
  Read More

Related rules

• Abusable DLL Potential Sideloading From Suspicious Location
• Add Insecure Download Source To Winget
• Add New Download Source To Winget
• Atlassian Confluence CVE-2022-26134
• Azure New CloudShell Created