Suspicious File Created In PerfLogs

Detects suspicious file based on their extension being created in "C:\PerfLogs". Note that this directory mostly contains ".etl" files

Sigma rule (View on GitHub)

 1title: Suspicious File Created In PerfLogs
 2id: bbb7e38c-0b41-4a11-b306-d2a457b7ac2b
 3status: test
 4description: Detects suspicious file based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files
 5references:
 6    - Internal Research
 7    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2023/05/05
10tags:
11    - attack.execution
12    - attack.t1059
13logsource:
14    category: file_event
15    product: windows
16detection:
17    selection:
18        TargetFilename|startswith: 'C:\PerfLogs\'
19        TargetFilename|endswith:
20            - '.7z'
21            - '.bat'
22            - '.bin'
23            - '.chm'
24            - '.dll'
25            - '.exe'
26            - '.hta'
27            - '.lnk'
28            - '.ps1'
29            - '.psm1'
30            - '.py'
31            - '.scr'
32            - '.sys'
33            - '.vbe'
34            - '.vbs'
35            - '.zip'
36    condition: selection
37falsepositives:
38    - Unlikely
39level: medium

References

Related rules

to-top