Rebuild Performance Counter Values Via Lodctr.EXE
Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.
Sigma rule (View on GitHub)
1title: Rebuild Performance Counter Values Via Lodctr.EXE
2id: cc9d3712-6310-4320-b2df-7cb408274d53
3status: experimental
4description: Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.
5references:
6 - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023/06/15
9modified: 2024/03/05
10tags:
11 - attack.execution
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection_img:
17 Image|endswith: '\lodctr.exe'
18 OriginalFileName: 'LODCTR.EXE'
19 selection_cli:
20 CommandLine|contains|windash: ' -r'
21 condition: all of selection_*
22falsepositives:
23 - Legitimate usage by an administrator
24level: medium
References
-
Learn about the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer.
Read More
Related rules
- Forfiles Command Execution
- Qakbot Regsvr32 Calc Pattern
- Potential Raspberry Robin CPL Execution Activity
- Add Insecure Download Source To Winget
- Add New Download Source To Winget