Detection rules › Sigma

Suspicious File Created In PerfLogs

Severity
medium
Author
Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects suspicious files, identified by their extension, being created under "C:\PerfLogs". Note that this directory normally contains only ".etl" trace files, so creation of executables, scripts or archives there is unexpected.

MITRE ATT&CK coverage

Tactic       Techniques
Execution    T1059 Command and Scripting Interpreter

Event coverage

Provider    Event ID    Title
Sysmon      11          FileCreate

Stages and Predicates

Stage 1: selection

and:
  TargetFilename|startswith: 'C:\PerfLogs\'
  or:
    TargetFilename|endswith: .7z
    TargetFilename|endswith: .bat
    TargetFilename|endswith: .bin
    TargetFilename|endswith: .chm
    TargetFilename|endswith: .dll
    TargetFilename|endswith: .exe
    TargetFilename|endswith: .hta
    TargetFilename|endswith: .lnk
    TargetFilename|endswith: .ps1
    TargetFilename|endswith: .psm1
    TargetFilename|endswith: .py
    TargetFilename|endswith: .scr
    TargetFilename|endswith: .sys
    TargetFilename|endswith: .vbe
    TargetFilename|endswith: .vbs
    TargetFilename|endswith: .zip
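The selection above, evaluated against constructed Sysmon Event ID 11 records, as an added example that is not part of the catalog or the rule author's code. It assumes each event is a dict with "EventID" and "TargetFilename" keys, and applies Sigma's default case-insensitive string matching; the folder predicate and the extension predicate must both hold.

```python
# Added example: evaluate the PerfLogs rule logic over Sysmon FileCreate events.
# Not the catalog's or the rule author's code; the dict-shaped event record
# (keys "EventID" and "TargetFilename") is an assumption.
from typing import Iterable

# Extension list exactly as in the rule's selection.
SUSPICIOUS_EXTENSIONS = (
    ".7z", ".bat", ".bin", ".chm", ".dll", ".exe", ".hta", ".lnk",
    ".ps1", ".psm1", ".py", ".scr", ".sys", ".vbe", ".vbs", ".zip",
)
TARGET_PREFIX = "C:\\PerfLogs\\"


def matches_rule(event: dict) -> bool:
    """True when a Sysmon FileCreate event satisfies both predicates.

    Sigma string modifiers compare case-insensitively, so the path is
    lower-cased before the startswith/endswith checks.
    """
    if event.get("EventID") != 11:
        return False
    path = str(event.get("TargetFilename", "")).lower()
    in_perflogs = path.startswith(TARGET_PREFIX.lower())
    has_suspicious_ext = path.endswith(SUSPICIOUS_EXTENSIONS)  # tuple = any-of
    return in_perflogs and has_suspicious_ext


def find_matches(events: Iterable[dict]) -> list:
    """Return the TargetFilename of every event that triggers the rule."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\PerfLogs\Admin\trace_001.etl"},  # benign ETL trace
    {"EventID": 11, "TargetFilename": r"C:\PerfLogs\update.ps1"},           # match
    {"EventID": 11, "TargetFilename": r"c:\perflogs\SVCHOST.EXE"},          # match, case-insensitive
    {"EventID": 11, "TargetFilename": r"C:\Users\Public\loader.exe"},       # wrong folder
    {"EventID": 1,  "TargetFilename": r"C:\PerfLogs\run.bat"},              # wrong event ID
    {"EventID": 11, "TargetFilename": r"C:\PerfLogsOld\tool.dll"},          # prefix needs trailing backslash
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT Suspicious File Created In PerfLogs:", hit)
```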

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or a count of 1 shows that the indicator is specific to this rule.

Field              Kind          Values
TargetFilename     ends_with
  • .7z corpus 3 (sigma 3)
  • .bat corpus 15 (sigma 15)
  • .bin
  • .chm corpus 3 (sigma 3)
  • .dll corpus 21 (sigma 21)
  • .exe corpus 18 (sigma 18)
  • .hta corpus 12 (sigma 12)
  • .lnk corpus 5 (sigma 5)
  • .ps1 corpus 15 (sigma 15)
  • .psm1 corpus 4 (sigma 4)
  • .py corpus 2 (sigma 2)
  • .scr corpus 8 (sigma 8)
  • .sys corpus 6 (sigma 6)
  • .vbe corpus 13 (sigma 13)
  • .vbs corpus 16 (sigma 16)
  • .zip corpus 4 (sigma 4)
TargetFilename     starts_with
  • C:\PerfLogs\ corpus 2 (sigma 2)