Adversaries may create malicious files with suspicious extensions in the PerfLogs directory to evade detection and persist on the system. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential malware execution and early-stage persistence tactics.
Detection Rule
title: Suspicious File Created In PerfLogs
id: bbb7e38c-0b41-4a11-b306-d2a457b7ac2b
status: test
description: Detects suspicious files based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files
references:
    - Internal Research
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|startswith: 'C:\PerfLogs\'
        TargetFilename|endswith:
            - '.7z'
            - '.bat'
            - '.bin'
            - '.chm'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.lnk'
            - '.ps1'
            - '.psm1'
            - '.py'
            - '.scr'
            - '.sys'
            - '.vbe'
            - '.vbs'
            - '.zip'
    condition: selection
falsepositives:
    - Unlikely
level: medium
imFileEvent
// In the ASIM FileEvent schema TargetFilePath holds the full path while TargetFileName holds
// only the file name (no directory), so the path-prefix check must run against TargetFilePath.
// startswith/endswith are case-insensitive in KQL, matching the Sigma modifiers.
| where TargetFilePath startswith "C:\\PerfLogs\\"
| where TargetFilePath endswith ".7z"
    or TargetFilePath endswith ".bat"
    or TargetFilePath endswith ".bin"
    or TargetFilePath endswith ".chm"
    or TargetFilePath endswith ".dll"
    or TargetFilePath endswith ".exe"
    or TargetFilePath endswith ".hta"
    or TargetFilePath endswith ".lnk"
    or TargetFilePath endswith ".ps1"
    or TargetFilePath endswith ".psm1"
    or TargetFilePath endswith ".py"
    or TargetFilePath endswith ".scr"
    or TargetFilePath endswith ".sys"
    or TargetFilePath endswith ".vbe"
    or TargetFilePath endswith ".vbs"
    or TargetFilePath endswith ".zip"
Scenario: System Performance Logs Cleanup Task
Description: A legitimate system maintenance task runs a script to clean up old performance logs, which may create temporary files with suspicious extensions in the \PerfLogs directory.
Filter/Exclusion: Exclude files created by the perfmon service or scripts associated with the Cleanup-PerfLogs.ps1 PowerShell script.

Scenario: Scheduled Backup Job
Description: A backup job is configured to store temporary files in \PerfLogs during the backup process, which may include files with non-standard extensions.
Filter/Exclusion: Exclude files created by the backup agent (e.g., Veeam, Acronis) or those with timestamps matching the backup schedule.

Scenario: Admin Tool for Performance Monitoring
Description: An administrator uses a tool like Windows Performance Analyzer (WPA) or PerfView to generate diagnostic files in the \PerfLogs directory.
Filter/Exclusion: Exclude files created by processes with the executable path containing PerfView.exe, WPA.exe, or PerfMon.exe.

Scenario: Log File Rotation or Archiving
Description: A log management tool (e.g., Splunk, ELK Stack, or Logstash) rotates or archives log files into the \PerfLogs directory, which may result in files with unusual extensions.
Filter/Exclusion: Exclude files created by log management tools or with extensions like .log, .gz, or .tar.

Scenario: User-Generated Temporary Files
Description: A user or application creates temporary files in \PerfLogs for testing or debugging purposes, which may have suspicious extensions.
Filter/Exclusion: Exclude files created by user-initiated processes or those with a CreationTime within a specific
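As an added example (not part of the Sigma rule, the Sentinel query, or any of the tools named above), the following Python replays the rule's selection logic and the process-based exclusion from the "Admin Tool for Performance Monitoring" scenario over constructed ASIM-style file events. The field names TargetFilePath and ActingProcessName follow the ASIM FileEvent schema; the sample events and the allow-list of tool image names are constructed for the illustration and are not real telemetry.

```python
"""Offline replay of the "Suspicious File Created In PerfLogs" logic.

Added example, not the rule author's or Microsoft's code. Shows the two
edge cases a tuner cares about: the trailing backslash in the prefix
(C:\PerfLogsOld\ must not match) and suffix-only extension matching
(report.exe.txt must not match, but loader.DLL in any case must).
"""
import ntpath

# Extension list copied from the Sigma rule's selection block.
SUSPICIOUS_EXTENSIONS = (
    ".7z", ".bat", ".bin", ".chm", ".dll", ".exe", ".hta", ".lnk",
    ".ps1", ".psm1", ".py", ".scr", ".sys", ".vbe", ".vbs", ".zip",
)

# Lower-cased because Sigma modifiers and KQL startswith/endswith are
# case-insensitive. The trailing backslash keeps sibling directories out.
PERFLOGS_PREFIX = "c:\\perflogs\\"

# Hypothetical allow-list built from the performance-tool scenario above;
# only the image name is compared so the install location does not matter.
EXCLUDED_PROCESSES = frozenset({"perfview.exe", "wpa.exe", "perfmon.exe"})


def matches_rule(target_file_path: str) -> bool:
    """Sigma `selection`: path starts with C:\\PerfLogs\\ AND ends with a listed extension."""
    path = target_file_path.lower()
    return path.startswith(PERFLOGS_PREFIX) and path.endswith(SUSPICIOUS_EXTENSIONS)


def is_excluded(event: dict) -> bool:
    """Process-based tuning: drop writes made by known performance tools."""
    image = ntpath.basename(event.get("ActingProcessName", "")).lower()
    return image in EXCLUDED_PROCESSES


def run_detection(events, apply_tuning: bool = True) -> list:
    """Return the events that would raise an alert, optionally after tuning."""
    hits = []
    for event in events:
        if not matches_rule(event["TargetFilePath"]):
            continue
        if apply_tuning and is_excluded(event):
            continue
        hits.append(event)
    return hits


# Constructed ASIM-style FileEvent records (assumption: only the two fields
# used here are populated; real imFileEvent rows carry many more columns).
SAMPLE_EVENTS = [
    # Normal content of the directory: an .etl trace, never matches.
    {"TargetFilePath": r"C:\PerfLogs\System\Diagnostics\report.etl",
     "ActingProcessName": r"C:\Windows\System32\svchost.exe"},
    # Executable dropped directly into PerfLogs: matches.
    {"TargetFilePath": r"C:\PerfLogs\update.exe",
     "ActingProcessName": r"C:\Windows\Temp\stage.exe"},
    # Mixed case in both path and extension: still matches.
    {"TargetFilePath": r"C:\PERFLOGS\Admin\loader.DLL",
     "ActingProcessName": r"C:\Windows\System32\rundll32.exe"},
    # Matches the rule but is written by PerfView.exe: removed by tuning.
    {"TargetFilePath": r"C:\PerfLogs\trace.dll",
     "ActingProcessName": r"C:\Tools\PerfView.exe"},
    # Sibling directory: the trailing backslash in the prefix rejects it.
    {"TargetFilePath": r"C:\PerfLogsOld\tool.exe",
     "ActingProcessName": r"C:\Windows\explorer.exe"},
    # ".exe" in the middle of the name, not at the end: no match.
    {"TargetFilePath": r"C:\PerfLogs\notes.exe.txt",
     "ActingProcessName": r"C:\Windows\explorer.exe"},
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print("ALERT", hit["TargetFilePath"], "written by", hit["ActingProcessName"])
```

Run as a script it prints the two events that survive tuning; the untuned run additionally returns the PerfView.exe write, which is the volume the process exclusion is meant to remove. Because the extension check is suffix-only, a double extension such as invoice.txt.exe still matches while report.exe.txt does not, which is the behaviour the Sigma `endswith` modifier gives.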