
Rule Info
Name
Suspicious Network Connection from PerfLogs Directory
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects network connections from processes executing from the PerfLogs directory, which is unusual and potentially suspicious.
The PerfLogs directory is a default Windows directory intended for storing performance logs and not typically used for running executables.
A network connection initiated by such a process could indicate malware contacting its command-and-control (C&C) server.
Adversaries sometimes use this directory to stage malware because it is often overlooked in monitoring and investigations.
Date
2025-03-24 00:00:00
Modified
None
Id
3c7c0cba-41f9-43dc-a783-f2efe39ae7f2
Tags
attack.command-and-control
Type
Nextron Sigma feed only (private)
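The rule body itself is not part of the public feed. As an added illustration of the detection idea (not the Nextron rule and not any Sigma backend output), the following Python applies equivalent logic to constructed records shaped like Sysmon Event ID 3 (NetworkConnect) events. The field names EventID, Image, Initiated, DestinationIp and DestinationPort follow Sysmon; the path regex, the drive-letter assumption and the sample records are assumptions made for this example.

```python
"""Toy re-implementation of the detection idea: alert on network connections
whose initiating process image lives under the PerfLogs directory.

Added example, not the private Nextron rule. Records are constructed to look
like Sysmon Event ID 3 fields; everything else is illustrative."""
import re
from typing import Dict, Iterable, List

Event = Dict[str, object]

# Windows paths are case-insensitive, so the match must be too. Anchoring on the
# directory separators keeps siblings such as C:\Users\bob\PerfLogsViewer\ from
# matching, while still catching executables in subdirectories of PerfLogs.
# Assumption: the directory may sit on any drive letter, not only C:.
PERFLOGS_RE = re.compile(r"^[A-Za-z]:[\\/]PerfLogs[\\/]", re.IGNORECASE)


def image_in_perflogs(image: str) -> bool:
    """True when the executable path sits anywhere under <drive>:\\PerfLogs\\."""
    return bool(PERFLOGS_RE.match((image or "").strip()))


def detect_perflogs_connections(events: Iterable[Event]) -> List[Event]:
    """Return the NetworkConnect events (Sysmon Event ID 3) whose initiating
    process image lives under PerfLogs, i.e. what the rule would alert on."""
    hits: List[Event] = []
    for ev in events:
        if ev.get("EventID") != 3:
            continue  # the rule's log source is network connections only
        if not image_in_perflogs(str(ev.get("Image", ""))):
            continue
        hits.append(ev)
    return hits


# Constructed sample telemetry (documentation IP ranges, invented paths).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 3, "Image": r"C:\PerfLogs\svchost.exe", "Initiated": True,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},            # hit
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "Initiated": True,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},            # legit
    {"EventID": 3, "Image": r"c:\perflogs\admin\agent.exe", "Initiated": True,
     "DestinationIp": "198.51.100.7", "DestinationPort": 8080},           # hit (case, subdir)
    {"EventID": 3, "Image": r"C:\Users\bob\PerfLogsViewer\viewer.exe", "Initiated": True,
     "DestinationIp": "198.51.100.7", "DestinationPort": 8080},           # look-alike, no hit
    {"EventID": 1, "Image": r"C:\PerfLogs\dropper.exe",
     "CommandLine": "dropper.exe"},                                        # process create, out of scope
]


def summarize(events: Iterable[Event]) -> List[str]:
    """One line per alert: image -> destination."""
    return [f'{e["Image"]} -> {e["DestinationIp"]}:{e["DestinationPort"]}'
            for e in detect_perflogs_connections(events)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Running it prints two alerts (the svchost.exe masquerade and the agent.exe in a PerfLogs subdirectory) and ignores both the look-alike directory name and the process-creation record. Note that Sysmon records inbound listener accepts as Event ID 3 too (Initiated=false); narrowing to Initiated=true would focus the logic on outbound C&C behaviour at the cost of missing a PerfLogs-resident listener, which is a tuning choice rather than part of the rule as described.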