diff --git a/rules/windows/malware/sysmon_malware_notpetya.yml b/rules/windows/malware/sysmon_malware_notpetya.yml
index cc890f26..c4872343 100644
--- a/rules/windows/malware/sysmon_malware_notpetya.yml
+++ b/rules/windows/malware/sysmon_malware_notpetya.yml
@@ -20,7 +20,9 @@ detection:
 EventID: 1
 Image: '*\wevtutil.exe'
 CommandLine: '* cl *'
- condition: fsutil_clean_journal or pipe_com or event_clean
+ perfc_keyword:
+ - '*\perfc.dat*'
+ condition: fsutil_clean_journal or pipe_com or event_clean or perfc_keyword
 falsepositives:
 - Admin activity
 level: critical
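Review bot: The new `perfc_keyword` selection is a bare list rather than a field map, which in Sigma means a free-text keyword search over the whole event instead of a field match, so unlike the sibling selections (`EventID: 1`, `Image`, `CommandLine`) it is not scoped to process creation and will fire on any Sysmon event whose text contains `\perfc.dat` — including, as far as I can tell, file-create events from administrators deploying the read-only perfc "vaccine" file that was widely recommended against this malware. Since the rule is `level: critical` and the new term is simply ORed into `condition`, that is a noisy path; either scope it, e.g. `perfc_keyword:` / `    CommandLine: '*\perfc.dat*'`, or at least extend `falsepositives` with `- Deployment of the perfc.dat vaccine file`. The enclosing `detection:` mapping begins above this hunk, so I cannot see whether `logsource` already narrows the event set.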