From ece1d7e3a83414f1c0cb4649304d7d6a933157b9 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 28 Jun 2017 10:35:42 +0200
Subject: [PATCH] Added perfc.dat keyword to NotPetya rule

---
 rules/windows/malware/sysmon_malware_notpetya.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/rules/windows/malware/sysmon_malware_notpetya.yml b/rules/windows/malware/sysmon_malware_notpetya.yml
index cc890f26..c4872343 100644
--- a/rules/windows/malware/sysmon_malware_notpetya.yml
+++ b/rules/windows/malware/sysmon_malware_notpetya.yml
@@ -20,7 +20,9 @@ detection:
 EventID: 1
 Image: '*\wevtutil.exe'
 CommandLine: '* cl *'
-condition: fsutil_clean_journal or pipe_com or event_clean
+perfc_keyword:
+- '*\perfc.dat*'
+condition: fsutil_clean_journal or pipe_com or event_clean or perfc_keyword
 falsepositives:
 - Admin activity
 level: critical
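Review bot: The new `perfc_keyword` selection is a bare keyword list, so `*\perfc.dat*` is matched against the whole event rather than being bound to a field the way the neighbouring selections bind `Image` and `CommandLine`; a field-scoped form such as `perfc_keyword:` followed by `CommandLine: '*\perfc.dat*'` would keep the rule's selections consistent and reduce incidental matches. Public NotPetya mitigation guidance has administrators pre-creating a read-only `perfc`/`perfc.dat` file under the Windows directory, so benign hardening scripts that reference that path may also trip this keyword; the `falsepositives` entry `Admin activity` could say so explicitly, e.g. `- Admin activity (vaccine scripts creating a read-only perfc.dat)`. The `detection:` block starts before this hunk, so the logsource the keyword is evaluated against is not visible here.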