LoFP / legitimate usage by an administrator

Techniques

Sample rules

Rebuild Performance Counter Values Via Lodctr.EXE

Description

Detects the execution of “lodctr.exe” to rebuild the performance counter registry values. Attackers can abuse this by supplying a malicious configuration file that overwrites the performance counter configuration in order to confuse and evade monitoring and security solutions.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains|windash: ' -r'
selection_img:
  Image|endswith: \lodctr.exe
  OriginalFileName: LODCTR.EXE

New Virtual Smart Card Created Via TpmVscMgr.EXE

Description

Detects execution of “Tpmvscmgr.exe” to create a new virtual smart card.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains: create
selection_img:
  Image|endswith: \tpmvscmgr.exe
  OriginalFileName: TpmVscMgr.exe