mandiant/capa-rules

detect opening of services often referenced by ransomware

Open

#1.048 geöffnet am 22. Mai 2025

Auf GitHub ansehen
 (1 Kommentar) (0 Reaktionen) (0 zugewiesene Personen) (234 Forks)github user discovery
good first issuehelp wantedrule idea

Repository-Metriken

Stars
 (721 Stars)
PR-Merge-Metriken
 (PR-Metriken ausstehend)

Beschreibung

Ransomware may attempt to open and stop specific services during execution, e.g. to stop critical backup and recovery services. The rule should include a list of target service names combined with Windows API calls, e.g. OpenService.

Example list: https://github.com/netskopeoss/NetskopeThreatLabsIOCs/blob/10b21b2fa5f280ea414fdbb47ea74c0386ab9587/Malware/BlackMatter/IOCs/README.md?plain=1#L58-L94

Contributor Guide