mandiant/capa-rules

detect opening of services often referenced by ransomware

Open

#1 048 ouverte le 22 mai 2025

Voir sur GitHub
 (1 commentaire) (0 réactions) (0 assignés) (234 forks)github user discovery
good first issuehelp wantedrule idea

Métriques du dépôt

Stars
 (721 stars)
Métriques de merge PR
 (Métriques PR en attente)

Description

Ransomware may attempt to open and stop specific services during execution, e.g. to stop critical backup and recovery services. The rule should include a list of target service names combined with Windows API calls, e.g. OpenService.

Example list: https://github.com/netskopeoss/NetskopeThreatLabsIOCs/blob/10b21b2fa5f280ea414fdbb47ea74c0386ab9587/Malware/BlackMatter/IOCs/README.md?plain=1#L58-L94

Guide contributeur