mandiant/capa-rules

detect opening of services often referenced by ransomware

Open

#1048 aperta il 22 mag 2025

Vedi su GitHub
 (1 commento) (0 reazioni) (0 assegnatari) (234 fork)github user discovery
good first issuehelp wantedrule idea

Metriche repository

Star
 (721 star)
Metriche merge PR
 (Metriche PR in attesa)

Descrizione

Ransomware may attempt to open and stop specific services during execution, e.g. to stop critical backup and recovery services. The rule should include a list of target service names combined with Windows API calls, e.g. OpenService.

Example list: https://github.com/netskopeoss/NetskopeThreatLabsIOCs/blob/10b21b2fa5f280ea414fdbb47ea74c0386ab9587/Malware/BlackMatter/IOCs/README.md?plain=1#L58-L94

Guida contributor