mandiant/capa-rules

detect opening of services often referenced by ransomware

Open

#1,048 opened on 2025年5月22日

GitHub で見る
 (1 comment) (0 reactions) (0 assignees) (234 forks)github user discovery
good first issuehelp wantedrule idea

Repository metrics

Stars
 (721 stars)
PR merge metrics
 (PR metrics pending)

説明

Ransomware may attempt to open and stop specific services during execution, e.g. to stop critical backup and recovery services. The rule should include a list of target service names combined with Windows API calls, e.g. OpenService.

Example list: https://github.com/netskopeoss/NetskopeThreatLabsIOCs/blob/10b21b2fa5f280ea414fdbb47ea74c0386ab9587/Malware/BlackMatter/IOCs/README.md?plain=1#L58-L94

コントリビューターガイド