mandiant/capa-rules

detect opening of services often referenced by ransomware

Open

#1,048 opened on May 22, 2025

View on GitHub
 (1 comment) (0 reactions) (0 assignees) (234 forks)github user discovery
good first issuehelp wantedrule idea

Repository metrics

Stars
 (721 stars)
PR merge metrics
 (PR metrics pending)

Description

Ransomware may attempt to open and stop specific services during execution, e.g. to stop critical backup and recovery services. The rule should include a list of target service names combined with Windows API calls, e.g. OpenService.

Example list: https://github.com/netskopeoss/NetskopeThreatLabsIOCs/blob/10b21b2fa5f280ea414fdbb47ea74c0386ab9587/Malware/BlackMatter/IOCs/README.md?plain=1#L58-L94

Contributor guide