mandiant/capa-rules

detect opening of services often referenced by ransomware

Open

#1.048 aberto em 22 de mai. de 2025

Ver no GitHub
 (1 comment) (0 reactions) (0 assignees) (234 forks)github user discovery
good first issuehelp wantedrule idea

Métricas do repositório

Stars
 (721 stars)
Métricas de merge de PR
 (Métricas PR pendentes)

Description

Ransomware may attempt to open and stop specific services during execution, e.g. to stop critical backup and recovery services. The rule should include a list of target service names combined with Windows API calls, e.g. OpenService.

Example list: https://github.com/netskopeoss/NetskopeThreatLabsIOCs/blob/10b21b2fa5f280ea414fdbb47ea74c0386ab9587/Malware/BlackMatter/IOCs/README.md?plain=1#L58-L94

Guia do colaborador