mandiant/capa-rules

detect opening of services often referenced by ransomware

Open

#1,048 建立於 2025年5月22日

在 GitHub 查看
 (1 留言) (0 反應) (0 負責人) (234 fork)github user discovery
good first issuehelp wantedrule idea

倉庫指標

Star
 (721 star)
PR 合併指標
 (PR 指標待抓取)

描述

Ransomware may attempt to open and stop specific services during execution, e.g. to stop critical backup and recovery services. The rule should include a list of target service names combined with Windows API calls, e.g. OpenService.

Example list: https://github.com/netskopeoss/NetskopeThreatLabsIOCs/blob/10b21b2fa5f280ea414fdbb47ea74c0386ab9587/Malware/BlackMatter/IOCs/README.md?plain=1#L58-L94

貢獻者指南