mandiant/capa-rules

detect opening of services often referenced by ransomware

Open

#1,048 创建于 2025年5月22日

在 GitHub 查看
 (1 评论) (0 反应) (0 负责人) (234 fork)github user discovery
good first issuehelp wantedrule idea

仓库指标

Star
 (721 star)
PR 合并指标
 (PR 指标待抓取)

描述

Ransomware may attempt to open and stop specific services during execution, e.g. to stop critical backup and recovery services. The rule should include a list of target service names combined with Windows API calls, e.g. OpenService.

Example list: https://github.com/netskopeoss/NetskopeThreatLabsIOCs/blob/10b21b2fa5f280ea414fdbb47ea74c0386ab9587/Malware/BlackMatter/IOCs/README.md?plain=1#L58-L94

贡献者指南