SigmaHQ/rules/windows/builtin/win_apt_stonedrill.yml
title: StoneDrill Service Install
id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6
description: Detects the installation of the malicious Microsoft Network Realtime Inspection Service described in the StoneDrill report by Kaspersky
author: Florian Roth
date: 2017/03/07
references:
    - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
tags:
    - attack.persistence
    - attack.g0064
    - attack.t1050 # an old one
    - attack.t1543.003
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 7045
        ServiceName: NtsSrv
        ServiceFileName: '* LocalService'
    condition: selection
falsepositives:
    - Unlikely
level: high
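To make the selection above concrete, the following Python is an added example (not part of the SigmaHQ repository and not a Sigma backend) that applies this rule's `selection` map to constructed System-log 7045 records. It follows Sigma's plain-string semantics: field values compare case-insensitively, `*` matches any run of characters and `?` matches exactly one; all fields in one map must match (AND). The event records, service paths and the `run_rule` / `matches_selection` helper names are constructed for this illustration.

```python
import re
from typing import Any, Dict, Iterable, List

# The selection from the rule above, transcribed into a plain dict
# (added example; this is not the Sigma project's own tooling).
SELECTION = {
    "EventID": 7045,
    "ServiceName": "NtsSrv",
    "ServiceFileName": "* LocalService",
}


def sigma_value_to_regex(value: Any) -> "re.Pattern[str]":
    """Translate one Sigma plain-string value into an anchored, case-insensitive regex.

    '*' matches any run of characters, '?' matches exactly one character,
    everything else is literal.  Non-string values (EventID: 7045) are
    compared through their string form, as the event source yields strings.
    """
    parts: List[str] = []
    for ch in str(value):
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


COMPILED = {field: sigma_value_to_regex(v) for field, v in SELECTION.items()}


def matches_selection(event: Dict[str, Any]) -> bool:
    """True when every field of the selection map matches (Sigma AND semantics)."""
    for field, pattern in COMPILED.items():
        if field not in event:
            return False
        if not pattern.match(str(event[field])):
            return False
    return True


def run_rule(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the events this rule would alert on."""
    return [e for e in events if matches_selection(e)]


# Constructed sample 7045 events; the paths and service names are made up.
SAMPLE_EVENTS = [
    {   # should alert: all three fields match (service name in lower case on purpose)
        "EventID": 7045,
        "ServiceName": "ntssrv",
        "ServiceFileName": r"C:\Users\Public\example.exe LocalService",
    },
    {   # benign 7045 with a different service name
        "EventID": 7045,
        "ServiceName": "Spooler",
        "ServiceFileName": r"C:\Windows\System32\spoolsv.exe",
    },
    {   # same service name, but the ' LocalService' suffix is absent
        "EventID": 7045,
        "ServiceName": "NtsSrv",
        "ServiceFileName": r"C:\Users\Public\example.exe",
    },
    {   # a status-change event, not a service install
        "EventID": 7036,
        "ServiceName": "NtsSrv",
        "ServiceFileName": r"C:\Users\Public\example.exe LocalService",
    },
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT StoneDrill Service Install:", hit)
```

Only the first sample fires: the rule needs all three conditions, so a 7045 for the same service name whose ServiceFileName lacks the trailing ` LocalService` token is not matched, which is the trade-off behind the `Unlikely` false-positive rating. When porting the rule to a SIEM, confirm the backend preserves the case-insensitive, leading-wildcard behaviour of `'* LocalService'`.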