title: StoneDrill Service Install
description: 'This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky'   
author: Florian Roth
references:
    - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 7045
        ServiceName: NtsSrv
        ServiceFileName: '* LocalService'
    condition: selection
falsepositives:
    - Unlikely
level: high