SigmaHQ/rules/apt/apt_carbonpaper_turla.yml

18 lines
519 B
YAML

title: Turla Service Install
description: 'This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET'
references: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
logsource:
product: windows
service: system
detection:
selection:
EventID: 7045
ServiceName:
- 'srservice'
- 'ipvpn'
- 'hkmsvc'
condition: selection
falsepositives:
- Unknown
level: high