Turla Service Install

Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.g0010 attack.t1543.003 detection.emerging-threats ·

Share on:

This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET

Sigma rule (View on GitHub)

 1title: Turla Service Install
 2id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4
 3status: test
 4description: This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET
 5references:
 6    - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
 7author: Florian Roth (Nextron Systems)
 8date: 2017-03-31
 9modified: 2021-11-30
10tags:
11    - attack.privilege-escalation
12    - attack.persistence
13    - attack.g0010
14    - attack.t1543.003
15    - detection.emerging-threats
16logsource:
17    product: windows
18    service: system
19detection:
20    selection:
21        Provider_Name: 'Service Control Manager'
22        EventID: 7045
23        ServiceName:
24            - 'srservice'
25            - 'ipvpn'
26            - 'hkmsvc'
27    condition: selection
28falsepositives:
29    - Unknown
30level: high

References

Carbon Paper: Peering into Turla’s second stage backdoor

The Turla espionage group has been targeting various institutions for many years. Recently, ESET found several new versions of Carbon.

Read More

Turla Service Install

Sigma rule (View on GitHub)

References

Carbon Paper: Peering into Turla’s second stage backdoor

Related rules