Turla Service Install
This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET
Sigma rule (View on GitHub)
1title: Turla Service Install
2id: 1df8b3da-b0ac-4d8a-b7c7-6cb7c24160e4
3status: test
4description: This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET
5references:
6 - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
7author: Florian Roth (Nextron Systems)
8date: 2017-03-31
9modified: 2021-11-30
10tags:
11 - attack.persistence
12 - attack.g0010
13 - attack.t1543.003
14 - detection.emerging-threats
15logsource:
16 product: windows
17 service: system
18detection:
19 selection:
20 Provider_Name: 'Service Control Manager'
21 EventID: 7045
22 ServiceName:
23 - 'srservice'
24 - 'ipvpn'
25 - 'hkmsvc'
26 condition: selection
27falsepositives:
28 - Unknown
29level: high
References
-
The Turla espionage group has been targeting various institutions for many years. Recently, ESET found several new versions of Carbon.
Read More
Related rules
- Turla PNG Dropper Service
- CosmicDuke Service Installation
- Moriya Rootkit File Created
- OilRig APT Activity
- OilRig APT Registry Persistence