Turla PNG Dropper Service
This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
Sigma rule (View on GitHub)
1title: Turla PNG Dropper Service
2id: 1228f8e2-7e79-4dea-b0ad-c91f1d5016c1
3status: test
4description: This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018
5references:
6 - https://research.nccgroup.com/2018/11/22/turla-png-dropper-is-back/
7author: Florian Roth (Nextron Systems)
8date: 2018-11-23
9modified: 2021-11-30
10tags:
11 - attack.persistence
12 - attack.g0010
13 - attack.t1543.003
14 - detection.emerging-threats
15logsource:
16 product: windows
17 service: system
18detection:
19 selection:
20 Provider_Name: 'Service Control Manager'
21 EventID: 7045
22 ServiceName: 'WerFaultSvc'
23 condition: selection
24falsepositives:
25 - Unlikely
26level: critical
References
-
This is a short blog post on the PNG Dropper malware that has been developed and used by the Turla Group [1]. The PNG Dropper was first discovered back in August 2017 by Carbon Black researchers. B...
Read More
Related rules
- Turla Service Install
- CosmicDuke Service Installation
- Moriya Rootkit File Created
- OilRig APT Activity
- OilRig APT Registry Persistence