RTCore Suspicious Service Installation
Detects the installation of the RTCore64 service, which could indicate abuse of the vulnerable Micro-Star MSI Afterburner driver RTCore64.sys (CVE-2019-16098). The driver exposes arbitrary kernel memory read and write to user mode and is a common bring-your-own-vulnerable-driver (BYOVD) component, as in the referenced CheekyBlinder proof of concept. Note that the service name in a 7045 event is chosen by whoever installs the driver; the rule keys on the default name, so a renamed service loading the same driver will not match.
Sigma rule
title: RTCore Suspicious Service Installation
id: 91c49341-e2ef-40c0-ac45-49ec5c3fe26c
status: test
description: Detects the installation of the RTCore64 service, which could indicate abuse of the vulnerable Micro-Star MSI Afterburner driver
references:
    - https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-30
tags:
    - attack.persistence
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName: 'RTCore64'
    condition: selection
falsepositives:
    - Unknown
level: high
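The following is an added worked example, not code from the Sigma project or the rule's author. It transcribes the rule's selection into a small matcher with Sigma's semantics (every listed field must be present and equal; plain string values compare case-insensitively) and runs it over constructed Windows System-log records using the field names Sigma expects for Event ID 7045 (Provider_Name, EventID, ServiceName, ImagePath). It also goes one step beyond the rule with a second check, `rtcore_driver_on_disk`, that is an assumption of this example rather than part of the rule: it matches on the driver file name in ImagePath so that a renamed service loading RTCore64.sys is still caught. All sample events are constructed, not real telemetry.

```python
"""Worked example (added here; not part of the Sigma project or the rule's author's code):
applies the selection of rule 91c49341-e2ef-40c0-ac45-49ec5c3fe26c to constructed
Windows System-log records and shows the blind spot of matching on ServiceName alone.
"""


# The rule's selection, transcribed from the YAML above.  Sigma compares plain
# string values case-insensitively, so both sides are normalised before comparing.
RULE_SELECTION = {
    "Provider_Name": "Service Control Manager",
    "EventID": 7045,
    "ServiceName": "RTCore64",
}


def sigma_match(event: dict, selection: dict) -> bool:
    """True if every field in `selection` equals the event's field (AND of fields).

    Missing fields never match.  Strings compare case-insensitively, as Sigma does
    for unmodified string values; integers compare exactly.
    """
    for field, wanted in selection.items():
        if field not in event:
            return False
        got = event[field]
        if isinstance(wanted, str):
            if not isinstance(got, str) or got.casefold() != wanted.casefold():
                return False
        elif got != wanted:
            return False
    return True


def rtcore_driver_on_disk(event: dict) -> bool:
    """Extension beyond the rule (an assumption of this example, not part of the rule):
    flag any 7045 whose ImagePath ends in rtcore64.sys regardless of ServiceName,
    because the installer picks the service name and can rename it freely.
    """
    if event.get("Provider_Name", "").casefold() != "service control manager":
        return False
    if event.get("EventID") != 7045:
        return False
    image_path = event.get("ImagePath", "").casefold().strip('"')
    return image_path.endswith("rtcore64.sys")


# Constructed sample records (not real telemetry) in the field names Sigma uses
# for the System log.
SAMPLE_EVENTS = [
    # Default service name used by the MSI Afterburner driver: the rule fires.
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "RTCore64", "ImagePath": "C:\\Users\\Public\\RTCore64.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
    # Same driver loaded under a renamed service: the rule misses it.
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "WinUpdSvc", "ImagePath": "C:\\Windows\\Temp\\RTCore64.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},
    # Benign service install: should match neither check.
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ServiceName": "Sysmon64", "ImagePath": "C:\\Windows\\Sysmon64.exe",
     "ServiceType": "user mode service", "StartType": "auto start"},
    # Service state change (7036) for RTCore64: wrong EventID, must not match.
    {"Provider_Name": "Service Control Manager", "EventID": 7036,
     "ServiceName": "RTCore64"},
]


def run_rule(events):
    """Return the ServiceName of each event matched by the Sigma selection."""
    return [e["ServiceName"] for e in events if sigma_match(e, RULE_SELECTION)]


def run_extended(events):
    """Return the ServiceName of each event matched by the ImagePath extension."""
    return [e["ServiceName"] for e in events if rtcore_driver_on_disk(e)]


if __name__ == "__main__":
    print("rule hits:    ", run_rule(SAMPLE_EVENTS))      # ['RTCore64']
    print("extended hits:", run_extended(SAMPLE_EVENTS))  # ['RTCore64', 'WinUpdSvc']
```

The second sample event is the case worth remembering when tuning this rule: the 7045 record still carries the driver path, so pairing the ServiceName match with an ImagePath (or, where available, a driver-load or file-hash) condition closes the rename gap without raising the false-positive rate on ordinary service installs.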