RTCore Suspicious Service Installation

Detects the installation of the RTCore service, which could indicate abuse of the vulnerable Micro-Star MSI Afterburner driver.

Sigma rule (View on GitHub)

title: RTCore Suspicious Service Installation
id: 91c49341-e2ef-40c0-ac45-49ec5c3fe26c
status: test
description: Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse
references:
    - https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/30
tags:
    - attack.persistence
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName: 'RTCore64'
    condition: selection
falsepositives:
    - Unknown
level: high
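
The following is an added example, not part of the rule or of the Sigma project: it applies the rule's selection to System-log records in Windows event XML form, to show where each of the three fields comes from and how the match is evaluated. The field mapping (Provider_Name from the Provider element's Name attribute, ServiceName from the EventData entry of that name), the helper names and the sample records are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# The rule's selection. Sigma compares plain string values case-insensitively.
SELECTION = {"Provider_Name": "Service Control Manager",
             "EventID": "7045",
             "ServiceName": "RTCore64"}

def flatten(event_xml):
    """Map one <Event> record to the flat field names the rule uses (assumed mapping)."""
    root = ET.fromstring(event_xml)
    system = root.find("e:System", NS)
    fields = {"Provider_Name": system.find("e:Provider", NS).get("Name", ""),
              "EventID": (system.find("e:EventID", NS).text or "").strip()}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields

def matches(event_xml):
    """True when every field of the selection is present and equal (AND logic)."""
    fields = flatten(event_xml)
    return all(fields.get(k, "").lower() == v.lower() for k, v in SELECTION.items())

def make_event(provider, event_id, service, image_path):
    """Build a constructed, minimal System-log record for the samples below."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><Provider Name="{provider}"/>'
            f'<EventID Qualifiers="16384">{event_id}</EventID></System>'
            f'<EventData><Data Name="ServiceName">{service}</Data>'
            f'<Data Name="ImagePath">{image_path}</Data>'
            '<Data Name="ServiceType">kernel mode driver</Data>'
            '</EventData></Event>')

SCM = "Service Control Manager"
SAMPLES = [  # constructed records, not taken from a real host
    make_event(SCM, 7045, "RTCore64", r"C:\Example\RTCore64.sys"),    # match
    make_event(SCM, 7045, "rtcore64", r"C:\Example\RTCore64.sys"),    # match, case differs
    make_event(SCM, 7045, "ExampleSvc", r"C:\Example\svc.exe"),       # other service
    make_event(SCM, 7036, "RTCore64", r"C:\Example\RTCore64.sys"),    # wrong event ID
]

def hits():
    """Indexes of the sample records that satisfy the rule's selection."""
    return [i for i, e in enumerate(SAMPLES) if matches(e)]

if __name__ == "__main__":
    for i in hits():
        print("match:", flatten(SAMPLES[i]))
```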
