// YARA rule published by AlienVault Labs for the APT1 / "Comment Crew"
// campaign (see the `info` meta). It keys on file names the component is
// dropped under plus export names used by its service / rundll32 install path.
rule APT1_Revird_svc
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"

    strings:
        // File-name indicators. `wide ascii` matches the text in both
        // UTF-16LE and 8-bit form, so the names are found whether they sit in
        // a PE string table, a resource, or plain text.
        $dll1 = "nwwwks.dll" wide ascii
        $dll2 = "rdisk.dll" wide ascii
        $dll3 = "skeys.dll" wide ascii
        $dll4 = "SvcHost.DLL.log" wide ascii

        // Export / entry-point names. ServiceMain is the standard Windows
        // service entry point and the Rundll(Un)InstallA pair are conventional
        // rundll32 entry points, so this group on its own is weak evidence;
        // the condition below never fires on $svc* hits alone.
        $svc1 = "InstallService" wide ascii
        $svc2 = "RundllInstallA" wide ascii
        $svc3 = "RundllUninstallA" wide ascii
        $svc4 = "ServiceMain" wide ascii
        $svc5 = "UninstallService" wide ascii

    condition:
        // At least one file-name indicator AND at least two export names.
        // NOTE(review): the $svc names are generic and legitimate service
        // DLLs can carry several of them; if this rule proves noisy, consider
        // raising the $svc threshold or scoping it to PE files via the pe
        // module — confirm the false-positive rate on a clean corpus first.
        1 of ($dll*) and 2 of ($svc*)
}