

// APT1 / Comment Crew "Revird" service-DLL indicators (AlienVault Labs).
// Matching logic is unchanged: at least one of the DLL/log file names
// plus at least two of the service-related export/function names.
rule APT1_Revird_svc
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
        description = "APT1 (Comment Crew) Revird service DLL string indicators"

    strings:
        // Artefact file names. These carry the rule's specificity; all are
        // case-sensitive (no `nocase`) and are searched in both ASCII and
        // UTF-16LE (`wide ascii`).
        $dll1 = "nwwwks.dll" wide ascii
        $dll2 = "rdisk.dll" wide ascii
        $dll3 = "skeys.dll" wide ascii
        $dll4 = "SvcHost.DLL.log" wide ascii

        // Service-related function names. Several of these (e.g. ServiceMain)
        // are ordinary Windows service-DLL entry points, so on their own they
        // would also be found in benign service DLLs; the condition therefore
        // never fires on $svc* alone.
        $svc1 = "InstallService" wide ascii
        $svc2 = "RundllInstallA" wide ascii
        $svc3 = "RundllUninstallA" wide ascii
        $svc4 = "ServiceMain" wide ascii
        $svc5 = "UninstallService" wide ascii

    condition:
        // Require a specific artefact name AND corroborating service-style names.
        1 of ($dll*) and 2 of ($svc*)
}