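// APT1 / "Comment Crew" service-DLL detector (AlienVault Labs).
//
// Fires on a PE image that names at least one of the DLL/log file names
// below AND carries at least two of the service install/uninstall/
// entry-point strings. Neither group is strong on its own: "ServiceMain"
// and the Install/Uninstall names also occur in benign service DLLs, so
// the $dll* term is what carries the specificity -- do not loosen it.
rule APT1_Revird_svc
{
    meta:
        author = "AlienVault Labs"
        info = "CommentCrew-threat-apt1"
        description = "APT1 (Comment Crew) service DLL: known DLL/log file names combined with service install/uninstall entry-point strings"

    strings:
        // File names the sample references. `wide ascii` matches both the
        // narrow and the UTF-16LE encoding of each literal.
        $dll1 = "nwwwks.dll" wide ascii
        $dll2 = "rdisk.dll" wide ascii
        $dll3 = "skeys.dll" wide ascii
        $dll4 = "SvcHost.DLL.log" wide ascii

        // Service plumbing -- presumably export / entry-point names of the
        // service DLL (rundll32-style Install/Uninstall plus the standard
        // ServiceMain). Generic on their own; see header comment.
        $svc1 = "InstallService" wide ascii
        $svc2 = "RundllInstallA" wide ascii
        $svc3 = "RundllUninstallA" wide ascii
        $svc4 = "ServiceMain" wide ascii
        $svc5 = "UninstallService" wide ascii

    condition:
        // MZ header guard: every indicator above is a PE file/export name,
        // so restrict matches to PE images. Without it the rule also fires
        // on plain-text artifacts that list the same strings (IOC sheets,
        // threat reports, this rule file itself). Drop the uint16 term if
        // the rule is used for process-memory scanning, where offset 0 is
        // not a PE header.
        uint16(0) == 0x5A4D and
        1 of ($dll*) and 2 of ($svc*)
}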