Sneed-Reactivity/yara-mikesxrs/alienvault/APT1_Revird_svc.yar
Sam Sneed 08e8d462fe OMG ISTG PLS WORK
RED PILL 🔴 💊
2024-07-25 12:43:35 -05:00


// Detection rule for the APT1 "Revird" service DLL family.
// Matches on a known component filename combined with the service /
// rundll32 export names the DLL exposes. The export names alone are
// generic (many benign service DLLs export ServiceMain and
// InstallService), so the condition always requires a filename hit as
// well; the two halves are meant to be read together, not separately.
rule APT1_Revird_svc
{
    meta:
        author = "AlienVault Labs"
        info   = "CommentCrew-threat-apt1"

    strings:
        // Component / log filenames carried in the binary. Both ASCII and
        // UTF-16LE (wide) encodings are searched, since the names show up
        // either way depending on how the loader references them.
        $dll1 = "nwwwks.dll"      wide ascii
        $dll2 = "rdisk.dll"       wide ascii
        $dll3 = "skeys.dll"       wide ascii
        $dll4 = "SvcHost.DLL.log" wide ascii

        // Export names used for service installation, rundll32 entry points
        // and the service entry itself. Individually these are common in
        // legitimate software; their value here is only in combination.
        $svc1 = "InstallService"   wide ascii
        $svc2 = "RundllInstallA"   wide ascii
        $svc3 = "RundllUninstallA" wide ascii
        $svc4 = "ServiceMain"      wide ascii
        $svc5 = "UninstallService" wide ascii

    condition:
        // At least one specific filename AND at least two of the export
        // names. `any of` is the same as `1 of`; the filename requirement
        // is what keeps the generic export strings from firing on their own.
        any of ($dll*) and 2 of ($svc*)
}