detect opening of services often referenced by ransomware
Ransomware may attempt to open and stop specific services during execution, e.g. to stop critical backup and recovery services. The rule should include a list of target service names combined with Windows API calls, e.g. OpenService.
Example list: https://github.com/netskopeoss/NetskopeThreatLabsIOCs/blob/10b21b2fa5f280ea414fdbb47ea74c0386ab9587/Malware/BlackMatter/IOCs/README.md?plain=1#L58-L94
Hello @mike-hunhoff
I hope you're doing well. I'm fairly new to this space, but I've been exploring static detection rules and wanted to share a basic idea I've worked on. The rule below aims to detect ransomware behavior by identifying attempts to manipulate specific high-value services using Windows API calls.
Please note, I’ve made moderate use of AI tools to assist with structuring and researching this—mainly to help me learn and communicate my ideas more effectively.
Static Detection Rule: ransomware_service_targeting
rule ransomware_service_targeting
{
    meta:
        description = "Detects ransomware targeting specific services via OpenService calls"
        author = "Ritesh Kapoor"
        reference = "https://github.com/netskopeoss/NetskopeThreatLabsIOCs/blob/main/Malware/BlackMatter/IOCs/README.md"
        date = "2025-06-14"

    strings:
        // High-value service targets (from BlackMatter IOCs)
        $s1 = "agntsvc" ascii wide nocase
        // ... ($s2 through $s36 omitted in this post) ...
        $s37 = "xfssvccon" ascii wide nocase

        // Relevant API calls
        $open_serv_a = "OpenServiceA"
        $open_serv_w = "OpenServiceW"
        $control_serv = "ControlService"
        $query_serv = "QueryServiceStatus"

    condition:
        // PE check: little-endian "MZ" DOS header magic
        uint16(0) == 0x5A4D and
        // at least one service-management API name is present
        any of ($open_serv_*, $control_serv, $query_serv) and
        // at least three distinct target service names; YARA has no "#s*" count
        // operator, "N of ($s*)" is the supported form
        3 of ($s*)
}
Service Name Matching: Looks for 37 known service names targeted by ransomware.
API Monitoring: Flags usage of Windows service-related functions.
False Positive Control: Requires at least 3 service name hits to reduce noise.
Modifiers: Uses ascii, wide, and nocase for encoding and evasion handling.
File Type Check: Ensures target is a valid PE file.
Let me know if I need to improve somewhere. I am a Python developer with good experience in Django and DevOps. I would love to contribute to FLARE.
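As an added example (not code from the issue author, the commenter, or the FLARE project), this Python script applies the same condition the rule above expresses to raw file bytes: the MZ magic, a service-management API name, and at least three distinct target service names matched as ASCII and as UTF-16LE ("wide"), case-insensitively. The service list is constructed: only "agntsvc" and "xfssvccon" come from the rule on this page, the "example*" names are placeholders for the rest of the linked list, and the input buffers are constructed, not real samples.

```python
import struct

# Constructed sample target list: "agntsvc" and "xfssvccon" are the two names
# quoted in the rule above; the "example*" names are placeholders standing in
# for the remaining entries of the linked BlackMatter IOC README.
TARGET_SERVICES = ["agntsvc", "xfssvccon", "examplebackupsvc",
                   "examplesqlsvc", "examplevsssvc"]
SERVICE_APIS = ["OpenServiceA", "OpenServiceW", "ControlService",
                "QueryServiceStatus"]
MIN_SERVICE_HITS = 3  # at least three distinct names, like YARA's "3 of ($s*)"

def count_matches(data: bytes, needle: str) -> int:
    """Count occurrences the way YARA's 'ascii wide nocase' would: plain ASCII
    plus UTF-16LE, case-insensitive (bytes.lower() folds ASCII letters only,
    which is what 'nocase' does for these names)."""
    folded = data.lower()
    ascii_hits = folded.count(needle.lower().encode("ascii"))
    wide_hits = folded.count(needle.lower().encode("utf-16-le"))
    return ascii_hits + wide_hits

def is_pe(data: bytes) -> bool:
    """YARA's uint16(0) == 0x5A4D: the little-endian 'MZ' DOS header magic."""
    return len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x5A4D

def match_service_targeting(data: bytes) -> dict:
    """Apply the rule's condition and return the evidence behind the verdict."""
    services = [n for n in TARGET_SERVICES if count_matches(data, n) > 0]
    apis = [a for a in SERVICE_APIS if data.count(a.encode("ascii")) > 0]
    matched = is_pe(data) and bool(apis) and len(services) >= MIN_SERVICE_HITS
    return {"match": matched, "services": services, "apis": apis}

# Constructed inputs (not real samples): a PE-like buffer that names
# OpenServiceW and embeds three target names, two of them as UTF-16LE
# strings that an ascii-only rule would miss.
SAMPLE_SUSPECT = (b"MZ" + b"\x00" * 62 + b"OpenServiceW\x00"
                  + b"agntsvc\x00" + "xfssvccon".encode("utf-16-le")
                  + "EXAMPLEBACKUPSVC".encode("utf-16-le"))
# A PE-like buffer that calls the service API but names only one service;
# a legitimate service-management tool looks like this, so it must not fire.
SAMPLE_BENIGN_PE = b"MZ" + b"\x00" * 62 + b"OpenServiceA\x00agntsvc\x00"
# Same strings as the suspect buffer but no MZ header (e.g. a text dump).
SAMPLE_NOT_PE = SAMPLE_SUSPECT[2:]

if __name__ == "__main__":
    for label, buf in [("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN_PE),
                       ("not-pe", SAMPLE_NOT_PE)]:
        print(label, match_service_targeting(buf))
```

Only the suspect buffer fires; the benign buffer shows why the three-name threshold matters, and the headerless copy shows the PE check doing its job.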