diff --git a/rules/apt/apt_carbonpaper_turla.yml b/rules/apt/apt_carbonpaper_turla.yml
new file mode 100644
index 000000000..458b151b8
--- /dev/null
+++ b/rules/apt/apt_carbonpaper_turla.yml
@@ -0,0 +1,17 @@
+title: Turla Service Install
+description: 'This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET'
+reference: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
+logsource:
+    product: windows
+    service: system
+detection:
+    selection:
+        EventID: 7045
+        ServiceName:
+            - 'srservice'
+            - 'ipvpn'
+            - 'hkmsvc'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
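Review bot: The selection keys solely on three service names, and two of them — `srservice` and `hkmsvc` — are, as far as I recall, names of legitimate Windows components (System Restore on XP, Health Key and Certificate Management on Vista/7), which is presumably why the backdoor masquerades under them; a 7045 for either name on a host where that component is genuinely (re)installed would match, so `falsepositives: - Unknown` understates the collision risk and should name it. The 7045 event also carries an `ImagePath` field that the rule ignores; anchoring the selection on the binary paths the ESET report gives for these services (not visible in this hunk) would make the rule much harder to evade by a simple rename and would remove the legitimate-service collisions. Separately, the rule has none of the usual Sigma metadata; I would add `status: experimental`, `author` and `date`, plus `tags: [attack.persistence, attack.t1050]` (the new-service technique ID in use at the time; T1543.003 in current ATT&CK) so the rule is classifiable alongside the rest of the corpus.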