From 2657ff7db82ce3e08de22f3fd19cc52c7ff47f85 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 31 Mar 2017 19:25:41 +0200
Subject: [PATCH] Rule: Carbon Paper Framework Service (Turla)

https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
---
 rules/apt/apt_carbonpaper_turla.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 rules/apt/apt_carbonpaper_turla.yml

diff --git a/rules/apt/apt_carbonpaper_turla.yml b/rules/apt/apt_carbonpaper_turla.yml
new file mode 100644
index 000000000..458b151b8
--- /dev/null
+++ b/rules/apt/apt_carbonpaper_turla.yml
@@ -0,0 +1,17 @@
+title: Turla Service Install
+description: 'This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET'
+reference: https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ EventID: 7045
+ ServiceName:
+ - 'srservice'
+ - 'ipvpn'
+ - 'hkmsvc'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
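Review bot: Two of the three `ServiceName` values the selection matches on, `srservice` and `hkmsvc`, are to my knowledge also the names of built-in Windows services (System Restore, Health Key and Certificate Management), so a 7045 "new service installed" event for them can be produced legitimately during Windows setup, feature upgrades or image deployment, yet `falsepositives` only says `Unknown` while the rule ships at `level: high`. I would document that collision instead of leaving it implicit, e.g. replace the placeholder with `- Windows setup, feature upgrades or image deployment re-registering built-in services (hkmsvc, srservice)`, and consider pairing `ServiceName` with an `ImagePath` selector if the referenced ESET report gives the loader's install path, so the service name alone does not carry the verdict. The rule also lacks the Sigma `author`, `date` and `status` fields, which matter when an analyst triages this alert months later; `author: Florian Roth`, `date: 2017/03/31` and `status: experimental` would be my additions. Note that the hunk is rendered here with its indentation collapsed, so whether `EventID` and `ServiceName` actually nest under `selection` cannot be verified from this view and should be checked in the committed file.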