title: StoneDrill Service Install
author: Florian Roth
date: 2017/03/07
description: This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in the StoneDrill report by Kaspersky
detection:
  SELECTION_1:
    EventID: 7045
  SELECTION_2:
    ServiceName: NtsSrv
  SELECTION_3:
    ServiceFileName: '* LocalService'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- Unlikely
id: 9e987c6c-4c1e-40d8-bd85-dd26fba8fdd6
level: high
logsource:
  product: windows
  service: system
references:
- https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/
status: experimental
tags:
- attack.persistence
- attack.g0064
- attack.t1050
- attack.t1543.003
ruletype: SIGMA