From c39a54ff0269c2653ea8048d0ec1cae976192a2b Mon Sep 17 00:00:00 2001
From: AnasRm01
Date: Wed, 25 Mar 2026 08:46:20 +0100
Subject: [PATCH] Create target-services-for-ransomware.yml
add rule to detect ransomware targeting services via OpenService calls (fixes #1048)
---
 .../target-services-for-ransomware.yml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 impact/inhibit-system-recovery/target-services-for-ransomware.yml
diff --git a/impact/inhibit-system-recovery/target-services-for-ransomware.yml b/impact/inhibit-system-recovery/target-services-for-ransomware.yml
new file mode 100644
index 000000000..ffe57324e
--- /dev/null
+++ b/impact/inhibit-system-recovery/target-services-for-ransomware.yml
@@ -0,0 +1,22 @@
+rule:
+ meta:
+ name: target services for ransomware
+ namespace: impact/inhibit-system-recovery
+ authors:
+ - AnasRm01
+ scopes:
+ static: function
+ dynamic: span of calls
+ att&ck:
+ - Impact::Inhibit System Recovery [T1490]
+ - Impact::Service Stop [T1489]
+ references:
+ - https://github.com/netskopeoss/NetskopeThreatLabsIOCs/blob/main/Malware/BlackMatter/IOCs/README.md
+ features:
+ - or:
+ - and:
+ - api: OpenServiceA
+ - api: ControlService
+ - and:
+ - api: OpenServiceW
+ - api: ControlService
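Review bot: The `features` block pairs `OpenServiceA`/`OpenServiceW` with `ControlService` but puts no constraint on the control code, so any function that opens a service handle and sends it a control request (pause, continue, interrogate — ordinary installer and admin code) matches a rule named "target services for ransomware" under `impact/inhibit-system-recovery`, which invites false positives. Consider anchoring each `and:` on the stop code, e.g. adding `- number: 1 = SERVICE_CONTROL_STOP`, and, if the referenced BlackMatter sample does this, a `string:`/`substring:` feature for the backup, database or VSS service names it targets so the match reflects the intent that the name and the T1490 mapping claim. The `meta` block also carries no `description:` and no `examples:` entry; capa's rule linter typically flags a rule without at least one sample hash (or `hash:offset`) under `examples:`, and the README linked under `references` could supply one. Finally, the `or:` over the A/W suffixes is likely redundant, since capa's extractors are believed to emit the suffix-stripped API name alongside the exact symbol — worth confirming, in which case a single `- api: OpenService` would cover both variants.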