rules/windows/process_creation/proc_creation_win_taskkill_sep.yml

title: Taskkill Symantec Endpoint Protection
id: 4a6713f6-3331-11ed-a261-0242ac120002
status: test
description: |
    Detects one of the possible scenarios for disabling Symantec Endpoint Protection.
    Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.
    As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
references:
    - https://www.exploit-db.com/exploits/37525
    - https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection
    - https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer
author: Ilya Krestinichev, Florian Roth (Nextron Systems)
date: 2022-09-13
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'taskkill'
            - ' /F '
            - ' /IM '
            - 'ccSvcHst.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
refactor: renamed and changed title 2022-09-16 09:45:56 +02:00			`title: Taskkill Symantec Endpoint Protection`
refactor: CRLF to LF 2022-09-16 09:22:21 +02:00			`id: 4a6713f6-3331-11ed-a261-0242ac120002`
$frack113$ Merge PR #4479 From @frack113 - Upgrade Rules Status 2023-10-17 14:35:26 +02:00			`status: test`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`description: \|`
fix: apply suggestions from code review 2023-02-16 10:46:29 +01:00			`Detects one of the possible scenarios for disabling Symantec Endpoint Protection.`
feat: updates and enhancements 2023-02-14 00:51:20 +01:00			`Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.`
			`As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.`
refactor: CRLF to LF 2022-09-16 09:22:21 +02:00			`references:`
			`- https://www.exploit-db.com/exploits/37525`
			`- https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection`
			`- https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer`
feat: updates and enhancements 2023-02-14 00:51:20 +01:00			`author: Ilya Krestinichev, Florian Roth (Nextron Systems)`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2022-09-13`
refactor: CRLF to LF 2022-09-16 09:22:21 +02:00			`tags:`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`- attack.defense-evasion`
refactor: CRLF to LF 2022-09-16 09:22:21 +02:00			`- attack.t1562.001`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`selection:`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`CommandLine\|contains\|all:`
			`- 'taskkill'`
			`- ' /F '`
			`- ' /IM '`
			`- 'ccSvcHst.exe'`
refactor: CRLF to LF 2022-09-16 09:22:21 +02:00			`condition: selection`
			`falsepositives:`
			`- Unknown`
			`level: high`