security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update proc_creation_disable_SEP.yml

Browse Source
This commit is contained in:
Florian Roth
2022-09-16 09:18:27 +02:00
committed by GitHub
parent 02cfd972ed
commit 6d9d08e1de
1 changed files with 12 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/proc_creation_disable_SEP.yml
+12 -10
View File
@@ -1,25 +1,27 @@
title: Disabling SEP
title: Disabling Symantec Endpoint Protection with Taskkill
id: 4a6713f6-3331-11ed-a261-0242ac120002
status: experimental
description: detects one of the possible scenarios for disabling symantec endpoint protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
description: Detects one of the possible scenarios for disabling symantec endpoint protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
references:
- internal investigation
author: Ilya Krestinichev
- https://www.exploit-db.com/exploits/37525
- https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection
- https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer
author: Ilya Krestinichev, Florian Roth
date: 2022/09/13
tags:
- attack.Impair_Defenses
- attack.t1562
- attack.defense_evasion
- attack.t1562.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentCommandLine|contains|all:
CommandLine|contains|all:
- 'taskkill'
- ' /F '
- ' /IM '
- 'ccSvcHst.exe'
condition: selection
fields:
- CommandLine
falsepositives:
- Unknown
level: critical
level: high