Taskkill Symantec Endpoint Protection
Detects one of the possible scenarios for disabling Symantec Endpoint Protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
Sigma rule (View on GitHub)
1title: Taskkill Symantec Endpoint Protection
2id: 4a6713f6-3331-11ed-a261-0242ac120002
3status: test
4description: |
5 Detects one of the possible scenarios for disabling Symantec Endpoint Protection.
6 Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.
7 As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
8references:
9 - https://www.exploit-db.com/exploits/37525
10 - https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection
11 - https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer
12author: Ilya Krestinichev, Florian Roth (Nextron Systems)
13date: 2022/09/13
14tags:
15 - attack.defense_evasion
16 - attack.t1562.001
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection:
22 CommandLine|contains|all:
23 - 'taskkill'
24 - ' /F '
25 - ' /IM '
26 - 'ccSvcHst.exe'
27 condition: selection
28falsepositives:
29 - Unknown
30level: high
References
-
Symantec Endpoint Protection 12.1.4013 - Service Disabling. CVE-124307 . dos exploit for Windows platform
Read More -
Hi All, I am trying to create a batch script to uninstall Symantec. I’ve created a rough draft, but was wondering on how I could make it better. The uninstall script that I currently have is as follows: @echo OFF call MsiExec.exe /x {4C89867B-2E80-4B0D-87DB-1BD643D5EF5D} /qn /norestart taskkill /IM PAUI.exe timeout 10 taskkill /IM ccSvcHst.exe /F timeout 10 call "C:\Program Files\Symantec.cloud\PlatformAgent\Uninstall.exe" /S exit /B 3010 Is there a way to check if the product code is install...
Read More -
Hello,When I tries to kill the process with the command "Taskkill /F /IM ccSvcHst.exe", it successfully executed and SEP completly stopped.How do we prevent sym
Read More
Related rules
- AMSI Bypass Pattern Assembly GetType
- Azure Kubernetes Events Deleted
- Powershell Defender Exclusion
- Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging
- Win Defender Restored Quarantine File