Taskkill Symantec Endpoint Protection

Original Source: [Sigma source]

Title: Taskkill Symantec Endpoint Protection
Status: test
Description:Detects one of the possible scenarios for disabling Symantec Endpoint Protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
References:
-https://www.exploit-db.com/exploits/37525
-https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection
-https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer
Author: Ilya Krestinichev, Florian Roth (Nextron Systems)
Date: 2022-09-13
modified:None
Tags:

-'attack.defense-evasion'
-'attack.t1562.001'

Logsource:

category: process_creation
product: windows

Detection:
selection:
CommandLine|contains|all:
-'taskkill'
-' /F '
-' /IM '
-'ccSvcHst.exe'

condition:selection
Falsepositives:
-Unknown
Level: high

Sign Up to Personalize and Manage Your Detection

Taskkill Symantec Endpoint Protection