
Sigma rules for CVE-2012-1456

2 rules, scoped to CVE-2012-1456.
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

Rule 1 of 2 (direct match, level: medium)
Azure Application Gateway Modified or Deleted
Identifies when an application gateway is modified or deleted.
Status: test · Author: Austin Songer · ID: ad87d14e-7599-4633-ba81-aeb60cfe8cd6 · License: Sigma DRL-1.1
Sigma YAML:
title: Azure Application Gateway Modified or Deleted
id: ad87d14e-7599-4633-ba81-aeb60cfe8cd6
status: test
description: Identifies when a application gateway is modified or deleted.
references:
    - https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer
date: 2021-08-16
modified: 2022-08-23
tags:
    - attack.impact
logsource:
    product: azure
    service: activitylogs
detection:
    selection:
        operationName:
            - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WRITE
            - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DELETE
    condition: selection
falsepositives:
    - Application gateway being modified or deleted may be performed by a system administrator.
    - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    - Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
level: medium
Rule 2 of 2 (direct match, level: high)
Taskkill Symantec Endpoint Protection
Detects one of the possible scenarios for disabling Symantec Endpoint Protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can run `taskkill /im ccSvcHst.exe /f` several times, killing the process that belongs to the service and thus shutting the service down.
Status: test · Authors: Ilya Krestinichev, Florian Roth (Nextron Systems) · ID: 4a6713f6-3331-11ed-a261-0242ac120002 · License: Sigma DRL-1.1
Sigma YAML:
title: Taskkill Symantec Endpoint Protection
id: 4a6713f6-3331-11ed-a261-0242ac120002
status: test
description: |
    Detects one of the possible scenarios for disabling Symantec Endpoint Protection.
    Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.
    As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
references:
    - https://www.exploit-db.com/exploits/37525
    - https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection
    - https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer
author: Ilya Krestinichev, Florian Roth (Nextron Systems)
date: 2022-09-13
tags:
    - attack.defense-impairment
    - attack.t1685
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'taskkill'
            - ' /F '
            - ' /IM '
            - 'ccSvcHst.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
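To show how the two selection blocks above behave on real-looking events, here is a small added evaluator (not part of this page, SigmaHQ, or the Sigma toolchain) that implements just the two matching forms these rules use: a plain field with a list of values (any value equals, case-insensitive) and `field|contains|all` (every substring present, case-insensitive). The events are constructed for the example; note that the Taskkill rule's substrings carry surrounding spaces, so a command line ending in `/f` with no trailing space is not covered.

```python
# Minimal Sigma selection evaluator for the two rules on this page (added example).
# Only the modifiers these rules use are implemented: none, and contains|all.

RULES = {
    "Azure Application Gateway Modified or Deleted": {
        "operationName": [
            "MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WRITE",
            "MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DELETE",
        ],
    },
    "Taskkill Symantec Endpoint Protection": {
        "CommandLine|contains|all": ["taskkill", " /F ", " /IM ", "ccSvcHst.exe"],
    },
}


def field_matches(event, key, values):
    """Evaluate one 'field|modifier...' key of a selection against an event."""
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()  # Sigma string matching is case-insensitive
    wanted = [v.lower() for v in values]
    if "contains" in mods:
        if "all" in mods:
            return all(v in actual for v in wanted)  # every substring must be present
        return any(v in actual for v in wanted)
    return actual in wanted  # plain list: any value equals


def matches(rule_name, event):
    """A selection matches when all of its field keys match (Sigma map semantics)."""
    return all(field_matches(event, k, v) for k, v in RULES[rule_name].items())


def evaluate(events):
    """Return, per rule, the ids of the events its selection fires on."""
    return {name: [e["id"] for e in events if matches(name, e)] for name in RULES}


# Constructed sample events: two Azure activity-log records and three Windows process creations.
EVENTS = [
    {"id": "az-1", "operationName": "Microsoft.Network/applicationGateways/write"},
    {"id": "az-2", "operationName": "Microsoft.Network/applicationGateways/read"},
    {"id": "win-1", "CommandLine": "taskkill /F /IM ccSvcHst.exe"},
    {"id": "win-2", "CommandLine": "taskkill /im ccSvcHst.exe /f"},  # trailing '/f' lacks the space
    {"id": "win-3", "CommandLine": "taskkill /F /IM notepad.exe"},
]

if __name__ == "__main__":
    for rule, hits in evaluate(EVENTS).items():
        print(f"{rule}: {hits}")
```

Running it reports `az-1` for the Azure rule and only `win-1` for the Taskkill rule; `win-2` is the description's own argument order and slips past the ` /F ` substring, which is worth knowing when tuning the rule.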
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin