Sigma rules for CVE-2022-36670
5 rules · scoped to cve · back to CVE-2022-36670
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Kaspersky Endpoint Security Stopped Via CommandLine - Linux
id: 36388120-b3f1-4ce9-b50b-280d9a7f4c04
status: experimental
description: |
Detects execution of the Kaspersky init.d stop script on Linux systems either directly or via systemctl.
This activity may indicate a manual interruption of the antivirus service by an administrator, or it could be a sign of potential tampering or evasion attempts by malicious actors.
references:
- https://support.kaspersky.com/KES4Linux/12.0.0/en-US/197929.htm
author: Milad Cheraghi
date: 2025-10-18
tags:
- attack.execution
- attack.defense-impairment
- attack.t1685
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith:
# Note: Add the list of shells allowed in your environment that can be used to run init.d scripts.
- '/systemctl'
- '/bash'
- '/sh'
CommandLine|contains|all:
- 'stop'
- 'kesl'
condition: selection
falsepositives:
- System administrator manually stopping Kaspersky services
level: high
title: ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
id: 6345b048-8441-43a7-9bed-541133633d7a
status: test
description: |
Detects the execution of "dctask64.exe", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central.
This binary can be abused for DLL injection, arbitrary command and process execution.
references:
- https://twitter.com/gN3mes1s/status/1222088214581825540
- https://twitter.com/gN3mes1s/status/1222095963789111296
- https://twitter.com/gN3mes1s/status/1222095371175911424
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2020-01-28
modified: 2025-01-22
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\dctask64.exe'
- Hashes|contains:
- 'IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD'
- 'IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA'
- 'IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3'
- 'IMPHASH=F1039CED4B91572AB7847D26032E6BBF'
selection_cli:
CommandLine|contains:
- ' executecmd64 '
- ' invokeexe '
- ' injectDll '
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Taskkill Symantec Endpoint Protection
id: 4a6713f6-3331-11ed-a261-0242ac120002
status: test
description: |
Detects one of the possible scenarios for disabling Symantec Endpoint Protection.
Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism.
As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
references:
- https://www.exploit-db.com/exploits/37525
- https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection
- https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer
author: Ilya Krestinichev, Florian Roth (Nextron Systems)
date: 2022-09-13
tags:
- attack.defense-impairment
- attack.t1685
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'taskkill'
- ' /F '
- ' /IM '
- 'ccSvcHst.exe'
condition: selection
falsepositives:
- Unknown
level: high
title: AWS ECS Task Definition That Queries The Credential Endpoint
id: b94bf91e-c2bf-4047-9c43-c6810f43baad
status: test
description: |
Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint.
This can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges.
references:
- https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py
- https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html
- https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html
author: Darin Smith
date: 2022-06-07
modified: 2023-04-24
tags:
- attack.persistence
- attack.t1525
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'ecs.amazonaws.com'
eventName:
- 'DescribeTaskDefinition'
- 'RegisterTaskDefinition'
- 'RunTask'
requestParameters.containerDefinitions.command|contains: '$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI'
condition: selection
falsepositives:
- Task Definition being modified to request credentials from the Task Metadata Service for valid reasons
level: medium
title: AWS Glue Development Endpoint Activity
id: 4990c2e3-f4b8-45e3-bc3c-30b14ff0ed26
status: test
description: Detects possible suspicious glue development endpoint activity.
references:
- https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/
- https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html
author: Austin Songer @austinsonger
date: 2021-10-03
modified: 2022-12-18
tags:
- attack.privilege-escalation
logsource:
product: aws
service: cloudtrail
detection:
selection:
eventSource: 'glue.amazonaws.com'
eventName:
- 'CreateDevEndpoint'
- 'DeleteDevEndpoint'
- 'UpdateDevEndpoint'
condition: selection
falsepositives:
- Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- If known behavior is causing false positives, it can be exempted from the rule.
level: low