
Symantec Endpoint Protection

Overview

Symantec Endpoint Protection is a client-server solution that protects laptops, desktops, and servers in your network against malware, risks, and vulnerabilities. This product is supported by Broadcom.

SEKOIA.IO's built-in rules extend Symantec Endpoint Protection with the following detection capabilities out of the box.

SEKOIA.IO x Symantec Endpoint Protection on ATT&CK Navigator

Exfiltration And Tunneling Tools Execution

Detects the execution of well-known data exfiltration and tunneling tools.

  • Effort: advanced
Hijack Legit RDP Session To Move Laterally

Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon.

  • Effort: intermediate
Interactive Terminal Spawned via Python

Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.

  • Effort: advanced
Network Scanning and Discovery

Detects tools and command lines used for network discovery from the current system.

  • Effort: advanced
Network Sniffing

Detects common tools used for network packet sniffing.

  • Effort: advanced
Phorpiex Process Masquerading

Detects a specific process executable path used by the Phorpiex botnet to disguise its network activity as that of a system process. It looks for a system process executable name running from an illegitimate location: a folder whose name is a randomly generated string of 13 to 15 digits.

  • Effort: elementary
Python Exfiltration Tools

Python ships with built-in modules, and third-party libraries can be installed, that an attacker can later use as exfiltration tools.

  • Effort: advanced
RYUK Ransomware - martinstevens Username

Detects the user name "martinstevens". Wizard Spider is known to add the user name "martinstevens" to the Active Directory of its victims; this was observed in several campaigns in 2019 and 2020.

  • Effort: elementary
SELinux Disabling

An attacker can disable SELinux to make the compromise of a workstation or server easier, as doing so removes several protections.

  • Effort: intermediate
Suspicious Double Extension

Detects suspicious use of an .exe extension following a non-executable file extension (for example .pdf.exe) or a run of spaces or underscores, used to cloak an executable file in spearphishing campaigns.

  • Effort: elementary
Suspicious PROCEXP152.sys File Created In Tmp

Detects the creation of the PROCEXP152.sys file in the local application-data temporary folder. This driver is used by Sysinternals Process Explorer, but also by KDU (https://github.com/hfiref0x/KDU) and by Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which relies on KDU. Note: clever attackers can easily bypass this detection by simply renaming the driver file, so the rule is only medium-level and should not be relied on alone.

  • Effort: advanced
Symantec EPP Event Blocked

Symantec EPP blocked an action. Be careful when activating this rule: it generates many events that are not always relevant for detection.

  • Effort: master
System Info Discovery

Attempts to detect basic commands used to fingerprint a host (system information discovery).

  • Effort: master
WMI Persistence Script Event Consumer File Write

Detects file writes through WMI script event consumer.

  • Effort: advanced

Event Categories

The following table lists the data sources offered by this integration.

Data Source   Description
Anti-virus    Symantec Endpoint Protection analyses processes and files to prevent malicious actions.

In detail, the following table lists the types of events produced by this integration.

Name      Values
Kind      event
Category  malware
Type      info, denied (as observed in the samples below)

Event Samples

Find below a few samples of events and how they are normalized by SEKOIA.IO.

{
    "message": "Site: OSTAM,Server Name: STR04,Domain Name: MyDomain,The client has downloaded the content package successfully,STV02,ADMIN,stv02.local",
    "event": {
        "kind": "event",
        "category": [
            "malware"
        ],
        "reason": "The client has downloaded the content package successfully",
        "type": [
            "info"
        ]
    },
    "observer": {
        "vendor": "Broadcom",
        "product": "Symantec Endpoint Protection"
    },
    "host": {
        "hostname": "STV02",
        "name": "stv02.local"
    },
    "user": {
        "name": "ADMIN"
    },
    "broadcom": {
        "endpoint_protection": {
            "server": {
                "domain": "MyDomain",
                "name": "STR04"
            }
        }
    },
    "related": {
        "hosts": [
            "STV02"
        ],
        "user": [
            "ADMIN"
        ]
    }
}
{
    "message": "INT23456,,Blocked,C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\14.3.4615.2000.105\\Bin64\\ccSvcHst.exe,,Begin: 2022-08-29 11:58:20,End Time: 2022-08-29 11:58:20,Rule: ,4428,C:\\PROGRAM FILES\\SMART-X\\CONTROLUPAGENT\\VERSION 8.1.5.634\\CUAGENT.EXE,0,,C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\14.3.4615.2000.105\\Bin64\\ccSvcHst.exe,User Name: Admin,Domain Name: ,Action Type: 55,File size (bytes): ,Device ID: ",
    "event": {
        "kind": "event",
        "category": [
            "malware"
        ],
        "action": "Blocked",
        "type": [
            "denied"
        ]
    },
    "observer": {
        "vendor": "Broadcom",
        "product": "Symantec Endpoint Protection"
    },
    "host": {
        "hostname": "INT23456",
        "name": "INT23456"
    },
    "user": {
        "name": "Admin"
    },
    "process": {
        "pid": 4428,
        "executable": "C:\\PROGRAM FILES\\SMART-X\\CONTROLUPAGENT\\VERSION 8.1.5.634\\CUAGENT.EXE",
        "name": "CUAGENT.EXE",
        "working_directory": "C:\\PROGRAM FILES\\SMART-X\\CONTROLUPAGENT\\VERSION 8.1.5.634",
        "args": [
            "C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection\\14.3.4615.2000.105\\Bin64\\ccSvcHst.exe"
        ]
    },
    "related": {
        "hosts": [
            "INT23456"
        ],
        "user": [
            "Admin"
        ]
    }
}
{
    "message": "SONAR detection now allowed,IP Address: 1.2.3.4,Computer name: DNHFF3453,Source: Auto-Protect scan,Risk name: WS.Reputation.1,Occurrences: 1,File path: c:\\program files (x86)\\visualxxxxxxxxxx\\vtomxvision.exe,Description: ,Actual action: Action invalid,Requested action: Process terminate pending restart,Secondary action: 102,Event time: 2022-07-07 17:01:05,Event Insert Time: 2022-07-07 17:24:14,End Time: 2022-07-07 17:01:05,Last update time: 2022-07-07 17:24:14,Domain Name: MyDomain,Group Name: MyDomain\\Subdivision\\Citrix VDI persistants,Server Name: XXXXX01,User Name: Doe,Source Computer Name: ,Source Computer IP: ,Disposition: Good,Download site: ,Web domain: ,Downloaded by: c:/windows/explorer.exe,Prevalence: This file has been seen by fewer than 50 Symantec users.,Confidence: There is some evidence that this file is trustworthy.,URL Tracking Status: On,First Seen: Symantec has known about this file approximately 2 days.,Sensitivity: ,Allowed application reason: User allow list,Application hash: E13D72DE479A65E6448C779B3B2BCE45DB7B5AE52B1BAA0FE915380A667D3C01,Hash type: SHA2,Company name: Absyss S.A.S,Application name: Visual TOM,Application version: 6.6.1 (FR),Application type: 127,File size (bytes): 67352,Category set: Malware,Category type: Insight Network Threat,Location: MyDomain,Intensive Protection Level: 0,Certificate issuer: Absyss,Certificate signer: Sectigo RSA Code Signing CA,Certificate thumbprint: D31433F4C8C0BE4846E7E90318CD0CF5046EE95C,Signing timestamp: 1649155201,Certificate serial number: 044541E287C90A879334BFD15D6A3ED3",
    "event": {
        "reason": "SONAR detection now allowed",
        "kind": "event",
        "category": [
            "malware"
        ],
        "type": [
            "info"
        ],
        "action": "Process terminate pending restart"
    },
    "observer": {
        "vendor": "Broadcom",
        "product": "Symantec Endpoint Protection"
    },
    "host": {
        "ip": [
            "1.2.3.4"
        ],
        "hostname": "DNHFF3453",
        "name": "DNHFF3453"
    },
    "user": {
        "name": "Doe"
    },
    "related": {
        "hosts": [
            "DNHFF3453"
        ],
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "Doe"
        ]
    },
    "threat": {
        "enrichments": [
            {
                "indicator": {
                    "type": "file",
                    "first_seen": "2022-07-07T17:01:05.000000Z",
                    "last_seen": "2022-07-07T17:01:05.000000Z",
                    "modified_at": "2022-07-07T17:24:14.000000Z",
                    "sightings": 1,
                    "description": "WS.Reputation.1",
                    "file": {
                        "path": "c:\\program files (x86)\\visualxxxxxxxxxx\\vtomxvision.exe",
                        "size": 67352
                    }
                }
            }
        ]
    },
    "file": {
        "path": "c:\\program files (x86)\\visualxxxxxxxxxx\\vtomxvision.exe",
        "size": 67352
    },
    "broadcom": {
        "endpoint_protection": {
            "source": "Auto-Protect scan",
            "server": {
                "domain": "MyDomain",
                "group": "MyDomain\\Subdivision\\Citrix VDI persistants",
                "name": "XXXXX01"
            },
            "threat": {
                "type": "Insight Network Threat",
                "category": "Malware"
            },
            "application": {
                "code_signature": {
                    "digest_algorithm": "sha2",
                    "subject_name": "Absyss",
                    "signer": "Sectigo RSA Code Signing CA",
                    "timestamp": "2022-04-05T10:40:01.000000Z",
                    "certificate": {
                        "thumbprint": "D31433F4C8C0BE4846E7E90318CD0CF5046EE95C",
                        "serial_number": "044541E287C90A879334BFD15D6A3ED3"
                    }
                },
                "hash": {
                    "sha2": "E13D72DE479A65E6448C779B3B2BCE45DB7B5AE52B1BAA0FE915380A667D3C01"
                },
                "name": "Visual TOM",
                "version": "6.6.1 (FR)"
            },
            "downloaded_by": {
                "file": {
                    "path": "c:/windows/explorer.exe"
                }
            },
            "action": {
                "main": "Action invalid",
                "secondary": "102"
            },
            "prevalence": "This file has been seen by fewer than 50 Symantec users.",
            "confidence": "There is some evidence that this file is trustworthy."
        }
    }
}
{
    "message": "OND345,Category: 2,REP,Event Description: Impossible d\u2019assigner un jeton d\u2019authentification client. Une erreur de communication g\u00e9n\u00e9rale est survenue.,Event time: 2022-08-29 11:35:29,Group Name: Company\\Own",
    "event": {
        "kind": "event",
        "category": [
            "malware"
        ],
        "reason": "Impossible d\u2019assigner un jeton d\u2019authentification client. Une erreur de communication g\u00e9n\u00e9rale est survenue.",
        "type": [
            "info"
        ]
    },
    "observer": {
        "vendor": "Broadcom",
        "product": "Symantec Endpoint Protection"
    },
    "host": {
        "hostname": "OND345",
        "name": "OND345"
    },
    "broadcom": {
        "endpoint_protection": {
            "source": "REP",
            "server": {
                "group": "Company\\Own"
            }
        }
    },
    "related": {
        "hosts": [
            "OND345"
        ]
    }
}
{
    "message": "Virus found,IP Address: 1.2.3.4,Computer name: DNHFF3453,Source: Auto-Protect scan,Risk name: EICAR Test String,Occurrences: 1,File path: C:\\Users\\admin\\Desktop\\test.txt,Description: AP realtime deferred scanning,Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2022-07-07 14:28:39,Event Insert Time: 2022-07-07 14:30:43,End Time: 2022-07-07 14:28:39,Last update time: 2022-07-07 14:30:43,Domain Name: MyDomain,Group Name: MyDomain\\Subdivision\\Citrix VDI persistants,Server Name: XXXXX01,User Name: ADMIN,Source Computer Name: ,Source Computer IP: ,Disposition: Bad,Download site: ,Web domain: ,Downloaded by: ,Prevalence: This file has been seen by millions of Symantec users.,Confidence: This file is untrustworthy.,URL Tracking Status: On,First Seen: Reputation was not used in this detection.,Sensitivity: ,Allowed application reason: Not on the allow list,Application hash: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F,Hash type: SHA2,Company name: ,Application name: Nouveau document texte.txt,Application version: ,Application type: 127,File size (bytes): 68,Category set: Malware,Category type: Virus,Location: MyDomain,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: ,Certificate serial number: ",
    "event": {
        "reason": "Virus found",
        "kind": "event",
        "category": [
            "malware"
        ],
        "type": [
            "info"
        ],
        "action": "Cleaned"
    },
    "observer": {
        "vendor": "Broadcom",
        "product": "Symantec Endpoint Protection"
    },
    "host": {
        "ip": [
            "1.2.3.4"
        ],
        "hostname": "DNHFF3453",
        "name": "DNHFF3453"
    },
    "user": {
        "name": "ADMIN"
    },
    "related": {
        "hosts": [
            "DNHFF3453"
        ],
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "ADMIN"
        ]
    },
    "threat": {
        "enrichments": [
            {
                "indicator": {
                    "type": "file",
                    "first_seen": "2022-07-07T14:28:39.000000Z",
                    "last_seen": "2022-07-07T14:28:39.000000Z",
                    "modified_at": "2022-07-07T14:30:43.000000Z",
                    "sightings": 1,
                    "description": "EICAR Test String",
                    "file": {
                        "path": "C:\\Users\\admin\\Desktop\\test.txt",
                        "size": 68
                    }
                }
            }
        ]
    },
    "file": {
        "path": "C:\\Users\\admin\\Desktop\\test.txt",
        "size": 68
    },
    "broadcom": {
        "endpoint_protection": {
            "source": "Auto-Protect scan",
            "server": {
                "domain": "MyDomain",
                "group": "MyDomain\\Subdivision\\Citrix VDI persistants",
                "name": "XXXXX01"
            },
            "threat": {
                "type": "Virus",
                "category": "Malware"
            },
            "application": {
                "code_signature": {
                    "digest_algorithm": "sha2"
                },
                "hash": {
                    "sha2": "275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F"
                },
                "name": "Nouveau document texte.txt"
            },
            "action": {
                "main": "Cleaned by deletion",
                "secondary": "Quarantined"
            },
            "prevalence": "This file has been seen by millions of Symantec users.",
            "confidence": "This file is untrustworthy."
        }
    }
}
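To make the normalization shown in these samples, and the kind of checks the rules listed above perform, concrete, here is an added Python example (not SEKOIA.IO's parser or rule code). It parses the "Description,Key: value,Key: value,..." layout of the "Virus found" and "SONAR detection" samples into the ECS-style structure above and runs two toy detections over the result. The positional layout of the application-control "Blocked" sample is deliberately out of scope. The sample lines are constructed: two are shortened copies of the page's samples and the third is invented to trigger the checks; the detection logic is a simplification of the listed rules, not their actual implementation.

```python
"""Normalize Symantec Endpoint Protection (SEP) risk-event syslog messages and
run simple detections over the result.

Added example, not SEKOIA.IO's parser or rule code. It handles the
"Description,Key: value,..." layout of the "Virus found" / "SONAR detection"
samples; the positional application-control "Blocked" layout is out of scope.
"""
import re
from datetime import datetime, timezone

# Constructed inputs: the first two are shortened copies of the page's samples,
# the third is invented to exercise the detections and is not a real SEP record.
SAMPLE_VIRUS = (
    "Virus found,IP Address: 1.2.3.4,Computer name: DNHFF3453,Source: Auto-Protect scan,"
    "Risk name: EICAR Test String,Occurrences: 1,File path: C:\\Users\\admin\\Desktop\\test.txt,"
    "Description: AP realtime deferred scanning,Actual action: Cleaned by deletion,"
    "Requested action: Cleaned,Secondary action: Quarantined,Event time: 2022-07-07 14:28:39,"
    "Domain Name: MyDomain,Server Name: XXXXX01,User Name: ADMIN,"
    "Application hash: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F,"
    "Hash type: SHA2,File size (bytes): 68,Category set: Malware,Category type: Virus,"
    "Signing timestamp: ,Certificate serial number: "
)
SAMPLE_SONAR = (
    "SONAR detection now allowed,IP Address: 1.2.3.4,Computer name: DNHFF3453,"
    "Source: Auto-Protect scan,Risk name: WS.Reputation.1,"
    "File path: c:\\program files (x86)\\visualxxxxxxxxxx\\vtomxvision.exe,"
    "Actual action: Action invalid,Requested action: Process terminate pending restart,"
    "User Name: Doe,Hash type: SHA2,"
    "Application hash: E13D72DE479A65E6448C779B3B2BCE45DB7B5AE52B1BAA0FE915380A667D3C01,"
    "File size (bytes): 67352,Category set: Malware,Category type: Insight Network Threat,"
    "Signing timestamp: 1649155201"
)
SAMPLE_SUSPICIOUS = (
    "Virus found,IP Address: 10.0.0.7,Computer name: WS-042,Source: Auto-Protect scan,"
    "File path: C:\\Users\\bob\\Downloads\\invoice.pdf   .exe,Requested action: Quarantined,"
    "User Name: martinstevens,File size (bytes): 4096,Category set: Malware,Category type: Trojan"
)

# Double extension as described by the "Suspicious Double Extension" rule: a
# document-like extension, optional spaces/underscores, then .exe at the end.
DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?|rtf|txt|jpe?g|png)[ _]*\.exe$", re.IGNORECASE)


def parse_kv_message(message: str) -> tuple[str, dict[str, str]]:
    """Split a SEP risk event into its leading description and its fields.

    Fields are comma separated and a key ends at its first ':'. No value in the
    page's samples contains a comma; a deployment whose values do (for example
    localized free text) would need a real tokenizer instead of str.split().
    """
    head, *parts = message.split(",")
    fields: dict[str, str] = {}
    for part in parts:
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return head.strip(), fields


def normalize(message: str) -> dict:
    """Map a parsed message onto the ECS-style layout shown in the samples above."""
    reason, f = parse_kv_message(message)
    hostname = f.get("Computer name", "")
    ep = {
        "source": f.get("Source", ""),
        "server": {"domain": f.get("Domain Name", ""), "name": f.get("Server Name", "")},
        "threat": {"type": f.get("Category type", ""), "category": f.get("Category set", "")},
        "action": {"main": f.get("Actual action", ""), "secondary": f.get("Secondary action", "")},
        "application": {"hash": {}, "code_signature": {}},
    }
    doc = {
        # event.type is "info" for risk events; "denied" only appears on the
        # positional "Blocked" records, which this example does not parse.
        "event": {"kind": "event", "category": ["malware"], "type": ["info"],
                  "reason": reason, "action": f.get("Requested action", "")},
        "observer": {"vendor": "Broadcom", "product": "Symantec Endpoint Protection"},
        "host": {"hostname": hostname, "name": hostname,
                 "ip": [f["IP Address"]] if f.get("IP Address") else []},
        "user": {"name": f.get("User Name", "")},
        "file": {"path": f.get("File path", "")},
        "broadcom": {"endpoint_protection": ep},
    }
    if f.get("File size (bytes)", "").isdigit():
        doc["file"]["size"] = int(f["File size (bytes)"])
    if f.get("Application hash"):
        # SEP names the algorithm ("SHA2"); the samples key the digest by that name.
        ep["application"]["hash"][f.get("Hash type", "sha2").lower()] = f["Application hash"]
    if f.get("Signing timestamp", "").isdigit():
        # Unix epoch seconds -> the UTC layout used in the samples (microsecond precision).
        signed = datetime.fromtimestamp(int(f["Signing timestamp"]), tz=timezone.utc)
        ep["application"]["code_signature"]["timestamp"] = signed.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    return doc


def detect(doc: dict) -> list[str]:
    """Toy versions of two rules listed above; not SEKOIA.IO's rule logic."""
    hits = []
    if DOUBLE_EXT.search(doc["file"].get("path", "")):
        hits.append("Suspicious Double Extension")
    if doc["user"].get("name", "").lower() == "martinstevens":
        hits.append("RYUK Ransomware - martinstevens Username")
    return hits


if __name__ == "__main__":
    for line in (SAMPLE_VIRUS, SAMPLE_SONAR, SAMPLE_SUSPICIOUS):
        doc = normalize(line)
        print(doc["event"]["reason"], doc["host"]["hostname"], doc["file"], detect(doc))
```

The split-on-comma parser is adequate for the records on this page but is the weak point in practice: the French "Event Description" sample shows that SEP emits localized free text, and a value containing a comma would shift every field after it. Keep the raw message alongside the normalized document so such cases can be re-parsed later.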

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.

Name Type Description
broadcom.endpoint_protection.action.main keyword
broadcom.endpoint_protection.action.secondary keyword
broadcom.endpoint_protection.application.code_signature.certificate.serial_number keyword
broadcom.endpoint_protection.application.code_signature.certificate.thumbprint keyword
broadcom.endpoint_protection.application.code_signature.digest_algorithm keyword
broadcom.endpoint_protection.application.code_signature.signer keyword
broadcom.endpoint_protection.application.code_signature.subject_name keyword
broadcom.endpoint_protection.application.code_signature.timestamp keyword
broadcom.endpoint_protection.application.hash.sha2 keyword
broadcom.endpoint_protection.application.name keyword
broadcom.endpoint_protection.application.version keyword
broadcom.endpoint_protection.confidence keyword
broadcom.endpoint_protection.downloaded_by.file.path keyword
broadcom.endpoint_protection.prevalence keyword
broadcom.endpoint_protection.server.domain keyword
broadcom.endpoint_protection.server.group keyword
broadcom.endpoint_protection.server.name keyword
broadcom.endpoint_protection.source keyword
broadcom.endpoint_protection.threat.category keyword
broadcom.endpoint_protection.threat.type keyword
event.action keyword The action captured by the event.
event.category keyword Event category. The second categorization field in the hierarchy.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.reason keyword Reason why this event happened, according to the source
file.path keyword Full path to the file, including the file name.
file.size long File size in bytes.
host.hostname keyword Hostname of the host.
host.ip ip Host ip addresses.
host.name keyword Name of the host.
observer.product keyword The product name of the observer.
observer.vendor keyword Vendor name of the observer.
process.args keyword Array of process arguments.
process.executable keyword Absolute path to the process executable.
process.name keyword Process name.
process.pid long Process id.
process.working_directory keyword The working directory of the process.
threat.enrichments array
user.name keyword Short name or login of the user.

Configure

In this guide, you will configure your Symantec Endpoint Protection Manager or your Symantec Endpoint Security to forward events through syslog.

Prerequisites

An internal log concentrator (Rsyslog) is required to collect and forward events to SEKOIA.IO.

Enable Syslog forwarding

Log on to the console of your management server and follow this guide to enable log forwarding, providing the IP address, the transport protocol (TCP is recommended) and the listening port (514) of the concentrator.

Create the intake

Go to the intake page and create a new intake from the format Symantec Endpoint Protection.

Transport to SEKOIA.IO

Please consult the Rsyslog Transport documentation to forward these logs to SEKOIA.IO.