| sigma |
win_susp_disable_raccine.yml |
title: Raccine Uninstall |
DRL 1.0 |
| sigma |
win_susp_wmic_security_product_uninstall.yml |
title: Wmic Uninstall Security Product |
DRL 1.0 |
| sigma |
win_susp_wmic_security_product_uninstall.yml |
- 'call uninstall' |
DRL 1.0 |
| LOLBAS |
Installutil.yml |
Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies |
|
| malware-ioc |
rtm |
uninstall |
© ESET 2014-2018 |
| malware-ioc |
rtm |
uninstall-lock |
© ESET 2014-2018 |
| atomic-red-team |
index.md |
- Atomic Test #11: Uninstall Sysmon [windows] |
MIT License. © 2018 Red Canary |
| atomic-red-team |
index.md |
- Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows] |
MIT License. © 2018 Red Canary |
| atomic-red-team |
index.md |
- Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows] |
MIT License. © 2018 Red Canary |
| atomic-red-team |
index.md |
- Atomic Test #6: InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant [windows] |
MIT License. © 2018 Red Canary |
| atomic-red-team |
index.md |
- Atomic Test #1: Regasm Uninstall Method Call Test [windows] |
MIT License. © 2018 Red Canary |
| atomic-red-team |
index.md |
- Atomic Test #2: Regsvcs Uninstall Method Call Test [windows] |
MIT License. © 2018 Red Canary |
| atomic-red-team |
windows-index.md |
- Atomic Test #11: Uninstall Sysmon [windows] |
MIT License. © 2018 Red Canary |
| atomic-red-team |
windows-index.md |
- Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows] |
MIT License. © 2018 Red Canary |
| atomic-red-team |
windows-index.md |
- Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows] |
MIT License. © 2018 Red Canary |
| atomic-red-team |
windows-index.md |
- Atomic Test #6: InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant [windows] |
MIT License. © 2018 Red Canary |
| atomic-red-team |
windows-index.md |
- Atomic Test #1: Regasm Uninstall Method Call Test [windows] |
MIT License. © 2018 Red Canary |
| atomic-red-team |
windows-index.md |
- Atomic Test #2: Regsvcs Uninstall Method Call Test [windows] |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1095.md |
if( $null -eq (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall* | ?{$_.DisplayName -like “Microsoft Visual C++*”}) ) { |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1218.004.md |
- Atomic Test #5 - InstallUtil Uninstall method call - /U variant |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1218.004.md |
- Atomic Test #6 - InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1218.004.md |
## Atomic Test #5 - InstallUtil Uninstall method call - /U variant |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1218.004.md |
Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility. |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1218.004.md |
InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output. |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1218.004.md |
## Atomic Test #6 - InstallUtil Uninstall method call - ‘/installtype=notransaction /action=uninstall’ variant |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1218.004.md |
$CommandLine = “/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall "$InstallerAssemblyFullPath”” |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1218.004.md |
Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil. |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1218.009.md |
- Atomic Test #1 - Regasm Uninstall Method Call Test |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1218.009.md |
- Atomic Test #2 - Regsvcs Uninstall Method Call Test |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1218.009.md |
## Atomic Test #1 - Regasm Uninstall Method Call Test |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1218.009.md |
Executes the Uninstall Method, No Admin Rights Required. Upon execution, “I shouldn’t really execute either.” will be displayed. |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1218.009.md |
## Atomic Test #2 - Regsvcs Uninstall Method Call Test |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1218.009.md |
Executes the Uninstall Method, No Admin Rights Required, Requires SNK. Upon execution, “I shouldn’t really execute” will be displayed |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1219.md |
$file = ‘C:\Program Files (x86)\TeamViewer\uninstall.exe’ |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1219.md |
get-package ‘LogMeIn Client’ -ErrorAction Ignore | uninstall-package |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1505.002.md |
Uninstall-TransportAgent #{transport_agent_identity} |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1518.md |
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1518.md |
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1562.001.md |
- Atomic Test #11 - Uninstall Sysmon |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1562.001.md |
- Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1562.001.md |
## Atomic Test #11 - Uninstall Sysmon |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1562.001.md |
Uninstall Sysinternals Sysmon for Defense Evasion |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1562.001.md |
## Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1562.001.md |
Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller. |
MIT License. © 2018 Red Canary |
| atomic-red-team |
T1562.001.md |
if (Test-Path “#{falcond_path}”) {. “#{falcond_path}” /repair /uninstall /quiet } else { Get-ChildItem -Path “C:\ProgramData\Package Cache” -Include “WindowsSensor.exe” -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath $.FullName); if ($sig.Status -eq “Valid” -and $sig.SignerCertificate.DnsNameList -eq “CrowdStrike, Inc.”) { . “$” /repair /uninstall /quiet; break;} }} |
MIT License. © 2018 Red Canary |
| signature-base |
apt_eqgrp.yar |
$x4 = “%s version %s already has persistence installed. If you want to uninstall,” fullword ascii |
CC BY-NC 4.0 |
| signature-base |
apt_op_cloudhopper.yar |
$s2 = “rundll32.exe "%s", UnInstall /update %s” fullword wide |
CC BY-NC 4.0 |
| signature-base |
crime_buzus_softpulse.yar |
$s4 = “CurrentVersion\Uninstall\avast” fullword wide |
CC BY-NC 4.0 |
| signature-base |
gen_rats_malwareconfig.yar |
$a7 = “Uninstall.jarPK” |
CC BY-NC 4.0 |
| signature-base |
thor-hacktools.yar |
$a = “Unable to uninstall the fgexec service” |
CC BY-NC 4.0 |
| signature-base |
thor-webshells.yar |
$s3 = “%s -Uninstall –>To Uninstall The Service” |
CC BY-NC 4.0 |
| signature-base |
thor-webshells.yar |
$s6 = “Can’t uninstall,maybe the backdoor is not installed or,the Password you INPUT is” |
CC BY-NC 4.0 |