| Repository | File | Matching line | License |
|---|---|---|---|
| sigma | win_builtin_remove_application.yml | title: An Application Is Uninstall | DRL 1.0 |
| sigma | win_susp_system_update_error.yml | - 24 # Uninstallation Failure: Windows failed to uninstall the following update with error | DRL 1.0 |
| sigma | posh_ps_software_discovery.yml | ScriptBlockText\|contains\|all: # Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* \| Select-Object DisplayName, DisplayVersion, Publisher, InstallDate \| Format-Table -Autosize | DRL 1.0 |
| sigma | proc_creation_win_cleanwipe.yml | CommandLine\|contains: '--uninstall' | DRL 1.0 |
| sigma | proc_creation_win_cleanwipe.yml | - '/uninstall' | DRL 1.0 |
| sigma | proc_creation_win_dsim_remove.yml | description: Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images | DRL 1.0 |
| sigma | proc_creation_win_susp_disable_raccine.yml | title: Raccine Uninstall | DRL 1.0 |
| sigma | proc_creation_win_susp_wmic_security_product_uninstall.yml | title: Wmic Uninstall Security Product | DRL 1.0 |
| sigma | proc_creation_win_susp_wmic_security_product_uninstall.yml | - 'call uninstall' | DRL 1.0 |
| sigma | proc_creation_win_uninstall_crowdstrike_falcon.yml | title: Uninstall Crowdstrike Falcon | DRL 1.0 |
| sigma | proc_creation_win_uninstall_crowdstrike_falcon.yml | - ' /uninstall' | DRL 1.0 |
| sigma | proc_creation_win_uninstall_crowdstrike_falcon.yml | - Uninstall by admin | DRL 1.0 |
| sigma | proc_creation_win_uninstall_sysmon.yml | title: Uninstall Sysinternals Sysmon | DRL 1.0 |
| sigma | proc_creation_win_uninstall_sysmon.yml | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon | DRL 1.0 |
| sigma | proc_creation_win_wmic_remove_application.yml | title: WMI Uninstall An Application | DRL 1.0 |
| sigma | proc_creation_win_wmic_remove_application.yml | description: Uninstall an application with wmic | DRL 1.0 |
| sigma | proc_creation_win_wmic_remove_application.yml | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic | DRL 1.0 |
| sigma | proc_creation_win_wmic_remove_application.yml | CommandLine\|contains: call uninstall | DRL 1.0 |
| LOLBAS | Installutil.yml | Description: The Installer tool is a command-line utility that allows you to install and uninstall server resources by executing the installer components in specified assemblies | |
| malware-ioc | rtm | uninstall | © ESET 2014-2018 |
| malware-ioc | rtm | uninstall-lock | © ESET 2014-2018 |
| atomic-red-team | index.md | - Atomic Test #11: Uninstall Sysmon [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #1: Regasm Uninstall Method Call Test [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #2: Regsvcs Uninstall Method Call Test [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #10: Application uninstall using WMIC [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #11: Uninstall Sysmon [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #1: Regasm Uninstall Method Call Test [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #2: Regsvcs Uninstall Method Call Test [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #10: Application uninstall using WMIC [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1047.md | - Atomic Test #10 - Application uninstall using WMIC | MIT License. © 2018 Red Canary |
| atomic-red-team | T1047.md | ## Atomic Test #10 - Application uninstall using WMIC | MIT License. © 2018 Red Canary |
| atomic-red-team | T1047.md | Emulates uninstalling applications using WMIC. This method only works if the product was installed with an msi file. APTs have been seen using this to uninstall security products. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1047.md | wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall | MIT License. © 2018 Red Canary |
| atomic-red-team | T1095.md | if( $null -eq (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* \| ?{$_.DisplayName -like "Microsoft Visual C++*"}) ) { | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | - Atomic Test #5 - InstallUtil Uninstall method call - /U variant | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | - Atomic Test #6 - InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | ## Atomic Test #5 - InstallUtil Uninstall method call - /U variant | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | Executes the Uninstall Method. Upon execution, version information will be displayed by the .NET framework install utility. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | InstallUtil Uninstall method execution test failure. Installer assembly execution output did not match the expected output. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | ## Atomic Test #6 - InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | $CommandLine = "/logfile= /logtoconsole=false /installtype=notransaction /action=uninstall `"$InstallerAssemblyFullPath`"" | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.004.md | Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.009.md | - Atomic Test #1 - Regasm Uninstall Method Call Test | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.009.md | - Atomic Test #2 - Regsvcs Uninstall Method Call Test | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.009.md | ## Atomic Test #1 - Regasm Uninstall Method Call Test | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.009.md | Executes the Uninstall Method, No Admin Rights Required. Upon execution, "I shouldn't really execute either." will be displayed. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.009.md | ## Atomic Test #2 - Regsvcs Uninstall Method Call Test | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.009.md | Executes the Uninstall Method, No Admin Rights Required, Requires SNK. Upon execution, "I shouldn't really execute" will be displayed | MIT License. © 2018 Red Canary |
| atomic-red-team | T1219.md | $file = 'C:\Program Files (x86)\TeamViewer\uninstall.exe' | MIT License. © 2018 Red Canary |
| atomic-red-team | T1219.md | get-package 'LogMeIn Client' -ErrorAction Ignore \| uninstall-package | MIT License. © 2018 Red Canary |
| atomic-red-team | T1505.002.md | Uninstall-TransportAgent #{transport_agent_identity} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1518.md | Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* \| Select-Object DisplayName, DisplayVersion, Publisher, InstallDate \| Format-Table -Autosize | MIT License. © 2018 Red Canary |
| atomic-red-team | T1518.md | Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* \| Select-Object DisplayName, DisplayVersion, Publisher, InstallDate \| Format-Table -Autosize | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | - Atomic Test #11 - Uninstall Sysmon | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | - Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | ## Atomic Test #11 - Uninstall Sysmon | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | Uninstall Sysinternals Sysmon for Defense Evasion | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | ## Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall /quiet } else { Get-ChildItem -Path "C:\ProgramData\Package Cache" -Include "WindowsSensor.exe" -Recurse \| % { $sig=$(Get-AuthenticodeSignature -FilePath $_.FullName); if ($sig.Status -eq "Valid" -and $sig.SignerCertificate.DnsNameList -eq "CrowdStrike, Inc.") { . "$_" /repair /uninstall /quiet; break;} }} | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images. | MIT License. © 2018 Red Canary |
| signature-base | apt_eqgrp.yar | $x4 = "%s version %s already has persistence installed. If you want to uninstall," fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_op_cloudhopper.yar | $s2 = "rundll32.exe \"%s\", UnInstall /update %s" fullword wide | CC BY-NC 4.0 |
| signature-base | crime_buzus_softpulse.yar | $s4 = "CurrentVersion\Uninstall\avast" fullword wide | CC BY-NC 4.0 |
| signature-base | gen_rats_malwareconfig.yar | $a7 = "Uninstall.jarPK" | CC BY-NC 4.0 |
| signature-base | thor-hacktools.yar | $a = "Unable to uninstall the fgexec service" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s3 = "%s -Uninstall -->To Uninstall The Service" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s6 = "Can't uninstall,maybe the backdoor is not installed or,the Password you INPUT is" | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | and not filename matches /uninstall/ | CC BY-NC 4.0 |