title: Uninstall Crowdstrike Falcon
author: frack113
date: 2021/07/12
description: Adversaries may disable security tools to avoid possible detection of
  their tools and activities by uninstalling Crowdstrike Falcon
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    CommandLine: '*\WindowsSensor.exe*'
  SELECTION_3:
    CommandLine: '* /uninstall*'
  SELECTION_4:
    CommandLine: '* /quiet*'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4)
falsepositives:
- Uninstall by admin
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: f0f7be61-9cf5-43be-9836-99d6ef448a18
level: medium
logsource:
  category: process_creation
  product: windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
status: experimental
tags:
- attack.defense_evasion
- attack.t1562.001
ruletype: SIGMA