administrator might leverage the same command line for debugging or other purposes. however this action must be always investigated

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_uninstall_crowdstrike_falcon.yml>sigma
technicques: t1562 t1562.001

Techniques

Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon

condition: selection
selection:
  CommandLine|contains|all:
  - \WindowsSensor.exe
  - ' /uninstall'
  - ' /quiet'