Agent uninstallations during planned maintenance or legitimate IT workflows may trigger these detections. Review such events to avoid false positive alerts.

Techniques

Sample rules

Windows CrowdStrike Agent Registry Key Removal

Description

Detects delete events on the CrowdStrike registry keys. These keys are removed as part of the agent uninstallation process. This activity should only occur during planned events, and any instance outside such a window should be evaluated for malicious activity such as CVE-2022-44721.

Detection logic

`sysmon` EventID="12" TargetObject="*\\SYSTEM\\CrowdStrike" action="deleted"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by Computer EventID TargetObject action dest process_guid process_id registry_hive registry_path registry_key_name status user vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_crowdstrike_agent_registry_key_removal_filter`
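The following is an added example, not part of the rule or of Splunk's content: it re-implements the search's predicate and stats step in Python over constructed Sysmon-style events, and stands in for the `windows_crowdstrike_agent_registry_key_removal_filter` macro with a hypothetical allow-list of approved deployment accounts inside a change window, so the false positive case from the top of the page drops out while an unexpected key removal stays.

```python
import fnmatch
from collections import defaultdict

# Constructed Sysmon-style registry events (not real telemetry). EventID 12 is
# Sysmon's RegistryEvent for key create/delete; the rule keys on the deletes.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventID": "12", "action": "deleted", "Computer": "WS01",
     "TargetObject": r"HKLM\SYSTEM\CrowdStrike", "user": "CORP\\svc_deploy"},
    {"_time": 1700000030, "EventID": "12", "action": "deleted", "Computer": "WS01",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\CSAgent", "user": "CORP\\svc_deploy"},
    {"_time": 1700000100, "EventID": "12", "action": "created", "Computer": "WS02",
     "TargetObject": r"HKLM\SYSTEM\CrowdStrike", "user": "SYSTEM"},
    {"_time": 1700000200, "EventID": "13", "action": "modified", "Computer": "WS02",
     "TargetObject": r"HKLM\SYSTEM\CrowdStrike\Flag", "user": "SYSTEM"},
    {"_time": 1700000300, "EventID": "12", "action": "deleted", "Computer": "WS03",
     "TargetObject": r"HKLM\SYSTEM\CrowdStrike", "user": "CORP\\jdoe"},
    {"_time": 1700000360, "EventID": "12", "action": "deleted", "Computer": "WS03",
     "TargetObject": r"HKLM\SYSTEM\CrowdStrike", "user": "CORP\\jdoe"},
]

TARGET_PATTERN = r"*\SYSTEM\CrowdStrike"  # same wildcard as the SPL TargetObject filter

def matches_rule(event):
    """Mirror the SPL predicate: EventID 12, a delete, on the CrowdStrike key.
    Splunk wildcard matching is case-insensitive, so compare lowercased values."""
    return (event.get("EventID") == "12"
            and event.get("action") == "deleted"
            and fnmatch.fnmatchcase(event.get("TargetObject", "").lower(), TARGET_PATTERN.lower()))

def aggregate(events):
    """Mirror `stats count min(_time) as firstTime max(_time) as lastTime by ...`
    on a reduced key of Computer, TargetObject and user."""
    groups = defaultdict(list)
    for e in filter(matches_rule, events):
        groups[(e["Computer"], e["TargetObject"], e["user"])].append(e["_time"])
    return [{"Computer": c, "TargetObject": t, "user": u, "count": len(ts),
             "firstTime": min(ts), "lastTime": max(ts)}
            for (c, t, u), ts in sorted(groups.items())]

# Hypothetical stand-in for the rule's filter macro (constructed allow-list and
# change window): approved deployment accounts inside the window are suppressed.
APPROVED_UNINSTALL_USERS = {"CORP\\svc_deploy"}
CHANGE_WINDOW = (1699999000, 1700001000)

def apply_filter(results, window=CHANGE_WINDOW):
    start, end = window
    return [r for r in results
            if not (r["user"] in APPROVED_UNINSTALL_USERS
                    and start <= r["firstTime"] and r["lastTime"] <= end)]

def detect(events):
    """Full pipeline: predicate, stats, then the false-positive filter."""
    return apply_filter(aggregate(events))
```

Running `detect(SAMPLE_EVENTS)` leaves only the WS03 removals by CORP\jdoe; the service-account removal on WS01 inside the change window is filtered out, and the CSAgent service key, the key creation and the value modification never match the predicate.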