Techniques
Sample rules
PUA - CleanWipe Execution
- source: sigma
- techniques:
  - t1562
  - t1562.001
Description
Detects the use of CleanWipe, a tool usually used to delete Symantec antivirus.
Detection logic
condition: 1 of selection*
selection1:
  Image|endswith: \SepRemovalToolNative_x64.exe
selection2:
  CommandLine|contains: --uninstall
  Image|endswith: \CATClean.exe
selection3:
  CommandLine|contains: -r
  Image|endswith: \NetInstaller.exe
selection4:
  CommandLine|contains|all:
    - /uninstall
    - /enterprise
  Image|endswith: \WFPUnins.exe
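
How the four selections evaluate against process-creation events, as an added example that is not part of the rule or its source. It assumes standard Sigma semantics (case-insensitive string matching, conditions inside one selection ANDed, `1 of selection*` ORing the selections); the event paths and command lines, including the `-refresh` argument, are constructed.

```python
# Added example (not part of the rule source): evaluates the four selections.
# Sigma semantics assumed: string matching is case-insensitive, fields inside
# one selection are ANDed, and "1 of selection*" ORs the selections.
SELECTIONS = {
    "selection1": {"Image|endswith": r"\SepRemovalToolNative_x64.exe"},
    "selection2": {"CommandLine|contains": "--uninstall",
                   "Image|endswith": r"\CATClean.exe"},
    "selection3": {"CommandLine|contains": "-r",
                   "Image|endswith": r"\NetInstaller.exe"},
    "selection4": {"CommandLine|contains|all": ["/uninstall", "/enterprise"],
                   "Image|endswith": r"\WFPUnins.exe"},
}


def field_matches(event, key, expected):
    """Apply one 'Field|modifier[|all]' condition to a process-creation event."""
    field, op, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    needles = [n.lower() for n in (expected if isinstance(expected, list) else [expected])]
    test = value.endswith if op == "endswith" else value.__contains__
    combine = all if "all" in mods else any
    return combine(test(n) for n in needles)


def matched_selections(event):
    """Names of every selection whose conditions all hold for the event."""
    return [name for name, conds in SELECTIONS.items()
            if all(field_matches(event, k, v) for k, v in conds.items())]


# Constructed sample events; paths and command lines are illustrative only.
EVENTS = [
    {"Image": r"C:\Temp\CW\SepRemovalToolNative_x64.exe", "CommandLine": "SepRemovalToolNative_x64.exe"},
    {"Image": r"C:\Temp\CW\CATClean.exe", "CommandLine": "CATClean.exe --uninstall"},
    {"Image": r"C:\Temp\CW\CATClean.exe", "CommandLine": "CATClean.exe"},
    {"Image": r"C:\TEMP\CW\WFPUNINS.EXE", "CommandLine": "WFPUnins.exe /Uninstall /Enterprise"},
    {"Image": r"C:\Temp\CW\WFPUnins.exe", "CommandLine": "WFPUnins.exe /uninstall"},
    {"Image": r"C:\Temp\CW\NetInstaller.exe", "CommandLine": "NetInstaller.exe -refresh"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(matched_selections(ev) or "no match", "<-", ev["CommandLine"])
```

The last event matches selection3 because `CommandLine|contains: -r` is a substring test, so any NetInstaller.exe argument that starts with `-r` satisfies it; only selection1 fires on the image name alone.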