Application Uninstalled

 1title: Application Uninstalled
 2id: 570ae5ec-33dc-427c-b815-db86228ad43e
 3status: test
 4description: An application has been removed. Check if it is critical.
 5references:
 6    - https://github.com/nasbench/EVTX-ETW-Resources/blob/f1b010ce0ee1b71e3024180de1a3e67f99701fe4/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml
 7    - https://learn.microsoft.com/en-us/windows/win32/msi/event-logging
 8author: frack113
 9date: 2022-01-28
10modified: 2022-09-17
11tags:
12    - attack.impact
13    - attack.t1489
14logsource:
15    product: windows
16    service: application
17detection:
18    selection:
19        Provider_Name: 'MsiInstaller'
20        EventID:
21            - 1034 # Windows Installer removed the product
22            - 11724 # Product Removal Successful
23    condition: selection
24falsepositives:
25    - Unknown
26# Level is low as it can be very verbose, you can use the top or less 10 "Product Name" to have a quick overview
27level: low

References

• EVTX-ETW-Resources/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/Microsoft-Windows-MsiServer.xml at f1b010ce0ee1b71e3024180de1a3e67f99701fe4 · nasbench/EVTX-ETW-Resources

  

  Event Tracing For Windows (ETW) Resources. Contribute to nasbench/EVTX-ETW-Resources development by creating an account on GitHub.

  
  Read More

• Event Logging (Windows Installer) - Win32 apps

  

  Windows Events provides a standard, centralized way for applications (and the operating system) to record important software and hardware events.

  
  Read More

Related rules

• Azure Application Deleted
• Delete All Scheduled Tasks
• Delete Important Scheduled Task
• Important Scheduled Task Deleted
• Stop Windows Service Via Net.EXE