PUA - CleanWipe Execution
Detects the use of CleanWipe, a tool usually used to remove Symantec antivirus products.
Sigma rule
```yaml
title: PUA - CleanWipe Execution
id: f44800ac-38ec-471f-936e-3fa7d9c53100
status: test
description: Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.
references:
    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-12-18
modified: 2023-02-14
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith: '\SepRemovalToolNative_x64.exe'
    selection2:
        Image|endswith: '\CATClean.exe'
        CommandLine|contains: '--uninstall'
    selection3:
        Image|endswith: '\NetInstaller.exe'
        CommandLine|contains: '-r'
    selection4:
        Image|endswith: '\WFPUnins.exe'
        CommandLine|contains|all:
            - '/uninstall'
            - '/enterprise'
    condition: 1 of selection*
falsepositives:
    - Legitimate administrative use (Should be investigated either way)
level: high
```
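To make the detection logic concrete, here is an added Python example (not part of the Sigma project or this rule) that transcribes the four selections and the `1 of selection*` condition, then runs them over constructed process_creation events; the sample paths and command lines are made up, and string matching is done case-insensitively, as Sigma does by default.

```python
"""Evaluate the CleanWipe Sigma rule above against constructed process_creation events."""
from typing import Dict, List, Tuple

# Selections transcribed from the rule: image suffix plus the CommandLine
# substrings that must ALL be present (an empty list means no CommandLine test).
SELECTIONS: Dict[str, Tuple[str, List[str]]] = {
    "selection1": ("\\SepRemovalToolNative_x64.exe", []),
    "selection2": ("\\CATClean.exe", ["--uninstall"]),
    "selection3": ("\\NetInstaller.exe", ["-r"]),
    "selection4": ("\\WFPUnins.exe", ["/uninstall", "/enterprise"]),
}


def matched_selections(event: Dict[str, str]) -> List[str]:
    """Return the names of the selections one event satisfies.
    Sigma string modifiers are case-insensitive by default, so compare lowercased."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    hits = []
    for name, (suffix, needles) in SELECTIONS.items():
        if image.endswith(suffix.lower()) and all(n.lower() in cmdline for n in needles):
            hits.append(name)
    return hits


def rule_fires(event: Dict[str, str]) -> bool:
    """condition: 1 of selection*  ->  any selection matching is enough."""
    return bool(matched_selections(event))


# Constructed sample events (not real telemetry); the last one shows that the
# CommandLine clause alone, e.g. a stray '-r', never fires without the Image match.
SAMPLE_EVENTS = [
    {"Image": r"C:\Temp\CleanWipe\SepRemovalToolNative_x64.exe", "CommandLine": "SepRemovalToolNative_x64.exe"},
    {"Image": r"C:\Temp\CleanWipe\CATClean.exe", "CommandLine": "CATClean.exe --uninstall"},
    {"Image": r"C:\Temp\CleanWipe\CATClean.exe", "CommandLine": "CATClean.exe --status"},
    {"Image": r"C:\Temp\CleanWipe\WFPUnins.exe", "CommandLine": "WFPUnins.exe /uninstall"},
    {"Image": r"C:\Temp\CleanWipe\WFPUnins.exe", "CommandLine": "WFPUnins.exe /uninstall /enterprise"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe -r"},
]


def run(events=SAMPLE_EVENTS) -> List[Tuple[str, List[str]]]:
    """Return (image basename, matched selections) for each event."""
    return [(e["Image"].rsplit("\\", 1)[-1], matched_selections(e)) for e in events]


if __name__ == "__main__":
    for name, hits in run():
        print(f"{name:32} {'ALERT ' + ','.join(hits) if hits else 'no match'}")
```

Note that selection3's `contains: '-r'` is a plain substring test, so any argument containing `-r` satisfies it once the image name matches; the alert is only as specific as the Image clause.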