Raccine Uninstall
Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
Sigma rule

title: Raccine Uninstall
id: a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc
status: test
description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
references:
    - https://github.com/Neo23x0/Raccine
author: Florian Roth (Nextron Systems)
date: 2021-01-21
modified: 2022-10-09
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains|all:
            - 'taskkill '
            - 'RaccineSettings.exe'
    selection2:
        CommandLine|contains|all:
            - 'reg.exe'
            - 'delete'
            - 'Raccine Tray'
    selection3:
        CommandLine|contains|all:
            - 'schtasks'
            - '/DELETE'
            - 'Raccine Rules Updater'
    condition: 1 of selection*
falsepositives:
    - Legitimate deinstallation by administrative staff
level: high
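To see how the three selections and the `1 of selection*` condition behave on real telemetry, here is an added example (not part of the Sigma project or the Raccine tool) that evaluates the rule's matching logic over constructed process_creation events; it assumes Sigma's default case-insensitive `contains` semantics and that each event carries a `CommandLine` field.

```python
from typing import Dict, List

# The three selections transcribed from the rule above. 'contains|all' means every
# listed substring must occur in CommandLine; Sigma matches case-insensitively by
# default, so both sides are lowercased below.
SELECTIONS: Dict[str, List[str]] = {
    "selection1": ["taskkill ", "RaccineSettings.exe"],
    "selection2": ["reg.exe", "delete", "Raccine Tray"],
    "selection3": ["schtasks", "/DELETE", "Raccine Rules Updater"],
}


def matching_selections(command_line: str) -> List[str]:
    """Return the names of the selections a single CommandLine satisfies."""
    haystack = command_line.lower()
    return [name for name, needles in SELECTIONS.items()
            if all(needle.lower() in haystack for needle in needles)]


def rule_fires(event: Dict[str, str]) -> bool:
    """condition: 1 of selection* -> alert when at least one selection matches.
    The logsource restricts scope to Windows process_creation events."""
    if event.get("category") != "process_creation" or event.get("product") != "windows":
        return False
    return bool(matching_selections(event.get("CommandLine", "")))


# Constructed sample events for demonstration only (not real telemetry).
# The registry key in the second event is an obvious placeholder.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"category": "process_creation", "product": "windows",
     "CommandLine": "taskkill /F /IM RaccineSettings.exe"},               # selection1
    {"category": "process_creation", "product": "windows",
     "CommandLine": 'reg.exe delete <run-key> /v "Raccine Tray" /f'},     # selection2
    {"category": "process_creation", "product": "windows",
     "CommandLine": 'SCHTASKS /Delete /TN "Raccine Rules Updater" /F'},   # selection3, mixed case
    {"category": "process_creation", "product": "windows",
     "CommandLine": 'schtasks /Create /TN "Raccine Rules Updater"'},      # no /DELETE -> benign
    {"category": "process_creation", "product": "windows",
     "CommandLine": "taskkill /F /IM notepad.exe"},                        # unrelated taskkill
]


def evaluate(events: List[Dict[str, str]]) -> List[bool]:
    """Apply the rule to each event and return one verdict per event."""
    return [rule_fires(e) for e in events]


if __name__ == "__main__":
    for event, fired in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{'ALERT' if fired else 'ok   '}  {event['CommandLine']}")
```

The fourth and fifth events show why `contains|all` matters: a partial overlap (a task creation mentioning the updater, or a `taskkill` of another process) does not trigger the rule, which is what keeps the stated false-positive surface limited to genuine deinstallations.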