title: CleanWipe Usage
id: f44800ac-38ec-471f-936e-3fa7d9c53100
status: experimental
description: Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.
references:
    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe
author: Nasreddine Bencherchali @nas_bench
date: 2021/12/18
tags:
    - attack.defense_evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith: '\SepRemovalToolNative_x64.exe'
    selection2:
        Image|endswith: '\CATClean.exe'
        CommandLine|contains: '--uninstall'
    selection3:
        Image|endswith: '\NetInstaller.exe'
        CommandLine|contains: '-r'
    selection4:
        Image|endswith: '\WFPUnins.exe'
        CommandLine|contains|all:
            - '/uninstall'
            - '/enterprise'
    condition: 1 of selection*
falsepositives:
    - Legitimate administrative use
level: medium