Gist by scudette (09e514679f662fd97478524d7e9d9bbc), created October 20, 2020 11:55
```yaml
name: Custom.Admin.Client.Uninstall
description: |
  Uninstall Velociraptor from the endpoint.

  This artifact uninstalls a Velociraptor client (or any other MSI
  package) from the endpoint.

  Typically the client will be hard terminated during the uninstall
  process, so on the server it would appear that the collection is not
  completed. This is normal.

  NOTE: Be careful with the DisplayNameRegex to ensure you do not
  uninstall another package accidentally.

required_permissions:
  - EXECVE

parameters:
  - name: DisplayNameRegex
    default: Velociraptor
    description: A regex that will match the package to uninstall.
  - name: ReallyDoIt
    type: bool

sources:
  - precondition:
      SELECT OS From info() where OS = 'windows'

    query: |
      -- Candidate packages: every installed program whose DisplayName matches
      -- the regex. The log() call records each match before anything runs.
      LET packages = SELECT Name, DisplayName FROM Artifact.Windows.Sys.Programs()
        WHERE DisplayName =~ DisplayNameRegex AND
          log(message="Will uninstall " + DisplayName)

      -- Lazy query: evaluated per row of `packages`, so Name is the product
      -- code of the row being processed.
      LET uninstall = SELECT * FROM execve(argv=['msiexec', '/quiet', '/x', Name])

      -- msiexec is only invoked when ReallyDoIt is set; otherwise this is a dry run.
      SELECT Name, DisplayName,
             if(condition= ReallyDoIt="Y", then=uninstall.Stdout) AS UninstallLog
      FROM packages
```