title: Raccine Uninstall
id: a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc
status: experimental
description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
references:
    - https://github.com/Neo23x0/Raccine
tags:
    - attack.defense_evasion
    - attack.t1562.001
author: Florian Roth
date: 2021/01/21
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains|all:
            - 'taskkill '
            - '/IM RaccineSettings.exe'
    selection2:
        CommandLine|contains|all:
            - 'reg.exe'
            - 'delete'
            - 'Raccine Tray'
    selection3:
        CommandLine|contains|all:
            - 'schtasks'
            - '/DELETE'
            - 'Raccine Rules Updater'
    condition: 1 of them
falsepositives:
    - Legitimate deinstallation by administrative staff
level: high