SprwLabs
You've taken away administrative privileges on employees' desktops, but users still have various unwanted programs installed. Pulling a list of those programs is easy; removing them at scale is the harder part. In this article we'll look at how to automate software removal.
For the purpose of this article we will focus on CrowdStrike, but most endpoint tools can do something similar. That said, if you're running a legacy endpoint tool that cannot run scripts on a host remotely, you will run into challenges.
First, we need to establish which programs we'd like to remove. Within CrowdStrike, you can query Event Search for a list of installed applications. Below is a sample query.
event_simpleName=InstalledApplication aid=* AppName=* | stats values(AppName) as AppName values(aid) as aid values(event_platform) as Platform count by ComputerName
This query can also be run from an automation tool on a regular schedule. Depending on your SOAR platform, you can raise an alert when software appears on a host for the first time, or keep track of software that was previously removed so a reinstall stands out.
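As an added example (this is not code from the SprwLabs post), here is how the query output can be turned into a per-host worklist in PowerShell. It assumes the results were exported as CSV with one application per row (for example after piping the query through mvexpand AppName before stats). The host names, aids, application names, the allowlist and the "previously removed" list are all constructed for illustration.

```powershell
# Added example: build a per-host removal worklist from the installed-application query.
# The CSV below is constructed sample data in the shape of the query export (one app per row).
$queryExport = @'
ComputerName,aid,Platform,AppName
WKS-0101,0123456789abcdef0123456789abcdef,Win,Google Chrome
WKS-0101,0123456789abcdef0123456789abcdef,Win,uTorrent
WKS-0101,0123456789abcdef0123456789abcdef,Win,7-Zip 23.01 (x64)
WKS-0202,fedcba9876543210fedcba9876543210,Win,Google Chrome
WKS-0202,fedcba9876543210fedcba9876543210,Win,AnyDesk
WKS-0202,fedcba9876543210fedcba9876543210,Win,Microsoft Teams
'@

# Approved software (assumed list). Matched with -like so version suffixes and product
# families ("Microsoft *") do not each need their own entry.
$allowlist = @('Google Chrome', '7-Zip*', 'Microsoft *')

# Apps already removed by an earlier run, keyed "<aid>|<AppName>". In practice this state
# lives in the SOAR's case data; here it is a constructed example.
$previouslyRemoved = @('fedcba9876543210fedcba9876543210|AnyDesk')

function Test-Approved {
    param([string]$AppName)
    foreach ($pattern in $allowlist) {
        if ($AppName -like $pattern) { return $true }
    }
    return $false
}

function Get-RemovalWorklist {
    param([string]$Csv, [string[]]$AlreadyRemoved)
    $rows = $Csv | ConvertFrom-Csv
    $rows |
        # The removal script is PowerShell, so only Windows hosts make it onto the worklist.
        Where-Object { $_.Platform -eq 'Win' -and -not (Test-Approved $_.AppName) } |
        Group-Object aid |
        ForEach-Object {
            $aid  = $_.Name
            $apps = @($_.Group.AppName | Sort-Object -Unique)
            # Removed before and present again: a user reinstalled it, which deserves a
            # ticket or a conversation rather than just another silent uninstall.
            $reinstalled = @($apps | Where-Object { $AlreadyRemoved -contains "$aid|$_" })
            [pscustomobject]@{
                ComputerName = $_.Group[0].ComputerName
                aid          = $aid
                AppsToRemove = $apps        # what gets passed to the removal script via RTR
                Reinstalled  = $reinstalled
            }
        }
}

$worklist = Get-RemovalWorklist -Csv $queryExport -AlreadyRemoved $previouslyRemoved
$worklist | ConvertTo-Json -Depth 3
```

With the sample data, WKS-0101 comes back with uTorrent to remove and WKS-0202 with AnyDesk, which is also flagged under Reinstalled because it was on the previously-removed list. The aid is what you key on, since that is the identifier RTR sessions are opened against; ComputerName is carried along only for the ticket.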
Once we've determined the list of software we'd like to remove, we can tackle the removal in several ways. In our experience, it's best to use a simple PowerShell script: the software-removal features built into EDR tools tend to be less reliable, while uploading and executing a script is very reliable. Even a script as simple as the one below will work, provided the application was installed via an MSI.
$MyApp = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -eq "NAME" }   # Win32_Product lists MSI-installed apps only, and enumerating it makes Windows Installer re-validate every package, so expect it to be slow
if (-not $MyApp) { Write-Output "NAME is not installed"; exit 1 }   # without this, a missing app produces a null-method error instead of a useful message
$MyApp | ForEach-Object { $_.Uninstall() }   # one call per match; a ReturnValue of 0 in the output means the MSI uninstall succeeded
After you've saved the script as a .ps1 file, you can upload it to the RTR custom scripts library and execute it on a host with runscript -CloudFile="<script name>". RTR returns the script's output along with the command result, so any errors from the uninstall come back to you; adding verbose logging to the script makes removal failures much easier to troubleshoot. Two things to check before you rely on this: runscript is an admin-level RTR command, so the operator (or, for API clients, the API key) needs the RTR administrator role or scope, and uninstalls can take minutes, so pass a longer -Timeout= than the default when you run the script.
The major SOAR platforms all have integrations for CrowdStrike's RTR API. Most of them expect the PowerShell script as a Base64-encoded string when uploading it to the scripts library. If you'd like assistance in setting up your SOAR tool to perform application removal, please reach out!
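The following is an added example of the removal script as we would actually deploy it through RTR; it is not the script from the SprwLabs post above. Instead of Win32_Product it reads the registry Uninstall keys, which is fast and also sees non-MSI installers, uninstalls silently, and reports one JSON record per application so the SOAR playbook can parse the RTR output. The parameter name AppNames, the default placeholder "NAME" and the exit-code handling are assumptions for illustration.

```powershell
# Added example: registry-based silent uninstall for use as an RTR custom script.
# Run by RTR as SYSTEM, so per-user installs (HKCU\...\Uninstall) are not visible here.
param(
    [string[]]$AppNames = @("NAME")   # placeholder, as in the post; pass real names via -CommandLine
)

# Both the 64-bit and 32-bit uninstall hives; this is what Programs and Features reads.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledApp {
    param([string]$Name)
    # -like lets a caller pass "uTorrent*" when the DisplayName carries a version string.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayName -like $Name } |
        Select-Object DisplayName, DisplayVersion, PSChildName, UninstallString, QuietUninstallString
}

function Remove-InstalledApp {
    param($App)
    $result = [ordered]@{ Name = $App.DisplayName; Version = $App.DisplayVersion; Method = ''; ExitCode = $null }

    if ($App.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
        # MSI product: the key name is the ProductCode, so drive msiexec directly instead of
        # trusting the stored UninstallString, which is sometimes a repair (/I) rather than /X.
        $result.Method = 'msiexec'
        $proc = Start-Process -FilePath 'msiexec.exe' `
            -ArgumentList "/x $($App.PSChildName) /qn /norestart" -Wait -PassThru
        $result.ExitCode = $proc.ExitCode   # 0 = removed, 3010 = removed but reboot required
    }
    elseif ($App.QuietUninstallString) {
        # Non-MSI installer that publishes a silent uninstall command (Inno Setup, NSIS, ...).
        # cmd /c handles the quoted exe path plus switches exactly as Programs and Features would.
        $result.Method = 'QuietUninstallString'
        $proc = Start-Process -FilePath 'cmd.exe' -ArgumentList "/c $($App.QuietUninstallString)" -Wait -PassThru
        $result.ExitCode = $proc.ExitCode
    }
    else {
        # No known silent path: report it rather than pop an interactive uninstaller on the
        # user's desktop (which, run as SYSTEM, would hang until the RTR timeout anyway).
        $result.Method = 'manual-review'
        $result.ExitCode = -1
    }
    [pscustomobject]$result
}

$report = foreach ($name in $AppNames) {
    $found = @(Get-InstalledApp -Name $name)
    if ($found.Count -eq 0) {
        [pscustomobject]@{ Name = $name; Version = $null; Method = 'not-installed'; ExitCode = $null }
        continue
    }
    foreach ($app in $found) { Remove-InstalledApp -App $app }
}

# RTR hands stdout back to the operator or SOAR, so emit a JSON array rather than free text.
ConvertTo-Json -InputObject @($report) -Compress
```

From an RTR session this would be invoked as runscript -CloudFile="<script name>" -CommandLine="-AppNames 'uTorrent','AnyDesk'" -Timeout=600, with the timeout raised because a real uninstall rarely finishes inside the default. Treat any record whose Method is manual-review as a failed removal in the playbook: the application is still there, and only a human can decide how to handle an installer with no silent option.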