Problem: T1562.001 Atomic Test #12 - Uninstall Sysmon --> Failed

[SirStephanikus]

What did you do?

Invoke-AtomicTest T1562.001 -TestNumbers 12 -CheckPrereqs
PathToAtomicsFolder = C:\AtomicRedTeam\atomics

CheckPrereq's for: T1562.001-12 Uninstall Sysmon
Prerequisites met: T1562.001-12 Uninstall Sysmon

Invoke-AtomicTest T1562.001 -TestNumbers 12 -Verbose

What did you expect to happen?

After the -CheckPrereqs Test met all prerequisites, the AtomicTest should uninstall sysmon correctly,

What happened instead?

Uninstaller does not find sysmon, despite being installed and active.
Aborting uninstall: Sysmon service named Sysmon is not installed, but Sysmon driver named SysmonDrv is.

Your Environment

Windows Server 2022 Standard, as an AD-DC. Run with privileged user.

I found the issue:
---> The Atomic test expects to find "sysmon", but it runs here as "sysmon64" (installed via chocolatey).

Proof:

Get-Service -Name Sysmon64

Status   Name               DisplayName
------   ----               -----------
Running  Sysmon64           Sysmon64

sc.exe query sysmon64 | findstr sysmon64

SERVICE_NAME: sysmon64

Suggestion, fix up the Atomic-Test to recognize even sysmon64.
See also #2951

[NChilds86]

Nice work with the committed find and thanks for reposting the feedback and the proof and team will have this resolved soon as it is possible.

Thanks mate....

[github-actions]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

[SirStephanikus]

Stale prevention:
Any news on this?

[cyberbuff]

Hello @SirStephanikus Sorry for the delay. I am working on a fix for both of your issues (#2951 and #2952). Should be fixed within end of the week. Thanks for your patience.

[github-actions]

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

[SirStephanikus]

Push, to remove stale label