UAC Bypass via DiskCleanup Scheduled Task Hijack
Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.
# Elastic prebuilt detection rule. [metadata] holds the rule's lifecycle and
# compatibility information; the detection logic itself lives in [rule].
[metadata]
creation_date = "2020/08/18"
# Data sources this rule is expected to evaluate. Each one has a matching
# index pattern in rule.index below.
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/11/02"
# The rule is only loaded on stacks at or above this version; the reason is
# given in min_stack_comments (schema change in the Windows integration).
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to
stealthily execute code with elevated permissions.
"""
# Look-back window for each rule execution. NOTE(review): presumably sized to
# overlap the rule's scheduling interval so late-arriving events are not
# missed -- confirm against the deployed interval before shortening it.
from = "now-9m"
# Index patterns searched: one per integration named in metadata.integration,
# plus Winlogbeat and Elastic Endgame.
index = [
 "winlogbeat-*",
 "logs-endpoint.events.process-*",
 "logs-windows.forwarded*",
 "logs-windows.sysmon_operational-*",
 "endgame-*",
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
 "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "UAC Bypass via DiskCleanup Scheduled Task Hijack"
# Medium severity: a hit means an image other than the expected cleanmgr.exe
# was started with the DiskCleanup task's argument pattern -- a strong signal,
# but one that legitimate tooling on unusual volume paths can also trigger
# (see the query notes below).
risk_score = 47
rule_id = "1dcc51f6-ba26-49e7-9ef4-2655abb2361e"
severity = "medium"
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Privilege Escalation",
 "Tactic: Defense Evasion",
 "Tactic: Execution",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: System",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Crowdstrike",
]
# Evaluate the rule's time window against ingest time rather than the
# event's own timestamp, so endpoint events that are delivered late are
# still considered.
timestamp_override = "event.ingested"
type = "eql"

# Detection logic. The DiskCleanup scheduled task (SilentCleanup) runs
# cleanmgr.exe with "/autoclean /d <drive>". The rule alerts on any Windows
# process start carrying both arguments whose image is NOT the legitimate
# cleanmgr.exe -- or taskhostw.exe, which presumably hosts the task's action
# and can surface with the same arguments -- at its expected System32 or
# SysWOW64 path. Tuning notes:
#   - `:` is a case-insensitive wildcard match. `?` in "HarddiskVolume?"
#     matches exactly one character, so a system volume numbered 10 or
#     higher is not excluded and will alert on legitimate runs; add the
#     path (or widen the pattern) if that happens in your environment.
#   - `process.executable != null` keeps events with no image path from
#     trivially passing the `not ... : (...)` exclusion.
#   - Exclusions are full paths, so a copy of cleanmgr.exe anywhere else
#     still alerts. That is intended: a renamed or relocated binary is the
#     behaviour being hunted.
query = '''
process where host.os.type == "windows" and event.type == "start" and
 process.args : "/autoclean" and process.args : "/d" and process.executable != null and
 not process.executable : (
 "C:\\Windows\\System32\\cleanmgr.exe",
 "C:\\Windows\\SysWOW64\\cleanmgr.exe",
 "C:\\Windows\\System32\\taskhostw.exe",
 "\\Device\\HarddiskVolume?\\Windows\\System32\\cleanmgr.exe",
 "\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\cleanmgr.exe",
 "\\Device\\HarddiskVolume?\\Windows\\System32\\taskhostw.exe"
)
'''


# MITRE ATT&CK mapping. T1548.002 (Bypass User Account Control) is listed
# twice because the same behaviour serves both Privilege Escalation and
# Defense Evasion; the third entry maps the scheduled-task abuse itself
# under Execution. Each [rule.threat.tactic] header is a sub-table of the
# [[rule.threat]] element that precedes it.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"