UAC Bypass via DiskCleanup Scheduled Task Hijack
Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.
# Repository metadata about the rule itself; the detection logic lives under
# [rule] below. Dates are YYYY/MM/DD strings (note the `/` separator), not
# native TOML dates.
[metadata]
creation_date = "2020/08/18"
# Integrations whose process-event streams the rule's `index` patterns cover;
# keep this list and [rule].index in step when a data source is added.
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/10/15"
# Stack floor pinned by the Windows integration breaking change noted below.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to
stealthily execute code with elevated permissions.
"""
# Look-back window per execution; a 9m window with the (presumed) default 5m
# interval overlaps consecutive runs so late-indexed events are not skipped.
from = "now-9m"
# Process-event sources: one pattern per integration listed in [metadata],
# plus the winlogbeat and Endgame streams.
index = [
 "winlogbeat-*",
 "logs-endpoint.events.process-*",
 "logs-windows.forwarded*",
 "logs-windows.sysmon_operational-*",
 "endgame-*",
 "logs-system.security*",
 "logs-m365_defender.event-*",
 "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "UAC Bypass via DiskCleanup Scheduled Task Hijack"
# 47 falls in the "medium" band; risk_score and severity are kept in step.
risk_score = 47
rule_id = "1dcc51f6-ba26-49e7-9ef4-2655abb2361e"
severity = "medium"
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Privilege Escalation",
 "Tactic: Defense Evasion",
 "Tactic: Execution",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
 "Data Source: System",
 "Data Source: Microsoft Defender for Endpoint",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
]
# Evaluate against ingest time rather than @timestamp so events that arrive
# late still fall inside the `from` window.
timestamp_override = "event.ingested"
type = "eql"

# Detection logic: the DiskCleanup scheduled task launches cleanmgr.exe with
# the arguments `/autoclean /d ...`. A process start carrying both arguments
# from any executable other than cleanmgr.exe (System32 or SysWOW64) or
# taskhostw.exe (the host for scheduled-task actions) indicates the task's
# command has been redirected to a different binary.
# Tuning notes:
#   - `:` is EQL's case-insensitive match, so path casing is irrelevant.
#   - The exclusions hard-code the C:\Windows prefix; a host with Windows
#     installed on another drive letter would alert on legitimate runs.
#   - `process.executable != null` keeps events without an executable path
#     away from the `not` clause. NOTE(review): confirm whether EQL null
#     semantics already drop such events, making this guard explicit rather
#     than required.
#   - Backslashes are doubled for the EQL string, not for TOML: `'''` is a
#     literal string and passes them through unchanged.
query = '''
process where host.os.type == "windows" and event.type == "start" and
 process.args : "/autoclean" and process.args : "/d" and process.executable != null and
 not process.executable : ("C:\\Windows\\System32\\cleanmgr.exe",
 "C:\\Windows\\SysWOW64\\cleanmgr.exe",
 "C:\\Windows\\System32\\taskhostw.exe")
'''


# ATT&CK mapping 1 of 3: T1548.002 (Bypass User Account Control) under
# Privilege Escalation. The same sub-technique appears again under Defense
# Evasion because ATT&CK lists T1548 under both tactics and each
# [[rule.threat]] element carries exactly one tactic.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"



# Sub-table of the current [[rule.threat]] element; it must stay before the
# next [[rule.threat]] header or TOML attaches it to the wrong element.
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
# ATT&CK mapping 2 of 3: the same T1548.002 sub-technique, this time under
# Defense Evasion (bypassing the UAC prompt also evades the elevation control).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"



# Sub-table of the current [[rule.threat]] element (keep it before the next
# [[rule.threat]] header).
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
# ATT&CK mapping 3 of 3: T1053.005 (Scheduled Task) under Execution. The
# elevated code runs through the existing DiskCleanup task rather than a newly
# created one, so the task itself is the execution vehicle.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"



# Sub-table of the current (last) [[rule.threat]] element.
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"