UAC Bypass via DiskCleanup Scheduled Task Hijack

Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/08/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to
stealthily execute code with elevated permissions.
"""
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-system.security*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "UAC Bypass via DiskCleanup Scheduled Task Hijack"
risk_score = 47
rule_id = "1dcc51f6-ba26-49e7-9ef4-2655abb2361e"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Tactic: Defense Evasion",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: System",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
 process.args : "/autoclean" and process.args : "/d" and process.executable != null and
 not process.executable : (
        "C:\\Windows\\System32\\cleanmgr.exe",
        "C:\\Windows\\SysWOW64\\cleanmgr.exe",
        "C:\\Windows\\System32\\taskhostw.exe",
        "\\Device\\HarddiskVolume?\\Windows\\System32\\cleanmgr.exe",
        "\\Device\\HarddiskVolume?\\Windows\\SysWOW64\\cleanmgr.exe",
        "\\Device\\HarddiskVolume?\\Windows\\System32\\taskhostw.exe"
)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating UAC Bypass via DiskCleanup Scheduled Task Hijack

User Account Control (UAC) is a security feature in Windows that helps prevent unauthorized changes. Adversaries may exploit the DiskCleanup Scheduled Task to bypass UAC, executing code with elevated privileges. The detection rule identifies suspicious processes using specific arguments and executables not matching known safe paths, flagging potential UAC bypass attempts for further investigation.

### Possible investigation steps

- Review the process details to confirm the presence of suspicious arguments "/autoclean" and "/d" in the process execution.
- Verify the executable path of the process to ensure it does not match known safe paths such as "C:\\Windows\\System32\\cleanmgr.exe" or "C:\\Windows\\SysWOW64\\cleanmgr.exe".
- Investigate the parent process to determine how the suspicious process was initiated and assess if it was triggered by a legitimate application or script.
- Check the user account under which the process was executed to identify if it aligns with expected user behavior or if it indicates potential compromise.
- Analyze recent system changes or scheduled tasks to identify any unauthorized modifications that could facilitate UAC bypass.
- Correlate the event with other security alerts or logs from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context on the activity.
- Assess the risk and impact of the event by considering the severity and risk score, and determine if further containment or remediation actions are necessary.

### False positive analysis

- Legitimate system maintenance tools or scripts may trigger the rule if they use similar arguments and executables not listed in the safe paths. Review the process origin and context to determine if it is part of routine maintenance.
- Custom administrative scripts that automate disk cleanup tasks might be flagged. Verify the script's source and purpose, and consider adding it to an exception list if it is deemed safe.
- Software updates or installations that temporarily use disk cleanup functionalities could be misidentified. Monitor the timing and context of these events, and exclude known update processes from the rule.
- Third-party disk management tools that mimic or extend Windows disk cleanup features may cause alerts. Validate the tool's legitimacy and add it to the exclusion list if it is a trusted application.
- Scheduled tasks created by IT departments for system optimization might match the rule's criteria. Confirm the task's legitimacy and adjust the rule to exclude these specific tasks if they are verified as non-threatening.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
- Terminate any suspicious processes identified by the detection rule that are not using the legitimate DiskCleanup executables.
- Conduct a thorough review of scheduled tasks on the affected system to identify and remove any unauthorized or malicious tasks that may have been created or modified.
- Restore any altered system files or configurations to their original state using known good backups or system restore points.
- Update and patch the affected system to the latest security updates to mitigate any known vulnerabilities that could be exploited for UAC bypass.
- Monitor the affected system and network for any signs of recurring unauthorized activity or similar UAC bypass attempts.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.002"
name = "Bypass User Account Control"
reference = "https://attack.mitre.org/techniques/T1548/002/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task/Job"
reference = "https://attack.mitre.org/techniques/T1053/"
[[rule.threat.technique.subtechnique]]
id = "T1053.005"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/005/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
```
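As an added example (not part of the Elastic rule or the detection-rules repository), the query's matching logic rewritten in Python and run over constructed process-start events, so the exclusion list and EQL's case-insensitive `:` matching with the `?` wildcard in the `\Device\HarddiskVolume?` paths can be checked offline. The event dictionaries and the `eql_match` helper are assumptions for illustration, not Elastic code.

```python
import re

# Exclusion list copied from the rule; EQL ':' compares case-insensitively and
# treats '?' as one character and '*' as any run of characters.
SAFE_EXECUTABLES = [
    r"C:\Windows\System32\cleanmgr.exe",
    r"C:\Windows\SysWOW64\cleanmgr.exe",
    r"C:\Windows\System32\taskhostw.exe",
    r"\Device\HarddiskVolume?\Windows\System32\cleanmgr.exe",
    r"\Device\HarddiskVolume?\Windows\SysWOW64\cleanmgr.exe",
    r"\Device\HarddiskVolume?\Windows\System32\taskhostw.exe",
]

def eql_match(value, pattern):
    """Approximate EQL ':' semantics: whole-string, case-insensitive, wildcards."""
    regex = re.escape(pattern).replace(r"\?", ".").replace(r"\*", ".*")
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def matches_rule(event):
    """True when a flattened ECS event satisfies the rule's EQL query."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "start":
        return False
    args = event.get("process.args") or []        # ':' on an array matches any element
    if not any(eql_match(a, "/autoclean") for a in args):
        return False
    if not any(eql_match(a, "/d") for a in args):
        return False
    exe = event.get("process.executable")
    if exe is None:                               # process.executable != null
        return False
    return not any(eql_match(exe, p) for p in SAFE_EXECUTABLES)

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host.os.type": "windows", "event.type": "start",                     # legitimate, excluded
     "process.executable": r"C:\Windows\System32\cleanmgr.exe",
     "process.args": ["cleanmgr.exe", "/autoclean", "/d", "C:"]},
    {"host.os.type": "windows", "event.type": "start",                     # device path + odd casing, excluded
     "process.executable": r"\Device\HarddiskVolume3\Windows\SysWOW64\CLEANMGR.EXE",
     "process.args": ["cleanmgr.exe", "/AUTOCLEAN", "/D", "C:"]},
    {"host.os.type": "windows", "event.type": "start",                     # user-writable path, alerts
     "process.executable": r"C:\Users\alice\AppData\Local\Temp\cleanmgr.exe",
     "process.args": ["cleanmgr.exe", "/autoclean", "/d", "C:"]},
    {"host.os.type": "windows", "event.type": "start",                     # no executable field, filtered out
     "process.executable": None, "process.args": ["/autoclean", "/d"]},
]

def alerting_executables(events=SAMPLE_EVENTS):
    """Executables of the events the rule would alert on."""
    return [e["process.executable"] for e in events if matches_rule(e)]
```

Only the copy of `cleanmgr.exe` launched from the user's Temp directory alerts; the device-path event shows why the `?` wildcard and case-insensitivity matter when tuning the exclusion list.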