UAC Bypass via DiskCleanup Scheduled Task Hijack

Identifies a User Account Control (UAC) bypass via hijacking of the DiskCleanup scheduled task: a process starts carrying the task's `/autoclean` and `/d` arguments, but its executable is not the expected `cleanmgr.exe` under the Windows system directories. Because the task's action runs with elevated privileges, attackers redirect it to their own code to stealthily execute with elevated permissions without triggering a UAC prompt.

Elastic rule (TOML source):

  1[metadata]
  2creation_date = "2020/08/18"
  3integration = ["endpoint", "windows", "system"]
  4maturity = "production"
  5updated_date = "2024/05/21"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to
 11stealthily execute code with elevated permissions.
 12"""
 13from = "now-9m"
 14index = [
 15    "winlogbeat-*",
 16    "logs-endpoint.events.process-*",
 17    "logs-windows.*",
 18    "endgame-*",
 19    "logs-system.security*",
 20]
 21language = "eql"
 22license = "Elastic License v2"
 23name = "UAC Bypass via DiskCleanup Scheduled Task Hijack"
 24risk_score = 47
 25rule_id = "1dcc51f6-ba26-49e7-9ef4-2655abb2361e"
 26setup = """## Setup
 27
 28If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
 29events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
 30Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
 31`event.ingested` to @timestamp.
 32For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 33"""
 34severity = "medium"
 35tags = [
 36    "Domain: Endpoint",
 37    "OS: Windows",
 38    "Use Case: Threat Detection",
 39    "Tactic: Privilege Escalation",
 40    "Tactic: Defense Evasion",
 41    "Tactic: Execution",
 42    "Data Source: Elastic Endgame",
 43    "Data Source: Elastic Defend",
 44]
 45timestamp_override = "event.ingested"
 46type = "eql"
 47
 48query = '''
 49process where host.os.type == "windows" and event.type == "start" and
 50 process.args : "/autoclean" and process.args : "/d" and process.executable != null and 
 51 not process.executable : ("C:\\Windows\\System32\\cleanmgr.exe",
 52                           "C:\\Windows\\SysWOW64\\cleanmgr.exe",
 53                           "C:\\Windows\\System32\\taskhostw.exe")
 54'''
 55
 56
 57[[rule.threat]]
 58framework = "MITRE ATT&CK"
 59[[rule.threat.technique]]
 60id = "T1548"
 61name = "Abuse Elevation Control Mechanism"
 62reference = "https://attack.mitre.org/techniques/T1548/"
 63[[rule.threat.technique.subtechnique]]
 64id = "T1548.002"
 65name = "Bypass User Account Control"
 66reference = "https://attack.mitre.org/techniques/T1548/002/"
 67
 68
 69
 70[rule.threat.tactic]
 71id = "TA0004"
 72name = "Privilege Escalation"
 73reference = "https://attack.mitre.org/tactics/TA0004/"
 74[[rule.threat]]
 75framework = "MITRE ATT&CK"
 76[[rule.threat.technique]]
 77id = "T1548"
 78name = "Abuse Elevation Control Mechanism"
 79reference = "https://attack.mitre.org/techniques/T1548/"
 80[[rule.threat.technique.subtechnique]]
 81id = "T1548.002"
 82name = "Bypass User Account Control"
 83reference = "https://attack.mitre.org/techniques/T1548/002/"
 84
 85
 86
 87[rule.threat.tactic]
 88id = "TA0005"
 89name = "Defense Evasion"
 90reference = "https://attack.mitre.org/tactics/TA0005/"
 91[[rule.threat]]
 92framework = "MITRE ATT&CK"
 93[[rule.threat.technique]]
 94id = "T1053"
 95name = "Scheduled Task/Job"
 96reference = "https://attack.mitre.org/techniques/T1053/"
 97[[rule.threat.technique.subtechnique]]
 98id = "T1053.005"
 99name = "Scheduled Task"
100reference = "https://attack.mitre.org/techniques/T1053/005/"
101
102
103
104[rule.threat.tactic]
105id = "TA0002"
106name = "Execution"
107reference = "https://attack.mitre.org/tactics/TA0002/"
