UAC Bypass via DiskCleanup Scheduled Task Hijack

Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/08/18"
 3integration = ["endpoint", "windows", "system"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/01/16"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to
13stealthily execute code with elevated permissions.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
17language = "eql"
18license = "Elastic License v2"
19name = "UAC Bypass via DiskCleanup Scheduled Task Hijack"
20risk_score = 47
21rule_id = "1dcc51f6-ba26-49e7-9ef4-2655abb2361e"
22setup = """
23
24If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
25events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
26Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
27`event.ingested` to @timestamp.
28For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
29"""
30severity = "medium"
31tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
32timestamp_override = "event.ingested"
33type = "eql"
34
35query = '''
36process where host.os.type == "windows" and event.type == "start" and
37 process.args : "/autoclean" and process.args : "/d" and process.executable != null and 
38 not process.executable : ("C:\\Windows\\System32\\cleanmgr.exe",
39                           "C:\\Windows\\SysWOW64\\cleanmgr.exe",
40                           "C:\\Windows\\System32\\taskhostw.exe")
41'''
42
43
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46[[rule.threat.technique]]
47id = "T1548"
48name = "Abuse Elevation Control Mechanism"
49reference = "https://attack.mitre.org/techniques/T1548/"
50[[rule.threat.technique.subtechnique]]
51id = "T1548.002"
52name = "Bypass User Account Control"
53reference = "https://attack.mitre.org/techniques/T1548/002/"
54
55
56
57[rule.threat.tactic]
58id = "TA0004"
59name = "Privilege Escalation"
60reference = "https://attack.mitre.org/tactics/TA0004/"
61
62[[rule.threat]]
63framework = "MITRE ATT&CK"
64[[rule.threat.technique]]
65id = "T1548"
66name = "Abuse Elevation Control Mechanism"
67reference = "https://attack.mitre.org/techniques/T1548/"
68[[rule.threat.technique.subtechnique]]
69id = "T1548.002"
70name = "Bypass User Account Control"
71reference = "https://attack.mitre.org/techniques/T1548/002/"
72
73
74
75[rule.threat.tactic]
76id = "TA0005"
77name = "Defense Evasion"
78reference = "https://attack.mitre.org/tactics/TA0005/"
79
80[[rule.threat]]
81framework = "MITRE ATT&CK"
82[[rule.threat.technique]]
83id = "T1053"
84name = "Scheduled Task/Job"
85reference = "https://attack.mitre.org/techniques/T1053/"
86[[rule.threat.technique.subtechnique]]
87id = "T1053.005"
88name = "Scheduled Task"
89reference = "https://attack.mitre.org/techniques/T1053/005/"
90
91
92
93[rule.threat.tactic]
94id = "TA0002"
95name = "Execution"
96reference = "https://attack.mitre.org/tactics/TA0002/"

Related rules

to-top