Potential Persistence Via Disk Cleanup Handler - Registry

Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.

Sigma rule (View on GitHub)

 1title: Potential Persistence Via Disk Cleanup Handler - Registry
 2id: d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a
 3status: test
 4description: |
 5    Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.
 6    The disk cleanup manager is part of the operating system. It displays the dialog box […]
 7    The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
 8    Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
 9    Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
10    Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.    
11references:
12    - https://persistence-info.github.io/Data/diskcleanuphandler.html
13    - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
14author: Nasreddine Bencherchali (Nextron Systems)
15date: 2022-07-21
16modified: 2023-02-07
17tags:
18    - attack.persistence
19logsource:
20    product: windows
21    category: registry_add
22detection:
23    selection:
24        EventType: CreateKey
25        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\'
26    filter:
27        # Default Keys
28        TargetObject|endswith:
29            - '\Active Setup Temp Folders'
30            - '\BranchCache'
31            - '\Content Indexer Cleaner'
32            - '\D3D Shader Cache'
33            - '\Delivery Optimization Files'
34            - '\Device Driver Packages'
35            - '\Diagnostic Data Viewer database files'
36            - '\Downloaded Program Files'
37            - '\DownloadsFolder'
38            - '\Feedback Hub Archive log files'
39            - '\Internet Cache Files'
40            - '\Language Pack'
41            - '\Microsoft Office Temp Files'
42            - '\Offline Pages Files'
43            - '\Old ChkDsk Files'
44            - '\Previous Installations'
45            - '\Recycle Bin'
46            - '\RetailDemo Offline Content'
47            - '\Setup Log Files'
48            - '\System error memory dump files'
49            - '\System error minidump files'
50            - '\Temporary Files'
51            - '\Temporary Setup Files'
52            - '\Temporary Sync Files'
53            - '\Thumbnail Cache'
54            - '\Update Cleanup'
55            - '\Upgrade Discarded Files'
56            - '\User file versions'
57            - '\Windows Defender'
58            - '\Windows Error Reporting Files'
59            - '\Windows ESD installation files'
60            - '\Windows Upgrade Log Files'
61    condition: selection and not filter
62falsepositives:
63    - Legitimate new entry added by windows
64level: medium

References

Related rules

to-top