Potential Persistence Via Disk Cleanup Handler - Registry
Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
Sigma rule (View on GitHub)
1title: Potential Persistence Via Disk Cleanup Handler - Registry
2id: d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a
3status: test
4description: |
5 Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.
6 The disk cleanup manager is part of the operating system. It displays the dialog box […]
7 The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
8 Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
9 Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
10 Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
11references:
12 - https://persistence-info.github.io/Data/diskcleanuphandler.html
13 - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
14author: Nasreddine Bencherchali (Nextron Systems)
15date: 2022/07/21
16modified: 2023/02/07
17tags:
18 - attack.persistence
19logsource:
20 product: windows
21 category: registry_add
22detection:
23 selection:
24 EventType: CreateKey
25 TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\'
26 filter:
27 # Default Keys
28 TargetObject|endswith:
29 - '\Active Setup Temp Folders'
30 - '\BranchCache'
31 - '\Content Indexer Cleaner'
32 - '\D3D Shader Cache'
33 - '\Delivery Optimization Files'
34 - '\Device Driver Packages'
35 - '\Diagnostic Data Viewer database files'
36 - '\Downloaded Program Files'
37 - '\DownloadsFolder'
38 - '\Feedback Hub Archive log files'
39 - '\Internet Cache Files'
40 - '\Language Pack'
41 - '\Microsoft Office Temp Files'
42 - '\Offline Pages Files'
43 - '\Old ChkDsk Files'
44 - '\Previous Installations'
45 - '\Recycle Bin'
46 - '\RetailDemo Offline Content'
47 - '\Setup Log Files'
48 - '\System error memory dump files'
49 - '\System error minidump files'
50 - '\Temporary Files'
51 - '\Temporary Setup Files'
52 - '\Temporary Sync Files'
53 - '\Thumbnail Cache'
54 - '\Update Cleanup'
55 - '\Upgrade Discarded Files'
56 - '\User file versions'
57 - '\Windows Defender'
58 - '\Windows Error Reporting Files'
59 - '\Windows ESD installation files'
60 - '\Windows Upgrade Log Files'
61 condition: selection and not filter
62falsepositives:
63 - Legitimate new entry added by windows
64level: medium
References
Related rules
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- Change Default File Association To Executable Via Assoc
- File Creation In Suspicious Directory By Msdt.EXE
- File Download Via Bitsadmin To An Uncommon Target Folder
- PSEXEC Remote Execution File Artefact