Bypass UAC Using SilentCleanup Task
Detects the setting of the environement variable "windir" to a non default value. Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task. The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
Sigma rule (View on GitHub)
1title: Bypass UAC Using SilentCleanup Task
2id: 724ea201-6514-4f38-9739-e5973c34f49a
3status: test
4description: |
5 Detects the setting of the environement variable "windir" to a non default value.
6 Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
7 The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
8references:
9 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task
10 - https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
11 - https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign
12author: frack113, Nextron Systems
13date: 2022-01-06
14modified: 2024-01-30
15tags:
16 - attack.privilege-escalation
17 - attack.defense-evasion
18 - attack.t1548.002
19logsource:
20 category: registry_set
21 product: windows
22detection:
23 selection:
24 TargetObject|endswith: '\Environment\windir'
25 filter_main_default:
26 Details: '%SystemRoot%'
27 condition: selection and not 1 of filter_main_*
28falsepositives:
29 - Unknown
30level: high
31regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/info.yml
32simulation:
33 - type: atomic-red-team
34 name: Bypass UAC using SilentCleanup Task
35 technique: T1548.002
36 atomic_guid: 28104f8a-4ff1-4582-bcf6-699dce156608
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
Learn about an active and stealthy cryptocurrency mining and ransomware campaign infecting targets in Spain and France which leverages multiple bypass techniques to evade detection by traditional A…
Read More
Related rules
- Bypass UAC Using DelegateExecute
- Always Install Elevated MSI Spawned Cmd And Powershell
- Bypass UAC via CMSTP
- Bypass UAC via Fodhelper.exe
- HackTool - Empire PowerShell UAC Bypass