Bypass UAC Using SilentCleanup Task
Detects the setting of the environment variable "windir" to a non-default value. Attackers often abuse this variable to trigger a UAC bypass via the "SilentCleanup" task. The SilentCleanup task, located in %windir%\system32\cleanmgr.exe, is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
Sigma rule

```yaml
title: Bypass UAC Using SilentCleanup Task
id: 724ea201-6514-4f38-9739-e5973c34f49a
status: test
description: |
    Detects the setting of the environment variable "windir" to a non-default value.
    Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
    The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task
    - https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
    - https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign
author: frack113, Nextron Systems
date: 2022-01-06
modified: 2024-01-30
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1548.002
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Environment\windir'
    filter_main_default:
        Details: '%SystemRoot%'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
```
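
The rule's detection logic evaluated over constructed registry_set events, as an added example that is not part of the Sigma rule or the SigmaHQ project. The helper names, the SID and all event values are assumptions made for illustration; only the field names and match values come from the rule.

```python
# Added example: this rule's selection/filter/condition applied to constructed events.
# Sigma compares strings case-insensitively by default, which the helpers mirror.

RULE = {
    "selection": {"TargetObject|endswith": r"\Environment\windir"},
    "filter_main_default": {"Details": "%SystemRoot%"},
}

def field_matches(event, key, expected):
    """Apply one field test from the rule (plain equality or |endswith)."""
    name, _, modifier = key.partition("|")
    value = event.get(name)
    if value is None:                      # an absent field never matches
        return False
    value, expected = value.lower(), expected.lower()
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "":
        return value == expected
    raise ValueError(f"unsupported modifier: {modifier}")

def block_matches(event, block):
    """Every field test inside one detection block must hold (logical AND)."""
    return all(field_matches(event, k, v) for k, v in block.items())

def rule_fires(event):
    """condition: selection and not 1 of filter_main_*"""
    if not block_matches(event, RULE["selection"]):
        return False
    filters = [b for n, b in RULE.items() if n.startswith("filter_main_")]
    return not any(block_matches(event, b) for b in filters)

SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"   # constructed SID
KEY = "HKU\\" + SID + "\\Environment\\"
EVENTS = [  # constructed events carrying the two fields the rule reads
    {"TargetObject": KEY + "windir", "Details": r"C:\ProgramData\example-dir"},
    {"TargetObject": KEY + "windir", "Details": "%SystemRoot%"},   # default value
    {"TargetObject": KEY + "windir", "Details": "%systemroot%"},   # default, other case
    {"TargetObject": KEY + "windir", "Details": r"C:\Windows"},    # literal path
    {"TargetObject": KEY + "Path", "Details": r"C:\ProgramData\example-dir"},
]

def evaluate(events=EVENTS):
    return [rule_fires(e) for e in events]

if __name__ == "__main__":
    for event, hit in zip(EVENTS, evaluate()):
        print("ALERT" if hit else "ok   ", event["TargetObject"], "=", event["Details"])
```

The fourth event alerts because the filter excludes only the exact string `%SystemRoot%`, so a literal `C:\Windows` written by legitimate tooling would need its own `filter_main_*` block during tuning.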
Related rules
- Bypass UAC Using DelegateExecute
- Bypass UAC via CMSTP
- Bypass UAC via WSReset.exe
- Function Call From Undocumented COM Interface EditionUpgradeManager
- HackTool - Empire PowerShell UAC Bypass