Persistence Via Disk Cleanup Handler - Autorun
Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
Sigma rule (View on GitHub)
1title: Persistence Via Disk Cleanup Handler - Autorun
2id: d4e2745c-f0c6-4bde-a3ab-b553b3f693cc
3status: test
4description: |
5 Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.
6 The disk cleanup manager is part of the operating system.
7 It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
8 Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
9 Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
10 Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
11references:
12 - https://persistence-info.github.io/Data/diskcleanuphandler.html
13 - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
14author: Nasreddine Bencherchali (Nextron Systems)
15date: 2022-07-21
16modified: 2023-08-17
17tags:
18 - attack.persistence
19logsource:
20 category: registry_set
21 product: windows
22detection:
23 root:
24 TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\'
25 selection_autorun:
26 # Launching PreCleanupString / CleanupString programs w/o gui, i.e. while using e.g. /autoclean
27 TargetObject|contains: '\Autorun'
28 Details: 'DWORD (0x00000001)'
29 selection_pre_after:
30 TargetObject|contains:
31 - '\CleanupString'
32 - '\PreCleanupString'
33 Details|contains:
34 # Add more as you see fit
35 - 'cmd'
36 - 'powershell'
37 - 'rundll32'
38 - 'mshta'
39 - 'cscript'
40 - 'wscript'
41 - 'wsl'
42 - '\Users\Public\'
43 - '\Windows\TEMP\'
44 - '\Microsoft\Windows\Start Menu\Programs\Startup\'
45 condition: root and 1 of selection_*
46falsepositives:
47 - Unknown
48level: medium
References
-
Disk Cleanup Handler Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\ HKCR\CLSID Classification: Criteria Value Permissions Admin Security context User Persistence ty...
Read More -
It is a well-known fact that Windows features are the best persistence mechanisms, and… the one I am going to talk about is yet another one of these… If you ever ran into a problem of having not en...
Read More
Related rules
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted
- AWS ECS Task Definition That Queries The Credential Endpoint