Threat Feed
medium advisory

UAC Bypass via DiskCleanup Scheduled Task Hijack

Attackers bypass User Account Control (UAC) by hijacking the DiskCleanup Scheduled Task to stealthily execute code with elevated permissions on Windows systems.

This rule identifies User Account Control (UAC) bypass attempts via hijacking the DiskCleanup Scheduled Task. Attackers exploit this method to execute code with elevated privileges, bypassing standard security controls. The technique involves leveraging the cleanmgr.exe or taskhostw.exe executables with specific arguments (/autoclean and /d) outside of their expected paths. This allows attackers to run malicious code under the guise of a legitimate system process, making detection more challenging. This technique is used to gain elevated privileges on a compromised system, allowing for further malicious activities.

Attack Chain

  1. An attacker gains initial access to the system (e.g., via phishing or exploiting a software vulnerability).
  2. The attacker modifies or creates a scheduled task to execute cleanmgr.exe or taskhostw.exe with the /autoclean and /d arguments.
  3. The modified scheduled task is triggered, executing the specified executable with the supplied arguments.
  4. The executable, such as cleanmgr.exe, attempts to run Disk Cleanup.
  5. The executable runs from a path outside the standard locations (C:\Windows\System32 or C:\Windows\SysWOW64), which is the indicator of a hijacked task.
  6. Malicious code is executed with elevated privileges due to the UAC bypass.
  7. The attacker uses these elevated privileges to install malware, modify system settings, or perform other malicious activities.

Impact

Successful exploitation allows attackers to bypass User Account Control (UAC) and execute code with elevated privileges. This can lead to the installation of malware, modification of system settings, data theft, and other malicious activities. While the exact number of victims is unknown, this technique is effective on systems where UAC is enabled but misconfigured or vulnerable.

Recommendation

  • Deploy the Sigma rule “UAC Bypass via DiskCleanup with Suspicious Path” to your SIEM and tune for your environment to detect UAC bypass attempts.
  • Deploy the Sigma rule “UAC Bypass via DiskCleanup and Taskhostw” to your SIEM to detect UAC bypass attempts.
  • Monitor process creation events for cleanmgr.exe and taskhostw.exe with the /autoclean and /d arguments, focusing on executions outside the standard system directories.
  • Review and harden scheduled tasks to prevent unauthorized modifications.
  • Ensure that UAC settings are properly configured and enforced across the organization.
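A minimal implementation of the detection logic described above, run over constructed Sysmon-style process-creation events. This is an added example, not the advisory's Sigma rules; the field names Image and CommandLine are an assumption about the log schema and the sample events are made up.

```python
import ntpath
import re

# Constructed process-creation events (field names assumed Sysmon-like).
SAMPLE_EVENTS = [
    # Legitimate Disk Cleanup from the expected system directory.
    {"Image": "C:\\Windows\\System32\\cleanmgr.exe",
     "CommandLine": '"C:\\Windows\\System32\\cleanmgr.exe" /autoclean /d C:'},
    # Same arguments, but the binary lives in a user-writable location.
    {"Image": "C:\\Users\\Public\\cleanmgr.exe",
     "CommandLine": '"C:\\Users\\Public\\cleanmgr.exe" /autoclean /d C:'},
    # taskhostw.exe impersonated outside the system directory.
    {"Image": "C:\\Temp\\taskhostw.exe",
     "CommandLine": "taskhostw.exe /autoclean /d C:"},
    # Unrelated cleanmgr invocation: /d is present but /autoclean is not.
    {"Image": "C:\\Windows\\System32\\cleanmgr.exe",
     "CommandLine": '"C:\\Windows\\System32\\cleanmgr.exe" /lowdisk /d C:'},
]

STANDARD_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TARGET_IMAGES = ("cleanmgr.exe", "taskhostw.exe")

def _arg_tokens(cmdline):
    # Drop the (possibly quoted) program token, then split the remaining
    # arguments on whitespace so "/d" is matched as a whole token, not as a
    # substring of e.g. "/dir". Comparison is case-insensitive.
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return {tok.lower() for tok in (m.group(1) if m else "").split()}

def has_autoclean_args(event):
    """Argument-only check: target image launched with /autoclean and /d."""
    if ntpath.basename(event.get("Image", "")).lower() not in TARGET_IMAGES:
        return False
    args = _arg_tokens(event.get("CommandLine", ""))
    return "/autoclean" in args and "/d" in args

def outside_standard_path(event):
    image = event.get("Image", "").lower().replace("/", "\\")
    return not any(image.startswith(d) for d in STANDARD_DIRS)

def classify(event):
    """Names of the advisory's two rules that this event would trip."""
    hits = []
    if has_autoclean_args(event):
        hits.append("UAC Bypass via DiskCleanup and Taskhostw")
        if outside_standard_path(event):
            hits.append("UAC Bypass via DiskCleanup with Suspicious Path")
    return hits

def scan(events):
    return [(e["Image"], classify(e)) for e in events if classify(e)]
```

The first sample event shows why the argument-only rule needs tuning: a scheduled Disk Cleanup from System32 matches it, while only the out-of-path executions trip the suspicious-path rule.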

Detection coverage (2 rules)

UAC Bypass via DiskCleanup with Suspicious Path

medium

Detects UAC bypass attempts by monitoring for DiskCleanup executions with suspicious arguments and paths.

Format: sigma
Tactics: defense_evasion, privilege_escalation
Techniques: T1548.002
Sources: process_creation, windows

UAC Bypass via DiskCleanup and Taskhostw

medium

Detects UAC bypass attempts by monitoring for DiskCleanup or Taskhostw executions with suspicious arguments.

Format: sigma
Tactics: defense_evasion, privilege_escalation
Techniques: T1548.002
Sources: process_creation, windows
