{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/diskcleanup/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["uac-bypass","privilege-escalation","windows","diskcleanup","scheduled-task"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule identifies User Account Control (UAC) bypass attempts via hijacking the DiskCleanup Scheduled Task. Attackers exploit this method to execute code with elevated privileges, bypassing standard security controls. The technique involves leveraging the \u003ccode\u003ecleanmgr.exe\u003c/code\u003e or \u003ccode\u003etaskhostw.exe\u003c/code\u003e executables with specific arguments (\u003ccode\u003e/autoclean\u003c/code\u003e and \u003ccode\u003e/d\u003c/code\u003e) outside of their expected paths. This allows attackers to run malicious code under the guise of a legitimate system process, making detection more challenging. This technique is used to gain elevated privileges on a compromised system, allowing for further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., via phishing or exploiting a software vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies or creates a scheduled task to execute \u003ccode\u003ecleanmgr.exe\u003c/code\u003e or \u003ccode\u003etaskhostw.exe\u003c/code\u003e with the \u003ccode\u003e/autoclean\u003c/code\u003e and \u003ccode\u003e/d\u003c/code\u003e arguments.\u003c/li\u003e\n\u003cli\u003eThe modified scheduled task is triggered, executing the specified executable with the supplied arguments.\u003c/li\u003e\n\u003cli\u003eThe executable, such as \u003ccode\u003ecleanmgr.exe\u003c/code\u003e, attempts to run Disk Cleanup.\u003c/li\u003e\n\u003cli\u003eIf the executable path is outside the standard locations (e.g., \u003ccode\u003eC:\\\\Windows\\\\System32\u003c/code\u003e or \u003ccode\u003eC:\\\\Windows\\\\SysWOW64\u003c/code\u003e), it indicates a potential hijack.\u003c/li\u003e\n\u003cli\u003eMalicious code is executed with elevated privileges due to the UAC bypass.\u003c/li\u003e\n\u003cli\u003eThe attacker uses these elevated privileges to install malware, modify system settings, or perform other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass User Account Control (UAC) and execute code with elevated privileges. This can lead to the installation of malware, modification of system settings, data theft, and other malicious activities. While the exact number of victims is unknown, this technique is effective on systems where UAC is enabled but misconfigured or vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;UAC Bypass via DiskCleanup with Suspicious Path\u0026rdquo; to your SIEM and tune for your environment to detect UAC bypass attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;UAC Bypass via DiskCleanup and Taskhostw\u0026rdquo; to your SIEM to detect UAC bypass attempts.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ecleanmgr.exe\u003c/code\u003e and \u003ccode\u003etaskhostw.exe\u003c/code\u003e with the \u003ccode\u003e/autoclean\u003c/code\u003e and \u003ccode\u003e/d\u003c/code\u003e arguments, focusing on executions outside the standard system directories.\u003c/li\u003e\n\u003cli\u003eReview and harden scheduled tasks to prevent unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eEnsure that UAC settings are properly configured and enforced across the organization.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-uac-bypass-diskcleanup/","summary":"Attackers bypass User Account Control (UAC) by hijacking the DiskCleanup Scheduled Task to stealthily execute code with elevated permissions on Windows systems.","title":"UAC Bypass via DiskCleanup Scheduled Task Hijack","url":"https://feed.craftedsignal.io/briefs/2024-01-uac-bypass-diskcleanup/"}],"language":"en","title":"CraftedSignal Threat Feed — Diskcleanup","version":"https://jsonfeed.org/version/1.1"}