Attack Chain

1. An attacker gains initial access to the system (e.g., via phishing or exploiting a software vulnerability).
2. The attacker modifies or creates a scheduled task to execute cleanmgr.exe or taskhostw.exe with the /autoclean and /d arguments.
3. The modified scheduled task is triggered, executing the specified executable with the supplied arguments.
4. The executable, such as cleanmgr.exe, attempts to run Disk Cleanup.
5. If the executable path is outside the standard locations (e.g., C:\\Windows\\System32 or C:\\Windows\\SysWOW64), it indicates a potential hijack.
6. Malicious code is executed with elevated privileges due to the UAC bypass.
7. The attacker uses these elevated privileges to install malware, modify system settings, or perform other malicious activities.

Impact

Successful exploitation allows attackers to bypass User Account Control (UAC) and execute code with elevated privileges. This can lead to the installation of malware, modification of system settings, data theft, and other malicious activities. While the exact number of victims is unknown, this technique is effective on systems where UAC is enabled but misconfigured or vulnerable.

Recommendation

• Deploy the Sigma rule “UAC Bypass via DiskCleanup with Suspicious Path” to your SIEM and tune for your environment to detect UAC bypass attempts.
• Deploy the Sigma rule “UAC Bypass via DiskCleanup and Taskhostw” to your SIEM to detect UAC bypass attempts.
• Monitor process creation events for cleanmgr.exe and taskhostw.exe with the /autoclean and /d arguments, focusing on executions outside the standard system directories.
• Review and harden scheduled tasks to prevent unauthorized modifications.
• Ensure that UAC settings are properly configured and enforced across the organization.