detection.wiki

Detection rules › Sigma

UAC Bypass Using Disk Cleanup

Severity
high
Author
Christian Burkard (Nextron Systems)
Source
upstream

Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)

MITRE ATT&CK coverage

TacticTechniques
Privilege EscalationT1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
Defense EvasionT1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: selection

IntegrityLevel: [High, S-1-16-12288, S-1-16-16384, System]
CommandLine|endswith: '"\system32\cleanmgr.exe /autoclean /d C:'
ParentCommandLine: 'C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLineends_with
  • "\system32\cleanmgr.exe /autoclean /d C:
IntegrityLeveleq
  • High corpus 16 (sigma 16)
  • S-1-16-12288 corpus 16 (sigma 16)
  • S-1-16-16384 corpus 21 (sigma 21)
  • System corpus 21 (sigma 21)
ParentCommandLineeq
  • C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule corpus 2 (sigma 2)