detection.wiki

Detection rules › Sigma

Potential Persistence Via Disk Cleanup Handler - Registry

Severity
medium
Author
Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.

Event coverage

ProviderEvent IDTitle
Sysmon12RegistryEvent (Object create and delete)

Stages and Predicates

Stage 1: selection

EventType: CreateKey
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\'

Stage 2: not 1 of filter_main_default_keys

or:
TargetObject|endswith: '\Active Setup Temp Folders'
TargetObject|endswith: '\BranchCache'
TargetObject|endswith: '\Content Indexer Cleaner'
TargetObject|endswith: '\D3D Shader Cache'
TargetObject|endswith: '\Delivery Optimization Files'
TargetObject|endswith: '\Device Driver Packages'
TargetObject|endswith: '\Diagnostic Data Viewer database files'
TargetObject|endswith: '\Downloaded Program Files'
TargetObject|endswith: '\DownloadsFolder'
TargetObject|endswith: '\Feedback Hub Archive log files'
TargetObject|endswith: '\Internet Cache Files'
TargetObject|endswith: '\Language Pack'
TargetObject|endswith: '\Microsoft Office Temp Files'
TargetObject|endswith: '\Offline Pages Files'
TargetObject|endswith: '\Old ChkDsk Files'
TargetObject|endswith: '\Previous Installations'
TargetObject|endswith: '\Recycle Bin'
TargetObject|endswith: '\RetailDemo Offline Content'
TargetObject|endswith: '\Setup Log Files'
TargetObject|endswith: '\System error memory dump files'
TargetObject|endswith: '\System error minidump files'
TargetObject|endswith: '\Temporary Files'
TargetObject|endswith: '\Temporary Setup Files'
TargetObject|endswith: '\Temporary Sync Files'
TargetObject|endswith: '\Thumbnail Cache'
TargetObject|endswith: '\Update Cleanup'
TargetObject|endswith: '\Upgrade Discarded Files'
TargetObject|endswith: '\User file versions'
TargetObject|endswith: '\Windows Defender'
TargetObject|endswith: '\Windows ESD installation files'
TargetObject|endswith: '\Windows Error Reporting Files'
TargetObject|endswith: '\Windows Upgrade Log Files'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
EventTypeeq
  • CreateKey corpus 2 (sigma 2)
TargetObjectends_with
  • \Active Setup Temp Folders
  • \BranchCache
  • \Content Indexer Cleaner
  • \D3D Shader Cache
  • \Delivery Optimization Files
  • \Device Driver Packages
  • \Diagnostic Data Viewer database files
  • \Downloaded Program Files
  • \DownloadsFolder
  • \Feedback Hub Archive log files
  • \Internet Cache Files
  • \Language Pack
  • \Microsoft Office Temp Files
  • \Offline Pages Files
  • \Old ChkDsk Files
  • \Previous Installations
  • \Recycle Bin
  • \RetailDemo Offline Content
  • \Setup Log Files
  • \System error memory dump files
  • \System error minidump files
  • \Temporary Files
  • \Temporary Setup Files
  • \Temporary Sync Files
  • \Thumbnail Cache
  • \Update Cleanup
  • \Upgrade Discarded Files
  • \User file versions
  • \Windows Defender
  • \Windows ESD installation files
  • \Windows Error Reporting Files
  • \Windows Upgrade Log Files
TargetObjectmatch
  • \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\ corpus 2 (sigma 2)