Detection rules › Sigma

Potential Persistence Via Disk Cleanup Handler - Registry

Status
test
Severity
medium
Author
Nasreddine Bencherchali (Nextron Systems)
Source
github.com/SigmaHQ/sigma

Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.

Event coverage

Rule body yaml

title: Potential Persistence Via Disk Cleanup Handler - Registry
id: d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a
status: test
description: |
    Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.
    The disk cleanup manager is part of the operating system. It displays the dialog box […]
    The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
    Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
    Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
    Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
references:
    - https://persistence-info.github.io/Data/diskcleanuphandler.html
    - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-02-07
tags:
    - attack.persistence
logsource:
    product: windows
    category: registry_add
detection:
    selection:
        EventType: CreateKey
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\'
    filter_main_default_keys:
        # Default Keys
        TargetObject|endswith:
            - '\Active Setup Temp Folders'
            - '\BranchCache'
            - '\Content Indexer Cleaner'
            - '\D3D Shader Cache'
            - '\Delivery Optimization Files'
            - '\Device Driver Packages'
            - '\Diagnostic Data Viewer database files'
            - '\Downloaded Program Files'
            - '\DownloadsFolder'
            - '\Feedback Hub Archive log files'
            - '\Internet Cache Files'
            - '\Language Pack'
            - '\Microsoft Office Temp Files'
            - '\Offline Pages Files'
            - '\Old ChkDsk Files'
            - '\Previous Installations'
            - '\Recycle Bin'
            - '\RetailDemo Offline Content'
            - '\Setup Log Files'
            - '\System error memory dump files'
            - '\System error minidump files'
            - '\Temporary Files'
            - '\Temporary Setup Files'
            - '\Temporary Sync Files'
            - '\Thumbnail Cache'
            - '\Update Cleanup'
            - '\Upgrade Discarded Files'
            - '\User file versions'
            - '\Windows Defender'
            - '\Windows Error Reporting Files'
            - '\Windows ESD installation files'
            - '\Windows Upgrade Log Files'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate new entry added by windows
level: medium

Stages and Predicates

Stage 0: condition

selection and not 1 of filter_main_*

Stage 1: selection

selection:
    EventType: CreateKey
    TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\'

Stage 2: not filter_main_default_keys

filter_main_default_keys:
    # Default Keys
    TargetObject|endswith:
        - '\Active Setup Temp Folders'
        - '\BranchCache'
        - '\Content Indexer Cleaner'
        - '\D3D Shader Cache'
        - '\Delivery Optimization Files'
        - '\Device Driver Packages'
        - '\Diagnostic Data Viewer database files'
        - '\Downloaded Program Files'
        - '\DownloadsFolder'
        - '\Feedback Hub Archive log files'
        - '\Internet Cache Files'
        - '\Language Pack'
        - '\Microsoft Office Temp Files'
        - '\Offline Pages Files'
        - '\Old ChkDsk Files'
        - '\Previous Installations'
        - '\Recycle Bin'
        - '\RetailDemo Offline Content'
        - '\Setup Log Files'
        - '\System error memory dump files'
        - '\System error minidump files'
        - '\Temporary Files'
        - '\Temporary Setup Files'
        - '\Temporary Sync Files'
        - '\Thumbnail Cache'
        - '\Update Cleanup'
        - '\Upgrade Discarded Files'
        - '\User file versions'
        - '\Windows Defender'
        - '\Windows Error Reporting Files'
        - '\Windows ESD installation files'
        - '\Windows Upgrade Log Files'

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

StageFieldKindExcluded values
2TargetObjectends_with\Active Setup Temp Folders
2TargetObjectends_with\BranchCache
2TargetObjectends_with\Content Indexer Cleaner
2TargetObjectends_with\D3D Shader Cache
2TargetObjectends_with\Delivery Optimization Files
2TargetObjectends_with\Device Driver Packages
2TargetObjectends_with\Diagnostic Data Viewer database files
2TargetObjectends_with\Downloaded Program Files
2TargetObjectends_with\DownloadsFolder
2TargetObjectends_with\Feedback Hub Archive log files
2TargetObjectends_with\Internet Cache Files
2TargetObjectends_with\Language Pack
2TargetObjectends_with\Microsoft Office Temp Files
2TargetObjectends_with\Offline Pages Files
2TargetObjectends_with\Old ChkDsk Files
2TargetObjectends_with\Previous Installations
2TargetObjectends_with\Recycle Bin
2TargetObjectends_with\RetailDemo Offline Content
2TargetObjectends_with\Setup Log Files
2TargetObjectends_with\System error memory dump files
2TargetObjectends_with\System error minidump files
2TargetObjectends_with\Temporary Files
2TargetObjectends_with\Temporary Setup Files
2TargetObjectends_with\Temporary Sync Files
2TargetObjectends_with\Thumbnail Cache
2TargetObjectends_with\Update Cleanup
2TargetObjectends_with\Upgrade Discarded Files
2TargetObjectends_with\User file versions
2TargetObjectends_with\Windows Defender
2TargetObjectends_with\Windows ESD installation files
2TargetObjectends_with\Windows Error Reporting Files
2TargetObjectends_with\Windows Upgrade Log Files

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
EventTypeeq
  • CreateKey corpus 3 (sigma 3)
TargetObjectmatch
  • \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\ corpus 2 (sigma 2)