Persistence Via Disk Cleanup Handler - Autorun
Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 13 | RegistryEvent (Value Set) |
Stages and Predicates
Stage 1: root
  TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\'
Stage 2: 1 of selection_autorun
  Details: 'DWORD (0x00000001)'
  TargetObject|contains: '\Autorun'
Stage 3: 1 of selection_pre_after
  or:
    Details|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
    Details|contains: '\Users\Public\'
    Details|contains: '\Windows\TEMP\'
    Details|contains: cmd
    Details|contains: cscript
    Details|contains: mshta
    Details|contains: powershell
    Details|contains: rundll32
    Details|contains: wscript
    Details|contains: wsl
  or:
    TargetObject|contains: '\CleanupString'
    TargetObject|contains: '\PreCleanupString'
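
The predicates above, evaluated over constructed Sysmon Event ID 13 records. This is an added example, not part of the rule or the catalog. Assumptions: the stages combine as root AND (selection_autorun OR selection_pre_after), matching is case-insensitive as in Sigma's default, and the handler name ExampleHandler, the sample events and the function names are hypothetical.

```python
# Added example: the rule's predicates applied to constructed Sysmon Event ID 13 records.
# Assumption: stages combine as root AND (selection_autorun OR selection_pre_after).
VOLUME_CACHES = "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches\\"
SUSPICIOUS_DETAILS = [
    "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
    "\\Users\\Public\\",
    "\\Windows\\TEMP\\",
    "cmd", "cscript", "mshta", "powershell", "rundll32", "wscript", "wsl",
]
CLEANUP_VALUES = ["\\CleanupString", "\\PreCleanupString"]


def contains(field, needle):
    # Sigma string modifiers compare case-insensitively by default.
    return needle.lower() in field.lower()


def match(event):
    """Return the name of the selection that fired, or None."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    if not contains(target, VOLUME_CACHES):  # Stage 1: root
        return None
    if contains(target, "\\Autorun") and details.lower() == "dword (0x00000001)":
        return "selection_autorun"  # Stage 2
    if any(contains(target, v) for v in CLEANUP_VALUES) and any(
        contains(details, s) for s in SUSPICIOUS_DETAILS
    ):
        return "selection_pre_after"  # Stage 3
    return None


# Constructed sample events; ExampleHandler is a hypothetical handler name.
KEY = "HKLM" + VOLUME_CACHES + "ExampleHandler"
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": KEY + "\\Autorun", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "TargetObject": KEY + "\\Autorun", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "TargetObject": KEY + "\\PreCleanupString",
     "Details": "powershell.exe -File C:\\Users\\Public\\example.ps1"},
    {"EventID": 13, "TargetObject": KEY + "\\CleanupString",
     "Details": "C:\\Program Files\\ExampleVendor\\cleaner.exe /purge"},
    {"EventID": 13, "TargetObject": KEY + "\\CleanupString",
     "Details": "C:\\Program Files\\ExampleVendor\\newsletter.exe"},
    {"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\ExampleVendor\\Autorun",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(match(ev), ev["TargetObject"].rsplit("\\", 1)[-1], ev["Details"])
```

The fifth sample fires only because "newsletter" contains the bare substring wsl, which is the kind of hit to expect when triaging alerts from the short Details values.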
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| Details | eq | |
| Details | match | |
| TargetObject | match | |