
Persistence Via Disk Cleanup Handler - Autorun

Status: test
Severity: medium
Author: Nasreddine Bencherchali (Nextron Systems)
Source: github.com/SigmaHQ/sigma

Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.

Event coverage

Provider  Event        Title
Sysmon    Event ID 13  RegistryEvent (Value Set)

Rule body (yaml)

title: Persistence Via Disk Cleanup Handler - Autorun
id: d4e2745c-f0c6-4bde-a3ab-b553b3f693cc
status: test
description: |
    Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.
    The disk cleanup manager is part of the operating system.
    It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
    Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
    Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
    Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
references:
    - https://persistence-info.github.io/Data/diskcleanuphandler.html
    - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    root:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\'
    selection_autorun:
        # Launching PreCleanupString / CleanupString programs w/o gui, i.e. while using e.g. /autoclean
        TargetObject|contains: '\Autorun'
        Details: 'DWORD (0x00000001)'
    selection_pre_after:
        TargetObject|contains:
            - '\CleanupString'
            - '\PreCleanupString'
        Details|contains:
            # Add more as you see fit
            - 'cmd'
            - 'powershell'
            - 'rundll32'
            - 'mshta'
            - 'cscript'
            - 'wscript'
            - 'wsl'
            - '\Users\Public\'
            - '\Windows\TEMP\'
            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
    condition: root and 1 of selection_*
falsepositives:
    - Unknown
level: medium

Stages and Predicates

Stage 0: condition

root and 1 of selection_*

Stage 1: root

root:
    TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\'

Stage 2: selection_autorun

selection_autorun:
    # Launching PreCleanupString / CleanupString programs w/o gui, i.e. while using e.g. /autoclean
    TargetObject|contains: '\Autorun'
    Details: 'DWORD (0x00000001)'

Stage 3: selection_pre_after

selection_pre_after:
    TargetObject|contains:
        - '\CleanupString'
        - '\PreCleanupString'
    Details|contains:
        # Add more as you see fit
        - 'cmd'
        - 'powershell'
        - 'rundll32'
        - 'mshta'
        - 'cscript'
        - 'wscript'
        - 'wsl'
        - '\Users\Public\'
        - '\Windows\TEMP\'
        - '\Microsoft\Windows\Start Menu\Programs\Startup\'
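To see how the three predicates and the condition `root and 1 of selection_*` behave on real-looking telemetry, the following is an added example (not part of the SigmaHQ rule or of this catalog page): a minimal re-implementation of the rule's logic run over constructed Sysmon Event ID 13 (`registry_set`) records. The handler name "Temporary Files", the `StateFlags0100` value and every `Details` string below are constructed for illustration, not captured logs; `_contains` and `alerting_indices` are helper names chosen here, not Sigma or Sysmon API.

```python
# Added example, not the SigmaHQ rule's own code: re-implementation of the
# rule's predicates and of `root and 1 of selection_*`, run over constructed
# Sysmon Event ID 13 (registry_set) records. Sample events are constructed.

VOLUME_CACHES = "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches\\"

# The rule's `Details|contains` list, copied from selection_pre_after.
SUSPICIOUS_DETAILS = [
    "cmd", "powershell", "rundll32", "mshta", "cscript", "wscript", "wsl",
    "\\Users\\Public\\", "\\Windows\\TEMP\\",
    "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
]


def _contains(haystack, needles):
    """Sigma `|contains` semantics: case-insensitive substring, any of a list."""
    if isinstance(needles, str):
        needles = [needles]
    h = haystack.lower()
    return any(n.lower() in h for n in needles)


def root(event):
    # Every selection is scoped to the VolumeCaches tree.
    return _contains(event.get("TargetObject", ""), VOLUME_CACHES)


def selection_autorun(event):
    # Autorun = 1 lets the handler's (Pre)CleanupString run without the GUI,
    # e.g. when cleanmgr is invoked with /autoclean (see the rule comment).
    # Sigma plain string matches are case-insensitive, hence the lower().
    return (_contains(event.get("TargetObject", ""), "\\Autorun")
            and event.get("Details", "").lower() == "dword (0x00000001)")


def selection_pre_after(event):
    return (_contains(event.get("TargetObject", ""),
                      ["\\CleanupString", "\\PreCleanupString"])
            and _contains(event.get("Details", ""), SUSPICIOUS_DETAILS))


def matches(event):
    """condition: root and 1 of selection_*"""
    return root(event) and (selection_autorun(event) or selection_pre_after(event))


def alerting_indices(events):
    """Return the positions of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches(e)]


# Constructed handler key (the "Temporary Files" handler ships with Windows,
# but these writes are invented for the example).
HANDLER = "HKLM" + VOLUME_CACHES + "Temporary Files\\"

# Constructed sample events (Sysmon EventID 13 / Sigma category registry_set).
SAMPLE_EVENTS = [
    # 0: Autorun flipped on -> root and selection_autorun
    {"EventID": 13, "TargetObject": HANDLER + "Autorun",
     "Details": "DWORD (0x00000001)"},
    # 1: PreCleanupString pointing at a LOLBin in a world-writable directory
    {"EventID": 13, "TargetObject": HANDLER + "PreCleanupString",
     "Details": "powershell.exe -w hidden -f C:\\Users\\Public\\upd.ps1"},
    # 2: ordinary handler state under VolumeCaches -> root only, no alert
    {"EventID": 13, "TargetObject": HANDLER + "StateFlags0100",
     "Details": "DWORD (0x00000002)"},
    # 3: Autorun = 1 outside VolumeCaches -> root fails, no alert
    {"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Example\\Autorun",
     "Details": "DWORD (0x00000001)"},
    # 4: Autorun cleared -> Details mismatch, no alert
    {"EventID": 13, "TargetObject": HANDLER + "Autorun",
     "Details": "DWORD (0x00000000)"},
    # 5: CleanupString set to a binary in an unlisted directory -> coverage
    #    gap: none of the rule's Details strings match, so no alert
    {"EventID": 13, "TargetObject": HANDLER + "CleanupString",
     "Details": "C:\\ProgramData\\Updater\\svc.exe /run"},
]

if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_EVENTS):
        print(i, "ALERT" if matches(e) else "-", e["TargetObject"], "=", e["Details"])
```

Events 0 and 1 alert; the rest do not. Event 5 is the case worth noting: the rule only flags a `CleanupString`/`PreCleanupString` whose value contains one of the listed LOLBin names or staging paths (the rule's own comment says "Add more as you see fit"), so a handler pointed at a plainly named binary in an unlisted directory is written to the registry without an alert. The rule also fires on the registry write, not on the later execution; pairing it with process-creation telemetry for children of cleanmgr.exe covers the moment the planted command actually runs.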

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field         Kind              Values
Details       eq
  • DWORD (0x00000001) corpus 42 (sigma 38, chronicle 4)
Details       match (contains)
  • \Microsoft\Windows\Start Menu\Programs\Startup\ corpus 2 (sigma 2)
  • \Users\Public\ corpus 5 (sigma 5)
  • \Windows\TEMP\ corpus 5 (sigma 5)
  • cmd corpus 3 (sigma 3)
  • cscript corpus 4 (sigma 4)
  • mshta corpus 5 (sigma 4, splunk 1)
  • powershell corpus 10 (sigma 9, chronicle 1)
  • rundll32 corpus 4 (sigma 4)
  • wscript corpus 4 (sigma 4)
  • wsl
TargetObject  match (contains)
  • \Autorun
  • \CleanupString
  • \PreCleanupString
  • \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\ corpus 2 (sigma 2)