Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Persistence Via Disk Cleanup Handler - Autorun

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Persistence Via Disk Cleanup Handler - Autorun

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Persistence Via Disk Cleanup Handler - Autorun
id: d4e2745c-f0c6-4bde-a3ab-b553b3f693cc
status: test
description: |
    Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun.
    The disk cleanup manager is part of the operating system.
    It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
    Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
    Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
    Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
references:
    - https://persistence-info.github.io/Data/diskcleanuphandler.html
    - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-08-17
tags:
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    root:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\'
    selection_autorun:
        # Launching PreCleanupString / CleanupString programs w/o gui, i.e. while using e.g. /autoclean
        TargetObject|contains: '\Autorun'
        Details: 'DWORD (0x00000001)'
    selection_pre_after:
        TargetObject|contains:
            - '\CleanupString'
            - '\PreCleanupString'
        Details|contains:
            # Add more as you see fit
            - 'cmd'
            - 'powershell'
            - 'rundll32'
            - 'mshta'
            - 'cscript'
            - 'wscript'
            - 'wsl'
            - '\Users\Public\'
            - '\Windows\TEMP\'
            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
    condition: root and 1 of selection_*
falsepositives:
    - Unknown
level: medium

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml