Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
Potential Persistence Via Disk Cleanup Handler - Registry
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
Potential Persistence Via Disk Cleanup Handler - Registry
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: Potential Persistence Via Disk Cleanup Handler - Registry
id: d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a
status: test
description: |
Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.
The disk cleanup manager is part of the operating system. It displays the dialog box […]
The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
references:
- https://persistence-info.github.io/Data/diskcleanuphandler.html
- https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-02-07
tags:
- attack.persistence
logsource:
product: windows
category: registry_add
detection:
selection:
EventType: CreateKey
TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\'
filter_main_default_keys:
# Default Keys
TargetObject|endswith:
- '\Active Setup Temp Folders'
- '\BranchCache'
- '\Content Indexer Cleaner'
- '\D3D Shader Cache'
- '\Delivery Optimization Files'
- '\Device Driver Packages'
- '\Diagnostic Data Viewer database files'
- '\Downloaded Program Files'
- '\DownloadsFolder'
- '\Feedback Hub Archive log files'
- '\Internet Cache Files'
- '\Language Pack'
- '\Microsoft Office Temp Files'
- '\Offline Pages Files'
- '\Old ChkDsk Files'
- '\Previous Installations'
- '\Recycle Bin'
- '\RetailDemo Offline Content'
- '\Setup Log Files'
- '\System error memory dump files'
- '\System error minidump files'
- '\Temporary Files'
- '\Temporary Setup Files'
- '\Temporary Sync Files'
- '\Thumbnail Cache'
- '\Update Cleanup'
- '\Upgrade Discarded Files'
- '\User file versions'
- '\Windows Defender'
- '\Windows Error Reporting Files'
- '\Windows ESD installation files'
- '\Windows Upgrade Log Files'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate new entry added by windows
level: medium
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml