Bypass UAC Using SilentCleanup Task
Detects the setting of the environment variable "windir" to a non-default value. Attackers often abuse this variable to trigger a UAC bypass via the "SilentCleanup" scheduled task. The SilentCleanup task, which launches %windir%\system32\cleanmgr.exe, is an auto-elevated task and can be abused to run any file with administrator privileges without a UAC prompt.
Author: François Hubaut, Nextron Systems
Created: Thu Jan 06
Updated: Tue Jan 30
Rule ID: 724ea201-6514-4f38-9739-e5973c34f49a
Product: windows
Log Source
Product: Windows (windows)
Category: Registry Set (registry_set)
Detection Logic
detection:
    selection:
        TargetObject|endswith: '\Environment\windir'
    filter_main_default:
        Details: '%SystemRoot%'
    condition: selection and not 1 of filter_main_*
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
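The detection logic above, re-implemented in Python and run over constructed Registry Set events so that the selection, the filter and the case-insensitive matching can be checked by hand. This is an added example, not code from the SigmaHQ project or the rule author; the event dicts, SID and paths are placeholders constructed for the demonstration, shaped like Sysmon Event ID 13 records after Sigma field mapping (TargetObject, Details).

```python
"""Mirror of the Sigma rule's logic (added example, not SigmaHQ code).

Events are dicts shaped like Sysmon Event ID 13 (RegistryEvent, Value Set)
records after Sigma field mapping: 'TargetObject' and 'Details'.
"""
from typing import Dict, Iterable, List

# Sigma string matching is case-insensitive by default, so every comparison
# below is made on lower-cased values.
SELECTION_SUFFIX = r"\environment\windir"
FILTER_DEFAULT_VALUE = "%systemroot%"


def selection(event: Dict[str, str]) -> bool:
    """selection: TargetObject|endswith '\\Environment\\windir'."""
    return event.get("TargetObject", "").lower().endswith(SELECTION_SUFFIX)


def filter_main_default(event: Dict[str, str]) -> bool:
    """filter_main_default: Details equals '%SystemRoot%' (the Windows default)."""
    return event.get("Details", "").lower() == FILTER_DEFAULT_VALUE


def matches(event: Dict[str, str]) -> bool:
    """condition: selection and not 1 of filter_main_*."""
    filters = [filter_main_default]  # every selector named filter_main_*
    return selection(event) and not any(f(event) for f in filters)


def run(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if matches(e)]


# Constructed sample events (not real telemetry); SID and paths are placeholders.
SAMPLE_EVENTS = [
    {   # the Windows default value: must not alert
        "EventID": "13",
        "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Environment\windir",
        "Details": "%SystemRoot%",
    },
    {   # the same default in a different letter case: still filtered out
        "EventID": "13",
        "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Environment\WINDIR",
        "Details": "%systemroot%",
    },
    {   # a non-default value: the case the rule is meant to catch
        "EventID": "13",
        "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Environment\windir",
        "Details": "C:\\Temp\\",
    },
    {   # a different variable under the same key: not selected at all
        "EventID": "13",
        "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Environment\Path",
        "Details": "C:\\Temp\\",
    },
]

if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("ALERT", hit["TargetObject"], "=", hit["Details"])
```

Only the third event fires. During triage the useful check is the same one the filter makes: compare the value written with the expected %SystemRoot% and treat anything else, particularly a path under a user-writable directory, as needing investigation. For production use, convert the rule with the Sigma tooling for your backend rather than porting the logic by hand; this script exists only to make the rule's behaviour explicit.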
Testing & Validation
Simulations
Atomic Red Team: T1548.002 - Bypass UAC using SilentCleanup Task
GUID: 28104f8a-4ff1-4582-bcf6-699dce156608
MITRE ATT&CK
T1548.002 (tactics: Privilege Escalation, Defense Evasion)
Rule Metadata
Rule ID
724ea201-6514-4f38-9739-e5973c34f49a
Status
test
Level
high
Type
Detection
Created
Thu Jan 06
Modified
Tue Jan 30
Author
François Hubaut, Nextron Systems
Path
rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml
Raw Tags
attack.privilege-escalation
attack.defense-evasion
attack.t1548.002