Type: Detection | Level: medium | Status: test

Persistence Via Disk Cleanup Handler - Autorun

Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.

Author: Nasreddine Bencherchali (Nextron Systems)
Created: Thu Jul 21
Updated: Thu Aug 17
ID: d4e2745c-f0c6-4bde-a3ab-b553b3f693cc
Product: windows
Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)
Detection Logic (3 selectors)
detection:
    root:
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\'
    selection_autorun:
        # Launching PreCleanupString / CleanupString programs w/o gui, i.e. while using e.g. /autoclean
        TargetObject|contains: '\Autorun'
        Details: 'DWORD (0x00000001)'
    selection_pre_after:
        TargetObject|contains:
            - '\CleanupString'
            - '\PreCleanupString'
        Details|contains:
            # Add more as you see fit
            - 'cmd'
            - 'powershell'
            - 'rundll32'
            - 'mshta'
            - 'cscript'
            - 'wscript'
            - 'wsl'
            - '\Users\Public\'
            - '\Windows\TEMP\'
            - '\Microsoft\Windows\Start Menu\Programs\Startup\'
    condition: root and 1 of selection_*
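To show how the root selector gates the two `selection_*` branches, the following added Python evaluates this rule's logic over constructed registry value-set events (Sysmon Event ID 13 field names). It is not part of the rule or of the Sigma project; the handler names, paths and Details values in the samples are made up.

```python
# Constants transcribed from the rule above. Sigma string matching is
# case-insensitive, so every comparison below lowercases both sides.
ROOT_PATH = "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches\\"
AUTORUN_DETAILS = "DWORD (0x00000001)"
SCRIPT_VALUE_NAMES = ("\\CleanupString", "\\PreCleanupString")
SUSPICIOUS_DETAILS = (
    "cmd", "powershell", "rundll32", "mshta", "cscript", "wscript", "wsl",
    "\\Users\\Public\\", "\\Windows\\TEMP\\",
    "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
)


def _contains(haystack: str, needle: str) -> bool:
    """Sigma '|contains' semantics: case-insensitive substring test."""
    return needle.lower() in haystack.lower()


def rule_matches(event: dict) -> bool:
    """Return True when a registry_set event satisfies 'root and 1 of selection_*'."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    if not _contains(target, ROOT_PATH):  # root: must be a VolumeCaches value
        return False
    # selection_autorun: Autorun value set to exactly DWORD (0x00000001)
    selection_autorun = (_contains(target, "\\Autorun")
                         and details.lower() == AUTORUN_DETAILS.lower())
    # selection_pre_after: (Pre)CleanupString pointing at an interpreter or writable path
    selection_pre_after = (any(_contains(target, n) for n in SCRIPT_VALUE_NAMES)
                           and any(_contains(details, s) for s in SUSPICIOUS_DETAILS))
    return selection_autorun or selection_pre_after


def scan(events: list) -> list:
    """Indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


# Constructed sample events (hypothetical handler name "Example Handler").
_VC = "HKLM" + ROOT_PATH
SAMPLE_EVENTS = [
    {"TargetObject": _VC + "Example Handler\\Autorun", "Details": "DWORD (0x00000001)"},
    {"TargetObject": _VC + "Example Handler\\PreCleanupString",
     "Details": "cmd.exe /c C:\\Users\\Public\\example.bat"},
    # benign: cleanmgr /sageset writing a StateFlags value for a built-in handler
    {"TargetObject": _VC + "Temporary Files\\StateFlags0001", "Details": "DWORD (0x00000002)"},
    # Autorun value outside VolumeCaches: root selector does not apply
    {"TargetObject": "HKLM\\SOFTWARE\\Example\\Autorun", "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    print("alerting event indices:", scan(SAMPLE_EVENTS))  # prints [0, 1]
```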
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

MITRE ATT&CK
Rule Metadata
Rule ID
d4e2745c-f0c6-4bde-a3ab-b553b3f693cc
Status
test
Level
medium
Type
Detection
Created
Thu Jul 21
Modified
Thu Aug 17
Path
rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml
Raw Tags
attack.persistence