Persistence Via Disk Cleanup Handler - Autorun
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence via autorun. The disk cleanup manager is part of the operating system. It displays the dialog box […] The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI. Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications. Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler. Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
Severity
Trouble
Rule Requirement
Criteria
Action1: actionname = "Registry value modified" AND (OBJECTNAME contains "\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches" OR (OBJECTNAME endswith "\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches" AND isExist(OBJECTVALUENAME))) AND (((OBJECTNAME contains "\Autorun" OR (OBJECTNAME contains "\Autorun" OR OBJECTVALUENAME contains "\Autorun")) AND (INFORMATION = "DWORD (0x00000001)" OR (CHANGES = 1 AND NEWTYPE = "REG_DWORD"))) OR ((OBJECTNAME contains "\CleanupString,\PreCleanupString" OR (OBJECTNAME contains "\CleanupString,\PreCleanupString" OR OBJECTVALUENAME contains "\CleanupString,\PreCleanupString")) AND INFORMATION contains "cmd,powershell,rundll32,mshta,cscript,wscript,wsl,\Users\Public\,\Windows\TEMP\,\Microsoft\Windows\Start Menu\Programs\Startup")) select Action1.HOSTNAME,Action1.MESSAGE,Action1.OBJECTNAME,Action1.PROCESSNAME,Action1.PREVVAL,Action1.CHANGES
Detection
Execution Mode
realtime
Log Sources
Windows
Author
Nasreddine Bencherchali (Nextron Systems)
