IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Trusted Developer Application Usage Unusual AWS Command for a User »

› › ›

UAC Bypass via DiskCleanup Scheduled Task Hijack

edit

UAC Bypass via DiskCleanup Scheduled Task Hijack

edit

Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to stealthily execute code with elevated permissions.

Rule type: query

Rule indices:

winlogbeat-*
logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Elastic
Host
Windows
Threat Detection
Privilege Escalation

Version: 1

Added (Elastic Stack release): 7.10.0

Rule authors: Elastic

Rule license: Elastic License

Rule query

edit

event.category:process and event.type:(start or process_started) and
process.args:(/autoclean or /AUTOCLEAN) and
process.parent.name:svchost.exe and not
process.executable:("C:\Windows\System32\cleanmgr.exe" or
"C:\Windows\SysWOW64\cleanmgr.exe")

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
Technique:
- Name: Bypass User Account Control
- ID: T1088
- Reference URL: https://attack.mitre.org/techniques/T1088/

« Trusted Developer Application Usage Unusual AWS Command for a User »