Detects the setting of the environement variable “windir” to a non default value. Attackers often abuse this variable in order to trigger a UAC bypass via the “SilentCleanup” task. The SilentCleanup t
title: Bypass UAC Using SilentCleanup Task
id: 724ea201-6514-4f38-9739-e5973c34f49a
status: test
description: |
Detects the setting of the environement variable "windir" to a non default value.
Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task
- https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
- https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign
author: frack113, Nextron Systems
date: 2022-01-06
modified: 2024-01-30
tags:
- attack.privilege-escalation
- attack.t1548.002
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|endswith: '\Environment\windir'
filter_main_default:
Details: '%SystemRoot%'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task/info.yml
simulation:
- type: atomic-red-team
name: Bypass UAC using SilentCleanup Task
technique: T1548.002
atomic_guid: 28104f8a-4ff1-4582-bcf6-699dce156608
imRegistry
| where RegistryKey endswith "\\Environment\\windir" and (not(RegistryValueData =~ "%SystemRoot%"))DeviceRegistryEvents
| where RegistryKey endswith "\\Environment\\windir" and (not(RegistryValueData =~ "%SystemRoot%"))| Sentinel Table | Notes |
|---|---|
imRegistry | Ensure this data connector is enabled |