← Back to SOC feed Coverage →

Potential Persistence Via Disk Cleanup Handler - Registry

sigma MEDIUM SigmaHQ
imRegistry
backdoorpersistence
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-24T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence. The disk cleanup manager is part of the operating system. It displays the dialog box […] Th

Detection Rule

Sigma (Original)

title: Potential Persistence Via Disk Cleanup Handler - Registry
id: d4f4e0be-cf12-439f-9e25-4e2cdcf7df5a
status: test
description: |
    Detects when an attacker modifies values of the Disk Cleanup Handler in the registry to achieve persistence.
    The disk cleanup manager is part of the operating system. It displays the dialog box […]
    The user has the option of enabling or disabling individual handlers by selecting or clearing their check box in the disk cleanup manager's UI.
    Although Windows comes with a number of disk cleanup handlers, they aren't designed to handle files produced by other applications.
    Instead, the disk cleanup manager is designed to be flexible and extensible by enabling any developer to implement and register their own disk cleanup handler.
    Any developer can extend the available disk cleanup services by implementing and registering a disk cleanup handler.
references:
    - https://persistence-info.github.io/Data/diskcleanuphandler.html
    - https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-21
modified: 2023-02-07
tags:
    - attack.persistence
logsource:
    product: windows
    category: registry_add
detection:
    selection:
        EventType: CreateKey
        TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\'
    filter_main_default_keys:
        # Default Keys
        TargetObject|endswith:
            - '\Active Setup Temp Folders'
            - '\BranchCache'
            - '\Content Indexer Cleaner'
            - '\D3D Shader Cache'
            - '\Delivery Optimization Files'
            - '\Device Driver Packages'
            - '\Diagnostic Data Viewer database files'
            - '\Downloaded Program Files'
            - '\DownloadsFolder'
            - '\Feedback Hub Archive log files'
            - '\Internet Cache Files'
            - '\Language Pack'
            - '\Microsoft Office Temp Files'
            - '\Offline Pages Files'
            - '\Old ChkDsk Files'
            - '\Previous Installations'
            - '\Recycle Bin'
            - '\RetailDemo Offline Content'
            - '\Setup Log Files'
            - '\System error memory dump files'
            - '\System error minidump files'
            - '\Temporary Files'
            - '\Temporary Setup Files'
            - '\Temporary Sync Files'
            - '\Thumbnail Cache'
            - '\Update Cleanup'
            - '\Upgrade Discarded Files'
            - '\User file versions'
            - '\Windows Defender'
            - '\Windows Error Reporting Files'
            - '\Windows ESD installation files'
            - '\Windows Upgrade Log Files'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate new entry added by windows
level: medium

KQL (Azure Sentinel)

imRegistry
| where (EventType =~ "RegistryKeyCreated" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches*") and (not((RegistryKey endswith "\\Active Setup Temp Folders" or RegistryKey endswith "\\BranchCache" or RegistryKey endswith "\\Content Indexer Cleaner" or RegistryKey endswith "\\D3D Shader Cache" or RegistryKey endswith "\\Delivery Optimization Files" or RegistryKey endswith "\\Device Driver Packages" or RegistryKey endswith "\\Diagnostic Data Viewer database files" or RegistryKey endswith "\\Downloaded Program Files" or RegistryKey endswith "\\DownloadsFolder" or RegistryKey endswith "\\Feedback Hub Archive log files" or RegistryKey endswith "\\Internet Cache Files" or RegistryKey endswith "\\Language Pack" or RegistryKey endswith "\\Microsoft Office Temp Files" or RegistryKey endswith "\\Offline Pages Files" or RegistryKey endswith "\\Old ChkDsk Files" or RegistryKey endswith "\\Previous Installations" or RegistryKey endswith "\\Recycle Bin" or RegistryKey endswith "\\RetailDemo Offline Content" or RegistryKey endswith "\\Setup Log Files" or RegistryKey endswith "\\System error memory dump files" or RegistryKey endswith "\\System error minidump files" or RegistryKey endswith "\\Temporary Files" or RegistryKey endswith "\\Temporary Setup Files" or RegistryKey endswith "\\Temporary Sync Files" or RegistryKey endswith "\\Thumbnail Cache" or RegistryKey endswith "\\Update Cleanup" or RegistryKey endswith "\\Upgrade Discarded Files" or RegistryKey endswith "\\User file versions" or RegistryKey endswith "\\Windows Defender" or RegistryKey endswith "\\Windows Error Reporting Files" or RegistryKey endswith "\\Windows ESD installation files" or RegistryKey endswith "\\Windows Upgrade Log Files")))

KQL (Microsoft 365 Defender)

DeviceRegistryEvents
| where (ActionType =~ "RegistryKeyCreated" and RegistryKey endswith "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches*") and (not((RegistryKey endswith "\\Active Setup Temp Folders" or RegistryKey endswith "\\BranchCache" or RegistryKey endswith "\\Content Indexer Cleaner" or RegistryKey endswith "\\D3D Shader Cache" or RegistryKey endswith "\\Delivery Optimization Files" or RegistryKey endswith "\\Device Driver Packages" or RegistryKey endswith "\\Diagnostic Data Viewer database files" or RegistryKey endswith "\\Downloaded Program Files" or RegistryKey endswith "\\DownloadsFolder" or RegistryKey endswith "\\Feedback Hub Archive log files" or RegistryKey endswith "\\Internet Cache Files" or RegistryKey endswith "\\Language Pack" or RegistryKey endswith "\\Microsoft Office Temp Files" or RegistryKey endswith "\\Offline Pages Files" or RegistryKey endswith "\\Old ChkDsk Files" or RegistryKey endswith "\\Previous Installations" or RegistryKey endswith "\\Recycle Bin" or RegistryKey endswith "\\RetailDemo Offline Content" or RegistryKey endswith "\\Setup Log Files" or RegistryKey endswith "\\System error memory dump files" or RegistryKey endswith "\\System error minidump files" or RegistryKey endswith "\\Temporary Files" or RegistryKey endswith "\\Temporary Setup Files" or RegistryKey endswith "\\Temporary Sync Files" or RegistryKey endswith "\\Thumbnail Cache" or RegistryKey endswith "\\Update Cleanup" or RegistryKey endswith "\\Upgrade Discarded Files" or RegistryKey endswith "\\User file versions" or RegistryKey endswith "\\Windows Defender" or RegistryKey endswith "\\Windows Error Reporting Files" or RegistryKey endswith "\\Windows ESD installation files" or RegistryKey endswith "\\Windows Upgrade Log Files")))

Required Data Sources

Sentinel TableNotes
imRegistryEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml