From 32714b8527d622c72b3bb00b806eabc9ff1ea8b2 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 18 Mar 2021 15:11:42 +0100
Subject: [PATCH] [Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack (#988)
* [Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack
* Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
Co-authored-by: Justin Ibarra
* Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
---
 ...lege_escalation_uac_bypass_diskcleanup_hijack.toml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
index 009e477f8..bc5f3c309 100644
--- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/08"
 
 [rule]
 author = ["Elastic"]
@@ -22,9 +22,11 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type in ("start", "process_started") and
-process.args:"/autoclean" and process.args:"/d" and
-not process.executable : ("C:\\Windows\\System32\\cleanmgr.exe", "C:\\Windows\\SysWOW64\\cleanmgr.exe")
+process where event.type == "start" and
+ process.args : "/autoclean" and process.args : "/d" and
+ not process.executable : ("C:\\Windows\\System32\\cleanmgr.exe",
+ "C:\\Windows\\SysWOW64\\cleanmgr.exe",
+ "C:\\Windows\\System32\\taskhostw.exe")
 '''
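Review bot: The `C:\\Windows\\System32\\taskhostw.exe` entry added to the `not process.executable` list in the query hunk widens the allowlist without any recorded rationale — nothing in the rule explains why the task host itself is expected to start with `/autoclean` and `/d`, so a later tuner cannot judge whether the entry is still needed or safe to keep. Presumably it is the scheduled SilentCleanup task that produces these events; state that explicitly in the rule's false-positive or note text rather than leaving it implicit in the query. Because the exclusions are exact paths, a host whose Windows directory is not `C:\Windows` will alert on its own legitimate cleanup run, and if the data source populates it, pairing the excluded paths with `process.code_signature.trusted == true` would let the allowlist rest on signing rather than location alone. The hunk's trailing context (three lines by the `@@ -22,9 +22,11 @@` counts) is not visible in this rendering, so anything after the closing `'''` is unreviewed.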
@@ -45,4 +47,3 @@ reference = "https://attack.mitre.org/techniques/T1548/002/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-