New cleanmgr indirect execution trick

2024-12-26 06:49:09 +01:00 · 2022-03-18 11:21:14 +01:00 · 2022-03-18 11:21:14 +01:00 · 790bbed18d
commit 790bbed18d
parent 55a7ea9a81
1 changed files with 28 additions and 0 deletions
--- a/yml/OSBinaries/Cleanmgr.yml
+++ b/yml/OSBinaries/Cleanmgr.yml
@ -0,0 +1,28 @@
+---
+Name: Cleanmgr.exe
+Description: Used for disk cleanup as part of Windows update
+Author: 'Jan Miller'
+Created: 2022-18-03
+Commands:
+  - Command: %WINDIR%\system32\cleanmgr.exe /autoclean /d %systemdrive%
+    Description: Automatically reclaim unused disc space at the specified drive (/d switch)
+    Usecase: Exploiting HKEY_CURRENT_USER\Environment\windir registry, a malicious script (e.g. dropper) may be executed by cleanmgr
+    Category: Execute
+    Privileges: User
+    MitreID: T1202
+    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
+Full_Path:
+  - Path: C:\Windows\System32\cleanmgr.exe
+  - Path: C:\Windows\SysWOW64\cleanmgr.exe
+Code_Sample:
+  - Code:
+Detection:
+  - IOC: Child process from cleanmgr.exe
+Resources:
+  - Link: https://twitter.com/filescan_itsec/status/1504615170387161089
+Acknowledgement:
+  - Person: Jan Miller
+    Handle: '@miller_itsec'
+  - Person: FileScan GmbH
+    Handle: '@filescan_itsec'
+---