bypass UAC via scheduled task environment variable

rule:
  meta:
    name: bypass UAC via scheduled task environment variable
    namespace: host-interaction/uac/bypass
    authors:
      - anamaria.martinezgom@mandiant.com
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002]
    references:
      - https://www.tiraniddo.dev/2017/05/exploiting-environment-variables-in.html
      - https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup
  features:
    - and:
      - string: "schtasks.exe"
      - string: /Microsoft\\Windows\\DiskCleanup\\SilentCleanup/i
      - match: host-interaction/process/create
      - optional:
        - or:
          - string: "Environment"
          - string: "windir"
          - match: set registry value