Agentic Detection Engineering is here. Let’s talk at RSAC — Booth #350
Meet with us at RSAC
On-Demand Webinar

Abuse SilentCleanup Task

Threats + Use Case
May 4, 2021 12:00 AM
CST
Online
On-Demand Webinar

Abuse SilentCleanup Task

Detection Strategies

Overview of Abuse SilentCleanup Task

There's a task in Windows Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges. When it runs, it executes the file "%windir%\system32\cleanmgr.exe". Since it runs as Users, and it's possible to control user's environment variables, " %windir%" (normally pointing to C:\Windows) can be changed to point to whatever file an adversary wants, and it'll run as admin. This use case identifies execution of the "SilentCleanup" task.

References

Request Access to Use Case Repository

Tags

Defense Evasion

Privilege Escalation

PowerShell

Splunk

APT29

BRONZE BUTLER

Cobalt Group

Honeybee

APT37

Threat Group-3390

MuddyWater

Patchwork

Get the Latest Resources

Leave Your Data Where You Want: Detect Across Snowflake

Demo Series
Leave Your Data Where You Want: Detect Across Snowflake
Watch

MonteAI: Your Detection Engineering & Threat Hunting Co-Pilot

Demo Series
MonteAI: Your Detection Engineering & Threat Hunting Co-Pilot
Watch
Build Detections You Want, Where You Want
Get the latest news, blog posts and threat reports
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
By submitting this form, you agree to our Terms of Use
and acknowledge our Privacy Statement.
Product
PlatformIntegrations
Learn
BlogResourcesThreat ResearchDetection DispatchWebinarsCustomersSolution Guides
Customer Resources
Log InRelease NotesKnowledge Base
Company
About UsCareersContact Us
Facebook
Twitter
Linkedin
© 2025 Anvilogic. All Rights Reserved.
Agentic Detection Engineering is here. Let’s talk at RSAC — Booth #350
Meet with us at RSAC
White Paper

Abuse SilentCleanup Task

Threats + Use Case
Build Detections You Want, Where You Want
Get the latest news, blog posts and threat reports
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
By submitting this form, you agree to our Terms of Use
and acknowledge our Privacy Statement.
Product
PlatformIntegrations
Learn
BlogResourcesThreat ResearchDetection DispatchWebinarsCustomersSolution Guides
Customer Resources
Log InRelease NotesKnowledge Base
Company
About UsCareersContact Us
Facebook
Twitter
Linkedin
© 2025 Anvilogic. All Rights Reserved.
Agentic Detection Engineering is here. Let’s talk at RSAC — Booth #350
Meet with us at RSAC
May 4, 2021

Abuse SilentCleanup Task

Threats + Use Case
No items found.

Overview of Abuse SilentCleanup Task

There's a task in Windows Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges. When it runs, it executes the file "%windir%\system32\cleanmgr.exe". Since it runs as Users, and it's possible to control user's environment variables, " %windir%" (normally pointing to C:\Windows) can be changed to point to whatever file an adversary wants, and it'll run as admin. This use case identifies execution of the "SilentCleanup" task.

References

Request Access to Use Case Repository

Tags

Defense Evasion

Privilege Escalation

PowerShell

Splunk

APT29

BRONZE BUTLER

Cobalt Group

Honeybee

APT37

Threat Group-3390

MuddyWater

Patchwork

Resources

No items found.

Build Detection You Want,
Where You Want

Build Detection You Want,
Where You Want

Book a Demo