[Upcoming Session] 2024 Mid-Year Attacks & Trends. Join us August 1st.
Register
Skip to main content
On-Demand Webinar

Abuse SilentCleanup Task

Threats + Use Case
On-Demand Webinar

Abuse SilentCleanup Task

Detection Strategies

Overview of Abuse SilentCleanup Task

There's a task in Windows Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges. When it runs, it executes the file "%windir%\system32\cleanmgr.exe". Since it runs as Users, and it's possible to control user's environment variables, " %windir%" (normally pointing to C:\Windows) can be changed to point to whatever file an adversary wants, and it'll run as admin. This use case identifies execution of the "SilentCleanup" task.

References

Request Access to Use Case Repository

Tags

Defense Evasion

Privilege Escalation

PowerShell

Splunk

APT29

BRONZE BUTLER

Cobalt Group

Honeybee

APT37

Threat Group-3390

MuddyWater

Patchwork

Get the Latest Resources

Leave Your Data Where You Want: Detect Across Snowflake

Demo Series
Leave Your Data Where You Want: Detect Across Snowflake
Watch

MonteAI: Your Detection Engineering & Threat Hunting Co-Pilot

Demo Series
MonteAI: Your Detection Engineering & Threat Hunting Co-Pilot
Watch
Break Free from SIEM Lock-in
Get the latest news, blog posts and threat reports
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
By submitting this form, you agree to our Terms of Use
and acknowledge our Privacy Statement.
Product
PlatformIntegrations
Learn
BlogResourcesThreat ResearchDetection DispatchWebinarsCustomersSolution GuidesWhite PapersData Sheets
Customer Resources
Log InRelease NotesKnowledge Base
Company
About UsCareersContact Us
Facebook
Twitter
Linkedin
© 2024 Anvilogic. All Rights Reserved.
[Upcoming Session] 2024 Mid-Year Attacks & Trends. Join us August 1st.
Register
Skip to main content
White Paper

Abuse SilentCleanup Task

Threats + Use Case
Break Free from SIEM Lock-in
Get the latest news, blog posts and threat reports
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
By submitting this form, you agree to our Terms of Use
and acknowledge our Privacy Statement.
Product
PlatformIntegrations
Learn
BlogResourcesThreat ResearchDetection DispatchWebinarsCustomersSolution GuidesWhite PapersData Sheets
Customer Resources
Log InRelease NotesKnowledge Base
Company
About UsCareersContact Us
Facebook
Twitter
Linkedin
© 2024 Anvilogic. All Rights Reserved.
[Upcoming Session] 2024 Mid-Year Attacks & Trends. Join us August 1st.
Register
Skip to main content
May 4, 2021

Abuse SilentCleanup Task

Threats + Use Case

Overview of Abuse SilentCleanup Task

There's a task in Windows Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges. When it runs, it executes the file "%windir%\system32\cleanmgr.exe". Since it runs as Users, and it's possible to control user's environment variables, " %windir%" (normally pointing to C:\Windows) can be changed to point to whatever file an adversary wants, and it'll run as admin. This use case identifies execution of the "SilentCleanup" task.

References

Request Access to Use Case Repository

Tags

Defense Evasion

Privilege Escalation

PowerShell

Splunk

APT29

BRONZE BUTLER

Cobalt Group

Honeybee

APT37

Threat Group-3390

MuddyWater

Patchwork

Break Free from SIEM Lock-in

Break Free from SIEM Lock-in

Book a Demo