Abuse SilentCleanup Task
Overview of Abuse SilentCleanup Task
Windows Task Scheduler includes a task called "SilentCleanup" which, while it is executed as Users, automatically runs with elevated privileges. When it runs, it executes the file "%windir%\system32\cleanmgr.exe". Because the task runs as Users, and a user's environment variables can be controlled, "%windir%" (normally pointing to C:\Windows) can be changed to point to whatever file an adversary wants, and that file will run as admin. This use case identifies execution of the "SilentCleanup" task.
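Detection logic for the behaviour described above, as an added example (not Anvilogic's use case content): it flags a write to the per-user `windir` environment value and a `schtasks` launch of SilentCleanup, raising severity when the second follows the first on the same host. The event field names (modelled on Sysmon events 13 and 1), the five-minute window and the sample events are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names are simplified
# assumptions modelled on Sysmon event 13 (registry value set) and 1 (process create).
EVENTS = [
    {"time": "2024-05-01T10:00:00", "host": "WS01", "id": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Environment\windir",
     "Details": r"C:\constructed\value"},
    {"time": "2024-05-01T10:00:20", "host": "WS01", "id": 1,
     "CommandLine": r"schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup"},
    {"time": "2024-05-01T11:00:00", "host": "WS02", "id": 1,
     "CommandLine": r"schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup"},
    {"time": "2024-05-01T12:00:00", "host": "WS03", "id": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1002\Environment\TEMP",
     "Details": r"%USERPROFILE%\AppData\Local\Temp"},
]

# A per-user "windir" value shadows the system-wide one for that user's session.
WINDIR_OVERRIDE = re.compile(r"^HKU\\[^\\]+\\Environment\\windir$", re.I)
TASK_RUN = re.compile(r"\bschtasks(\.exe)?\b.*/run\b.*SilentCleanup", re.I)
WINDOW = timedelta(minutes=5)  # assumed correlation window

def detect(events):
    """Return (host, time, severity, reason) for each suspicious event."""
    alerts, last_override = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 13 and WINDIR_OVERRIDE.match(ev.get("TargetObject", "")):
            last_override[ev["host"]] = ts
            alerts.append((ev["host"], ev["time"], "medium", "per-user windir override"))
        elif ev["id"] == 1 and TASK_RUN.search(ev.get("CommandLine", "")):
            seen = last_override.get(ev["host"])
            chained = seen is not None and ts - seen <= WINDOW
            reason = "SilentCleanup run" + (" after windir override" if chained else "")
            alerts.append((ev["host"], ev["time"], "high" if chained else "low", reason))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The task can also be started by the scheduler itself rather than through `schtasks`, so the registry-write alert is worth triaging even when no task launch is observed.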
Tags
Defense Evasion
Privilege Escalation
PowerShell
Splunk
APT29
BRONZE BUTLER
Cobalt Group
Honeybee
APT37
Threat Group-3390
MuddyWater
Patchwork