Abuse SilentCleanup Task

Overview of Abuse SilentCleanup Task

Windows Task Scheduler ships with a task named "SilentCleanup" that, although it is configured to run as the Users group, automatically runs with elevated privileges. When it runs, it executes "%windir%\system32\cleanmgr.exe". Because the task runs as Users, and users can control their own environment variables, "%windir%" (which normally points to C:\Windows) can be redirected so that the path resolves to whatever file an adversary chooses, and that file then runs as admin. This use case identifies execution of the "SilentCleanup" task.

Example
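
The following is an added illustration of the detection idea described above; it is not Anvilogic's Splunk content or any code from the original page. It runs the two conditions a defender would look for over constructed process-creation records (the field names imitate Sysmon Event ID 1 / Security 4688, the event ids and paths are made up), and adds a host-side check of the windir variable value. The expected cleanmgr.exe location and the scheduled task name are the only real values; everything else is an assumption for the example.

```python
"""Detection helpers for abuse of the Windows SilentCleanup scheduled task.

Two signals are evaluated per process-creation record:
  1. the SilentCleanup task is explicitly invoked (task name in the command line);
  2. a process named cleanmgr.exe starts from anywhere other than the real
     C:\\Windows\\System32 location, which is what a redirected %windir% produces.
A third helper checks whether the windir variable in a given environment
still points at the system root.
"""
from typing import Dict, Iterable, List, Mapping, Tuple

EXPECTED_CLEANMGR = r"c:\windows\system32\cleanmgr.exe"  # genuine binary location
TASK_NAME = "silentcleanup"                                 # scheduled task name


def normalize(path: str) -> str:
    """Lower-case a Windows path, drop surrounding quotes and unify separators."""
    return path.strip().strip('"').replace("/", "\\").lower()


def mentions_silentcleanup(event: Mapping[str, str]) -> bool:
    """True when the command line names the SilentCleanup task (e.g. schtasks /run)."""
    return TASK_NAME in event.get("CommandLine", "").lower()


def cleanmgr_from_unexpected_path(event: Mapping[str, str]) -> bool:
    """True when a cleanmgr.exe image is launched from outside System32."""
    image = normalize(event.get("Image", ""))
    return image.endswith("\\cleanmgr.exe") and image != EXPECTED_CLEANMGR


def windir_tampered(env: Mapping[str, str], system_root: str = r"C:\Windows") -> bool:
    """True when the environment's windir value no longer matches the system root.

    Windows variable names are case-insensitive, so the lookup ignores case.
    Pass os.environ on a Windows host to inspect the current user's values.
    """
    for name, value in env.items():
        if name.lower() == "windir":
            return normalize(value) != normalize(system_root)
    return False  # no windir variable present: nothing to compare


def detect(events: Iterable[Mapping[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (record id, [reasons]) for every record that trips a condition."""
    alerts = []
    for ev in events:
        reasons = []
        if mentions_silentcleanup(ev):
            reasons.append("silentcleanup_task_invoked")
        if cleanmgr_from_unexpected_path(ev):
            reasons.append("cleanmgr_outside_system32")
        if reasons:
            alerts.append((ev["RecordId"], reasons))
    return alerts


# Constructed sample records (not real telemetry): one explicit task run,
# one benign scheduled cleanup, one cleanmgr.exe launched from a user profile.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {
        "RecordId": "ev-1",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /run /tn "\Microsoft\Windows\DiskCleanup\SilentCleanup"',
        "User": "CORP\\alice",
    },
    {
        "RecordId": "ev-2",
        "Image": r"C:\Windows\System32\cleanmgr.exe",
        "CommandLine": r"C:\Windows\System32\cleanmgr.exe /autoclean /d C:",
        "User": "CORP\\alice",
    },
    {
        "RecordId": "ev-3",
        "Image": r"C:\Users\alice\AppData\Local\Temp\system32\cleanmgr.exe",
        "CommandLine": r"C:\Users\alice\AppData\Local\Temp\system32\cleanmgr.exe /autoclean /d C:",
        "User": "CORP\\alice",
    },
]

if __name__ == "__main__":
    for record_id, reasons in detect(SAMPLE_EVENTS):
        print(record_id, ", ".join(reasons))
```

The same two conditions map directly onto a Splunk search over process-creation data: one clause matching the task name in the command-line field, and one matching an image whose file name is cleanmgr.exe while the full path is not the System32 location. The windir check is best run on endpoints as part of a baseline job rather than in the SIEM.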

References

Tags

Defense Evasion

Privilege Escalation

PowerShell

Splunk

APT29

BRONZE BUTLER

Cobalt Group

Honeybee

APT37

Threat Group-3390

MuddyWater

Patchwork
