2021-05-05

Abuse SilentCleanup Task

Level: 
  |  Source: 
GitHub
Share:

Abuse SilentCleanup Task

Industry: N/A | Level: | Source: GitHub

There’s a task in Windows Task Scheduler called “SilentCleanup” which, while it’s executed as Users, automatically runs with elevated privileges. When it runs, it executes the file “%windir%\system32\cleanmgr.exe”. Since it runs as Users, and its possible to control user’s environment variables, ” %windir%” (normally pointing to C:\Windows) can be changed to point to whatever file an adversary wants, and it’ll run as admin. This use case identifies execution of the “SilentCleanup” task.

Get trending threats published weekly by the Anvilogic team.

Sign Up Now