[SANS Institute and Anvilogic Present] The 2025 State of Detection Engineering Report
Join the waitlist
Skip to main content
On-Demand Webinar

Abuse SilentCleanup Task

Threats + Use Case
On-Demand Webinar

Abuse SilentCleanup Task

Detection Strategies

Overview of Abuse SilentCleanup Task

There's a task in Windows Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges. When it runs, it executes the file "%windir%\system32\cleanmgr.exe". Since it runs as Users, and it's possible to control user's environment variables, " %windir%" (normally pointing to C:\Windows) can be changed to point to whatever file an adversary wants, and it'll run as admin. This use case identifies execution of the "SilentCleanup" task.

References

Request Access to Use Case Repository

Tags

Defense Evasion

Privilege Escalation

PowerShell

Splunk

APT29

BRONZE BUTLER

Cobalt Group

Honeybee

APT37

Threat Group-3390

MuddyWater

Patchwork

Get the Latest Resources

Leave Your Data Where You Want: Detect Across Snowflake

Demo Series
Leave Your Data Where You Want: Detect Across Snowflake
Watch

MonteAI: Your Detection Engineering & Threat Hunting Co-Pilot

Demo Series
MonteAI: Your Detection Engineering & Threat Hunting Co-Pilot
Watch
Build Detections You Want, Where You Want
Get the latest news, blog posts and threat reports
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
By submitting this form, you agree to our Terms of Use
and acknowledge our Privacy Statement.
Product
PlatformIntegrations
Learn
BlogResourcesThreat ResearchDetection DispatchWebinarsCustomersSolution Guides
Customer Resources
Log InRelease NotesKnowledge Base
Company
About UsCareersContact Us
Facebook
Twitter
Linkedin
© 2024 Anvilogic. All Rights Reserved.
[SANS Institute and Anvilogic Present] The 2025 State of Detection Engineering Report
Join the waitlist
Skip to main content
White Paper

Abuse SilentCleanup Task

Threats + Use Case
Build Detections You Want, Where You Want
Get the latest news, blog posts and threat reports
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
By submitting this form, you agree to our Terms of Use
and acknowledge our Privacy Statement.
Product
PlatformIntegrations
Learn
BlogResourcesThreat ResearchDetection DispatchWebinarsCustomersSolution Guides
Customer Resources
Log InRelease NotesKnowledge Base
Company
About UsCareersContact Us
Facebook
Twitter
Linkedin
© 2024 Anvilogic. All Rights Reserved.
[SANS Institute and Anvilogic Present] The 2025 State of Detection Engineering Report
Join the waitlist
Skip to main content
May 4, 2021

Abuse SilentCleanup Task

Threats + Use Case

Overview of Abuse SilentCleanup Task

There's a task in Windows Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges. When it runs, it executes the file "%windir%\system32\cleanmgr.exe". Since it runs as Users, and it's possible to control user's environment variables, " %windir%" (normally pointing to C:\Windows) can be changed to point to whatever file an adversary wants, and it'll run as admin. This use case identifies execution of the "SilentCleanup" task.

References

Request Access to Use Case Repository

Tags

Defense Evasion

Privilege Escalation

PowerShell

Splunk

APT29

BRONZE BUTLER

Cobalt Group

Honeybee

APT37

Threat Group-3390

MuddyWater

Patchwork

Build Detection You Want,
Where You Want

Build Detection You Want,
Where You Want

Book a Demo