Abuse SilentCleanup Task

There’s a task in Windows Task Scheduler called “SilentCleanup” which, while it’s executed as Users, automatically runs with elevated privileges. When it runs, it executes the file “%windir%\system32\cleanmgr.exe”. Since it runs as Users, and its possible to control user’s environment variables, ” %windir%” (normally pointing to C:\Windows) can be changed to point to whatever file an adversary wants, and it’ll run as admin. This use case identifies execution of the “SilentCleanup” task.