| Threats + Use Case

Abuse SilentCleanup Task

Hacking/Unauthorized Access

Overview of Abuse SilentCleanup Task

There’s a task in Windows Task Scheduler called “SilentCleanup” which, while it’s executed as Users, automatically runs with elevated privileges. When it runs, it executes the file “%windir%\system32\cleanmgr.exe”. Since it runs as Users, and its possible to control user’s environment variables, ” %windir%” (normally pointing to C:\Windows) can be changed to point to whatever file an adversary wants, and it’ll run as admin. This use case identifies execution of the “SilentCleanup” task.

 

Example

 

References

 

Tags

Defense Evasion
Privilege Escalation
PowerShell
Splunk
APT29
BRONZE BUTLER
Cobalt Group
Honeybee
APT37
Threat Group-3390
MuddyWater
Patchwork

Categories: ,

APT29, APT37, BRONZE BUTLER, Cobalt Group, Defense Evasion, Honeybee, MuddyWater, Patchwork, Privilege Escalation, Splunk, Threat Group-3390, Use Cases