Skip to content

Hide Navigation Hide TOC

Bypass UAC Using SilentCleanup Task (724ea201-6514-4f38-9739-e5973c34f49a)

Detects the setting of the environement variable "windir" to a non default value. Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task. The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.

Cluster A Galaxy A Cluster B Galaxy B Level
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Bypass UAC Using SilentCleanup Task (724ea201-6514-4f38-9739-e5973c34f49a) Sigma-Rules 1
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 2