module
Windows Escalate UAC Protection Bypass (Via SilentCleanup)
| Disclosed | Created |
|---|---|
| 2019-02-24 | 2019-06-27 |
Disclosed
2019-02-24
Created
2019-06-27
Description
There's a task in Windows Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges.
When it runs, it executes the file %windir%\system32\cleanmgr.exe. Since it runs as Users, and we can control user's environment variables,
%windir% (normally pointing to C:\Windows) can be changed to point to whatever we want, and it'll run as admin.
When it runs, it executes the file %windir%\system32\cleanmgr.exe. Since it runs as Users, and we can control user's environment variables,
%windir% (normally pointing to C:\Windows) can be changed to point to whatever we want, and it'll run as admin.
Authors
tyranid
enigma0x3
nyshone69
lokiuox
Carter Brainerd (cbrnrd)
enigma0x3
nyshone69
lokiuox
Carter Brainerd (cbrnrd)
Platform
Windows
Architectures
x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.