module
Windows Escalate UAC Protection Bypass (Via SilentCleanup)
| Disclosed |
|---|
| Feb 24, 2019 |
Disclosed
Feb 24, 2019
Description
There's a task in Windows Task Scheduler called "SilentCleanup" which, while it's executed as Users, automatically runs with elevated privileges.
When it runs, it executes the file %windir%\system32\cleanmgr.exe. Since it runs as Users, and we can control user's environment variables,
%windir% (normally pointing to C:\Windows) can be changed to point to whatever we want, and it'll run as admin.
When it runs, it executes the file %windir%\system32\cleanmgr.exe. Since it runs as Users, and we can control user's environment variables,
%windir% (normally pointing to C:\Windows) can be changed to point to whatever we want, and it'll run as admin.
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.