Detectionmediumtest
Potential CCleanerReactivator.DLL Sideloading
Detects potential DLL sideloading of "CCleanerReactivator.dll"
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
WindowsImage Load (DLL)
ProductWindows← raw: windows
CategoryImage Load (DLL)← raw: image_load
Detection Logic
Detection Logic2 selectors
detection:
selection:
ImageLoaded|endswith: '\CCleanerReactivator.dll'
filter_main_path:
Image|startswith:
- 'C:\Program Files\CCleaner\'
- 'C:\Program Files (x86)\CCleaner\'
Image|endswith: '\CCleanerReactivator.exe'
condition: selection and not 1 of filter_main_*False Positives
False positives could occur from other custom installation paths. Apply additional filters accordingly.
References
MITRE ATT&CK
Rule Metadata
Rule ID
3735d5ac-d770-4da0-99ff-156b180bc600
Status
test
Level
medium
Type
Detection
Created
Thu Jul 13
Author
Path
rules/windows/image_load/image_load_side_load_ccleaner_reactivator.yml
Raw Tags
attack.defense-evasionattack.persistenceattack.privilege-escalationattack.t1574.001