Potential CCleanerReactivator.DLL Sideloading
Detects potential DLL sideloading of "CCleanerReactivator.dll"
Sigma rule (View on GitHub)
1title: Potential CCleanerReactivator.DLL Sideloading
2id: 3735d5ac-d770-4da0-99ff-156b180bc600
3status: test
4description: Detects potential DLL sideloading of "CCleanerReactivator.dll"
5references:
6 - https://lab52.io/blog/2344-2/
7author: X__Junior
8date: 2023-07-13
9tags:
10 - attack.defense-evasion
11 - attack.persistence
12 - attack.privilege-escalation
13 - attack.t1574.001
14logsource:
15 category: image_load
16 product: windows
17detection:
18 selection:
19 ImageLoaded|endswith: '\CCleanerReactivator.dll'
20 filter_main_path:
21 Image|startswith:
22 - 'C:\Program Files\CCleaner\'
23 - 'C:\Program Files (x86)\CCleaner\'
24 Image|endswith: '\CCleanerReactivator.exe'
25 condition: selection and not 1 of filter_main_*
26falsepositives:
27 - False positives could occur from other custom installation paths. Apply additional filters accordingly.
28level: medium
References
-
Last month of May we were talking about the new APT29 campaign that we called “Information”. Recently, just a week ago, an unknown actor used similar techniques to APT29. This time APT29 is once ag...
Read More
Related rules
- Creation Of Non-Existent System DLL
- DLL Search Order Hijackig Via Additional Space in Path
- DLL Sideloading Of ShellChromeAPI.DLL
- Malicious DLL File Dropped in the Teams or OneDrive Folder
- Microsoft Office DLL Sideload