Adversaries may drop a malicious DLL named CCleanerDU.dll next to a legitimate, signed CCleaner executable (frequently a copy of the binary placed in a directory they control, sometimes under a different name) so that the trusted executable loads the attacker's code when it starts. This gives them code execution that blends in with a well-known application and a persistence hook that fires each time the binary is launched. The rule below flags any load of CCleanerDU.dll whose loading process is not CCleaner.exe or CCleaner64.exe under the default installation paths. SOC teams can hunt for this in Microsoft Sentinel (formerly Azure Sentinel) with the DeviceImageLoadEvents table supplied by the Microsoft Defender for Endpoint connector, using the KQL query further down, and triage every hit as a potential DLL sideloading attempt.
Detection Rule
```yaml
title: Potential CCleanerDU.DLL Sideloading
id: 1fbc0671-5596-4e17-8682-f020a0b995dc
status: test
description: Detects potential DLL sideloading of "CCleanerDU.dll"
references:
    - https://lab52.io/blog/2344-2/
author: X__Junior (Nextron Systems)
date: 2023-07-13
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\CCleanerDU.dll'
    filter_main_path:
        Image|startswith:
            - 'C:\Program Files\CCleaner\'
            - 'C:\Program Files (x86)\CCleaner\'
        Image|endswith:
            - '\CCleaner.exe'
            - '\CCleaner64.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives could occur from other custom installation paths. Apply additional filters accordingly.
level: medium
```
Sentinel / Defender for Endpoint query (KQL)
```kql
DeviceImageLoadEvents
| where FolderPath endswith "\\CCleanerDU.dll"
| where not(
    (InitiatingProcessFolderPath startswith "C:\\Program Files\\CCleaner\\"
     or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CCleaner\\")
    and (InitiatingProcessFolderPath endswith "\\CCleaner.exe"
         or InitiatingProcessFolderPath endswith "\\CCleaner64.exe")
  )
```
Tuning and false positives
Scenario: CCleaner is installed to a non-default location (a second drive, a per-user directory, or a portable copy).
Filter/Exclusion: This is the false positive the rule author documents. Add the additional installation root to the Image|startswith list (InitiatingProcessFolderPath startswith in the KQL) while keeping the CCleaner.exe/CCleaner64.exe name requirement. Do not allow-list user-writable directories such as Downloads, Temp or C:\Users\Public: a relocated loader in exactly those places is the behaviour being hunted.
Scenario: Another legitimate executable shipped in the CCleaner installation directory loads CCleanerDU.dll.
Filter/Exclusion: Confirm the behaviour on a clean install first. If your telemetry shows a further CCleaner component loading the DLL, add that file name to the Image|endswith list rather than widening the path filter to the whole directory.
Scenario: The loading process has the expected name and path, but the executable or the DLL has been replaced.
Filter/Exclusion: Path-based filters cannot see this, so do not close a hit as a false positive on the path alone. Check the loader's signature (in Defender for Endpoint, join DeviceFileCertificateInfo on InitiatingProcessSHA1) and compare the DLL's SHA1/SHA256 from the image-load event against a known-good copy.
Scenario: The loader is an installer, script host or LOLBin (msiexec.exe, regsvr32.exe, powershell.exe) or a renamed binary loading CCleanerDU.dll from a non-CCleaner directory.
Filter/Exclusion: Do not exclude these on the basis of parent process or command line. None of them has a legitimate reason to load CCleanerDU.dll, and a renamed CCleaner binary carrying a malicious DLL is the case the rule exists for. Treat such hits as true positives pending investigation.
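As an added example (not part of the original rule or of the SigmaHQ/Nextron project), the following Python re-implements the rule's selection and filter_main_path logic over constructed records shaped like Sysmon Event ID 7 (Image = loading process, ImageLoaded = DLL path) and shows the two tuning steps discussed above: allow-listing a custom installation root, and additionally requiring the loader's signer so that a path-only allow-list does not become a blind spot. The sample events, the D:\Tools\CCleaner\ root and the "Piriform Software Ltd" signer string are assumptions; take the real signer from a clean install in your own environment.

```python
"""Added example: Python re-implementation of 'Potential CCleanerDU.DLL
Sideloading' run over constructed Sysmon Event ID 7-style records.
Illustration code, not the original rule; sample events, the extra install
root and the signer strings are assumptions."""

from dataclasses import dataclass
from typing import Iterable, List, Optional

# Install roots and loader names taken from the rule's filter_main_path.
DEFAULT_INSTALL_ROOTS = (
    "C:\\Program Files\\CCleaner\\",
    "C:\\Program Files (x86)\\CCleaner\\",
)
LEGIT_LOADERS = ("\\ccleaner.exe", "\\ccleaner64.exe")
TARGET_DLL = "\\ccleanerdu.dll"  # selection: ImageLoaded|endswith


@dataclass
class ImageLoad:
    image: str                    # process that loaded the DLL (Sysmon Image)
    image_loaded: str             # path of the loaded DLL (Sysmon ImageLoaded)
    signer: Optional[str] = None  # signer of `image`; assumed enrichment, not in the rule


def is_legit_loader(ev: ImageLoad, extra_roots: Iterable[str] = (),
                    require_signer: Optional[str] = None) -> bool:
    """filter_main_path: CCleaner.exe/CCleaner64.exe under a known install root.
    Sigma string modifiers are case-insensitive, so paths are lower-cased.
    extra_roots allow-lists custom install paths (the rule's documented FP);
    require_signer optionally demands the loader carry the expected signature."""
    img = ev.image.lower()
    roots = tuple(r.lower() for r in (*DEFAULT_INSTALL_ROOTS, *extra_roots))
    if not (img.startswith(roots) and img.endswith(LEGIT_LOADERS)):
        return False
    if require_signer is not None and ev.signer != require_signer:
        return False
    return True


def matches(ev: ImageLoad, **tuning) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    if not ev.image_loaded.lower().endswith(TARGET_DLL):
        return False
    return not is_legit_loader(ev, **tuning)


def hunt(events: Iterable[ImageLoad], **tuning) -> List[str]:
    """Return the loading-process path of every event the rule would flag."""
    return [ev.image for ev in events if matches(ev, **tuning)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # default install, expected signer: filtered out
    ImageLoad(r"C:\Program Files\CCleaner\CCleaner64.exe",
              r"C:\Program Files\CCleaner\CCleanerDU.dll", "Piriform Software Ltd"),
    # custom install path: fires until the root is allow-listed
    ImageLoad(r"D:\Tools\CCleaner\CCleaner64.exe",
              r"D:\Tools\CCleaner\CCleanerDU.dll", "Piriform Software Ltd"),
    # renamed loader in a user-writable directory: the sideloading case
    ImageLoad(r"C:\Users\Public\Libraries\svchost.exe",
              r"C:\Users\Public\Libraries\CCleanerDU.dll", None),
    # right name and path but unsigned binary: only caught with require_signer
    ImageLoad(r"C:\Program Files\CCleaner\CCleaner.exe",
              r"C:\Program Files\CCleaner\CCleanerDU.dll", None),
    # unrelated DLL loaded by CCleaner: never selected
    ImageLoad(r"C:\Program Files\CCleaner\CCleaner64.exe",
              r"C:\Windows\System32\kernel32.dll", "Piriform Software Ltd"),
]

if __name__ == "__main__":
    print("as shipped:     ", hunt(SAMPLE_EVENTS))
    print("custom root:    ", hunt(SAMPLE_EVENTS, extra_roots=["D:\\Tools\\CCleaner\\"]))
    print("custom + signer:", hunt(SAMPLE_EVENTS, extra_roots=["D:\\Tools\\CCleaner\\"],
                                   require_signer="Piriform Software Ltd"))
```

Run as shipped, the rule flags both the custom-path install and the relocated loader; allow-listing the extra root leaves only the relocated loader; adding the signer requirement also surfaces the unsigned binary sitting at the expected path, which no path filter can distinguish from the real one.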