Adversaries may drop a malicious CCleanerReactivator.dll beside a copy of the signed CCleanerReactivator.exe, or load that DLL from an unrelated process, so that a trusted-looking host binary executes their code. This is DLL sideloading (MITRE ATT&CK T1574.001) and is used for defense evasion, persistence and privilege escalation. The rule below flags any load of CCleanerReactivator.dll whose loading process is not CCleanerReactivator.exe running from one of the default CCleaner installation directories. SOC teams can hunt for this behavior in Azure Sentinel with the KQL conversion that follows; it queries DeviceImageLoadEvents, which is Microsoft Defender for Endpoint telemetry that reaches Sentinel through the Microsoft 365 Defender connector.
Detection Rule
title: Potential CCleanerReactivator.DLL Sideloading
id: 3735d5ac-d770-4da0-99ff-156b180bc600
status: test
description: Detects potential DLL sideloading of "CCleanerReactivator.dll"
references:
    - https://lab52.io/blog/2344-2/
author: X__Junior
date: 2023-07-13
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\CCleanerReactivator.dll'
    filter_main_path:
        Image|startswith:
            - 'C:\Program Files\CCleaner\'
            - 'C:\Program Files (x86)\CCleaner\'
        Image|endswith: '\CCleanerReactivator.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - False positives could occur from other custom installation paths. Apply additional filters accordingly.
level: medium
Azure Sentinel Query (KQL)
DeviceImageLoadEvents
| where FolderPath endswith "\\CCleanerReactivator.dll"
| where not(
    (InitiatingProcessFolderPath startswith "C:\\Program Files\\CCleaner\\"
     or InitiatingProcessFolderPath startswith "C:\\Program Files (x86)\\CCleaner\\")
    and InitiatingProcessFolderPath endswith "\\CCleanerReactivator.exe")
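As an added, runnable illustration (not part of the original page, the Sigma rule or the CCleaner product), the following Python reproduces the rule's selection, filter_main_path and condition with Sigma's default string semantics (case-insensitive startswith/endswith, list values OR-ed, keys inside one block AND-ed) and runs it over a handful of constructed image_load events shaped like Sysmon Event ID 7 or DeviceImageLoadEvents rows. The extra_install_dirs parameter is a hypothetical tuning knob for the "custom installation path" false positive the rule mentions; every sample path is made up and none of this is real telemetry.

```python
"""Offline evaluation of the CCleanerReactivator.dll sideloading rule.

Reproduces the Sigma rule's `selection`, `filter_main_path` and `condition`
with Sigma's default string semantics (case-insensitive startswith/endswith,
list values OR-ed, keys inside one block AND-ed) and runs it over constructed
image_load events shaped like Sysmon Event ID 7 / DeviceImageLoadEvents rows.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence

# Values taken from the rule. Python needs the backslashes doubled.
TARGET_DLL = "\\CCleanerReactivator.dll"
TRUSTED_IMAGE_NAME = "\\CCleanerReactivator.exe"
TRUSTED_INSTALL_DIRS = (
    "C:\\Program Files\\CCleaner\\",
    "C:\\Program Files (x86)\\CCleaner\\",
)


@dataclass(frozen=True)
class ImageLoadEvent:
    image: str         # Sysmon 'Image' / MDE 'InitiatingProcessFolderPath': the loader
    image_loaded: str  # Sysmon 'ImageLoaded' / MDE 'FolderPath': the module loaded


def _endswith_ci(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())


def _startswith_any_ci(value: str, prefixes: Iterable[str]) -> bool:
    return any(value.lower().startswith(p.lower()) for p in prefixes)


def is_trusted_loader(image: str, extra_install_dirs: Sequence[str] = ()) -> bool:
    """filter_main_path: the loader is CCleanerReactivator.exe under an approved directory.

    `extra_install_dirs` is a hypothetical extension (not in the rule) for the
    "custom installation path" false positive: directories you have verified
    hold a genuine CCleaner install.
    """
    dirs = tuple(TRUSTED_INSTALL_DIRS) + tuple(extra_install_dirs)
    return _startswith_any_ci(image, dirs) and _endswith_ci(image, TRUSTED_IMAGE_NAME)


def matches_rule(event: ImageLoadEvent, extra_install_dirs: Sequence[str] = ()) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    selection = _endswith_ci(event.image_loaded, TARGET_DLL)
    return selection and not is_trusted_loader(event.image, extra_install_dirs)


def run_rule(events: Sequence[ImageLoadEvent], extra_install_dirs: Sequence[str] = ()) -> List[int]:
    """Return the indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e, extra_install_dirs)]


# Constructed sample events for illustration; not real telemetry.
SAMPLE_EVENTS = [
    # 0: benign, CCleaner loading its own DLL from the default install path.
    ImageLoadEvent("C:\\Program Files\\CCleaner\\CCleanerReactivator.exe",
                   "C:\\Program Files\\CCleaner\\CCleanerReactivator.dll"),
    # 1: classic sideload, a copy of the signed host EXE in a user-writable
    #    directory with an attacker-supplied DLL beside it.
    ImageLoadEvent("C:\\Users\\jdoe\\AppData\\Roaming\\Updater\\CCleanerReactivator.exe",
                   "C:\\Users\\jdoe\\AppData\\Roaming\\Updater\\CCleanerReactivator.dll"),
    # 2: the DLL pulled into an unrelated process.
    ImageLoadEvent("C:\\Windows\\System32\\rundll32.exe",
                   "C:\\ProgramData\\cache\\CCleanerReactivator.dll"),
    # 3: false-positive candidate, CCleaner installed to a custom directory.
    ImageLoadEvent("D:\\Apps\\CCleaner\\CCleanerReactivator.exe",
                   "D:\\Apps\\CCleaner\\CCleanerReactivator.dll"),
    # 4: unrelated module load, must not be selected at all.
    ImageLoadEvent("C:\\Windows\\System32\\svchost.exe",
                   "C:\\Windows\\System32\\ntdll.dll"),
]


if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        print(f"ALERT [{i}] {SAMPLE_EVENTS[i].image} -> {SAMPLE_EVENTS[i].image_loaded}")
    # Tuning for the custom-path false positive: event 3 drops out, 1 and 2 remain.
    print("after allowlisting D:\\Apps\\CCleaner\\:",
          run_rule(SAMPLE_EVENTS, ["D:\\Apps\\CCleaner\\"]))
```

Event 1 is the case the rule exists for: the loader is the genuine executable name, but it sits outside the install directory, so the filter deliberately does not apply. Note that a process under the trusted directory still alerts if it is not CCleanerReactivator.exe, because both keys of filter_main_path must hold. Tuning therefore means adding verified install directories, as the extra_install_dirs parameter shows, not excluding process names.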
Scenario: Scheduled Job for System Maintenance
Description: A scheduled task runs a portable or relocated copy of CCleaner (for example from a tools share or a per-user directory) as part of a maintenance routine. CCleanerReactivator.exe then loads CCleanerReactivator.dll from outside the two Program Files paths, so the filter does not apply and the rule fires. Merely copying the DLL into a directory does not trigger this rule; it keys on image_load events, not on file writes.
Filter/Exclusion: Add the approved installation directory to filter_main_path (Sigma) or to the InitiatingProcessFolderPath prefixes (KQL), after verifying that the executable at that path is the genuine, signed CCleanerReactivator.exe shipped with CCleaner. Do not exclude on task name alone; an attacker can name a task "System Cleanup" as easily as an administrator can.
Scenario: Administrator Running the Binary from a Non-Standard Location
Description: An administrator extracts the CCleaner installer, or copies CCleanerReactivator.exe together with its DLL to a scratch directory such as Downloads or a debugging folder, to troubleshoot a compatibility problem. The load comes from an unapproved path and the rule fires even though the loader is the real executable. Process Monitor and Process Explorer only observe processes; they do not replace DLLs, so filtering on Procmon.exe or procexp.exe is not a valid exclusion for this rule.
Filter/Exclusion: Handle as a time-bounded, host-specific exception tied to the change ticket rather than as a permanent path filter, and compare the hash of the loaded DLL against a known-good CCleaner installation before closing the alert.
Scenario: Software Deployment via Group Policy or Configuration Manager
Description: Microsoft Endpoint Configuration Manager (SCCM) or a Group Policy software installation deploys CCleaner to a non-default directory. Subsequent loads of CCleanerReactivator.dll by CCleanerReactivator.exe from that directory match the selection but not the filter.
Filter/Exclusion: Add the managed installation directory to the path filter. Excluding the deployment agents themselves (CCMExec.exe and similar) matches nothing, because the Image / InitiatingProcessFolderPath field records the process that loaded the DLL, not the agent that copied the files.
Scenario: Antivirus or Security Software Activity
Description: Antivirus and EDR engines (for example Microsoft Defender Antivirus through MsMpEng.exe) read CCleanerReactivator.dll to scan it, and product updates replace the vendor's own DLLs. Neither action maps CCleanerReactivator.dll as an executable image, so under normal conditions neither produces an image_load event this rule can match.
Filter/Exclusion: None needed. Do not add exclusions for MsMpEng.exe, Bitdefender or Kaspersky service processes; an actual load of CCleanerReactivator.dll into a security product's process would itself be anomalous and worth investigating.
Scenario: Custom Script for Detection Testing
Description: A detection engineer or red team validates this rule with a PowerShell or Python script that launches CCleanerReactivator.exe from a temporary directory, or places CCleanerReactivator.dll beside an unrelated executable and runs it, so that the DLL is loaded from an unapproved path.
Filter/Exclusion: Exclude