LoFP / false positives could occur from other custom installation paths. apply additional filters accordingly.

Techniques

Sample rules

Potential CCleanerDU.DLL Sideloading

source: sigma
technicques:
- t1574
- t1574.001
- t1574.002

Description

Detects potential DLL sideloading of “CCleanerDU.dll”

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_path:
  Image|endswith:
  - \CCleaner.exe
  - \CCleaner64.exe
  Image|startswith:
  - C:\Program Files\CCleaner\
  - C:\Program Files (x86)\CCleaner\
selection:
  ImageLoaded|endswith: \CCleanerDU.dll

Potential CCleanerReactivator.DLL Sideloading

source: sigma
technicques:
- t1574
- t1574.001
- t1574.002

Description

Detects potential DLL sideloading of “CCleanerReactivator.dll”

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_path:
  Image|endswith: \CCleanerReactivator.exe
  Image|startswith:
  - C:\Program Files\CCleaner\
  - C:\Program Files (x86)\CCleaner\
selection:
  ImageLoaded|endswith: \CCleanerReactivator.dll