Here’s the output from S1. Anybody else getting this?
Threat Info:
Name: ccleaner_update_helper.exe
URL: https://usea1-016.sentinelone.net/incidents/threats/2263371474982612272/overview
Path: \Device\HarddiskVolume2\PROGRAM FILES\CCleaner\ccleaner_update_helper.exe
Command Line Arguments: "C:\Program Files\CCleaner\ccleaner_update_helper.exe"
Process User: xxxx
Publisher Name: PIRIFORM SOFTWARE LIMITED
Signer Identity: PIRIFORM SOFTWARE LIMITED
Signature Verification: SignedVerified
Originating Process: runonce.exe
SHA1: b5dfca4637b7dbd66aa8893f6fbe761b72ae3db8
SHA256: 75c06549ecb4499cba622144215631b557a95adbd6ad73bd7c6d06f8eba9a9f0
Initiated By: Agent Policy
Engine: Behavioral AI
Detection type: Dynamic
Classification: Ransomware
File Size: 804.20 KB
Storyline: 451BB9CA51E897F0
Threat Id: 2263371474982612272
Here are the indicators:
Injection
* A library owned by one process was loaded to other process
  * MITRE : Defense Evasion [[DLL](https://attack.mitre.org/techniques/T1574/001/)][[EXPLOITATION FOR DEFENSE EVASION](https://attack.mitre.org/techniques/T1211/)]
  * MITRE : Privilege Escalation [[DLL](https://attack.mitre.org/techniques/T1574/001/)]
  * MITRE : Persistence [[DLL](https://attack.mitre.org/techniques/T1574/001/)]
* Code injection to a remote process
  * MITRE : Defense Evasion [[PROCESS INJECTION](https://attack.mitre.org/techniques/T1055/)][[PORTABLE EXECUTABLE INJECTION](https://attack.mitre.org/techniques/T1055/002/)][[REFLECTIVE CODE LOADING](https://attack.mitre.org/techniques/T1620)]
  * MITRE : Privilege Escalation [[PROCESS INJECTION](https://attack.mitre.org/techniques/T1055/)][[PORTABLE EXECUTABLE INJECTION](https://attack.mitre.org/techniques/T1055/002/)]

Privilege Escalation
* Detects a UMPD callback exploitation via code hooks
  * MITRE : Privilege Escalation [[EXPLOITATION FOR PRIVILEGE ESCALATION](https://attack.mitre.org/techniques/T1068/)]
  * MITRE : Defense Evasion [[EXPLOITATION FOR DEFENSE EVASION](https://attack.mitre.org/techniques/T1211/)]

Malware
* Detected a process that loaded DotNet libraries dynamically after startup
* Detected suspicious redirection of data to a pipe from an interpreter with a hidden window detected
  * MITRE : Defense Evasion [[HIDDEN WINDOW](https://attack.mitre.org/techniques/T1564/003/)]
* Detected redirection of data from a process

Infostealer
* Attempts to read sensitive information from LSASS
  * MITRE : Credential Access [[LSASS MEMORY](https://attack.mitre.org/techniques/T1003/001/)][[WINDOWS CREDENTIAL MANAGER](https://attack.mitre.org/techniques/T1555/004/)][[CREDENTIALS FROM PASSWORD STORES](https://attack.mitre.org/techniques/T1555/)][[OS CREDENTIAL DUMPING](https://attack.mitre.org/techniques/T1003/)]
  * MITRE : Initial Access [[VALID ACCOUNTS](https://attack.mitre.org/techniques/T1078/)][[T1199](https://attack.mitre.org/techniques/T1199/)]
  * MITRE : Defense Evasion [[VALID ACCOUNTS](https://attack.mitre.org/techniques/T1078/)]
  * MITRE : Persistence [[VALID ACCOUNTS](https://attack.mitre.org/techniques/T1078/)]
  * MITRE : Privilege Escalation [[VALID ACCOUNTS](https://attack.mitre.org/techniques/T1078/)]
* Blocked read access to LSASS
  * MITRE : Credential Access [[LSASS MEMORY](https://attack.mitre.org/techniques/T1003/001/)][[OS CREDENTIAL DUMPING](https://attack.mitre.org/techniques/T1003/)]
  * MITRE : Initial Access [[VALID ACCOUNTS](https://attack.mitre.org/techniques/T1078/)][[T1199](https://attack.mitre.org/techniques/T1199/)]
  * MITRE : Defense Evasion [[VALID ACCOUNTS](https://attack.mitre.org/techniques/T1078/)][[EXPLOITATION FOR DEFENSE EVASION](https://attack.mitre.org/techniques/T1211/)]
  * MITRE : Persistence [[VALID ACCOUNTS](https://attack.mitre.org/techniques/T1078/)]
  * MITRE : Privilege Escalation [[VALID ACCOUNTS](https://attack.mitre.org/techniques/T1078/)]
* Blocked attempt to open LSASS with invasive access
  * MITRE : Credential Access [[LSASS MEMORY](https://attack.mitre.org/techniques/T1003/001/)][[OS CREDENTIAL DUMPING](https://attack.mitre.org/techniques/T1003/)]
  * MITRE : Initial Access [[VALID ACCOUNTS](https://attack.mitre.org/techniques/T1078/)][[T1199](https://attack.mitre.org/techniques/T1199/)]
  * MITRE : Defense Evasion [[VALID ACCOUNTS](https://attack.mitre.org/techniques/T1078/)]
  * MITRE : Persistence [[VALID ACCOUNTS](https://attack.mitre.org/techniques/T1078/)]
  * MITRE : Privilege Escalation [[VALID ACCOUNTS](https://attack.mitre.org/techniques/T1078/)]
* Detected infostealing from two or more applications
  * MITRE : Credential Access [[CREDENTIALS FROM PASSWORD STORES](https://attack.mitre.org/techniques/T1555)]
* Chromium Edge's sensitive information was accessed
  * MITRE : Credential Access [[CREDENTIALS FROM WEB BROWSERS](https://attack.mitre.org/techniques/T1555/003/)][[CREDENTIALS IN FILES](https://attack.mitre.org/techniques/T1552/001)][[CREDENTIALS FROM PASSWORD STORES](https://attack.mitre.org/techniques/T1555/)]
* Chrome's sensitive information was accessed
  * MITRE : Credential Access [[CREDENTIALS FROM WEB BROWSERS](https://attack.mitre.org/techniques/T1555/003/)][[CREDENTIALS IN FILES](https://attack.mitre.org/techniques/T1552/001)][[CREDENTIALS FROM PASSWORD STORES](https://attack.mitre.org/techniques/T1555/)]
* Detected possible infostealing attempts from two or more applications
  * MITRE : Credential Access [[CREDENTIALS FROM PASSWORD STORES](https://attack.mitre.org/techniques/T1555)]

General
* User logged on
  * MITRE : Persistence [[VALID ACCOUNTS](https://attack.mitre.org/techniques/T1078/)][[DOMAIN ACCOUNTS](https://attack.mitre.org/techniques/T1078/002/)]
  * MITRE : Defense Evasion [[VALID ACCOUNTS](https://attack.mitre.org/techniques/T1078/)][[DOMAIN ACCOUNTS](https://attack.mitre.org/techniques/T1078/002/)]
  * MITRE : Privilege Escalation [[VALID ACCOUNTS](https://attack.mitre.org/techniques/T1078/)][[DOMAIN ACCOUNTS](https://attack.mitre.org/techniques/T1078/002/)]
  * MITRE : Initial Access [[VALID ACCOUNTS](https://attack.mitre.org/techniques/T1078/)][[DOMAIN ACCOUNTS](https://attack.mitre.org/techniques/T1078/002/)][[T1199](https://attack.mitre.org/techniques/T1199/)]

Evasion
* Anti-VM technique was used
  * MITRE : Defense Evasion [[VIRTUALIZATION/SANDBOX EVASION](https://attack.mitre.org/techniques/T1497/)]
  * MITRE : Discovery [[VIRTUALIZATION/SANDBOX EVASION](https://attack.mitre.org/techniques/T1497/)]
* Suspicious registry key was created
  * MITRE : Defense Evasion [[MODIFY REGISTRY](https://attack.mitre.org/techniques/T1112/)][[OBFUSCATED FILES OR INFORMATION](https://attack.mitre.org/techniques/T1027/)][[HIDDEN FILE SYSTEM](https://attack.mitre.org/techniques/T1564/005/)][[ENVIRONMENTAL KEYING](https://attack.mitre.org/techniques/T1480/001/)]
* Non-powershell process loaded powershell module System.Management.Automation.dll or System.Management.Automation.ni.dll
  * MITRE : Execution [[POWERSHELL](https://attack.mitre.org/techniques/T1059/001/)]
* The original filename is different from its actual name
  * MITRE : Defense Evasion [[RENAME LEGITIMATE UTILITIES](https://attack.mitre.org/techniques/T1036/003/)][[MATCH LEGITIMATE RESOURCE NAME OR LOCATION](https://attack.mitre.org/techniques/T1036/005/)][[PATH INTERCEPTION BY SEARCH ORDER HIJACKING](https://attack.mitre.org/techniques/T1574/008/)]
  * MITRE : Persistence [[PATH INTERCEPTION BY SEARCH ORDER HIJACKING](https://attack.mitre.org/techniques/T1574/008/)]
  * MITRE : Privilege Escalation [[PATH INTERCEPTION BY SEARCH ORDER HIJACKING](https://attack.mitre.org/techniques/T1574/008/)]
* Code injection to other process memory space during the target process's initialization
  * MITRE : Defense Evasion [[PROCESS HOLLOWING](https://attack.mitre.org/techniques/T1055/012/)]
  * MITRE : Privilege Escalation [[PROCESS HOLLOWING](https://attack.mitre.org/techniques/T1055/012/)]
* User process created a process solely used by the system
  * MITRE : Execution
* Process executed with PE file embedded in recource
  * MITRE : Command and Control [[DATA ENCODING](https://attack.mitre.org/techniques/T1132/)]
  * MITRE : Defense Evasion [[OBFUSCATED FILES OR INFORMATION](https://attack.mitre.org/techniques/T1027/)][[ENVIRONMENTAL KEYING](https://attack.mitre.org/techniques/T1480/001/)]
* Process executed with non-standard resource type
  * MITRE : Command and Control [[DATA ENCODING](https://attack.mitre.org/techniques/T1132/)]
  * MITRE : Defense Evasion [[OBFUSCATED FILES OR INFORMATION](https://attack.mitre.org/techniques/T1027/)][[ENVIRONMENTAL KEYING](https://attack.mitre.org/techniques/T1480/001/)]

Reconnaissance
* Suspicious WMI query was identified
  * MITRE : Execution [[WINDOWS MANAGEMENT INSTRUMENTATION](https://attack.mitre.org/techniques/T1047/)]
  * MITRE : Discovery [[SECURITY SOFTWARE DISCOVERY](https://attack.mitre.org/techniques/T1518/001/)][[SOFTWARE DISCOVERY](https://attack.mitre.org/techniques/T1518/)]
  * MITRE : Collection [[AUTOMATED COLLECTION](https://attack.mitre.org/techniques/T1119/)][[DATA FROM LOCAL SYSTEM](https://attack.mitre.org/techniques/T1005/)]
  * MITRE : Defense Evasion [[ENVIRONMENTAL KEYING](https://attack.mitre.org/techniques/T1480/001/)]

Persistence
* Application registered itself to become persistent via an autorun
  * MITRE : Persistence [[REGISTRY RUN KEYS / STARTUP FOLDER](https://attack.mitre.org/techniques/T1547/001/)][[EVENT TRIGGERED EXECUTION](https://attack.mitre.org/techniques/T1546/)]
  * MITRE : Privilege Escalation [[REGISTRY RUN KEYS / STARTUP FOLDER](https://attack.mitre.org/techniques/T1547/001/)]
* Application registered itself to become persistent via scheduled task
  * MITRE : Persistence [[SCHEDULED TASK](https://attack.mitre.org/techniques/T1053/005/)][[SCHEDULED TASK/JOB](https://attack.mitre.org/techniques/T1053/)]
  * MITRE : Execution [[SCHEDULED TASK](https://attack.mitre.org/techniques/T1053/005/)][[SCHEDULED TASK/JOB](https://attack.mitre.org/techniques/T1053/)][[EVENT TRIGGERED EXECUTION](https://attack.mitre.org/techniques/T1546/)]
  * MITRE : Privilege Escalation [[SCHEDULED TASK](https://attack.mitre.org/techniques/T1053/005/)][[SCHEDULED TASK/JOB](https://attack.mitre.org/techniques/T1053/)]

Discovery
* Identified attempt to access a raw volume
  * MITRE : Discovery [[SYSTEM INFORMATION DISCOVERY](https://attack.mitre.org/techniques/T1082/)][[PERMISSION GROUPS DISCOVERY](https://attack.mitre.org/techniques/T1069/)]
  * MITRE : Defense Evasion [[T1006](https://attack.mitre.org/techniques/T1006)]
It isn’t unusual for an AV to throw up a False Positive now and again; even the major ones get it wrong occasionally.
Their rationale is that if they are not sure what something is, then it’s better to err on the safe side and flag/block/quarantine it.
I note that this flag was thrown by a ‘Behavioral AI’ as part of a policy.
The reasons given are all potential signs of possible malware, but they are also things that have valid use.
The AI isn’t sure which it is so has blocked it;
or to put it another way - Criminals use motor vehicles, that doesn’t mean that anyone and everyone using a motor vehicle is a criminal.
FP’s are one reason why AV’s and security suites allow you to Whitelist apps that they would otherwise flag/block.
In this particular case Sentinel One is an ‘Enterprise’ security platform meant for use with user endpoints on an organisation’s networked computers.
Many enterprises forbid the installation of home use software on their employees’ endpoint computers.
So I’m not at all surprised that a security app meant for enterprise, networked, use would flag/block an app like CCleaner which is meant for home use.
Escalating privileges on an organisation’s network is a whole different thing from escalating privileges on a home computer.
I don’t just whitelist software because I think I know better. I ask around, or see if others got it too. Reach out to the software support. Etc.
I was mainly making the point that Sentinel One is designed for network endpoints in organisations/businesses, it is not really meant for home users.
So it could give odd/strange results, particularly FP’s, if/when used on a home PC or Laptop that is not part of or even overseeing a network.
Of course if you are running it on a network then you should be using CCleaner Business/CCleaner Cloud rather than CCleaner for home use.