The hypothesis is that the observed activity, a suspicious HTTP request to a known malicious domain, may indicate an adversary attempting to exfiltrate data or establish a foothold. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromises before the foothold is used for lateral movement.
YARA Rule
rule antivirusdetector
{
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        // Case-sensitive ASCII text strings (the YARA default); all three must be present
        $s1 = "getShadyProcess"
        $s2 = "getSystemAntiviruses"
        $s3 = "AntiVirusDetector"
    condition:
        all of them
}
The rule's detection logic consists of three string patterns, and its condition (all of them) fires only when every one of them is present in the scanned file; a sample containing just one or two of the identifiers does not match. The meta description points to the Cylance Operation Cleaver report the rule was published with.
The following benign scenarios produce HTTP requests that resemble the hunted behavior. Each is paired with an exclusion that scopes the hunt to a specific process and a specific internal destination, rather than to a process name alone.
Scenario: A system administrator is using PowerShell to automate a routine system cleanup task that involves downloading a script from a trusted internal repository.
Filter/Exclusion: Exclude events where the source IP is on the internal network, the command line contains powershell.exe -Command, and the requested URL's host is the known internal script repository. Key the exclusion on the URL actually requested, not only on the command line: a command line can quote the internal URL as a decoy while the request goes elsewhere.
Scenario: A scheduled task in Windows Task Scheduler is configured to fetch updates from a company's internal HTTP server.
Filter/Exclusion: Exclude events where the URL host matches the internal update server's domain and the requesting process is the task's configured action binary running under the Task Scheduler service (a child of the svchost.exe instance hosting the Schedule service, or of taskeng.exe on older Windows versions). schtasks.exe only creates and queries tasks; it is not the process that makes the request, so matching on it would exclude nothing.
Scenario: A CI/CD pipeline (e.g., Jenkins or GitLab CI) is performing a deployment that requires downloading artifacts from a secure internal HTTP endpoint.
Filter/Exclusion: Exclude events where the URL host is exactly the known internal artifact server and the process is the CI/CD agent (e.g., java -jar jenkins.war or gitlab-runner). Match the host exactly rather than testing whether the URL contains the server name; a substring test would also accept an attacker-registered host that embeds the internal name as a prefix.
Scenario: A database administrator is using SQL Server Management Studio (SSMS) to execute a query that connects to a data-synchronization API.
Filter/Exclusion: Exclude events where the process is ssms.exe and the URL host is the specific data sync service the DBA team has documented, whether internal or a sanctioned external endpoint. Do not exclude ssms.exe traffic to arbitrary external hosts.
Scenario: A log aggregation tool such as the ELK Stack or Splunk is configured to fetch logs from a remote server over HTTP.
Filter/Exclusion: Exclude events where the process is splunkd or logstash and the URL host is a known internal log server.
Two caveats apply to every exclusion above. First, a process name is attacker-controllable (a binary can be renamed, or a malicious one dropped as splunkd), so each exclusion pairs the process with one specific destination and an internal source address, and, where the telemetry carries it, the signed image path. Second, an exclusion must never suppress a request to a known malicious domain: apply the threat-intelligence match first and the exclusions only to what remains.
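The hunt described above, as an added example that is not part of the original page: a threat-intelligence check for known malicious domains runs first, then the five scenario exclusions are applied as an allowlist to what remains, over constructed sample events. The domain names, IP ranges and process names are assumptions for illustration, and the known-malicious list is constructed. It goes slightly beyond the text by identifying the scheduled-task case through the parent process and by comparing destination hosts exactly, so that a URL merely containing an internal host name is not allowlisted.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed threat-intel list and internal hosts (assumptions for this example).
KNOWN_MALICIOUS_DOMAINS = {"bad-c2.example", "exfil.example"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
INTERNAL_SCRIPT_HOST = "scripts.corp.example"      # admin PowerShell cleanup scripts
INTERNAL_UPDATE_HOST = "updates.corp.example"      # scheduled update job
INTERNAL_ARTIFACT_HOST = "artifacts.corp.example"  # CI/CD artifact server
INTERNAL_SYNC_HOST = "sync.corp.example"           # SSMS data sync service
INTERNAL_LOG_HOST = "logs.corp.example"            # log collector
CICD_PROCESSES = {"java", "gitlab-runner"}
LOG_PROCESSES = {"splunkd", "logstash"}
TASK_SCHEDULER_PARENTS = {"svchost.exe", "taskeng.exe"}  # parents of scheduled-task actions


@dataclass
class HttpEvent:
    src_ip: str
    process: str          # image name as logged; attacker-controllable, never the sole key
    command_line: str
    url: str              # destination actually requested, not a URL quoted in the command line
    parent_process: str = ""


def url_host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_internal_ip(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_known_malicious(host: str) -> bool:
    """True for a listed domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_MALICIOUS_DOMAINS)


def exclusion_reason(ev: HttpEvent) -> Optional[str]:
    """Name the benign scenario that explains the event, or None.

    Each exclusion pairs a process with one exact internal host and an internal
    source address. Hosts are compared exactly: a substring test such as
    'artifacts.corp.example' in ev.url would also accept
    artifacts.corp.example.exfil.example.
    """
    if not is_internal_ip(ev.src_ip):
        return None
    host = url_host(ev.url)
    proc = ev.process.lower()
    cmd = ev.command_line.lower()
    if proc == "powershell.exe" and "-command" in cmd and host == INTERNAL_SCRIPT_HOST:
        return "admin-powershell-cleanup"
    # The task's action binary runs under the Task Scheduler service, so the
    # parent identifies it; schtasks.exe only creates and queries tasks.
    if host == INTERNAL_UPDATE_HOST and ev.parent_process.lower() in TASK_SCHEDULER_PARENTS:
        return "scheduled-update-job"
    if host == INTERNAL_ARTIFACT_HOST and (proc in CICD_PROCESSES or "jenkins.war" in cmd):
        return "cicd-artifact-download"
    if proc == "ssms.exe" and host == INTERNAL_SYNC_HOST:
        return "ssms-data-sync"
    if proc in LOG_PROCESSES and host == INTERNAL_LOG_HOST:
        return "log-collection"
    return None


def triage(events: List[HttpEvent]) -> Tuple[List[Tuple[HttpEvent, str]], List[Tuple[HttpEvent, str]]]:
    """Split events into (hits, suppressed). The threat-intel check runs before
    the allowlist, so a known malicious destination is a hit whatever the process."""
    hits, suppressed = [], []
    for ev in events:
        if is_known_malicious(url_host(ev.url)):
            hits.append((ev, "known-malicious-domain"))
            continue
        reason = exclusion_reason(ev)
        if reason is None:
            hits.append((ev, "unexplained-http-request"))
        else:
            suppressed.append((ev, reason))
    return hits, suppressed


# Constructed sample events (not real telemetry).
PS_CMD = "powershell.exe -Command iwr http://scripts.corp.example/cleanup.ps1"
SAMPLE_EVENTS = [
    HttpEvent("10.1.2.3", "powershell.exe", PS_CMD, "http://scripts.corp.example/cleanup.ps1"),
    HttpEvent("10.1.2.3", "powershell.exe", PS_CMD, "http://bad-c2.example/beacon"),  # decoy cmdline
    HttpEvent("10.4.0.9", "updater.exe", "updater.exe /check",
              "http://updates.corp.example/manifest.json", parent_process="svchost.exe"),
    HttpEvent("10.5.0.1", "splunkd", "splunkd --collect", "http://logs.corp.example/collect"),
    HttpEvent("10.5.0.1", "splunkd", "splunkd --collect", "http://files.exfil.example/upload"),
    HttpEvent("10.6.0.2", "gitlab-runner", "gitlab-runner run", "http://artifacts.corp.example/app.tar"),
    HttpEvent("10.7.0.3", "ssms.exe", "ssms.exe", "http://sync.corp.example/api/v1"),
    HttpEvent("10.7.0.3", "ssms.exe", "ssms.exe", "http://unknown-api.example/data"),
    HttpEvent("203.0.113.5", "powershell.exe", PS_CMD, "http://scripts.corp.example/cleanup.ps1"),
    HttpEvent("10.6.0.2", "gitlab-runner", "gitlab-runner run",
              "http://artifacts.corp.example.exfil.example/app.tar"),  # embeds the internal name
]

if __name__ == "__main__":
    for ev, why in triage(SAMPLE_EVENTS)[0]:
        print(f"HIT        {why:26} {ev.process:15} {ev.url}")
    for ev, why in triage(SAMPLE_EVENTS)[1]:
        print(f"SUPPRESSED {why:26} {ev.process:15} {ev.url}")
```

The second PowerShell event shows why the exclusion is keyed on the requested URL rather than the command line: its command line is identical to the benign one, but the request goes to the listed domain and is reported. The last event shows why hosts are compared exactly: the URL contains the internal artifact server name, yet the host is a subdomain of a listed domain.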