This rule detects potential adversary behavior involving a suspicious domain associated with the Cylance OP Cleaver tool, which may indicate initial access or command-and-control activity. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage threats that could lead to persistent malware execution or data exfiltration.
YARA Rule

rule BackDoorLogger
{
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $s1 = "BackDoorLogger"
        $s2 = "zhuAddress"
    condition:
        all of them
}
This rule contains 2 string patterns in its detection logic, and its condition (all of them) requires both to be present in the scanned file before it fires. The YARA rule can be deployed in the following contexts, with the listed exclusions for benign activity:
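As an added example (not part of the page or of Cylance's rule set), a minimal Python evaluator for the plain text-string subset of YARA that this rule uses: it parses the rule text, applies the "all of them" condition to constructed byte buffers, and shows that an ASCII string pattern does not match a UTF-16 copy of the same marker unless the rule adds the wide modifier.

```python
import re

# Constructed copy of the page's BackDoorLogger rule, embedded so the example runs offline.
RULE_TEXT = r'''
rule BackDoorLogger
{
    meta:
        author = "Cylance"
    strings:
        $s1 = "BackDoorLogger"
        $s2 = "zhuAddress"
    condition:
        all of them
}
'''

# Only the plain text-string subset of YARA is handled: $id = "literal" and
# an "all/any/N of them" condition, no hex strings, regexes or modifiers.
STRING_RE = re.compile(r'^\s*(\$\w+)\s*=\s*"([^"]*)"', re.M)
COND_RE = re.compile(r'condition:\s*(all|any|\d+)\s+of\s+them')

def parse_rule(text):
    """Return (rule name, {string id: bytes}, number of strings required)."""
    name = re.search(r'^\s*rule\s+(\w+)', text, re.M).group(1)
    strings = {sid: val.encode() for sid, val in STRING_RE.findall(text)}
    cond = COND_RE.search(text).group(1)
    required = len(strings) if cond == "all" else 1 if cond == "any" else int(cond)
    return name, strings, required

def scan(data, rule):
    """Evaluate the parsed rule against a byte buffer, returning hit offsets."""
    name, strings, required = rule
    hits = {sid: data.find(s) for sid, s in strings.items() if s in data}
    return {"rule": name, "matched": len(hits) >= required, "hits": hits}

# Constructed sample buffers (not real malware): both markers, one marker only,
# and the markers encoded as UTF-16LE, which an ASCII pattern does not match
# unless the YARA rule adds the "wide" modifier.
SAMPLE_BOTH = b"\x00" * 16 + b"BackDoorLogger.exe\x00zhuAddress=10.0.0.5\x00"
SAMPLE_ONE = b"log prefix: BackDoorLogger only\x00"
SAMPLE_WIDE = "BackDoorLogger zhuAddress".encode("utf-16-le")

if __name__ == "__main__":
    rule = parse_rule(RULE_TEXT)
    for label, buf in (("both", SAMPLE_BOTH), ("one", SAMPLE_ONE), ("wide", SAMPLE_WIDE)):
        print(label, scan(buf, rule))
```

Real YARA also matches the strings anywhere in the file and reports every offset; this evaluator reports only the first hit per string, which is enough to show why a single-marker file does not satisfy "all of them".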
Scenario: A system administrator is using PowerShell to perform a scheduled maintenance task that involves downloading a script from a trusted internal repository.
Filter/Exclusion: Exclude events where the source IP is from the internal network and the command line includes powershell.exe with a known maintenance script path.
Scenario: A SQL Server Agent Job is configured to execute a stored procedure that connects to an external API for data synchronization.
Filter/Exclusion: Exclude events where the process name is sqlservr.exe and the URL matches a known internal API endpoint.
Scenario: A Windows Task Scheduler job is running a legitimate batch file that uses curl or wget to fetch a configuration file from a company’s internal server.
Filter/Exclusion: Exclude events where the process is schtasks.exe and the URL is within the company’s internal domain.
Scenario: A Docker container is being used to run a CI/CD pipeline that pulls code from a private Git repository.
Filter/Exclusion: Exclude events where the process is docker and the URL is a known private Git repository URL.
Scenario: A Log Management Tool like Splunk or ELK Stack is configured to send logs to an external monitoring service.
Filter/Exclusion: Exclude events where the process is splunkd or logstash and the URL is a known monitoring service endpoint.