The hypothesis is that a match on this rule indicates an adversary has staged Jasus, a network poisoning tool documented in Cylance's Operation Cleaver report (the URL in the rule's description), on an endpoint in order to intercept traffic and move laterally. Cylance is the author of the rule, not the threat actor. SOC teams should hunt for the file itself and for the behavior its strings describe (packet capture through libpcap, resolution of poisoning targets, gateway discovery) in Microsoft Sentinel (formerly Azure Sentinel) so that lateral movement or data exfiltration is caught early in the attack lifecycle.
YARA Rule
rule Jasus
{
meta:
author = "Cylance"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
strings:
$s1 = "pcap_dump_open" // libpcap export: the tool writes captured packets to a pcap file
$s2 = "Resolving IPs to poison..." // status message printed before poisoning targets
$s3 = "WARNNING: Gateway IP can not be found" // the misspelling is part of the signature; do not "correct" it
condition:
all of them // $s1 alone is present in legitimate libpcap users such as tcpdump; all three are required
}
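The following is an added example, not code from Cylance or from the original page. It mirrors the rule's logic (three plain ASCII strings, all required) in Python, cross-checks against yara-python when that module is installed, and runs it over constructed samples that illustrate the cases a practitioner trips over: a benign libpcap-linked binary that exports pcap_dump_open, a copy of the tool whose warning string was spelled correctly, and a UTF-16 copy of the strings that the rule does not match because it carries no wide modifier. The sample byte strings and file names are made up for the demonstration.

```python
"""Evaluate the Jasus YARA rule's logic against constructed samples.

Added example, not part of the Cylance rule or the page it appears on.
Uses yara-python if installed; otherwise a pure-Python matcher that
mirrors the rule (plain ASCII strings, `all of them`) is used alone.
"""

# The three strings from the rule, keyed by their YARA identifiers.
JASUS_STRINGS = {
    "$s1": b"pcap_dump_open",
    "$s2": b"Resolving IPs to poison...",
    "$s3": b"WARNNING: Gateway IP can not be found",
}

# Rule text for the optional yara-python cross-check (meta omitted).
JASUS_RULE = r'''
rule Jasus
{
    strings:
        $s1 = "pcap_dump_open"
        $s2 = "Resolving IPs to poison..."
        $s3 = "WARNNING: Gateway IP can not be found"
    condition:
        all of them
}
'''


def matched_strings(data: bytes) -> list:
    """Return the identifiers of rule strings found in data (ASCII, case-sensitive)."""
    return [ident for ident, pat in JASUS_STRINGS.items() if pat in data]


def jasus_matches(data: bytes) -> bool:
    """Mirror the rule's condition: every string must be present."""
    return len(matched_strings(data)) == len(JASUS_STRINGS)


def scan_with_yara(data: bytes):
    """Cross-check with yara-python; returns None when the module is absent."""
    try:
        import yara
    except ImportError:
        return None
    rules = yara.compile(source=JASUS_RULE)
    return any(m.rule == "Jasus" for m in rules.match(data=data))


# Constructed samples (not real binaries; headers are just decoration).
SAMPLES = {
    # All three strings present, as in the tool the rule describes.
    "jasus_like": (b"MZ\x90\x00" + b"\x00" * 64
                   + b"pcap_dump_open\x00"
                   + b"Resolving IPs to poison...\x00"
                   + b"WARNNING: Gateway IP can not be found\x00"),
    # Benign libpcap user: exports pcap_dump_open and nothing else.
    "tcpdump_like": b"\x7fELF" + b"\x00" * 64 + b"pcap_dump_open\x00pcap_open_live\x00",
    # Two of three: the warning is spelled correctly, so $s3 does not hit.
    "partial": (b"Resolving IPs to poison...\x00pcap_dump_open\x00"
                b"WARNING: Gateway IP can not be found\x00"),
    # UTF-16LE copy of all strings: no `wide` modifier in the rule, so no match.
    "wide_only": ("pcap_dump_open Resolving IPs to poison... "
                  "WARNNING: Gateway IP can not be found").encode("utf-16-le"),
}


def scan_samples() -> dict:
    """Return {sample name: (pure-Python verdict, yara-python verdict or None)}."""
    return {name: (jasus_matches(d), scan_with_yara(d)) for name, d in SAMPLES.items()}


if __name__ == "__main__":
    for name, (py, ya) in scan_samples().items():
        ya_txt = "n/a" if ya is None else str(ya)
        print(f"{name:12s} match={py!s:5s} yara={ya_txt:5s} strings={matched_strings(SAMPLES[name])}")
```

Only "jasus_like" matches; "tcpdump_like" hits a single string and "partial" hits two, which is why the rule's all-of condition matters when triaging string-level hits from a scanner that reports partial matches.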
This rule can be deployed wherever file content can be scanned with YARA: on-access scanning by endpoint or EDR agents, scheduled sweeps of file servers and staging directories, mail and web gateway sandboxes, and memory scans of running processes (the strings are plain ASCII and remain visible once the image is unpacked).
The rule contains 3 string patterns in its detection logic and requires all of them, so a hit on a single string, in particular $s1 (a libpcap export found in legitimate capture tools), is not a detection.
The exclusions below are tuning guidance for the process and network telemetry of the surrounding Sentinel hunt (script and download activity), not for the YARA match itself; a file that matches all three strings should be examined regardless of which process wrote it.
Scenario: A system administrator is using PowerShell to perform a scheduled cleanup task that involves downloading a file from a known internal server.
Filter/Exclusion: Exclude events where the source IP is on the internal network and the command line contains powershell.exe with a known cleanup script name.
Scenario: A Windows Task Scheduler job is configured to run a legitimate script that uses curl or Invoke-WebRequest to fetch updates from an internal repository.
Filter/Exclusion: Exclude events where the parent is the Task Scheduler service (the svchost.exe instance hosting the Schedule service, not schtasks.exe, which only manages tasks) and the URL matches a known internal update endpoint.
Scenario: A Docker container is being built or managed using Docker CLI commands, which may involve downloading base images from a public registry such as Docker Hub.
Filter/Exclusion: Exclude events where the process is docker and the URL belongs to a trusted public registry (e.g., docker.io or hub.docker.com).
Scenario: A CI/CD pipeline (e.g., Jenkins, GitLab CI) is pulling code from a version control system (e.g., GitHub, GitLab) as part of a deployment process.
Filter/Exclusion: Exclude events where the process belongs to the CI/CD tool (e.g., jenkins.exe, gitlab-runner) and the URL is a known code repository.
Scenario: A remote desktop session (e.g., via RDP) is being used to access a server, and the user is downloading a file from a shared network location using Windows Explorer or PowerShell.
Filter/Exclusion: Exclude events where the process is explorer.exe or powershell.exe and the file path is on a known shared network drive.