The hypothesis is that the detected activity may indicate an adversary attempting to exfiltrate data or establish a foothold through a suspicious HTTP request to a known malicious domain. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromise or data exfiltration attempts that traditional, signature-only methods may miss.
YARA Rule
rule kagent
{
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $s1 = "kill command is in last machine, going back"
        $s2 = "message data length in B64: %d Bytes"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic; its "all of them" condition fires only when both strings are present in the scanned file or memory region. The scenarios below describe benign activity that may resemble the rule's pattern, each with a suggested filter or exclusion.
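Added example (written here, not code from the original page or from Cylance): a minimal Python re-implementation of this rule's matching semantics, run over constructed byte samples. It shows that "all of them" needs both strings, and that YARA text strings without modifiers match ASCII bytes only, so a UTF-16 copy of the same text is missed unless the rule adds the `wide` modifier.

```python
import re
from typing import Dict, List

# The two strings declared in the kagent rule. YARA text strings with no
# modifiers are plain ASCII, case-sensitive byte patterns.
KAGENT_STRINGS: Dict[str, bytes] = {
    "$s1": b"kill command is in last machine, going back",
    "$s2": b"message data length in B64: %d Bytes",
}


def find_strings(data: bytes, patterns: Dict[str, bytes] = KAGENT_STRINGS) -> Dict[str, List[int]]:
    """Return, per string identifier, every offset at which it occurs in data."""
    hits: Dict[str, List[int]] = {}
    for name, pat in patterns.items():
        hits[name] = [m.start() for m in re.finditer(re.escape(pat), data)]
    return hits


def kagent_matches(data: bytes) -> bool:
    """Equivalent of the rule condition 'all of them': every string must be found."""
    return all(find_strings(data).values())


# Constructed samples (not real malware): padding bytes around the rule's strings.
SAMPLE_BOTH = (b"\x00" * 16 + KAGENT_STRINGS["$s1"]
               + b"\x00" * 8 + KAGENT_STRINGS["$s2"] + b"\x00" * 4)
# Only one of the two strings present: the rule must not fire.
SAMPLE_ONE = b"log: " + KAGENT_STRINGS["$s2"] + b"\r\n"
# Both strings present but UTF-16LE encoded: ASCII-only patterns do not match.
SAMPLE_WIDE = (KAGENT_STRINGS["$s1"].decode().encode("utf-16-le")
               + KAGENT_STRINGS["$s2"].decode().encode("utf-16-le"))

if __name__ == "__main__":
    for label, blob in (("both strings", SAMPLE_BOTH),
                        ("one string", SAMPLE_ONE),
                        ("UTF-16 strings", SAMPLE_WIDE)):
        print(f"{label:15s} match={kagent_matches(blob)} offsets={find_strings(blob)}")
```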
Scenario: A system administrator is using PowerShell to automate the deployment of a software update via a scheduled task.
Filter/Exclusion: Exclude processes initiated by the PowerShell script with a known signature or by the Task Scheduler service.
Scenario: A SQL Server Agent Job is executing a script that includes a URL to a public documentation site (e.g., http://cylance.com/opcleaver, the URL carried in the rule's meta section).
Filter/Exclusion: Exclude requests made by the SQL Server Agent service or from scripts associated with known SQL Server jobs.
Scenario: A Windows Update process is downloading a patch from a legitimate Microsoft endpoint, which coincidentally has a similar URL structure.
Filter/Exclusion: Exclude traffic originating from the Windows Update service or from known Microsoft update endpoints.
Scenario: A CI/CD pipeline (e.g., Jenkins, GitLab CI) is fetching a dependency from a public repository that includes a URL resembling the rule’s pattern.
Filter/Exclusion: Exclude requests made by the CI/CD agent or from known pipeline tools like Jenkins or GitLab Runner.
Scenario: A network monitoring tool (e.g., Wireshark, PRTG) is performing a test or scan that includes a URL similar to the rule’s pattern.
Filter/Exclusion: Exclude traffic initiated by the network monitoring tool or from known test scripts used in network analysis.