The hypothesis is that the observed activity may indicate an adversary attempting to exfiltrate data or establish a foothold through a suspicious HTTP connection to a known malicious domain. SOC teams should proactively hunt for this behaviour in Azure Sentinel (now Microsoft Sentinel) to identify early-stage compromise before lateral movement or data theft occurs. Note that the YARA rule below is a host-level check: it matches literal strings inside a file or a process's memory, so it complements the network-side hunt rather than replacing it, and a network hit should be followed by a scan of the suspect endpoint.
YARA Rule
rule LoggerModule
{
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        // format string used to build a timestamped log-file name
        $s1 = "%s-%02d%02d%02d%02d%02d.r"
        // drop directory under the user profile; backslashes are escaped for YARA
        $s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
    condition:
        all of them
}
The rule can be run wherever YARA executes against files or process memory (endpoint scanners, sandbox and mail pipelines, forensic triage of disk images). It carries two string patterns, and because its condition is all of them it fires only when both strings are present in the scanned object; a sample containing just the log-name format string, or just the Cookies path, does not match. Both strings are plain ASCII matches, so the rule will miss a build that stores them as UTF-16 unless a wide modifier is added.
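To make the matching behaviour concrete, here is a pure-Python re-implementation of the rule's logic. This is an added example, not code from the page or from Cylance: it reproduces the two string patterns and the all of them condition so the rule can be exercised without the yara module installed, and the sample buffers are constructed padding, not real malware.

```python
# Added example (not from the original page or Cylance): a pure-Python
# re-implementation of the LoggerModule rule's two strings and its
# "all of them" condition, run over constructed sample buffers.
from typing import Dict, List, Optional

# The rule's patterns as raw bytes. YARA string literals use C-style escapes,
# so "C:\\Users\\..." is one backslash per path segment once decoded.
LOGGER_MODULE_STRINGS: Dict[str, bytes] = {
    "$s1": b"%s-%02d%02d%02d%02d%02d.r",          # timestamped log-file name format
    "$s2": b"C:\\Users\\%s\\AppData\\Cookies\\",  # drop directory under the user profile
}


def find_all(data: bytes, needle: bytes) -> List[int]:
    """Return every offset at which needle occurs in data (overlaps allowed)."""
    offsets: List[int] = []
    start = 0
    while True:
        idx = data.find(needle, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def match_logger_module(data: bytes) -> Optional[Dict[str, List[int]]]:
    """Apply the rule: 'all of them' means every string must be present.

    Returns {identifier: [offsets]} on a match, None when any string is missing.
    """
    hits = {name: find_all(data, pat) for name, pat in LOGGER_MODULE_STRINGS.items()}
    if all(hits.values()):
        return hits
    return None


def scan_file(path: str) -> Optional[Dict[str, List[int]]]:
    """Scan a file on disk with the same logic (YARA would do this natively)."""
    with open(path, "rb") as fh:
        return match_logger_module(fh.read())


# Constructed sample buffers (not real malware): null padding around the strings.
SAMPLE_FULL = (
    b"\x00" * 16
    + b"%s-%02d%02d%02d%02d%02d.r"
    + b"\x00" * 8
    + b"C:\\Users\\%s\\AppData\\Cookies\\"
    + b"\x00" * 4
)
SAMPLE_PARTIAL = b"junk" + b"C:\\Users\\%s\\AppData\\Cookies\\" + b"junk"
SAMPLE_CLEAN = b"MZ\x90\x00 nothing interesting here"


def demo() -> Dict[str, bool]:
    """Which constructed samples the rule would flag."""
    return {
        "full": match_logger_module(SAMPLE_FULL) is not None,
        "partial": match_logger_module(SAMPLE_PARTIAL) is not None,
        "clean": match_logger_module(SAMPLE_CLEAN) is not None,
    }


if __name__ == "__main__":
    print(demo())
    print(match_logger_module(SAMPLE_FULL))
```

Only the full sample matches; the partial one shows why all of them matters when a rule is built from a handful of strings, since a single shared format string would otherwise fire on unrelated software.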
The exclusion scenarios below apply to the process telemetry used to trigger or enrich the hunt, not to the YARA string match itself, which is unaffected by parent process or command line. Scope each exclusion to full image paths and signed binaries rather than bare process names or command-line substrings, and verify the vendor binary names in your own environment before relying on them.
Scenario: A system administrator is using Cylance Protect to scan a system for malware.
Filter/Exclusion: Exclude processes where the parent process is cylance.exe or cylanceprotect.exe.
Scenario: A scheduled job runs PowerShell scripts to automate system maintenance tasks.
Filter/Exclusion: Exclude processes with the command line containing powershell.exe -Command and a known maintenance script path.
Scenario: A Windows Task Scheduler job is configured to run a legitimate SQL Server Agent job that connects to a database.
Filter/Exclusion: Exclude processes where the command line includes sqlcmd or sqlagent.exe.
Scenario: A Windows Update installation is in progress, and the update process is executing a temporary script.
Filter/Exclusion: Exclude processes with the command line containing wusa.exe or WindowsUpdate.exe.
Scenario: A Docker container is running a legitimate application, and the container process is interacting with the host system.
Filter/Exclusion: Exclude processes where the command line includes docker or the process is running inside a container (container_id is known).
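The difference between a literal reading of those exclusions and a scoped one is easiest to see on data. The block below is an added example, not code from the page: it applies the scenarios above to constructed process-creation events twice, once as bare name and substring tests and once anchored on full image paths and an allow-listed script directory. All file paths, the maintenance directory, and the vendor install directory are assumptions chosen for the illustration.

```python
# Added example (not from the original page): the exclusion scenarios applied to
# constructed process events, in a naive and a path-scoped form. Paths and
# directory names below are assumptions, not values from the page.
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class ProcEvent:
    label: str              # constructed sample name, used only for reporting
    image: str              # full path of the created process
    parent_image: str       # full path of the parent process
    cmdline: str
    container_id: str = ""  # non-empty when telemetry says the process ran in a container


# Assumed allow-listed locations (lower-cased for comparison); adjust per environment.
MAINTENANCE_SCRIPT_DIR = "c:\\scripts\\maintenance\\"
PROTECT_PARENT_DIR = "c:\\program files\\cylance\\"
SQL_TOOLS_DIR = "c:\\program files\\microsoft sql server\\"
SYSTEM32 = "c:\\windows\\system32\\"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def naive_excluded(ev: ProcEvent) -> bool:
    """Literal reading of the scenarios: process names and command-line substrings."""
    cl = ev.cmdline.lower()
    return (
        _basename(ev.parent_image) in ("cylance.exe", "cylanceprotect.exe")
        or "powershell.exe -command" in cl
        or "sqlcmd" in cl or "sqlagent.exe" in cl
        or "wusa.exe" in cl or "windowsupdate.exe" in cl
        or "docker" in cl or bool(ev.container_id)
    )


def scoped_excluded(ev: ProcEvent) -> bool:
    """Same intent, anchored on full image paths and an allow-listed script directory."""
    img = ev.image.lower()
    parent = ev.parent_image.lower()
    cl = ev.cmdline.lower()
    if parent.startswith(PROTECT_PARENT_DIR) and _basename(parent) in ("cylance.exe", "cylanceprotect.exe"):
        return True
    if _basename(img) == "powershell.exe" and "-command" in cl:
        # exclude only when the invoked script lives in the maintenance directory
        return MAINTENANCE_SCRIPT_DIR in cl
    if img.startswith(SQL_TOOLS_DIR) and _basename(img) in ("sqlcmd.exe", "sqlagent.exe"):
        return True
    if img == SYSTEM32 + "wusa.exe":
        return True
    # the word "docker" in a command line proves nothing; trust the container id from telemetry
    return bool(ev.container_id)


PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed telemetry modelled on the scenarios above.
EVENTS: List[ProcEvent] = [
    ProcEvent("maintenance-job", PS_IMAGE, "C:\\Windows\\System32\\svchost.exe",
              'powershell.exe -Command "& C:\\Scripts\\Maintenance\\cleanup.ps1"'),
    ProcEvent("suspicious-powershell", PS_IMAGE,
              "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
              'powershell.exe -Command "& C:\\Users\\Public\\update.ps1"'),
    ProcEvent("docker-named-binary", "C:\\Users\\bob\\Downloads\\docker-helper.exe",
              "C:\\Windows\\explorer.exe", "docker-helper.exe --sync"),
    ProcEvent("container-workload", "C:\\app\\service.exe", "C:\\app\\init.exe",
              "service.exe --serve", container_id="3f2a9c1e"),
    ProcEvent("sql-agent-job",
              "C:\\Program Files\\Microsoft SQL Server\\Client SDK\\ODBC\\170\\Tools\\Binn\\sqlcmd.exe",
              "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\SQLAGENT.EXE",
              "sqlcmd -S db01 -i C:\\jobs\\nightly.sql"),
]


def kept(events: List[ProcEvent], policy: Callable[[ProcEvent], bool]) -> List[str]:
    """Labels of the events that survive a given exclusion policy and stay in the hunt."""
    return [e.label for e in events if not policy(e)]


def compare() -> Dict[str, List[str]]:
    return {"naive": kept(EVENTS, naive_excluded), "scoped": kept(EVENTS, scoped_excluded)}


if __name__ == "__main__":
    for name, labels in compare().items():
        print(name, "keeps:", labels)
```

The naive policy drops every sample, including the PowerShell launch from a user's Temp directory that runs a script outside the maintenance path and the unsigned binary that merely has "docker" in its name. The scoped policy keeps exactly those two for the analyst while still excluding the genuine maintenance job, the container workload, and the SQL tooling run from its install directory.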