The hypothesis is that the observed activity may indicate an adversary attempting to exfiltrate data or establish a foothold through a suspicious HTTP connection associated with NetC, a tool documented in Cylance's Operation Cleaver (OP Cleaver) report. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromise or data exfiltration attempts that traditional methods may not detect.
YARA Rule
rule NetC
{
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $s1 = "NetC.exe" wide
        $s2 = "Net Service"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic: $s1, the string "NetC.exe" with the wide modifier (so it is matched in its UTF-16LE form), and $s2, the plain ASCII string "Net Service". The condition "all of them" means a file matches only when both strings are present.
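The following is an added example, not part of the original page and not Cylance's code: a pure-Python re-implementation of the NetC rule's matching semantics, so the effect of the wide modifier and the "all of them" condition can be inspected without a YARA engine. The sample buffers are constructed for illustration and are not real malware samples.

```python
# Added example (not from the original page or from Cylance): re-implements
# the NetC YARA rule's matching logic in plain Python.

# $s1 = "NetC.exe" wide  -> YARA searches for the UTF-16LE encoding only
#                           (no "ascii" modifier, so the ASCII form does NOT match)
S1_WIDE = "NetC.exe".encode("utf-16-le")
# $s2 = "Net Service"    -> plain ASCII bytes; YARA strings are case-sensitive by default
S2_ASCII = b"Net Service"


def netc_strings(data: bytes) -> dict:
    """Return which of the rule's strings are present in the buffer."""
    return {"$s1": S1_WIDE in data, "$s2": S2_ASCII in data}


def netc_matches(data: bytes) -> bool:
    """condition: all of them -> every string identifier must have at least one hit."""
    return all(netc_strings(data).values())


# Constructed inputs (not real samples):
# both strings present, $s1 in wide form -> rule fires
SAMPLE_HIT = b"\x00" * 16 + S1_WIDE + b"\x00" * 8 + S2_ASCII + b"\x00" * 4
# "NetC.exe" only as ASCII -> $s1 does not match, rule does not fire
SAMPLE_ASCII_ONLY = b"MZ... NetC.exe ... Net Service"
# only $s2 present -> rule does not fire
SAMPLE_S2_ONLY = b"Net Service\x00"


if __name__ == "__main__":
    for name, buf in [("hit", SAMPLE_HIT),
                      ("ascii_only", SAMPLE_ASCII_ONLY),
                      ("s2_only", SAMPLE_S2_ONLY)]:
        print(f"{name:11} strings={netc_strings(buf)} match={netc_matches(buf)}")
```

With the yara-python package installed, the same check is `yara.compile(source=rule_text).match(data=buf)`; the hand-rolled version above is only there to make the wide/ASCII distinction visible, which matters when triaging why a file that clearly contains the text "NetC.exe" did not trigger the rule.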
Scenario: A system administrator is using PowerShell to automate the deployment of a software update via a scheduled task.
Filter/Exclusion: Exclude events where the process name is powershell.exe and the command line includes -Command with a script that matches known administrative update scripts.
Scenario: A Windows Task Scheduler job is configured to run a legitimate script that performs system diagnostics or log cleanup.
Filter/Exclusion: Exclude events where the process name is schtasks.exe and the task name matches a known enterprise task scheduler job (e.g., DailyLogCleanup).
Scenario: A SQL Server Agent Job is executing a stored procedure that interacts with the file system to back up database files.
Filter/Exclusion: Exclude events where the process name is sqlservr.exe and the command line includes sqlcmd or references a known backup script path.
Scenario: A Windows Update installation is occurring via Group Policy or Windows Server Update Services (WSUS).
Filter/Exclusion: Exclude events where the process name is wuauclt.exe or msiexec.exe and the command line includes known Windows Update-related arguments.
Scenario: A backup tool such as Veeam or Commvault is performing a scheduled backup that involves file system access.
Filter/Exclusion: Exclude events where the process name matches the backup tool’s executable (e.g., veeam.exe, cvbackup.exe) and the command line includes backup-related flags or paths.
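The following is an added example, not part of the original page: the five benign-activity exclusions above expressed as Python predicates and applied to constructed process-creation events, so that only unexplained activity reaches an analyst. The event field names (process, command_line), the allowlisted script names, paths and argument sets are assumptions; DailyLogCleanup, veeam.exe and cvbackup.exe come from the page.

```python
# Added example (not from the original page): applies the listed exclusions to
# constructed process-creation events. Field names and allowlists are assumed.
from pathlib import PureWindowsPath

KNOWN_ADMIN_SCRIPTS = {"deploy-update.ps1"}                 # assumed allowlist
KNOWN_TASKS = {"dailylogcleanup"}                            # page example, lowercased
KNOWN_BACKUP_SCRIPT_PATHS = {r"d:\sqlbackup\backup_db.sql"}  # assumed
WINDOWS_UPDATE_ARGS = {"/detectnow", "/updatenow", "/reportnow"}  # assumed
BACKUP_EXES = {"veeam.exe", "cvbackup.exe"}                  # from the page
BACKUP_FLAGS = {"--backup", "/backup"}                       # assumed
BACKUP_PATHS = {r"d:\backups"}                               # assumed


def _proc(e):   # executable name only, case-folded
    return PureWindowsPath(e.get("process", "")).name.lower()

def _cmd(e):
    return e.get("command_line", "").lower()

def _tokens(e):
    return _cmd(e).split()


def excl_admin_powershell(e):
    """Scenario 1: powershell.exe -Command running a known administrative update script."""
    return (_proc(e) == "powershell.exe" and "-command" in _tokens(e)
            and any(s in _cmd(e) for s in KNOWN_ADMIN_SCRIPTS))

def excl_scheduled_task(e):
    """Scenario 2: schtasks.exe acting on a known enterprise task (the /TN argument)."""
    toks = _tokens(e)
    if _proc(e) != "schtasks.exe" or "/tn" not in toks:
        return False
    i = toks.index("/tn") + 1
    return i < len(toks) and toks[i] in KNOWN_TASKS

def excl_sql_agent_backup(e):
    """Scenario 3: sqlservr.exe invoking sqlcmd or a known backup script path."""
    return _proc(e) == "sqlservr.exe" and (
        "sqlcmd" in _cmd(e) or any(p in _cmd(e) for p in KNOWN_BACKUP_SCRIPT_PATHS))

def excl_windows_update(e):
    """Scenario 4: wuauclt.exe / msiexec.exe with Windows Update related arguments."""
    return _proc(e) in {"wuauclt.exe", "msiexec.exe"} and bool(WINDOWS_UPDATE_ARGS & set(_tokens(e)))

def excl_backup_tool(e):
    """Scenario 5: a known backup tool executable with backup flags or paths."""
    return _proc(e) in BACKUP_EXES and (
        bool(BACKUP_FLAGS & set(_tokens(e))) or any(p in _cmd(e) for p in BACKUP_PATHS))


EXCLUSIONS = [excl_admin_powershell, excl_scheduled_task, excl_sql_agent_backup,
              excl_windows_update, excl_backup_tool]


def filter_events(events):
    """Drop events explained by any exclusion; everything else goes to the analyst."""
    return [e for e in events if not any(x(e) for x in EXCLUSIONS)]


# Constructed events (not real telemetry)
EVENTS = [
    {"id": 1, "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -Command C:\Scripts\Deploy-Update.ps1"},
    {"id": 2, "process": r"C:\Windows\System32\schtasks.exe",
     "command_line": "schtasks.exe /Run /TN DailyLogCleanup"},
    {"id": 3, "process": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "command_line": r"sqlcmd -i D:\SQLBackup\backup_db.sql"},
    {"id": 4, "process": r"C:\Windows\System32\wuauclt.exe",
     "command_line": "wuauclt.exe /detectnow /updatenow"},
    {"id": 5, "process": r"C:\Program Files\Veeam\veeam.exe",
     "command_line": r"veeam.exe --backup D:\Backups"},
    {"id": 6, "process": r"C:\Users\Public\NetC.exe", "command_line": "NetC.exe"},
    {"id": 7, "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -enc SQBFAFgA"},
]

if __name__ == "__main__":
    for e in filter_events(EVENTS):
        print("for review:", e["id"], e["process"], e["command_line"])
```

Each exclusion keys on both the executable name and a specific command-line marker, as the page's filters do; an exclusion that matched on name alone (e.g. any powershell.exe) would suppress the encoded-command event 7 along with the legitimate deployment in event 1. In Sentinel the same predicates translate to `where not (...)` clauses over the process-creation table.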