The detection is built on a YARA rule for a hack tool that Cylance attributed to the Operation Cleaver campaign. The strings it keys on (getSystemAntiviruses, AntiVirusDetector, getShadyProcess) point to a reconnaissance utility that enumerates the antivirus products and monitoring or analysis processes present on a host, the kind of check an operator runs before deciding which follow-on tooling can be deployed without being detected. A hit therefore indicates that an intruder is already on the machine and is sizing up its defences, so SOC teams should hunt for it proactively (for example by forwarding endpoint YARA scan results into Azure Sentinel) and treat a match as an early signal of advanced persistent threat (APT) activity rather than waiting for a payload to run.
YARA Rule
rule OPCLEAVER_antivirusdetector
{
    meta:
        description = "Hack tool used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        $s1 = "getShadyProcess"
        $s2 = "getSystemAntiviruses"
        $s3 = "AntiVirusDetector"
    condition:
        all of them
}
The rule declares three ASCII string patterns and fires only when all three are present in the scanned file or memory region (condition "all of them"). That keeps it precise: a binary that happens to contain one or two of the function names, for instance a legitimate product with its own AntiVirusDetector class, does not match. It can be used wherever YARA runs: on-disk file scans, process memory scans, and EDR or sandbox integrations that accept YARA rules.
A YARA match is a statement about file or memory contents, not about what a process is doing, so a legitimate process produces a hit only if the binary or buffer it loaded really contains all three strings. The scenarios below, kept from the original list, are therefore unlikely false-positive sources in practice; the realistic ones are copies of the tool itself held for a legitimate reason (a malware analyst's sample archive, a sandbox, a vendor's detection test set), and the second scenario is the only one that plausibly covers those. Two corrections apply to every exclusion. First, the conditions must be combined with AND, or written as NOT IN: an expression of the form process.name != "a" OR process.name != "b" is true for every possible value of process.name, so as a filter it excludes nothing and as a drop condition it suppresses everything. Second, a name-based exclusion is weak on its own because the attacker chooses the file name; where the platform supports it, exclude by file hash or code-signing identity instead, and keep the process-name list as a last resort.
Scenario: Legitimate scheduled job running a known antivirus scanner
Filter/Exclusion: process.name NOT IN ("avastui.exe", "mcafee.exe", "bitdefender.exe")
Scenario: System administrator using a known malware analysis tool or sandbox for testing, which may legitimately hold a copy of the tool
Filter/Exclusion: process.name NOT IN ("vmtoolsd.exe", "sandboxie.exe", "qemu-system-x86_64.exe"), preferably replaced by the hash of the archived sample
Scenario: Regular system update or patching task using a legitimate tool such as Windows Update or Chocolatey
Filter/Exclusion: process.name NOT IN ("wuauclt.exe", "choco.exe", "msiexec.exe")
Scenario: IT staff performing a disk cleanup or defragmentation using built-in Windows tools
Filter/Exclusion: process.name NOT IN ("cleanmgr.exe", "defrag.exe", "diskdefrag.exe")
Scenario: Use of a legitimate security tool for endpoint detection and response (EDR)
Filter/Exclusion: process.name NOT IN ("carbonblack.exe", "crowdstrike.exe", "sentinel.exe")
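As an added example (not code from the page or from Cylance), the following Python re-implements the rule's string matching and its "all of them" condition, then applies the corrected exclusion logic to a few constructed scan events so the difference between the broken OR form and the AND / NOT IN form can be seen. The sample buffers, process names, hashes, the allow-lists and the ScanEvent shape are all assumptions made for the illustration; a real deployment would run the rule through yara itself and take events from the scanner or EDR.

```python
"""Added example: plain-Python re-implementation of the OPCLEAVER_antivirusdetector
logic and the corrected exclusion filter. Not the page's or Cylance's code; every
sample buffer, process name and hash below is constructed for illustration."""
from dataclasses import dataclass

# The three ASCII patterns from the rule; the condition is "all of them".
RULE_STRINGS = {
    "$s1": b"getShadyProcess",
    "$s2": b"getSystemAntiviruses",
    "$s3": b"AntiVirusDetector",
}


def match_strings(data: bytes) -> dict:
    """Offsets of every rule string found in data (what `yara -s` would report)."""
    hits = {}
    for ident, pattern in RULE_STRINGS.items():
        offsets, start = [], 0
        while (idx := data.find(pattern, start)) != -1:
            offsets.append(idx)
            start = idx + 1
        if offsets:
            hits[ident] = offsets
    return hits


def rule_matches(data: bytes) -> bool:
    """YARA condition `all of them`: each declared string occurs at least once."""
    return len(match_strings(data)) == len(RULE_STRINGS)


@dataclass
class ScanEvent:
    """One scan result in the shape a scanner or EDR pipeline might emit (assumed)."""
    process_name: str
    sha256: str
    content: bytes


# Hypothetical allow-lists. Names are taken from the page's scenarios; the hash
# stands for an archived sample a malware analyst keeps on purpose.
ALLOWED_PROCESSES = {"avastui.exe", "vmtoolsd.exe", "msiexec.exe"}
ALLOWED_HASHES = {"hypothetical-known-good-sha256"}


def broken_exclusion(process_name: str) -> bool:
    """The original filter shape, `a != x OR a != y`. It is a tautology: no value
    of process_name can equal both names, so the expression is always True."""
    return process_name != "avastui.exe" or process_name != "vmtoolsd.exe"


def should_alert(event: ScanEvent) -> bool:
    """Alert when the rule matches AND no allow-list covers the event.
    The hash check comes first because the attacker controls the file name."""
    if not rule_matches(event.content):
        return False
    if event.sha256 in ALLOWED_HASHES:
        return False
    return event.process_name not in ALLOWED_PROCESSES   # i.e. NOT IN, not OR


def triage(events) -> list:
    """Names of the processes that should raise an alert."""
    return [e.process_name for e in events if should_alert(e)]


# Constructed sample buffers: one carrying all three strings, one missing $s2.
FULL_HIT = b"MZ\x90\x00getShadyProcess\x00AntiVirusDetector\x00getSystemAntiviruses\x00"
PARTIAL = b"getShadyProcess AntiVirusDetector"

SAMPLE_EVENTS = [
    ScanEvent("avdetect.exe", "deadbeef", FULL_HIT),                        # alert
    ScanEvent("avastui.exe", "cafebabe", FULL_HIT),                         # allow-listed name
    ScanEvent("svchost.exe", "hypothetical-known-good-sha256", FULL_HIT),   # allow-listed hash
    ScanEvent("notepad.exe", "0badf00d", PARTIAL),                          # rule does not fire
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.process_name, match_strings(ev.content), should_alert(ev))
    print("alerts:", triage(SAMPLE_EVENTS))
```

Running the block prints the per-string offsets for each event and a single alert for the unlisted process; broken_exclusion returns True for "avastui.exe" and "vmtoolsd.exe" alike, which is exactly why the OR form cannot serve as an exclusion.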