Attackers in Operation Cleaver are deploying keyloggers to exfiltrate sensitive credentials and data from compromised systems. Proactively hunting for this behavior in Azure Sentinel enables early detection and mitigation of advanced persistent threats before significant data loss occurs.
YARA Rule
rule OPCLEAVER_BackDoorLogger
{
    meta:
        description = "Keylogger used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        $s1 = "BackDoorLogger"
        $s2 = "zhuAddress"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule declares two string patterns ($s1 and $s2) in its detection logic, and its condition ("all of them") requires both to be present in the scanned file before it fires.
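To make the rule's logic concrete, the following is an added example (not from the original page, and not Cylance's code) that evaluates the two string patterns and the "all of them" condition in plain Python over constructed byte buffers. The sample buffers are constructed for illustration and are not real malware; a real deployment would use YARA itself rather than this re-implementation.

```python
"""Added example: a minimal pure-Python evaluation of the
OPCLEAVER_BackDoorLogger rule's logic (not the page's or Cylance's code)."""

# The two plain-text string patterns from the rule. YARA treats an unmodified
# text string as a case-sensitive ASCII pattern, so they are encoded as such.
RULE_NAME = "OPCLEAVER_BackDoorLogger"
RULE_STRINGS = {
    "$s1": b"BackDoorLogger",
    "$s2": b"zhuAddress",
}


def find_strings(data: bytes) -> dict:
    """Return, per identifier, the list of offsets at which the pattern occurs."""
    hits = {}
    for ident, pattern in RULE_STRINGS.items():
        offsets = []
        start = data.find(pattern)
        while start != -1:
            offsets.append(start)
            start = data.find(pattern, start + 1)
        hits[ident] = offsets
    return hits


def rule_matches(data: bytes) -> bool:
    """Condition 'all of them': every declared string must occur at least once."""
    hits = find_strings(data)
    return all(len(offsets) > 0 for offsets in hits.values())


def scan(samples: dict) -> dict:
    """Scan a mapping of sample name -> bytes; return which samples matched."""
    return {name: rule_matches(data) for name, data in samples.items()}


# Constructed sample buffers (not real malware): one carries both strings,
# one only a single string, one neither, and one with different casing.
SAMPLES = {
    "both_strings": b"\x00..BackDoorLogger..\x00..zhuAddress..\x00",
    "one_string":   b"MZ\x90\x00 BackDoorLogger only",
    "no_strings":   b"MZ\x90\x00 benign program text",
    "case_differs": b"backdoorlogger zhuaddress",  # no 'nocase' modifier in the rule
}

if __name__ == "__main__":
    for name, matched in scan(SAMPLES).items():
        print(f"{RULE_NAME} {'MATCH' if matched else 'no match':8} {name}")
```

The "case_differs" sample is the useful edge case: because the rule declares its strings without the nocase modifier, a sample that carries the same words in a different case does not match, which is one reason a string-only rule like this is a hunting aid rather than a complete detection.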
Scenario: Legitimate scheduled job for log analysis
Description: A system administrator schedules a PowerShell script using schtasks to analyze system logs for compliance purposes. The script uses Get-WinEvent and writes to a log file.
Filter/Exclusion: Exclude events where the process is powershell.exe and the command line includes Get-WinEvent or schtasks.
Scenario: Admin task for user password reset
Description: An admin uses a tool like PsExec to remotely reset a user’s password via the net user command. This may trigger keylogger-like behavior because of how the credentials are handled.
Filter/Exclusion: Exclude events where the process is PsExec and the command line includes net user or password reset.
Scenario: Use of Mimikatz for credential dumping
Description: A red team member uses Mimikatz (mimikatz.exe) to extract credentials from memory, which may be misclassified as keylogger activity.
Filter/Exclusion: Exclude events where the process is mimikatz.exe and the command line includes sekurlsa::logonpasswords or privilege::debug.
Scenario: Automated backup script with sensitive data
Description: A backup script (e.g., wbadmin or vssadmin) is configured to store credentials in a file for automated backups, which may be flagged as keylogger activity.
Filter/Exclusion: Exclude events where the process is wbadmin.exe or vssadmin.exe and the command line includes backup or store.
Scenario: Use of a legitimate password manager
Description: An employee uses a password manager like 1Password or Bitwarden to store credentials, which may be flagged due to the presence