CCProxy config known from Operation Cleaver

Hunt Hypothesis

The detection identifies potential adversary use of a known CCProxy configuration associated with Operation Cleaver, indicating possible command and control infrastructure deployment. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threat activity leveraging compromised proxy configurations in their Azure Sentinel environment.

YARA Rule

rule OPCLEAVER_CCProxy_Config
{

    meta:
        description = "CCProxy config known from Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Florian Roth"
        score = "70"

    strings:
        $s1 = "UserName=User-001" fullword ascii
        $s2 = "Web=1" fullword ascii
        $s3 = "Mail=1" fullword ascii
        $s4 = "FTP=0" fullword ascii
        $x1 = "IPAddressLow=78.109.194.114" fullword ascii

    condition:
        all of ($s*) or $x1
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 5 string patterns in its detection logic.

References

• http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf
• Source Rule

False Positive Guidance

• Scenario: System administrator configures CCProxy for internal network traffic monitoring using legitimate enterprise tools.
  Filter/Exclusion: process.name != "ccproxy.exe" OR process.parent.name == "task scheduler" AND process.name == "schtasks.exe"

• Scenario: Scheduled job runs CCProxy to generate reports for compliance audits.
  Filter/Exclusion: process.name == "schtasks.exe" AND process.parent.name == "ccproxy.exe" OR file.path contains "audit"

• Scenario: IT team uses CCProxy as part of a network diagnostic tool during troubleshooting.
  Filter/Exclusion: process.name == "ccproxy.exe" AND process.parent.name == "networkdiag.exe" OR file.path contains "diagnostic"

• Scenario: Security team deploys CCProxy as a honeypot to monitor potential threats.
  Filter/Exclusion: file.path contains "honeypot" OR process.name == "ccproxy.exe" AND file.path contains "test"

• Scenario: CCProxy is used by a third-party service provider to manage network access for a client.
  Filter/Exclusion: process.name == "ccproxy.exe" AND process.parent.name == "service.exe" OR file.path contains "third-party"