The attackers behind Operation Cleaver used a backdoor, the one this rule names csext, to maintain persistent access to compromised systems and to exfiltrate data from them. SOC teams should hunt for its artifacts proactively: with this YARA rule against files and memory on endpoints, and with the corresponding process and service telemetry in Azure Sentinel (now Microsoft Sentinel), so that the intrusion is detected before significant data loss occurs.
YARA Rule
rule OPCLEAVER_csext
{
meta:
description = "Backdoor used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "COM+ System Extentions"
$s2 = "csext.exe"
$s3 = "COM_Extentions_bin"
condition:
all of them
}
This YARA rule is meant for file and memory scanning: on-demand or scheduled disk scans with the yara command-line tool, EDR and antivirus engines that accept YARA signatures, and sandbox or malware-triage pipelines.
The rule contains three plain text strings and its condition requires all of them, so a file matches only when every one of the three is present; a file that merely mentions csext.exe does not fire it. The spelling "Extentions" is the malware's own and must not be corrected when the rule is copied. Because none of the strings carries the wide modifier, YARA compares them as ASCII only; UTF-16 copies of the same text, such as the strings in a PE version resource, will not match.
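The following is an added example, not code from the original page or from the Cylance report: a small pure-Python evaluator for the string and condition semantics of text-string YARA rules, run against constructed sample buffers to show exactly what OPCLEAVER_csext does and does not match (all three strings required, ASCII only). The sample buffers, the MZ prefix and the helper names are assumptions for illustration; use real YARA (yara-python or the yara CLI) in production, since this evaluator handles only plain text strings with "all/any/N of them" conditions, no hex strings, regexes or modifiers.

```python
# Added example (not part of the original page or the Cylance report): a
# minimal evaluator for text-string YARA rules, used to show what
# OPCLEAVER_csext matches. Production scanning should use real YARA.
import re

# Rule text copied from this page; the misspelling "Extentions" is the malware's own.
RULE_TEXT = r'''
rule OPCLEAVER_csext
{
meta:
description = "Backdoor used by attackers in Operation Cleaver"
strings:
$s1 = "COM+ System Extentions"
$s2 = "csext.exe"
$s3 = "COM_Extentions_bin"
condition:
all of them
}
'''

_NAME_RE = re.compile(r'^\s*rule\s+(\w+)', re.M)
_STRING_RE = re.compile(r'^\s*(\$\w+)\s*=\s*"([^"\\]*)"\s*$', re.M)
_COND_RE = re.compile(r'condition:\s*(all|any|\d+)\s+of\s+them', re.I)


def parse_rule(rule_text):
    """Return (rule_name, {identifier: needle_bytes}, number_of_strings_required)."""
    name = _NAME_RE.search(rule_text).group(1)
    # Text strings without modifiers are matched by YARA as ASCII only.
    strings = {ident: lit.encode('ascii') for ident, lit in _STRING_RE.findall(rule_text)}
    quant = _COND_RE.search(rule_text).group(1).lower()
    if quant == 'all':
        required = len(strings)
    elif quant == 'any':
        required = 1
    else:
        required = int(quant)
    return name, strings, required


def find_all(data, needle):
    """Every offset at which needle occurs in data (overlaps included), like YARA's @s[i]."""
    offsets, start = [], 0
    while (i := data.find(needle, start)) >= 0:
        offsets.append(i)
        start = i + 1
    return offsets


def scan(rule_text, data):
    """Evaluate one rule against one buffer; report per-string offsets and the verdict."""
    name, strings, required = parse_rule(rule_text)
    hits = {ident: find_all(data, needle) for ident, needle in strings.items()}
    matched = {ident: offs for ident, offs in hits.items() if offs}
    return {'rule': name, 'match': len(matched) >= required, 'strings': matched}


# Constructed sample buffers (not real malware): a fake PE header plus strings.
SAMPLE_BACKDOOR = (b'MZ\x90\x00' + b'\x00' * 32
                   + b'COM+ System Extentions\x00'
                   + b'COM_Extentions_bin\x00'
                   + b'csext.exe\x00')
# A file that only mentions csext.exe: under "all of them" this must not fire.
SAMPLE_PARTIAL = b'MZ\x90\x00' + b'csext.exe\x00'
# The same three strings as UTF-16LE (as they would sit in a PE version resource):
# the rule has no "wide" modifier, so this encoding is not matched.
SAMPLE_WIDE = b'MZ\x90\x00' + ''.join(
    ['COM+ System Extentions\0', 'csext.exe\0', 'COM_Extentions_bin\0']).encode('utf-16-le')

if __name__ == '__main__':
    for label, buf in [('backdoor', SAMPLE_BACKDOOR),
                       ('partial', SAMPLE_PARTIAL),
                       ('wide', SAMPLE_WIDE)]:
        print(label, scan(RULE_TEXT, buf))
```

Running the script reports a match only for the first buffer; the second shows a single hit on $s2 with no verdict, and the third shows no hits at all, which is the behaviour to expect from the real rule if the strings of a sample appear only in UTF-16.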
The exclusions below apply to process-execution hunting (for example Sentinel analytics over process creation events), not to the YARA rule itself: a static string match on a file is not affected by which account or scheduled task launched a process, and a csext match should be triaged regardless of any exclusion listed here.
Scenario: Legitimate scheduled job using PsExec for remote system administration
Filter/Exclusion: Exclude PsExec executions whose parent is the Task Scheduler service, whose source host lies in the IP range or domain reserved for internal maintenance, and whose PsExec binary hash matches the approved copy. PsExec launched interactively, from workstations or from any other source stays in scope, because the same tool is routinely used for lateral movement.
Scenario: System administrator using Invoke-Command for remote PowerShell management
Filter/Exclusion: Exclude Invoke-Command sessions that originate from the known management servers and target the systems those servers are expected to manage. Do not exclude on domain-admin membership alone: an attacker operating with stolen domain-admin credentials would be excluded along with the administrators.
Scenario: Regular backup job using VSSAdmin to create volume shadow copies
Filter/Exclusion: Exclude "vssadmin create shadow" invocations run by the backup service account during the scheduled backup window. Never exclude "vssadmin delete shadows" or "vssadmin resize shadowstorage": these destroy recovery points and are characteristic of ransomware, not of backup jobs.
Scenario: Patch deployment using msiexec with signed Microsoft installer packages
Filter/Exclusion: Exclude msiexec runs that install Authenticode-signed Microsoft packages retrieved from the enterprise software distribution servers (for example WSUS or Configuration Manager). msiexec invoked with a URL, or with a package in a user-writable directory such as %TEMP%, is not covered by this exclusion.
Scenario: Database maintenance task using sqlcmd to run T-SQL scripts
Filter/Exclusion: Exclude sqlcmd executions by the database administrator account where the script path is inside the enterprise SQL Server maintenance directory. Keep alerting when the script lies outside that directory, when it enables or calls xp_cmdshell, or when sqlcmd spawns a shell, none of which a maintenance script should do.