Attackers in Operation Cleaver are likely using ARP cache poisoning to intercept and manipulate network traffic, enabling lateral movement and data exfiltration. Proactively hunting for this behavior in Azure Sentinel can help identify early-stage network compromise and prevent further damage within the environment.
YARA Rule
rule OPCLEAVER_Jasus
{
    meta:
        description = "ARP cache poisoner used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        $s1 = "pcap_dump_open"
        $s2 = "Resolving IPs to poison..."
        $s3 = "WARNNING: Gateway IP can not be found"
    condition:
        all of them
}
This rule contains 3 string patterns in its detection logic, and it only fires when all three are present in the scanned file. When hunting for the surrounding ARP-manipulation activity in process telemetry, the following benign scenarios are known sources of false positives; each is paired with a filter/exclusion expression that keeps only the events still worth review:
Scenario: Scheduled system cleanup task using arp -a to refresh the ARP cache
Filter/Exclusion: process.name != "arp" OR process.args != "-a"
Scenario: Administrative task to manually flush the ARP cache with arp -d (or the DNS resolver cache with ipconfig /flushdns)
Filter/Exclusion: (process.name != "ipconfig" OR process.args != "/flushdns") AND (process.name != "arp" OR process.args != "-d")
Scenario: Network discovery tool such as nmap performing an ARP scan of an internal subnet
Filter/Exclusion: process.name != "nmap" OR process.args NOT LIKE '%arp%'
Scenario: Automated patching job that temporarily modifies ARP cache entries during network configuration updates
Filter/Exclusion: process.name != "patchmgr" OR process.args NOT LIKE '%network%'
Scenario: Virtualization management tool such as the VMware vSphere Client updating ARP entries for virtual machines
Filter/Exclusion: process.name != "vmware-vim-cmd" OR process.args NOT LIKE '%vmnet%'
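The following Python is an added example, not code from the original page or from Cylance: it mirrors the rule's "all of them" string logic over a byte buffer and applies the hunt's benign exclusions to process events. The field names process.name and process.args are taken from the filters above; the sample buffer and every event record are constructed for the demonstration.

```python
# Added example: rule logic plus hunt exclusions. Field names follow the
# page's filters; SAMPLE_BINARY and SAMPLE_EVENTS are constructed data.

# The three strings the rule requires (condition: all of them).
JASUS_STRINGS = (
    b"pcap_dump_open",
    b"Resolving IPs to poison...",
    b"WARNNING: Gateway IP can not be found",
)

def yara_all_of_them(data: bytes) -> bool:
    """Mirror the rule: match only when every string is present."""
    return all(s in data for s in JASUS_STRINGS)

# Benign scenarios from the hunt: (process.name, predicate over process.args).
BENIGN = [
    ("arp",            lambda a: a.strip() == "-a"),         # scheduled refresh
    ("arp",            lambda a: a.strip() == "-d"),         # manual ARP flush
    ("ipconfig",       lambda a: a.strip() == "/flushdns"),  # DNS resolver flush
    ("nmap",           lambda a: "arp" in a.lower()),        # substring, as on the page
    ("patchmgr",       lambda a: "network" in a.lower()),    # patch job
    ("vmware-vim-cmd", lambda a: "vmnet" in a.lower()),      # vSphere tooling
]

def is_benign(event: dict) -> bool:
    """Each scenario is (name AND args); scenarios are OR'ed together.
    Chaining `name != x OR args != y` without parentheses mixes scenarios
    and excludes the wrong events, which is the precedence trap above."""
    name = event.get("process.name", "")
    args = event.get("process.args", "")
    return any(name == n and pred(args) for n, pred in BENIGN)

def hunt(events: list) -> list:
    """Events that survive the exclusions and deserve analyst review."""
    return [e for e in events if not is_benign(e)]

SAMPLE_BINARY = b"\x4d\x5a\x90\x00" + b"\x00".join(JASUS_STRINGS) + b"\x00"
SAMPLE_EVENTS = [
    {"process.name": "arp",      "process.args": "-a"},
    {"process.name": "arp",      "process.args": "-d"},
    {"process.name": "ipconfig", "process.args": "/flushdns"},
    # Static ARP entry being set: no scenario covers it, so keep it for review.
    {"process.name": "arp",      "process.args": "-s 10.0.0.1 00-11-22-33-44-55"},
    # ARP ping sweep whose arguments never contain "arp": the substring
    # filter does not exclude it, so it also surfaces for review.
    {"process.name": "nmap",     "process.args": "-sn -PR 10.0.0.0/24"},
]

if __name__ == "__main__":
    print("rule matches sample:", yara_all_of_them(SAMPLE_BINARY))
    for e in hunt(SAMPLE_EVENTS):
        print("review:", e["process.name"], e["process.args"])
```

The nmap event shows why a substring exclusion on the literal "arp" is weak: an ARP ping sweep launched with -PR carries no such substring and is left for review rather than filtered.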