Attackers are establishing a backdoor to maintain persistent access and exfiltrate data, as seen in Operation Cleaver. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before significant data loss occurs.
YARA Rule
rule OPCLEAVER_kagent
{
    meta:
        description = "Backdoor used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        $s1 = "kill command is in last machine, going back"
        $s2 = "message data length in B64: %d Bytes"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
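To show what the rule's `strings:` / `all of them` logic actually evaluates, here is an added Python example (not from the page or from Cylance) that pulls the two text strings out of the rule source, searches a buffer for each, and reports offsets plus the verdict. The two sample buffers are constructed for illustration and contain no real malware; a production pipeline would compile the rule with yara-python instead of this hand-rolled matcher.

```python
import re

# Rule text as published above (meta trimmed to what the matcher needs).
OPCLEAVER_KAGENT_RULE = r'''
rule OPCLEAVER_kagent
{
    meta:
        description = "Backdoor used by attackers in Operation Cleaver"
        score = "70"
    strings:
        $s1 = "kill command is in last machine, going back"
        $s2 = "message data length in B64: %d Bytes"
    condition:
        all of them
}
'''

# Matches one YARA text-string definition:  $name = "literal"
STRING_DEF = re.compile(r'^\s*(\$\w+)\s*=\s*"((?:[^"\\]|\\.)*)"', re.M)


def rule_strings(rule_text: str) -> dict:
    """Extract plain text strings ($name = "...") from a rule body.
    Handles YARA's simple escapes (\\", \\\\, \\n, \\xNN); this rule uses none."""
    out = {}
    for name, literal in STRING_DEF.findall(rule_text):
        out[name] = literal.encode("utf-8").decode("unicode_escape").encode("latin-1")
    return out


def find_all(data: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs in data (overlaps allowed)."""
    offsets, start = [], 0
    while (i := data.find(needle, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def scan(data: bytes, rule_text: str = OPCLEAVER_KAGENT_RULE) -> dict:
    """Evaluate the rule's 'all of them' condition over one buffer.
    Returns {"matches": {name: [offsets]}, "matched": bool}."""
    hits = {name: find_all(data, s) for name, s in rule_strings(rule_text).items()}
    return {"matches": hits, "matched": all(hits.values())}


# Constructed sample buffers (not real samples): one carries both markers, one only $s2.
SAMPLE_HIT = (b"\x00" * 16 + b"message data length in B64: %d Bytes\x00"
              + b"padding" * 4 + b"kill command is in last machine, going back\x00")
SAMPLE_MISS = b"message data length in B64: %d Bytes\x00 unrelated text only"
```

Because the condition is `all of them`, a buffer containing only one marker (as in `SAMPLE_MISS`) must not fire; the per-string offsets are what an analyst would pivot on when confirming a hit in Sentinel.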
Scenario: Legitimate scheduled job using nc (Netcat) for internal monitoring
Description: A system administrator uses Netcat to set up a scheduled job for internal network monitoring or log forwarding.
Filter/Exclusion: Exclude processes where the command line includes -z (port scan) or -w (timeout) flags, or where the process is initiated by a known monitoring tool like tcpdump or nmap.
Scenario: Admin task using nc for remote file transfer
Description: An administrator uses Netcat to transfer configuration files between servers in a secure, internal environment.
Filter/Exclusion: Exclude processes initiated from a known admin account (e.g., root, admin, or svc-secure) and where the destination IP is within the internal network range.
Scenario: Use of nc in a DevOps pipeline for CI/CD communication
Description: A DevOps pipeline uses Netcat to communicate between build servers and artifact repositories during deployment.
Filter/Exclusion: Exclude processes where the command line includes pipeline-specific flags or where the process is initiated by a CI/CD tool like Jenkins, GitLab CI, or Ansible.
Scenario: Legitimate remote desktop connection using nc
Description: An IT support technician uses Netcat to establish a remote desktop connection to a user’s machine for troubleshooting.
Filter/Exclusion: Exclude processes where the command line includes --ssl or --tcp flags, or where the process is initiated from a known support tool like RDP or TeamViewer.
Scenario: Use of nc for internal API testing
Description: A developer uses Netcat to test an internal API endpoint for connectivity and response validation.
Filter/Exclusion: Exclude processes where the command line