Operation Cleaver is the intrusion campaign documented by Cylance in December 2014. The attackers deployed a keylogger module on compromised Windows hosts to capture credentials and other sensitive data for exfiltration. The YARA rule below detects that module by strings embedded in its binary; running it against files and process memory (through an EDR, a file-scanning pipeline, or a sandbox) and hunting the resulting matches in Azure Sentinel (now Microsoft Sentinel) can surface the intrusion before significant data loss occurs.
YARA Rule
rule OPCLEAVER_LoggerModule
{
meta:
description = "Keylogger used by attackers in Operation Cleaver"
reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
date = "2014/12/02"
author = "Cylance Inc."
score = "70"
strings:
$s1 = "%s-%02d%02d%02d%02d%02d.r"
$s2 = "C:\\Users\\%s\\AppData\\Cookies\\"
condition:
all of them
}
This YARA rule matches on file or memory content, not on process behaviour, so it is run by a host or file scanner (an EDR, a mail or web gateway, a sandbox, or a forensic triage tool) and the matches are forwarded to the SIEM for hunting.
This rule contains 2 string patterns in its detection logic: $s1 is the printf-style format string the module uses to build its log file names, and $s2 is a path template under a user's AppData directory. The condition "all of them" requires both strings to be present in the same object, which keeps the rule specific. Note that "%s" and "%02d" are literal bytes to YARA, not wildcards: the rule detects the binary that contains the format string, not the files that binary produces.
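The following Python is an added example, not code from this page, from Cylance, or from the rule's author. It reimplements the rule's string logic without the yara library so the two literals can be inspected as the raw bytes YARA actually searches for (the "\\" pairs in $s2 collapse to single backslashes), evaluates the "all of them" condition over constructed buffers, and goes one step beyond the rule by deriving from $s1 a file-name pattern that can be run over file-creation telemetry, which is what a Sentinel hunt would use. The function names, the sample buffers, and the file-creation events are all constructed for this example, and the assumption that each %02d yields exactly two digits (ten digits before ".r") is mine, not something the rule states.

```python
import re

# The two text strings of OPCLEAVER_LoggerModule, exactly as they appear in
# the rule source. YARA text strings use C-style escapes, so the "\\" pairs
# in $s2 stand for single backslashes in the scanned bytes.
YARA_STRINGS = {
    "$s1": r"%s-%02d%02d%02d%02d%02d.r",
    "$s2": r"C:\\Users\\%s\\AppData\\Cookies\\",
}


def yara_unescape(literal: str) -> bytes:
    """Convert the body of a YARA text string into the bytes YARA searches for.

    Supports YARA's text-string escapes: backslash-quote, double backslash,
    tab, newline and hex bytes written as backslash-x followed by two digits.
    """
    simple = {'"': b'"', "\\": b"\\", "t": b"\t", "n": b"\n"}
    out = bytearray()
    i = 0
    while i < len(literal):
        ch = literal[i]
        if ch != "\\":
            out += ch.encode("latin-1")
            i += 1
        elif i + 1 < len(literal) and literal[i + 1] in simple:
            out += simple[literal[i + 1]]
            i += 2
        elif i + 3 < len(literal) and literal[i + 1] == "x":
            out.append(int(literal[i + 2:i + 4], 16))
            i += 4
        else:
            raise ValueError(f"bad escape at offset {i} in {literal!r}")
    return bytes(out)


def opcleaver_loggermodule(data: bytes) -> dict:
    """Evaluate the rule over one buffer (a file on disk or a memory region).

    'all of them' is true only when every declared string occurs in the data.
    """
    hits = {name: yara_unescape(lit) in data for name, lit in YARA_STRINGS.items()}
    return {"matched": all(hits.values()), "strings": hits}


# $s1 is a printf-style format string inside the binary. To YARA, "%s" and
# "%02d" are literal bytes, not wildcards, so the rule detects the module,
# not its output. For hunting in file-creation telemetry we instead need the
# shape of the names the module would produce: "<prefix>-<5 fields>.r".
# Assumption (mine, not the rule's): each %02d yields two digits, giving ten
# digits before ".r"; %02d is only a minimum width, hence \d{10,}.
LOG_NAME_RE = re.compile(r"^.+-\d{10,}\.r$")


def hunt_log_names(paths):
    """Return the paths whose file name fits the keylogger's log-name pattern."""
    return [p for p in paths
            if LOG_NAME_RE.match(p.replace("/", "\\").rsplit("\\", 1)[-1])]


# Constructed buffers, not real Operation Cleaver samples: a fake PE-like blob
# carrying both strings, and one carrying only $s1 (e.g. an unrelated program
# that happens to name its files the same way).
SAMPLE_LOGGER = (
    b"MZ\x90\x00" + b"\x00" * 16
    + yara_unescape(YARA_STRINGS["$s1"]) + b"\x00"
    + yara_unescape(YARA_STRINGS["$s2"]) + b"\x00"
)
SAMPLE_ONE_STRING = b"MZ\x90\x00" + b"\x00" * 16 + b"%s-%02d%02d%02d%02d%02d.r\x00"

# Constructed file-creation events, as an EDR or Sysmon FileCreate feed might
# deliver them; only the first and third fit the derived log-name pattern.
FILE_EVENTS = [
    r"C:\Users\alice\AppData\Cookies\alice-1412021530.r",
    r"C:\Users\alice\AppData\Local\Temp\report.r",
    r"C:\Windows\Temp\host01-1412021531.r",
]

if __name__ == "__main__":
    print("both strings :", opcleaver_loggermodule(SAMPLE_LOGGER))
    print("only $s1     :", opcleaver_loggermodule(SAMPLE_ONE_STRING))
    print("log-name hits:", hunt_log_names(FILE_EVENTS))
```

The second buffer shows why "all of them" matters: a program that merely reuses the same log-name format trips $s1 but not the rule. The derived file-name regex is a hunting pivot rather than a detection on its own; a hit should be followed by pulling the creating process's image and scanning it with the rule itself.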
Scenario: Legitimate scheduled job for system cleanup
Description: A scheduled task created with Task Scheduler or launched via PsExec runs a legitimate system cleanup tool such as CCleaner or Disk Cleanup (cleanmgr.exe), and the scanner flags a file that task touched.
Filter/Exclusion: A YARA match is on the scanned file, not on the task that ran, so do not exclude on cmd.exe or powershell.exe command lines that merely mention ccleaner, cleanmgr, or diskcleanup; an attacker can name a dropper the same way. Confirm the matched binary is the vendor's (file hash and Authenticode signature) and, only then, exclude that specific hash.
Scenario: Admin performing remote PowerShell scripting
Description: A system administrator uses PowerShell remoting (Invoke-Command) for routine tasks such as patching or configuration changes, which may copy scripts and tools to the host or register scheduled tasks, and one of those files is scanned.
Filter/Exclusion: Do not exclude PowerShell.exe, or any process whose command line contains PSRemoting, Invoke-Command, or Register-ScheduledTask; the same cmdlets are how an intruder stages tooling. Instead verify the origin and content of the file that matched, correlate the match with the administrator's change record, and exclude by file hash only once the file is confirmed benign.
Scenario: User running a legitimate keylogger for monitoring purposes
Description: A security team or IT department runs an approved monitoring tool that records keystrokes (such as Keylogger Pro), or device-management software such as Logitech Options that hooks keyboard input for its own features. Neither is the Operation Cleaver module, but both can be swept up in a broader keylogger hunt.
Filter/Exclusion: Exclude only by the known file hashes or signed publisher of the approved tool, after checking that the matched strings really belong to that product. Do not exclude on the basis that the account is an administrator or is "known to use such tools": administrative accounts are exactly the ones an intruder will operate from.
Scenario: Malware analysis or sandbox environment
Description: A security researcher detonates a suspected malicious file in a sandbox (e.g., Cuckoo Sandbox, FireEye Sandbox), where the sample or a module it drops will legitimately match this rule.
Filter/Exclusion: Route matches from sandbox hosts to the analysis queue rather than the incident queue, keyed on the sandbox's hostnames, network range, or analysis-VM tags. Environment variables such as SANDBOXED or VIRTUALBOX are not a reliable key: malware checks the same markers to evade analysis, and they say nothing about where the matched file came from.
Scenario: Automated log collection or monitoring tool
Description: A legitimate log collection tool like Splunk, ELK Stack, or Graylog