Attackers are using a Net Crawler to systematically explore and map network resources, indicating reconnaissance for lateral movement and data exfiltration. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early signs of advanced persistent threats like those in Operation Cleaver.
YARA Rule
rule OPCLEAVER_NetC
{
    meta:
        description = "Net Crawler used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        $s1 = "NetC.exe" wide    // matched only in its UTF-16LE (wide) encoding
        $s2 = "Net Service"      // no modifier: matched as ASCII only
    condition:
        all of them              // both strings must be present
}
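To make the matching semantics concrete, here is an added example (not part of the page and not Cylance's code) that emulates how OPCLEAVER_NetC matches in pure Python, so the effect of the `wide` modifier can be seen without installing yara-python. Each rule string is encoded the way YARA would search for it and looked up in a buffer; the sample buffers are constructed, not real malware bytes.

```python
# Added example: pure-Python emulation of the OPCLEAVER_NetC rule's matching.
# Not the page's or Cylance's code; rule strings are taken from the rule above.

RULE_STRINGS = {
    "$s1": ("NetC.exe", "wide"),      # `wide` => UTF-16LE bytes only
    "$s2": ("Net Service", "ascii"),  # no modifier => ASCII bytes only
}


def encoded_patterns(text, modifier):
    """Byte patterns that a YARA text string with this modifier matches."""
    forms = {
        "ascii": [text.encode("ascii")],
        "wide": [text.encode("utf-16-le")],
        "ascii wide": [text.encode("ascii"), text.encode("utf-16-le")],
    }
    return forms[modifier]


def string_hits(data):
    """Map each rule string identifier to the offsets where it occurs in data."""
    hits = {}
    for ident, (text, modifier) in RULE_STRINGS.items():
        offsets = []
        for pattern in encoded_patterns(text, modifier):
            start = data.find(pattern)
            while start != -1:
                offsets.append(start)
                start = data.find(pattern, start + 1)
        if offsets:
            hits[ident] = offsets
    return hits


def rule_matches(data):
    """The rule's condition is `all of them`: every string must be present."""
    return set(string_hits(data)) == set(RULE_STRINGS)


# Constructed sample buffers (not real malware bytes).
SAMPLE_BOTH = (b"\x00" * 16 + "NetC.exe".encode("utf-16-le") + b"\x00\x00"
               + b"Net Service\x00" + b"\x90" * 8)
SAMPLE_ASCII_NAME = b"NetC.exe\x00Net Service\x00"  # $s1 in ASCII: not `wide`
SAMPLE_NAME_ONLY = "NetC.exe".encode("utf-16-le")   # $s1 present, $s2 absent


if __name__ == "__main__":
    for label, buf in [("both strings, correct encodings", SAMPLE_BOTH),
                       ("NetC.exe as ASCII", SAMPLE_ASCII_NAME),
                       ("only $s1", SAMPLE_NAME_ONLY)]:
        print(f"{label}: hits={string_hits(buf)} match={rule_matches(buf)}")
```

The second buffer is the instructive one: it contains both strings as text, but because `$s1` carries the `wide` modifier, the ASCII `NetC.exe` does not count and the rule stays silent. When triaging a near-miss, reporting which identifiers hit (as `string_hits` does) tells you whether an encoding difference, rather than absence of the artifact, is the reason.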
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic: "NetC.exe", matched only in its UTF-16LE (wide) form, and "Net Service", matched as ASCII. The condition requires both to be present in the scanned file or memory region, so the rule fires on content, not on process behaviour.
Scenario: Legitimate system update via Windows Update
Description: A Windows Update process is scanning the network for updates, which may trigger the crawler detection due to similar network traversal behavior.
Filter/Exclusion: Check for process.name = "wuauclt.exe", or process.name = "svchost.exe" with parent.name = "services.exe" and process.args containing "wuauclt.exe" or "Windows Update".
Scenario: Scheduled backup job using rsync or robocopy
Description: A scheduled backup job using rsync or robocopy may traverse the network to copy files, which could be mistaken for a crawler.
Filter/Exclusion: Filter by process.name = "rsync.exe" or process.name = "robocopy.exe" and check for command_line containing "backup" or "copy" in the arguments.
Scenario: Admin performing network discovery using Nmap
Description: A system administrator using nmap to perform a network discovery scan may trigger the crawler rule due to the scanning behavior.
Filter/Exclusion: Filter by process.name = "nmap.exe" and check for command_line containing "--scan" or "--discover" as part of the scan command.
Scenario: Legitimate file synchronization with Syncthing
Description: A file synchronization tool like Syncthing may traverse the network to sync files between nodes, which could be flagged as a crawler.
Filter/Exclusion: Filter by process.name = "syncthing.exe" and check for command_line containing "--sync" or "--rescan" as part of the configuration.
Scenario: Internal DNS enumeration by a security tool
Description: A security tool like dnsenum
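The complete scenarios above describe an allowlist for process telemetry. As an added example (not from the page), here they are transcribed into code and applied to constructed process events. The event fields (process name, parent name, command line) follow the names the scenarios use and are an assumption rather than a particular SIEM schema; the argument keywords are the ones the page lists, so confirm them against the switches actually used in your environment before relying on them.

```python
# Added example: the exclusion scenarios above as an allowlist over process
# events. Event shape is assumed; keyword lists are transcribed from the page.
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessEvent:
    host: str
    process_name: str
    parent_name: str
    command_line: str


@dataclass
class Exclusion:
    scenario: str
    process_names: tuple               # any of these (compared lower-case)
    arg_keywords: tuple = ()           # if non-empty, one must be in command_line
    parent_name: Optional[str] = None  # if set, the parent must match


EXCLUSIONS = [
    Exclusion("Legitimate system update via Windows Update", ("wuauclt.exe",)),
    Exclusion("Legitimate system update via Windows Update", ("svchost.exe",),
              ("wuauclt.exe", "windows update"), parent_name="services.exe"),
    Exclusion("Scheduled backup job using rsync or robocopy",
              ("rsync.exe", "robocopy.exe"), ("backup", "copy")),
    Exclusion("Admin performing network discovery using Nmap",
              ("nmap.exe",), ("--scan", "--discover")),
    Exclusion("Legitimate file synchronization with Syncthing",
              ("syncthing.exe",), ("--sync", "--rescan")),
]


def matching_exclusion(event: ProcessEvent) -> Optional[str]:
    """Return the scenario that explains this event, or None if none does."""
    name = event.process_name.lower()
    parent = event.parent_name.lower()
    cmd = event.command_line.lower()
    for ex in EXCLUSIONS:
        if name not in ex.process_names:
            continue
        if ex.parent_name and parent != ex.parent_name:
            continue
        if ex.arg_keywords and not any(k in cmd for k in ex.arg_keywords):
            continue
        return ex.scenario
    return None


def triage(events):
    """Label each event 'excluded' (explained by a scenario) or 'review'."""
    rows = []
    for ev in events:
        why = matching_exclusion(ev)
        rows.append((ev.host, ev.process_name,
                     "excluded" if why else "review", why))
    return rows


# Constructed sample telemetry (hostnames and command lines are made up).
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "wuauclt.exe", "svchost.exe", "wuauclt.exe /detectnow"),
    ProcessEvent("fs01", "robocopy.exe", "cmd.exe",
                 r"robocopy \\fs01\share D:\backup /MIR"),
    # svchost.exe not under services.exe and no update keyword: stays for review
    ProcessEvent("ws02", "svchost.exe", "explorer.exe", "svchost.exe -k netsvcs"),
    # the rule's own artifact name, not covered by any scenario
    ProcessEvent("ws03", "NetC.exe", "cmd.exe", "NetC.exe"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

Two design points follow from running this. First, the allowlist keys on process names, and a process name is trivial to change, so an exclusion like this should be paired with evidence that is harder to forge (the executable's path and signature, or the parent chain the scenario expects) before an alert is auto-closed. Second, these scenarios describe behavioural crawler telemetry; the YARA rule above matches on file content, so the two layers are tuned separately.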