The Parviz developer is likely associated with the Operation Cleaver group and may be attempting to establish a foothold in the environment through unknown initial access techniques. SOC teams should proactively hunt for this behavior to identify and mitigate potential advanced persistent threats linked to known malicious actors.
YARA Rule
rule OPCLEAVER_Parviz_Developer
{
    meta:
        description = "Parviz developer known from Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Florian Roth"
        score = "70"
    strings:
        $s1 = "Users\\parviz\\documents\\" nocase
    condition:
        $s1
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic.
Scenario: A system administrator is using PowerShell to automate the deployment of a new application using a script named Deploy-App.ps1, which includes the term “Parviz” in the script’s comments for documentation purposes.
Filter/Exclusion: Exclude events where the script path contains C:\Windows\System32\WindowsPowerShell\v1.0\ or where the script name contains Deploy-App.
Scenario: A DevOps engineer is running a scheduled job in Azure DevOps to build and deploy code, and the job name includes “Parviz” as part of a project code name.
Filter/Exclusion: Exclude events where the job name contains ProjectCodeName or where the source code repository is a known internal repo.
Scenario: A database administrator is executing a SQL query in SQL Server Management Studio (SSMS) to generate a report, and the query includes a table named Parviz_Report as part of a naming convention.
Filter/Exclusion: Exclude events where the query contains SELECT * FROM Parviz_Report and the database is a known internal reporting database.
Scenario: A security analyst is performing a log review using ELK Stack and manually searches for the term “Parviz” in logs to investigate potential threats, as part of a routine security assessment.
Filter/Exclusion: Exclude events where the log source is a known internal security tool (e.g., logstash, filebeat) or where the search term is part of a predefined security query.
Scenario: A developer is using Git to commit changes to a repository, and the commit message includes “Parviz” as part of a branch name or feature tag (e.g., feature/Parviz-Auth).
Filter/Exclusion: Exclude events where the commit message
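As an added example (not the page's or the rule author's code), the following Python mirrors the rule's single nocase string match and expands each hit into the surrounding printable run so the embedded build path can be recovered for triage. The sample buffers are constructed; running it also shows that buffers containing only the word "Parviz", as in the scenarios above, do not satisfy the rule, which requires the full path fragment.

```python
"""Pure-Python mirror of the match logic of OPCLEAVER_Parviz_Developer (added example).

Re-implements the rule's single ASCII 'nocase' string instead of calling YARA and expands
each hit to the enclosing printable run, which recovers the full embedded build path
(typically a PDB path) for triage. Sample buffers are constructed, not real indicators.
"""
from __future__ import annotations
import re

# Same escaping as in the rule: b"Users\\parviz\\documents\\" is Users\parviz\documents\
RULE_STRING = b"Users\\parviz\\documents\\"
PATTERN = re.compile(re.escape(RULE_STRING), re.IGNORECASE)  # 'nocase' -> IGNORECASE

def _is_printable(byte: int) -> bool:
    return 0x20 <= byte <= 0x7E

def scan_buffer(data: bytes) -> list[dict]:
    """One record per hit: offset, matched text and the printable run enclosing it."""
    hits = []
    for m in PATTERN.finditer(data):
        start, end = m.start(), m.end()
        # Grow the window over printable ASCII on both sides to recover the whole path.
        while start > 0 and _is_printable(data[start - 1]):
            start -= 1
        while end < len(data) and _is_printable(data[end]):
            end += 1
        hits.append({
            "offset": m.start(),
            "matched": m.group(0).decode("ascii"),
            "context": data[start:end].decode("ascii", errors="replace"),
        })
    return hits

def rule_matches(data: bytes) -> bool:
    """The rule's condition is just '$s1': true once the string occurs anywhere."""
    return bool(PATTERN.search(data))

# Constructed inputs: a PE-like blob with an embedded build path, plus two buffers that
# only contain the word "Parviz", as in the page's false-positive scenarios.
SAMPLES = {
    "binary_with_build_path": (b"MZ\x90\x00\x00\x00\x00\x00c:\\users\\Parviz\\Documents\\"
                               b"visual studio 2010\\projects\\build\\release\\app.pdb\x00\x00"),
    "script_comment": b"# Reviewed by Parviz\nWrite-Host 'Deploy-App'\n",
    "sql_report": b"SELECT * FROM Parviz_Report;",
}

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(name, "->", "MATCH" if rule_matches(buf) else "no match", scan_buffer(buf))
```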