Attackers are using the Parviz tool to exfiltrate data and establish persistence within compromised systems, indicating potential involvement in the Operation Cleaver campaign. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced threats before significant data loss occurs.
YARA Rule
rule OPCLEAVER_pvz_in
{
    meta:
        description = "Parviz tool used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        $s1 = "LAST_TIME=00/00/0000:00:00PM$"
        $s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
    condition:
        all of them
}
This rule contains 2 string patterns in its detection logic, and its condition requires both to be present. The YARA rule can be deployed in the following contexts, each paired with a suggested filter or exclusion for reducing false positives:
Scenario: System administrators use the Parviz tool for legitimate network monitoring and traffic analysis.
Filter/Exclusion: Check for user context (e.g., user.name == "admin") or filter by process owner (process.owner == "network_ops").
Scenario: A scheduled job runs the Parviz tool as part of a routine security audit or log analysis task.
Filter/Exclusion: Include a time-based filter (timestamp >= [start_of_audit_window] AND timestamp <= [end_of_audit_window]) or check for job ID (job_id == "audit_12345").
Scenario: The Parviz tool is used by a security team to analyze potential threats or test incident response scenarios.
Filter/Exclusion: Filter by user group (user.group == "security_team") or check for specific command-line arguments indicating testing (arguments LIKE "%--test%").
Scenario: The Parviz tool is part of a SIEM integration or log aggregation system, used to collect and analyze logs from various sources.
Filter/Exclusion: Filter by source IP or log type (source_ip IN ("10.0.0.1", "10.0.0.2") or log_type == "syslog").
Scenario: The Parviz tool is used in a devops pipeline to monitor system health or perform automated checks.
Filter/Exclusion: Filter by process name or pipeline identifier (process.name == "parviz_health_check" or pipeline_id == "devops_pipeline_001").
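The following Python is an added example, not code from Cylance or from the original page. It reimplements the rule's matching logic (two exact substrings, `all of them`) against constructed sample buffers, and then applies the filter/exclusion ideas from the scenarios above to constructed alert records so the tuning can be tested before it is written into a Sentinel query. The `Alert` field names, the audit window, the collector IP set and all sample values are assumptions modelled on the scenario text.

```python
"""Reference matcher for OPCLEAVER_pvz_in plus the tuning filters from the scenarios.
Added example; not Cylance's code. All buffers and alert records below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The two text strings from the YARA rule. An unmodified YARA text string is an
# exact, case-sensitive substring match, which is what a plain `in` test reproduces.
PVZ_STRINGS = {
    "$s1": b"LAST_TIME=00/00/0000:00:00PM$",
    "$s2": b"if %%ERRORLEVEL%% == 1 GOTO line",
}


def matched_strings(data: bytes) -> Dict[str, bool]:
    """Report which of the rule's strings occur in data."""
    return {name: pat in data for name, pat in PVZ_STRINGS.items()}


def rule_fires(data: bytes) -> bool:
    """The rule's condition is 'all of them': every string must be present."""
    return all(matched_strings(data).values())


# Constructed sample buffers (not real malware): one with both strings, one with
# only $s2, one benign. The rule must fire only on the first.
SAMPLE_BOTH = (b"@echo off\r\nset LAST_TIME=00/00/0000:00:00PM$\r\n"
               b"if %%ERRORLEVEL%% == 1 GOTO line\r\n")
SAMPLE_ONE = b"@echo off\r\nif %%ERRORLEVEL%% == 1 GOTO line\r\n"
SAMPLE_NONE = b"@echo off\r\necho hello\r\n"


@dataclass
class Alert:
    """Constructed alert context shaped like the fields the scenarios reference."""
    user_name: str = ""
    user_group: str = ""
    process_owner: str = ""
    process_name: str = ""
    arguments: str = ""
    source_ip: str = ""
    pipeline_id: str = ""
    job_id: str = ""
    timestamp: int = 0  # epoch seconds


# Hypothetical allow-list values taken from the scenario text; no real tenant is implied.
AUDIT_WINDOW = (1700000000, 1700003600)  # constructed [start_of_audit_window, end_of_audit_window]
SIEM_COLLECTORS = {"10.0.0.1", "10.0.0.2"}


def exclusion_reason(a: Alert) -> Optional[str]:
    """Return the first scenario whose filter would suppress this alert, or None
    if the match should be escalated to an analyst."""
    if a.user_name == "admin" or a.process_owner == "network_ops":
        return "admin_network_monitoring"
    if a.user_group == "security_team" or "--test" in a.arguments:
        return "security_team_testing"
    if a.job_id == "audit_12345" or AUDIT_WINDOW[0] <= a.timestamp <= AUDIT_WINDOW[1]:
        return "scheduled_audit"
    if a.source_ip in SIEM_COLLECTORS:
        return "siem_collector"
    if a.process_name == "parviz_health_check" or a.pipeline_id == "devops_pipeline_001":
        return "devops_pipeline"
    return None


def triage(samples: List[Tuple[bytes, Alert]]) -> List[Tuple[bool, Optional[str]]]:
    """For each (file bytes, alert context) pair return (rule fired, exclusion applied).
    Tuning is consulted only when the rule actually matched."""
    results = []
    for data, ctx in samples:
        fired = rule_fires(data)
        results.append((fired, exclusion_reason(ctx) if fired else None))
    return results


if __name__ == "__main__":
    batch = [
        (SAMPLE_BOTH, Alert(user_name="jdoe")),            # escalate
        (SAMPLE_BOTH, Alert(source_ip="10.0.0.1")),        # suppressed: siem_collector
        (SAMPLE_ONE, Alert()),                             # rule does not fire
        (SAMPLE_NONE, Alert(user_group="security_team")),  # rule does not fire
    ]
    for (data, ctx), (fired, reason) in zip(batch, triage(batch)):
        print(f"fired={fired!s:5} suppressed_by={reason} strings={matched_strings(data)}")
```

Keeping the match decision and the exclusion decision in separate functions makes the tuning auditable: a suppressed hit is still a hit, so the suppression reason should be recorded rather than the event dropped, and identity-based exclusions (user name, group, process owner) deserve the most scrutiny because a compromised account that meets them would pass the filter unseen.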