The Parviz tool is likely used by adversaries in Operation Cleaver to exfiltrate data and establish persistence within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before significant data loss occurs.
YARA Rule
rule OPCLEAVER_pvz_out
{
    meta:
        description = "Parviz tool used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        $s1 = "Network Connectivity Module" wide
        $s2 = "OSPPSVC" wide
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic ($s1 and $s2), both declared with the wide modifier (UTF-16LE encoding), and it fires only when both strings are present in the scanned object.
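To make the rule's semantics concrete, the following is an added example (not code from the page or from Cylance): a small Python re-implementation of how the two strings above are matched, showing that the wide modifier requires the UTF-16LE form and that "all of them" needs both strings. The sample buffers are constructed for illustration, not real Parviz samples.

```python
# Added example: re-implements the matching semantics of OPCLEAVER_pvz_out
# to show what `wide` and `all of them` require. For production scanning use
# the real YARA engine (e.g. yara-python); this is an educational stand-in.
from __future__ import annotations

# The two strings from the rule. Both carry only the `wide` modifier and no
# `ascii` modifier, so a plain ASCII occurrence does not satisfy them.
RULE_STRINGS = {
    "$s1": "Network Connectivity Module",
    "$s2": "OSPPSVC",
}


def wide(text: str) -> bytes:
    """Encode as YARA's `wide` form: UTF-16LE, i.e. each ASCII char followed by NUL."""
    return text.encode("utf-16-le")


def match_strings(data: bytes) -> dict[str, list[int]]:
    """Return every offset at which each rule string matches inside `data`."""
    hits: dict[str, list[int]] = {}
    for ident, text in RULE_STRINGS.items():
        pattern = wide(text)
        offsets: list[int] = []
        start = 0
        while (pos := data.find(pattern, start)) != -1:
            offsets.append(pos)
            start = pos + 1
        hits[ident] = offsets
    return hits


def rule_matches(data: bytes) -> bool:
    """`condition: all of them` -- every declared string must match at least once."""
    return all(offsets for offsets in match_strings(data).values())


# Constructed sample buffers (hypothetical, not real malware content).
SAMPLE_WIDE = (b"\x00" * 16 + wide("Network Connectivity Module")
               + b"\xcc" * 8 + wide("OSPPSVC") + b"\x00" * 4)
SAMPLE_ASCII = b"Network Connectivity Module ... OSPPSVC"  # ASCII only: no match
SAMPLE_PARTIAL = wide("OSPPSVC")                           # only one of two strings

if __name__ == "__main__":
    for name, buf in [("wide", SAMPLE_WIDE), ("ascii", SAMPLE_ASCII), ("partial", SAMPLE_PARTIAL)]:
        print(f"{name:8s} matches={rule_matches(buf)} offsets={match_strings(buf)}")
```

Only SAMPLE_WIDE triggers the rule; the ASCII-only buffer shows why a rule written with wide alone misses non-Unicode occurrences of the same text.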
Scenario: System administrators use the Parviz tool for legitimate network monitoring and log analysis.
Filter/Exclusion: Check for user context (e.g., user.name == "admin" OR user.name == "network_ops") and verify if the tool is installed in a known monitoring directory (e.g., /opt/monitoring/parviz).
Scenario: A scheduled job runs Parviz to collect system metrics and generate reports for performance tuning.
Filter/Exclusion: Filter by process name or command line arguments (e.g., process.name == "parviz" AND command_line LIKE "%report%") and check for scheduled job IDs or cron entries.
Scenario: Security team members use Parviz to analyze traffic for internal threat hunting activities.
Filter/Exclusion: Include users with security roles (e.g., user.role == "security_team") and verify if the activity is part of a known threat hunting playbook.
Scenario: The Parviz tool is used in a DevOps pipeline to automate infrastructure checks and configuration validation.
Filter/Exclusion: Check for pipeline context (e.g., process.parent_process == "jenkins" OR process.parent_process == "gitlab-runner") and verify if the tool is part of a CI/CD toolchain.
Scenario: IT staff use Parviz to perform routine system health checks and maintenance tasks.
Filter/Exclusion: Filter by user group (e.g., user.group == "it_support") and check for known maintenance scripts or tasks (e.g., command_line LIKE "%health_check%").