Attackers are using Shell Creator to deploy ASPX web shells as part of Operation Cleaver, indicating a targeted persistence mechanism. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats before they exfiltrate data or execute further malicious actions.
YARA Rule
rule OPCLEAVER_ShellCreator2
{
    meta:
        description = "Shell Creator used by attackers in Operation Cleaver to create ASPX web shells"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        $s1 = "ShellCreator2.Properties"
        $s2 = "set_IV"
    condition:
        all of them
}
This rule contains 2 string patterns in its detection logic, and its condition (all of them) requires both to be present in the scanned file before it fires.
The following scenarios describe legitimate activity that can resemble a match, each with a suggested filter or exclusion.
Scenario: Legitimate ASPX file deployment via CI/CD pipeline
Description: A developer uses a CI/CD tool like Jenkins or Azure DevOps to deploy a legitimate ASPX file as part of a web application update.
Filter/Exclusion: Check for presence of known deployment tools or check for file hashes matching signed/verified application artifacts.
Scenario: Scheduled job to generate dynamic ASPX content
Description: A system administrator schedules a PowerShell or batch job to generate ASPX files dynamically for a custom reporting tool.
Filter/Exclusion: Filter based on process name (e.g., powershell.exe with known job scripts) or check for presence of a legitimate reporting tool in the system.
Scenario: Admin task to create ASPX file for internal web service
Description: An admin creates an ASPX file manually to host an internal web service or API endpoint.
Filter/Exclusion: Check for presence of a known internal web service or check for file creation by a user with elevated privileges and a known admin task.
Scenario: Use of ASPX file in a legacy application update
Description: A legacy application requires an ASPX file for compatibility, and an admin updates the file as part of a routine maintenance task.
Filter/Exclusion: Check for presence of a known legacy application or check for file modifications in a specific directory used by the legacy system.
Scenario: Testing ASPX file with a web development tool
Description: A developer tests a new ASPX file using a local development environment or a tool like Visual Studio.
Filter/Exclusion: Check for presence of development tools or check for file creation in a known development directory.
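The snippet below is an added example, not part of the original rule page or Cylance's tooling. It emulates the rule's "all of them" logic over the two transcribed strings and layers on the first scenario's suggested exclusion (a hash allowlist of verified CI/CD artifacts), so a triage script can separate a real hit from an allowlisted build. The sample byte strings and the allowlist contents are constructed for the demonstration.

```python
import hashlib

# Strings and condition transcribed from OPCLEAVER_ShellCreator2.
# YARA text strings are ASCII and case-sensitive by default, so bytes.find() is a faithful emulation.
RULE_NAME = "OPCLEAVER_ShellCreator2"
RULE_STRINGS = {"$s1": b"ShellCreator2.Properties", "$s2": b"set_IV"}
RULE_SCORE = 70

# Constructed samples (not real artifacts). The first imitates .NET metadata strings,
# the second is a plain ASPX page that happens to contain only one of the two patterns,
# the third stands in for a build output that a CI/CD pipeline has verified.
SAMPLE_TOOL_BINARY = b"MZ\x90\x00" + b"\x00ShellCreator2.Properties\x00Resources\x00get_IV\x00set_IV\x00"
SAMPLE_BENIGN_ASPX = b'<%@ Page Language="C#" %>\r\n<!-- set_IV is referenced in a comment only -->\r\n'
SAMPLE_VERIFIED_BUILD = b"\x00ShellCreator2.Properties\x00set_IV\x00signed-by-release-pipeline\x00"

# Allowlist of SHA-256 digests of verified/signed deployment artifacts (scenario 1 exclusion).
# Constructed here from the sample; in practice it is exported from the pipeline's signed build records.
VERIFIED_ARTIFACT_SHA256 = {hashlib.sha256(SAMPLE_VERIFIED_BUILD).hexdigest()}


def match_rule(data: bytes) -> dict:
    """Return whether every rule string occurs in data, plus the offset of each string found."""
    hits = {name: data.find(pattern) for name, pattern in RULE_STRINGS.items()}
    return {
        "matched": all(offset != -1 for offset in hits.values()),  # condition: all of them
        "offsets": {name: off for name, off in hits.items() if off != -1},
    }


def triage(path: str, data: bytes, allowlist=VERIFIED_ARTIFACT_SHA256) -> dict:
    """Apply the rule, then suppress hits whose digest is a verified deployment artifact."""
    digest = hashlib.sha256(data).hexdigest()
    result = match_rule(data)
    if not result["matched"]:
        verdict = "clean"
    elif digest in allowlist:
        verdict = "allowlisted"  # matched, but it is a known pipeline artifact
    else:
        verdict = "alert"
    return {"path": path, "sha256": digest, "rule": RULE_NAME,
            "score": RULE_SCORE if verdict == "alert" else 0, "verdict": verdict, **result}


if __name__ == "__main__":
    for name, blob in [("suspect.exe", SAMPLE_TOOL_BINARY),
                       ("report.aspx", SAMPLE_BENIGN_ASPX),
                       ("release.dll", SAMPLE_VERIFIED_BUILD)]:
        print(triage(name, blob))
```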