The attackers behind Operation Cleaver are likely using specific malware or hack tools to carry out their intrusions, which indicates a targeted and sophisticated threat. Proactively hunting for the indicators below in Azure Sentinel can help identify and mitigate such threats before they cause significant damage.
YARA Rule

rule OPCLEAVER_SmartCopy2
{
    meta:
        description = "Malware or hack tool used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        $s1 = "SmartCopy2.Properties"
        $s2 = "ZhuFrameWork"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
The rule's detection logic consists of 2 string patterns ($s1 and $s2), and its condition, all of them, requires both strings to be present in the scanned file before the rule fires.
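As an added example (not part of the page or of the Cylance rule), the following Python script parses the rule above with a minimal YARA-subset parser and evaluates its "all of them" condition against constructed buffers, including a UTF-16LE buffer to show that the rule's default ASCII text strings do not match wide-encoded occurrences. The parser, the scan function and the sample buffers are assumptions made for this illustration; the rule text is the page's, with meta trimmed to description and score.

```python
import re

# The OPCLEAVER_SmartCopy2 rule from the page, embedded here as the parser's input.
RULE_TEXT = r'''
rule OPCLEAVER_SmartCopy2
{
    meta:
        description = "Malware or hack tool used by attackers in Operation Cleaver"
        score = "70"
    strings:
        $s1 = "SmartCopy2.Properties"
        $s2 = "ZhuFrameWork"
    condition:
        all of them
}
'''

def parse_rule(text):
    """Parse a minimal YARA subset: meta, plain text strings, '<all|any|N> of them'."""
    name = re.search(r'\brule\s+(\w+)', text).group(1)
    body = {}
    for sec in ("meta", "strings", "condition"):
        pat = r'\b%s:\s*(.*?)(?=\n\s*(?:meta|strings|condition):|\n\s*})' % sec
        m = re.search(pat, text, re.S)
        body[sec] = m.group(1) if m else ""
    meta = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', body["meta"]))
    # YARA text strings default to ASCII, case-sensitive; 'wide'/'nocase' are not handled.
    strings = {k: v.encode() for k, v in re.findall(r'(\$\w+)\s*=\s*"([^"]*)"', body["strings"])}
    m = re.fullmatch(r'(all|any|\d+)\s+of\s+them', body["condition"].strip())
    if not m:
        raise ValueError("unsupported condition: " + body["condition"].strip())
    q = m.group(1)
    need = len(strings) if q == "all" else 1 if q == "any" else int(q)
    return {"name": name, "meta": meta, "strings": strings, "need": need}

def scan(rule, data):
    """Return the matching string identifiers if the rule fires, else an empty list."""
    hits = [k for k, p in rule["strings"].items() if p in data]
    return hits if len(hits) >= rule["need"] else []

# Constructed sample buffers (not real samples): both markers, one marker, UTF-16LE only.
SAMPLE_BOTH = b"MZ\x90\x00 SmartCopy2.Properties.Resources\x00ZhuFrameWork.Core\x00"
SAMPLE_ONE = b"ZhuFrameWork alone must not satisfy 'all of them'"
SAMPLE_WIDE = "SmartCopy2.Properties ZhuFrameWork".encode("utf-16-le")

if __name__ == "__main__":
    rule = parse_rule(RULE_TEXT)
    for label, buf in (("both", SAMPLE_BOTH), ("one", SAMPLE_ONE), ("wide", SAMPLE_WIDE)):
        print(rule["name"], "score", rule["meta"]["score"], label, scan(rule, buf) or "no match")
```

Only the first buffer fires; a single marker or a wide-encoded copy of both markers leaves the rule silent, which is the trade-off between this rule's low false-positive rate and its coverage.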
Scenario: Scheduled system maintenance job using schtasks.exe to perform routine disk cleanup
    Filter/Exclusion: Check for CommandLine containing /create or /delete with known maintenance job names (e.g., CleanupJob)

Scenario: Admin using PsExec to remotely execute a script for patch deployment
    Filter/Exclusion: Filter on CommandLine containing /s (server) and known patch script names (e.g., patch_deployment.ps1)

Scenario: Legitimate use of PowerShell for automated log rotation and archiving
    Filter/Exclusion: Filter on ProcessName being powershell.exe and CommandLine containing logrotate.ps1 or similar script names

Scenario: System administrator using taskkill.exe to terminate a non-responsive service
    Filter/Exclusion: Filter on CommandLine containing /F and known service names (e.g., ServiceName)

Scenario: Use of net use to map a network drive for file access
    Filter/Exclusion: Filter on CommandLine containing /user: and known internal network paths (e.g., \\fileserver\share)