Attackers in Operation Cleaver are using custom malware or hack tools to establish persistence and exfiltrate data from compromised systems. Proactively hunting for this behavior in Azure Sentinel can help identify early-stage compromise and prevent further lateral movement and data theft.
YARA Rule
rule OPCLEAVER_SynFlooder
{
    meta:
        description = "Malware or hack tool used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        $s1 = "Unable to resolve [ %s ]. ErrorCode %d"
        $s2 = "your target’s IP is : %s"
        $s3 = "Raw TCP Socket Created successfully."
    condition:
        all of them
}
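Before deploying the rule it is worth confirming what its condition actually requires. The Python below is an added example, not part of the page or of Cylance's rule: it re-implements the three $s strings and the "all of them" condition against constructed byte buffers, and cross-checks against the real engine when yara-python is installed. It also shows that the curly apostrophe in $s2 is compiled as the UTF-8 bytes E2 80 99, so a sample carrying the same text with an ASCII apostrophe, or in UTF-16, does not satisfy the rule.

```python
# Rule text as it appears above (meta section omitted; it does not affect matching).
RULE_SOURCE = r'''
rule OPCLEAVER_SynFlooder
{
    strings:
        $s1 = "Unable to resolve [ %s ]. ErrorCode %d"
        $s2 = "your target’s IP is : %s"
        $s3 = "Raw TCP Socket Created successfully."
    condition:
        all of them
}
'''

# Byte patterns YARA derives from the text strings: the UTF-8 bytes of the source,
# so $s2 is matched as ... 74 E2 80 99 73 ... and not with an ASCII 0x27 apostrophe.
RULE_STRINGS = {
    "$s1": "Unable to resolve [ %s ]. ErrorCode %d".encode("utf-8"),
    "$s2": "your target\u2019s IP is : %s".encode("utf-8"),
    "$s3": "Raw TCP Socket Created successfully.".encode("utf-8"),
}

def evaluate(buf: bytes) -> dict:
    """Mirror the rule's logic: which $s strings occur, and whether 'all of them' holds."""
    hits = {name: pattern in buf for name, pattern in RULE_STRINGS.items()}
    return {"matched": sorted(n for n, h in hits.items() if h), "fires": all(hits.values())}

# Constructed samples (synthetic buffers, not bytes taken from any real binary).
PAD = b"\x00" * 16
SAMPLES = {
    # all three strings present -> the rule fires
    "all_three": PAD + RULE_STRINGS["$s1"] + PAD + RULE_STRINGS["$s2"] + PAD + RULE_STRINGS["$s3"],
    # $s2 absent -> 'all of them' is false even though two strings hit
    "two_of_three": PAD + RULE_STRINGS["$s1"] + PAD + RULE_STRINGS["$s3"],
    # same text, but $s2 with an ASCII apostrophe and $s3 as UTF-16LE: only $s1 hits
    "wrong_encoding": PAD + RULE_STRINGS["$s1"] + b"your target's IP is : %s"
                      + "Raw TCP Socket Created successfully.".encode("utf-16-le"),
}

def crosscheck_with_yara(buf: bytes):
    """Run the real engine if yara-python is installed; returns None when it is not."""
    try:
        import yara
    except ImportError:
        return None
    return bool(yara.compile(source=RULE_SOURCE).match(data=buf))

if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(name, evaluate(buf), "yara:", crosscheck_with_yara(buf))
```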
This rule contains 3 string patterns in its detection logic.
This YARA rule can be deployed in the following contexts:
Scenario: Scheduled system maintenance task using schtasks.exe to perform disk cleanup
Filter/Exclusion: Check for CommandLine containing /schedule or DELETE and exclude tasks with known maintenance names (e.g., Cleanup-System)
Scenario: Admin using PsExec to remotely execute a legitimate script for patch deployment
Filter/Exclusion: Filter by ProcessName containing PsExec and check for CommandLine including patch or update keywords
Scenario: Legitimate use of PowerShell to automate log rotation or backup jobs
Filter/Exclusion: Filter by ProcessName containing powershell.exe and check for CommandLine including logrotate, backup, or archive
Scenario: User running a legitimate security tool like Malwarebytes or Bitdefender for malware scanning
Filter/Exclusion: Filter by ProcessName matching known security software and exclude processes with scan, detect, or remove in the command line
Scenario: System using Task Scheduler to run a legitimate third-party monitoring tool
Filter/Exclusion: Check for TaskName containing known monitoring tool names (e.g., Nagios, Zabbix) and exclude tasks with run or execute in the command line