Attackers in Operation Cleaver are using a backdoor to maintain persistent access and exfiltrate data from compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats before significant data loss occurs.
YARA Rule
    rule OPCLEAVER_wndTest
    {
        meta:
            description = "Backdoor used by attackers in Operation Cleaver"
            reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
            date = "2014/12/02"
            author = "Cylance Inc."
            score = "70"
        strings:
            $s1 = "[Alt]" wide
            $s2 = "<< %s >>:" wide
            $s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
        condition:
            all of them
    }
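To make the rule's matching semantics concrete, here is an added example (not code from the page, from Cylance, or from the YARA project) that re-implements the three string patterns and the "all of them" condition in plain Python. It shows that the `wide` modifier on $s1 and $s2 means the strings are searched as UTF-16LE bytes, while $s3 is matched as plain ASCII, so a buffer holding the first two strings in narrow form does not satisfy the rule. The two sample buffers are constructed for illustration and are not real malware bytes; a real deployment uses the YARA engine, this is only a teaching model of its logic.

```python
# Added example: a minimal model of how OPCLEAVER_wndTest's strings and
# condition are evaluated. Not the YARA engine and not code from the page.
from typing import Dict, List

# The three patterns exactly as declared in the rule. "wide" means YARA
# searches for the UTF-16LE encoding (each character followed by 0x00);
# with no modifier the string is searched as plain ASCII bytes.
PATTERNS = {
    "$s1": ("[Alt]", "wide"),
    "$s2": ("<< %s >>:", "wide"),
    "$s3": ("Content-Disposition: inline; comp=%s; account=%s; product=%d;", "ascii"),
}


def encode_pattern(text: str, modifier: str) -> bytes:
    """Turn a rule string into the byte sequence YARA would look for."""
    if modifier == "wide":
        return text.encode("utf-16-le")
    return text.encode("ascii")


def match_strings(data: bytes) -> Dict[str, List[int]]:
    """Return {identifier: [offsets]} for every pattern present in data."""
    hits: Dict[str, List[int]] = {}
    for ident, (text, modifier) in PATTERNS.items():
        needle = encode_pattern(text, modifier)
        offsets = []
        start = 0
        while True:
            pos = data.find(needle, start)
            if pos == -1:
                break
            offsets.append(pos)
            start = pos + 1
        if offsets:
            hits[ident] = offsets
    return hits


def rule_matches(data: bytes) -> bool:
    """'all of them': every declared string must occur at least once."""
    return len(match_strings(data)) == len(PATTERNS)


# Constructed sample: $s1 and $s2 stored as UTF-16LE, $s3 as ASCII,
# separated by padding. This is the layout the rule is written for.
SAMPLE_HIT = (
    b"\x00" * 16
    + "[Alt]".encode("utf-16-le")
    + b"\x00" * 8
    + "<< %s >>:".encode("utf-16-le")
    + b"\x00" * 8
    + b"Content-Disposition: inline; comp=%s; account=%s; product=%d;"
)

# Constructed sample with the same text, but $s1 and $s2 stored as narrow
# ASCII. "wide" does not match the narrow form, so only $s3 is found and
# the rule must not fire.
SAMPLE_NARROW = (
    b"[Alt]"
    + b"<< %s >>:"
    + b"Content-Disposition: inline; comp=%s; account=%s; product=%d;"
)


if __name__ == "__main__":
    for label, buf in (("wide sample", SAMPLE_HIT), ("narrow sample", SAMPLE_NARROW)):
        verdict = "MATCH" if rule_matches(buf) else "no match"
        print(f"{label}: {verdict} {match_strings(buf)}")
```

The offsets returned by `match_strings` correspond to what `yara -s` would print for the same buffer; comparing the two samples is a quick way to see why a rule with `wide` strings can miss a sample that stores the same text in ASCII, and why the original rule ties all three strings together with `all of them` to keep the false-positive rate low.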
This rule contains 3 string patterns in its detection logic. When hunting with it in Azure Sentinel, the following benign scenarios and their corresponding filter/exclusion expressions can be used to tune out expected activity:
Scenario: Legitimate scheduled job using schtasks.exe to run a maintenance script
Filter/Exclusion: process.parent_process_name == "schtasks.exe" AND process.command_line LIKE "%\\Windows\\System32\\taskhost.exe%"

Scenario: System update using msiexec.exe to install a legitimate patch
Filter/Exclusion: process.name == "msiexec.exe" AND process.command_line LIKE "%\\Windows\\Temp\\patch.msi%"

Scenario: Admin task using taskmgr.exe to configure system services
Filter/Exclusion: process.name == "taskmgr.exe" AND process.parent_process_name == "explorer.exe" AND process.command_line LIKE "%\\System32\\services.exe%"

Scenario: Database backup using sqlcmd.exe with scheduled SQL Agent job
Filter/Exclusion: process.name == "sqlcmd.exe" AND process.parent_process_name == "sqlagent.exe" AND process.command_line LIKE "%BACKUP DATABASE%"

Scenario: Log file rotation using logrotate.exe (Windows equivalent)
Filter/Exclusion: process.name == "logrotate.exe" AND process.command_line LIKE "%\\Windows\\System32\\logrotate.conf%"
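Before such exclusions go into a hunting query, it is worth checking that each one suppresses only the benign scenario it was written for and nothing broader. The following added example (not code from the page or from Azure Sentinel) evaluates the five filter/exclusion expressions above against constructed process events. The field names (process.name, process.parent_process_name, process.command_line) and the SQL-style LIKE wildcard semantics are taken from the page; the flat event dictionary and the case-insensitive comparison of command lines are assumptions made for this illustration, and the events are constructed, not captured telemetry.

```python
# Added example: test the page's Filter/Exclusion expressions against
# constructed process events before deploying them. Not from the page.
import re
from typing import Callable, Dict, List, Optional

Event = Dict[str, str]


def like(value: str, pattern: str) -> bool:
    """SQL-style LIKE: '%' matches any run of characters. Comparison is
    case-insensitive (assumption: Windows paths are case-insensitive)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None


# Each entry is one Filter/Exclusion from the page, transcribed as a predicate.
# The "\\" in the page's string literals denotes a single backslash, hence the
# raw strings here.
EXCLUSIONS: Dict[str, Callable[[Event], bool]] = {
    "scheduled maintenance via schtasks.exe": lambda e:
        e["process.parent_process_name"] == "schtasks.exe"
        and like(e["process.command_line"], r"%\Windows\System32\taskhost.exe%"),
    "system patch via msiexec.exe": lambda e:
        e["process.name"] == "msiexec.exe"
        and like(e["process.command_line"], r"%\Windows\Temp\patch.msi%"),
    "admin service config via taskmgr.exe": lambda e:
        e["process.name"] == "taskmgr.exe"
        and e["process.parent_process_name"] == "explorer.exe"
        and like(e["process.command_line"], r"%\System32\services.exe%"),
    "SQL Agent backup via sqlcmd.exe": lambda e:
        e["process.name"] == "sqlcmd.exe"
        and e["process.parent_process_name"] == "sqlagent.exe"
        and like(e["process.command_line"], "%BACKUP DATABASE%"),
    "log rotation via logrotate.exe": lambda e:
        e["process.name"] == "logrotate.exe"
        and like(e["process.command_line"], r"%\Windows\System32\logrotate.conf%"),
}


def is_excluded(event: Event) -> Optional[str]:
    """Return the name of the first exclusion that matches, or None."""
    for name, predicate in EXCLUSIONS.items():
        if predicate(event):
            return name
    return None


def filter_events(events: List[Event]) -> List[Event]:
    """Keep only events that no exclusion suppresses (i.e. what the hunt sees)."""
    return [e for e in events if is_excluded(e) is None]


# Constructed events: three expected-benign cases and two that look similar
# but fall outside the exclusions (wrong parent, or an MSI from an unexpected path).
SAMPLE_EVENTS: List[Event] = [
    {"process.name": "taskhost.exe", "process.parent_process_name": "schtasks.exe",
     "process.command_line": r"C:\Windows\System32\taskhost.exe"},
    {"process.name": "msiexec.exe", "process.parent_process_name": "services.exe",
     "process.command_line": r"msiexec.exe /i C:\Windows\Temp\patch.msi /qn"},
    {"process.name": "sqlcmd.exe", "process.parent_process_name": "sqlagent.exe",
     "process.command_line": r'sqlcmd -Q "BACKUP DATABASE Sales TO DISK=N''D:\bak\Sales.bak'''},
    {"process.name": "msiexec.exe", "process.parent_process_name": "winword.exe",
     "process.command_line": r"msiexec.exe /i C:\Users\Public\update.msi /qn"},
    {"process.name": "taskmgr.exe", "process.parent_process_name": "cmd.exe",
     "process.command_line": r"taskmgr.exe C:\Windows\System32\services.exe"},
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = is_excluded(event) or "KEPT for review"
        print(f"{event['process.name']:<14} parent={event['process.parent_process_name']:<14} -> {verdict}")
```

Running the script shows the first three events suppressed by the intended exclusion and the last two kept, because the parent process or the file path does not match the benign pattern. Re-running it whenever an exclusion is edited is a cheap regression check that a widened wildcard has not started hiding events the hunt should still see.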