The detection identifies the use of a network tool associated with Iranian hacking groups and Operation Cleaver, indicating potential adversarial network reconnaissance or command and control activity. SOC teams should proactively hunt for this behavior to detect and mitigate advanced persistent threat (APT) activity targeting Azure environments.
YARA Rule
rule OPCLEAVER_zhCat
{
    meta:
        description = "Network tool used by Iranian hackers and used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        $s1 = "Mozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )" ascii fullword
        $s2 = "ABC ( A Big Company )" wide fullword
    condition:
        all of them
}
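The two strings above carry different modifiers, which decides what bytes the rule will actually fire on: $s1 must appear as plain ASCII, $s2 as UTF-16LE ("wide", the form a Windows binary stores it in), both delimited by non-alphanumeric bytes ("fullword"), and "all of them" requires both. The following added example (not Cylance's code and not a YARA engine) emulates that matching logic over constructed sample buffers so the effect of each modifier is visible; the sample bytes are made up for illustration.

```python
# Emulation of how the OPCLEAVER_zhCat rule matches (added example, not a YARA engine).
RULE_STRINGS = {
    # name: (text, modifier) copied from the rule above
    "$s1": ("Mozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )", "ascii"),
    "$s2": ("ABC ( A Big Company )", "wide"),
}

def _alnum(b: int) -> bool:
    # ASCII-only alphanumeric test, like C isalnum() in the "C" locale
    return 48 <= b <= 57 or 65 <= b <= 90 or 97 <= b <= 122

def _fullword_ok(data: bytes, start: int, end: int, mode: str) -> bool:
    """fullword: no alphanumeric character may directly precede or follow the match."""
    if mode == "ascii":
        before = start >= 1 and _alnum(data[start - 1])
        after = end < len(data) and _alnum(data[end])
    else:  # wide: neighbouring characters are 2-byte little-endian units (alnum, 0x00)
        before = start >= 2 and data[start - 1] == 0 and _alnum(data[start - 2])
        after = end + 1 < len(data) and data[end + 1] == 0 and _alnum(data[end])
    return not (before or after)

def find_string(data: bytes, text: str, mode: str) -> list[int]:
    """Offsets where `text`, encoded per `mode`, occurs and passes the fullword check."""
    needle = text.encode("ascii") if mode == "ascii" else text.encode("utf-16-le")
    hits, pos = [], data.find(needle)
    while pos != -1:
        if _fullword_ok(data, pos, pos + len(needle), mode):
            hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits

def match_rule(data: bytes) -> dict:
    """'all of them': every string needs at least one hit. Returns hits per string."""
    strings = {n: find_string(data, t, m) for n, (t, m) in RULE_STRINGS.items()}
    return {"matched": all(strings.values()), "strings": strings}

# Constructed sample: UA as ASCII, company string as UTF-16LE -> rule fires.
SAMPLE_HIT = (b"\x00" * 4 + b"Mozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )\x00"
              + b"junk" + "ABC ( A Big Company )".encode("utf-16-le") + b"\x00\x00")
# Constructed sample: $s2 present only as ASCII, so the `wide` string never matches.
SAMPLE_MISS = b"Mozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )\x00ABC ( A Big Company )\x00"
# Constructed sample: $s1 glued to an alphanumeric prefix, so `fullword` rejects it.
SAMPLE_GLUED = (b"xMozilla/4.0 ( compatible; MSIE 7.0; AOL 8.0 )\x00"
                + "ABC ( A Big Company )".encode("utf-16-le"))

if __name__ == "__main__":
    for label, blob in (("hit", SAMPLE_HIT), ("miss", SAMPLE_MISS), ("glued", SAMPLE_GLUED)):
        print(label, match_rule(blob))
```

The "miss" case is the one to remember when triaging: a dropper that embeds the company string as ASCII will not be caught by this rule as written, while an unrelated file that merely echoes the AOL user agent will not fire either, because both strings are required.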
This rule contains 2 string patterns in its detection logic. This YARA rule can be deployed in the following contexts:
Scenario: Legitimate system update using wget to download a Microsoft patch
Filter/Exclusion: process.name != "wget" OR file.name != "msu_file.exe"
Scenario: Scheduled job using curl to fetch internal configuration data from a central server
Filter/Exclusion: destination.ip IN (internal_server_ip) OR process.name != "curl"
Scenario: Admin task using netsh to configure network settings during routine maintenance
Filter/Exclusion: process.name != "netsh" OR event_id != 1000
Scenario: Internal tool using PsExec to remotely execute a script for patch deployment
Filter/Exclusion: process.name != "PsExec.exe" OR user.name IN (approved_admins)
Scenario: Log collection using LogParser to gather IIS logs for compliance reporting
Filter/Exclusion: process.name != "LogParser.exe" OR file.path != "C:\\Windows\\System32\\LogParser.exe"