The detection identifies the use of a specific hack tool associated with the Operation Cleaver adversary group, indicating potential compromise and lateral movement within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threat activity early.
YARA Rule
rule OPCLEAVER_zhLookUp
{
    meta:
        description = "Hack tool used by attackers in Operation Cleaver"
        reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
        date = "2014/12/02"
        author = "Cylance Inc."
        score = "70"
    strings:
        $s1 = "zhLookUp.Properties"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic.
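Because the rule's whole condition rests on one plain text string, it is worth knowing exactly which encodings of that string it matches before relying on it for hunting. The following Python is an added example written for this page (it is not Cylance's code and it does not use the yara library): it emulates how a YARA text string expands under the default, `wide` and `nocase` modifiers, runs the rule's `$s1` against a few constructed byte buffers, and shapes a hit into a flat record that could be pushed to a SIEM custom table. The sample buffers, the field names in the alert record, and the file-name labels are all constructed for illustration.

```python
"""Added example, not part of the original page or of Cylance's rule:
emulate how the single text string in OPCLEAVER_zhLookUp is matched under
YARA's string modifiers, so an analyst can see which encodings of the
indicator the rule as written does and does not catch."""
import hashlib

RULE_NAME = "OPCLEAVER_zhLookUp"
RULE_SCORE = 70                    # from the rule's meta section
INDICATOR = "zhLookUp.Properties"  # the rule's $s1 string


def string_patterns(text, match_ascii=True, match_wide=False):
    """Byte patterns a YARA text string expands to. With no modifiers YARA
    matches only the ASCII form; the 'wide' modifier adds UTF-16LE."""
    pats = []
    if match_ascii:
        pats.append(text.encode("ascii"))
    if match_wide:
        pats.append(text.encode("utf-16-le"))
    return pats


def string_matches(data, text, match_ascii=True, match_wide=False, nocase=False):
    """True if any expansion of `text` occurs in `data`. bytes.lower() folds
    ASCII letters only, which is enough for this ASCII-only indicator."""
    haystack = data.lower() if nocase else data
    return any((p.lower() if nocase else p) in haystack
               for p in string_patterns(text, match_ascii, match_wide))


def evaluate(data):
    """Evaluate the rule as written (default modifiers) against one buffer
    and also report whether a 'wide' or 'nocase' variant would have fired."""
    return {
        "rule_as_written": string_matches(data, INDICATOR),
        "would_match_with_wide": string_matches(data, INDICATOR, match_wide=True),
        "would_match_with_nocase": string_matches(data, INDICATOR, nocase=True),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def to_alert(sample_name, result):
    """Turn a positive result into a flat record for a SIEM custom table
    (the field names here are this example's own, not a Sentinel schema)."""
    if not result["rule_as_written"]:
        return None
    return {"rule": RULE_NAME, "score": RULE_SCORE,
            "sample": sample_name, "sha256": result["sha256"]}


# Constructed sample buffers, not real malware. A .NET assembly carries its
# type names in the metadata strings heap as ASCII, which is why the
# unmodified rule is expected to work against the genuine binary.
SAMPLES = {
    "ascii_build": b"MZ\x90\x00" + b"\x00" * 16 + b"zhLookUp.Properties\x00Resources",
    "wide_build": b"MZ\x90\x00" + "zhLookUp.Properties".encode("utf-16-le"),
    "recased_build": b"MZ\x90\x00ZHLOOKUP.PROPERTIES\x00",
    "benign": b"MZ\x90\x00Contoso.Inventory.Properties\x00",
}


def scan_samples(samples=SAMPLES):
    """Map every sample name to its evaluation result."""
    return {name: evaluate(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, res in scan_samples().items():
        print(f"{name:14} as_written={res['rule_as_written']!s:5} "
              f"wide={res['would_match_with_wide']!s:5} "
              f"nocase={res['would_match_with_nocase']!s:5} "
              f"alert={to_alert(name, res)}")
```

Only the ASCII sample trips the rule as written; a build that stored the name as UTF-16 or with different casing would pass silently unless `wide` or `nocase` were added to `$s1`, and adding them widens the match surface, so that trade-off should be tested against your own benign corpus before the rule goes into production.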
Scenario: System administrators using the PowerShell script Invoke-Command to remotely manage servers as part of routine maintenance.
Filter/Exclusion: Exclude events where the script is executed from known admin scripts or where the user is a member of the Administrators group and the command is part of a scheduled job.
Scenario: LogonHours scheduled task is executed to enforce login restrictions during non-business hours.
Filter/Exclusion: Exclude tasks that are scheduled via Task Scheduler and have a known name like LogonHours or RestrictLogons, and are associated with a user account with administrative privileges.
Scenario: Windows Task Scheduler runs a legitimate backup job using VSS (Volume Shadow Copy Service) to create system snapshots.
Filter/Exclusion: Exclude tasks that are associated with the Backup or System service, and have a known command line including vssadmin or wbadmin.
Scenario: PsExec is used by IT staff to remotely execute commands on workstations for software deployment.
Filter/Exclusion: Exclude processes where the executable path includes psexec.exe and the user is a member of the IT or Admin group, and the command is part of a known deployment script.
Scenario: Windows Event Log is queried using PowerShell to generate reports on system health, such as checking for failed login attempts.
Filter/Exclusion: Exclude PowerShell scripts that are executed from a known reporting tool or script repository, and that are run by users with the Security Administrator role.
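The scenario and exclusion pairs above are only safe if each exclusion requires all of its stated conditions at once; an exclusion keyed on group membership alone would also hide the activity this detection exists to find. The Python below is an added example for this page, not part of the original: it encodes the six exclusions as lists of predicates that must all hold, applies them to a handful of constructed process events, and returns which events still alert. The event field names (user, groups, roles, image, command_line, parent, scheduled_task, service), the allowlisted script and tool names such as deploy_software.ps1 and ReportingTool.exe, and the events themselves are assumptions made for illustration.

```python
"""Added example, not part of the original page: apply the page's
filter/exclusion scenarios as structured suppression rules to constructed
process events. All field names and allowlisted names are assumptions."""

# Each exclusion is a list of (field, operator, value) predicates. An event
# is suppressed only if EVERY predicate of at least one exclusion holds.
EXCLUSIONS = {
    "invoke-command from known admin script": [
        ("image", "contains", "powershell.exe"),
        ("command_line", "contains", "Invoke-Command"),
        ("parent", "in", {"admin_maint.ps1"}),          # hypothetical script
    ],
    "invoke-command by admin scheduled job": [
        ("command_line", "contains", "Invoke-Command"),
        ("groups", "intersects", {"Administrators"}),
        ("scheduled_task", "truthy", None),
    ],
    "logon-hours task": [
        ("scheduled_task", "in", {"LogonHours", "RestrictLogons"}),
        ("groups", "intersects", {"Administrators"}),
    ],
    "vss backup job": [
        ("service", "in", {"Backup", "System"}),
        ("command_line", "contains_any", {"vssadmin", "wbadmin"}),
    ],
    "psexec deployment": [
        ("image", "contains", "psexec.exe"),
        ("groups", "intersects", {"IT", "Admin"}),
        ("parent", "in", {"deploy_software.ps1"}),      # hypothetical script
    ],
    "powershell health reports": [
        ("image", "contains", "powershell.exe"),
        ("parent", "in", {"ReportingTool.exe"}),        # hypothetical tool
        ("roles", "intersects", {"Security Administrator"}),
    ],
}


def predicate_holds(event, field, op, value):
    """Evaluate one predicate against an event dict; missing fields never match."""
    actual = event.get(field)
    if op == "contains":
        return value.lower() in str(actual or "").lower()
    if op == "contains_any":
        text = str(actual or "").lower()
        return any(v.lower() in text for v in value)
    if op == "in":
        return actual in value
    if op == "intersects":
        return bool(set(actual or ()) & value)
    if op == "truthy":
        return bool(actual)
    raise ValueError(f"unknown operator {op}")


def matching_exclusion(event):
    """Name of the first exclusion whose predicates all hold, else None."""
    for name, preds in EXCLUSIONS.items():
        if all(predicate_holds(event, *p) for p in preds):
            return name
    return None


def triage(events):
    """Return (alert_ids, {suppressed_id: exclusion_name})."""
    alerts, suppressed = [], {}
    for ev in events:
        why = matching_exclusion(ev)
        if why:
            suppressed[ev["id"]] = why
        else:
            alerts.append(ev["id"])
    return alerts, suppressed


# Constructed events; none of these are real telemetry.
EVENTS = [
    {"id": "e1", "user": "svc_deploy", "groups": {"IT"}, "image": r"C:\Tools\psexec.exe",
     "command_line": r"psexec.exe \\ws01 msiexec /i app.msi", "parent": "deploy_software.ps1"},
    {"id": "e2", "user": "jdoe", "groups": {"Domain Users"}, "image": r"C:\Tools\psexec.exe",
     "command_line": r"psexec.exe \\ws01 cmd.exe", "parent": "cmd.exe"},
    {"id": "e3", "user": "SYSTEM", "service": "Backup", "scheduled_task": "NightlyBackup",
     "image": r"C:\Windows\System32\vssadmin.exe", "command_line": "vssadmin create shadow /for=C:"},
    {"id": "e4", "user": "jdoe", "groups": {"Domain Users"},
     "image": r"C:\Windows\System32\vssadmin.exe", "command_line": "vssadmin list shadows"},
    {"id": "e5", "user": "ops_admin", "groups": {"Administrators"}, "scheduled_task": "NightlyPatch",
     "image": "powershell.exe", "command_line": "Invoke-Command -ComputerName srv02 -FilePath patch.ps1",
     "parent": "svchost.exe"},
    {"id": "e6", "user": "ops_admin", "groups": {"Administrators"},
     "image": "powershell.exe", "command_line": "Invoke-Command -ComputerName srv02 -ScriptBlock { Get-Service }",
     "parent": "explorer.exe"},
]

if __name__ == "__main__":
    alert_ids, quiet = triage(EVENTS)
    print("alerting:", alert_ids)
    print("suppressed:", quiet)
```

Events e2, e4 and e6 still alert: the PsExec run comes from a user outside the IT/Admin groups, the vssadmin call is interactive rather than from the Backup service, and the Invoke-Command is launched by an administrator but not as a scheduled job. Keeping every predicate mandatory is what prevents the "member of Administrators" condition from becoming a blanket bypass.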