The hypothesis is that a file matching this rule on a host is a component of the tooling Cylance documented in its Operation Cleaver report, and that its presence may indicate an adversary staging data for exfiltration or establishing a covert communication channel. The rule matches file content, not network traffic or a domain, so a hit is the starting point of the hunt rather than the whole detection: SOC teams should pivot from the matched host, file path and hash in Azure Sentinel (now Microsoft Sentinel) to look for follow-on process, file and network activity that signature-based controls may have missed.
YARA Rule
rule pvz_in
{
meta:
author = "Cylance"
date = "2014-12-02"
description = "http://cylance.com/opcleaver"
strings:
$s1 = "LAST_TIME=00/00/0000:00:00PM$"
$s2 = "if %%ERRORLEVEL%% == 1 GOTO line"
condition:
all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains two string patterns in its detection logic, and its condition, all of them, requires both to occur in the same file. Both are literal YARA text strings, so the doubled percent signs in $s2 must be present as two percent characters in the scanned content; a script in which that has already collapsed to a single %ERRORLEVEL% will not match.
Scenario: A system administrator is using PowerShell to perform a scheduled maintenance task that involves downloading a script from a trusted internal repository.
Filter/Exclusion: Exclude hits where the matched file sits under the known maintenance script path and its hash is on the maintained allowlist. An internal source IP and a powershell.exe command line alone say nothing about what the downloaded script contained, so they are supporting context, not the exclusion key.
Scenario: A Windows Task Scheduler job is configured to run a legitimate batch file that connects to an external API for data synchronization.
Filter/Exclusion: Exclude hits on the known batch file path and hash. Note that the job does not run as schtasks.exe (that is only the tool used to register it); the batch file executes under cmd.exe started by the Task Scheduler service, so a lineage filter should look for cmd.exe with that parent and the known internal API endpoint on the command line.
Scenario: A Docker container is being built using Jenkins as part of a CI/CD pipeline, which involves pulling an image from a public registry.
Filter/Exclusion: Exclude hits where the matched file is inside the layers of an image pulled from a known public registry URL at a pinned digest; the docker pull command line identifies the image, the digest ties the exclusion to its content.
Scenario: A SQL Server Agent job is running a script that connects to an external service for database backup purposes.
Filter/Exclusion: Exclude hits on the known backup script path and hash. The job step runs under the SQL Server Agent service (SQLAGENT.EXE) or a cmd.exe it spawns, not under sqlservr.exe itself, so match the lineage accordingly together with the known external service endpoint.
Scenario: A Linux cron job is configured to fetch updates from a trusted internal repository using wget or curl.
Filter/Exclusion: Exclude hits on the fetched files when they arrive from the known internal update URL or repository path. The process name will be wget or curl (with cron or crond as the parent), not cron, so key the lineage filter on the child with that parent.
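The following is an added example, not code from the original page or from Cylance, that re-implements the pvz_in rule body in plain Python so the two points above can be exercised offline: the all of them condition over the rule's two literal strings, and exclusions keyed on what a file-content match actually yields (path and hash) rather than on process names. In production you would compile the rule with yara-python or the yara CLI instead; the sample files, the maint/ allowlist directory and the function names are constructed for this illustration.

```python
"""Stand-in for the pvz_in YARA rule plus allowlist handling (added example, not Cylance code)."""
import hashlib
import tempfile
from pathlib import Path

# Literal byte patterns copied from the pvz_in rule. YARA text strings match
# byte-for-byte, so "%%" here means two percent characters in the scanned file.
PVZ_IN_STRINGS = {
    "$s1": b"LAST_TIME=00/00/0000:00:00PM$",
    "$s2": b"if %%ERRORLEVEL%% == 1 GOTO line",
}


def match_pvz_in(data: bytes) -> dict:
    """Evaluate the rule body: record which strings occur (with offset) and apply 'all of them'."""
    matched = {name: data.find(s) for name, s in PVZ_IN_STRINGS.items() if s in data}
    return {"matched": matched, "fires": len(matched) == len(PVZ_IN_STRINGS)}


def scan_tree(root: Path, allow_sha256=frozenset(), allow_dirs=()) -> list:
    """Scan every file under root; hits on the allowlist are kept but flagged as suppressed.

    Exclusions are keyed on path and SHA-256, the two things a file-content rule
    gives you; process names and command lines are not visible to a YARA scan.
    """
    hits = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        data = path.read_bytes()
        verdict = match_pvz_in(data)
        if not verdict["fires"]:
            continue
        digest = hashlib.sha256(data).hexdigest()
        in_allowed_dir = any(d in path.parents for d in allow_dirs)
        hits.append({
            "path": path.relative_to(root).as_posix(),
            "sha256": digest,
            "strings": sorted(verdict["matched"]),
            "suppressed": digest in allow_sha256 or in_allowed_dir,
        })
    return hits


# Constructed sample files (not real malware) exercising match and exclusion logic:
# run.bat carries both strings; partial.bat only one; single_pct.bat has the
# collapsed %ERRORLEVEL% form and must not fire; maint/sync.bat is an allowlisted copy.
SAMPLES = {
    "drop/run.bat": (b"@echo off\r\nset LAST_TIME=00/00/0000:00:00PM$\r\n"
                     b"if %%ERRORLEVEL%% == 1 GOTO line\r\n"),
    "drop/partial.bat": b"set LAST_TIME=00/00/0000:00:00PM$\r\n",
    "drop/single_pct.bat": (b"set LAST_TIME=00/00/0000:00:00PM$\r\n"
                            b"if %ERRORLEVEL% == 1 GOTO line\r\n"),
    "maint/sync.bat": (b"set LAST_TIME=00/00/0000:00:00PM$\r\n"
                       b"if %%ERRORLEVEL%% == 1 GOTO line\r\n"),
}


def run_demo() -> list:
    """Write the samples to a temp dir, scan with maint/ allowlisted, return the hit records."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_tree(root, allow_dirs=(root / "maint",))


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

Only the two files carrying both literal strings fire; the allowlisted one is reported with suppressed set to true rather than dropped, so the hash and path still reach the hunt queue and an attacker copying tooling into an excluded directory does not become invisible.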