The hypothesis is that the detected activity may indicate an adversary attempting to exfiltrate data or establish a foothold through a suspicious HTTP request associated with tooling documented in Cylance's Operation Cleaver report. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential early-stage compromise or data exfiltration attempts that traditional signature-based controls may miss.
YARA Rule
rule pvz_out
{
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $s1 = "Network Connectivity Module" wide
        $s2 = "OSPPSVC" wide
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic, both declared with the wide modifier (UTF-16LE encoding); the condition "all of them" means a file only matches when both strings are present in that encoding.
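The following is an added example, not code from Cylance or from the original page: it mirrors the matching semantics of pvz_out in plain Python so that an analyst can see why the wide modifier matters before deploying the rule (in production the rule would be compiled with yara or yara-python instead). The sample byte strings are constructed here and do not come from any real file.

```python
# Added example: emulate the pvz_out rule's semantics (strings declared
# `wide`, condition `all of them`) on constructed sample data.
RULE_STRINGS = {
    "$s1": "Network Connectivity Module",
    "$s2": "OSPPSVC",
}


def wide(text: str) -> bytes:
    """YARA's `wide` modifier: each character as two bytes (UTF-16LE)."""
    return text.encode("utf-16-le")


def scan_pvz_out(data: bytes) -> dict:
    """Return every offset at which each rule string occurs as a wide
    string, plus whether the rule condition (`all of them`) holds."""
    matches = {}
    for name, text in RULE_STRINGS.items():
        needle = wide(text)
        offsets, pos = [], data.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(needle, pos + 1)
        matches[name] = offsets
    # `all of them`: every string must have at least one match.
    return {"strings": matches, "match": all(matches.values())}


# Constructed samples (not real binaries).
# Both strings present as UTF-16LE: the rule fires.
SAMPLE_WIDE = (b"MZ\x00" + wide("Network Connectivity Module")
               + b"\x00" * 8 + wide("OSPPSVC"))
# Same text but ASCII-only: `wide` strings do not match, so no alert.
SAMPLE_ASCII = b"MZ Network Connectivity Module OSPPSVC"
# Only one of the two strings: `all of them` is not satisfied.
SAMPLE_PARTIAL = wide("OSPPSVC")

if __name__ == "__main__":
    for label, blob in [("wide", SAMPLE_WIDE), ("ascii", SAMPLE_ASCII),
                        ("partial", SAMPLE_PARTIAL)]:
        print(label, scan_pvz_out(blob))
```

The ASCII case is the one to remember when triaging: a string found by a plain grep of "OSPPSVC" is not the same as a hit on this rule.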
Scenario: A system administrator is using PowerShell to perform a scheduled maintenance task that involves downloading a script from a trusted internal repository.
Filter/Exclusion: Exclude events where the source IP is from the internal network and the command line contains powershell.exe with a known maintenance script path.
Scenario: A Windows Task Scheduler job is configured to run a legitimate batch file that connects to an external API for data synchronization.
Filter/Exclusion: Exclude events where the process name is schtasks.exe and the command line includes a known internal API endpoint.
Scenario: A Docker container is being built using a CI/CD pipeline, which involves pulling an image from a public registry like Docker Hub.
Filter/Exclusion: Exclude events where the process is related to Docker (e.g., docker.exe) and the image name is from a known trusted registry.
Scenario: A Microsoft SQL Server Agent job is executing a stored procedure that connects to an external service for reporting purposes.
Filter/Exclusion: Exclude events where the process is sqlagent.exe and the connection string matches a known internal reporting service.
Scenario: A Windows Update task is running in the background, which temporarily connects to Microsoft servers to download patches.
Filter/Exclusion: Exclude events where the process is wuauserv.exe or svchost.exe associated with Windows Update.