The hypothesis is that a file or process image matching this rule indicates an adversary staging ShellCreator2, a tool documented in Cylance's Operation Cleaver report (the rule's description field points at that report; Operation Cleaver is the name of the campaign report, not of a tool). The rule carries no network indicators such as domains or IP addresses, so hunting for it in Azure Sentinel (now Microsoft Sentinel) means ingesting YARA hits from endpoint or file-scanning sources and correlating them with process and network telemetry, looking for the follow-on activity the hypothesis predicts: data exfiltration or a covert command-and-control channel from the host where the tool was found. SOC teams should hunt for this proactively, because tooling that is already on disk has by definition evaded the preventive controls in place.
YARA Rule
rule ShellCreator2
{
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        // .NET namespace of the tool's embedded resources (Properties/Resources); names the tool directly
        $s1 = "ShellCreator2.Properties"
        // compiled setter of a .NET "IV" property (e.g. SymmetricAlgorithm.IV); weak on its own
        $s2 = "set_IV"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains two string patterns, and the condition "all of them" requires both to be present. $s1 is the namespace .NET assigns to a project's embedded resources and settings, so it identifies the tool directly; $s2 is the compiled setter for an "IV" property and appears in any .NET code that assigns an initialization vector (for example to a SymmetricAlgorithm), so on its own it would fire on benign cryptographic code. Both patterns use YARA's default ascii modifier, which is correct here: .NET type and method names are stored in the assembly's #Strings heap as UTF-8, not UTF-16, so a wide modifier is not needed. Note that the rule matches file content; the scenarios below describe process-level telemetry that a SOC would correlate with a hit while triaging it, and each exclusion should be applied as narrowly as the scenario allows.
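The following pure-Python matcher is an added example that reproduces the rule's semantics (two byte patterns, ascii-only, "all of them"); it is not Cylance's code and does not use the yara library. The sample blobs are constructed stand-ins for a .NET #Strings heap, not real malware, and the helper names (fake_dotnet_blob, find_strings, rule_matches, scan_file) are this example's own. It shows why $s2 alone is not enough and why a UTF-16 copy of the same text would not match the page's rule as written.

```python
"""Pure-Python mirror of the ShellCreator2 rule's matching semantics (example, not Cylance code)."""
from typing import Dict, Iterable, List

# The two patterns exactly as declared in the rule. YARA's default modifier is
# `ascii`, so each pattern is matched as these raw bytes; the rule does not
# declare `wide`, so a UTF-16LE copy of the same text would NOT match.
RULE_STRINGS: Dict[str, bytes] = {
    "$s1": b"ShellCreator2.Properties",
    "$s2": b"set_IV",
}


def find_strings(data: bytes, wide: bool = False) -> Dict[str, List[int]]:
    """Return every offset at which each rule string occurs in `data`.

    wide=True emulates YARA's `wide` modifier (UTF-16LE) so the caller can see
    why the page's rule, which is ascii-only, misses UTF-16-encoded text.
    """
    hits: Dict[str, List[int]] = {}
    for name, pattern in RULE_STRINGS.items():
        needle = pattern.decode("ascii").encode("utf-16-le") if wide else pattern
        offsets: List[int] = []
        pos = data.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(needle, pos + 1)
        hits[name] = offsets
    return hits


def rule_matches(data: bytes, wide: bool = False) -> bool:
    """`condition: all of them`: every declared string must occur at least once."""
    return all(offsets for offsets in find_strings(data, wide).values())


def scan_file(path: str, wide: bool = False) -> bool:
    """Apply the rule to one file on disk."""
    with open(path, "rb") as fh:
        return rule_matches(fh.read(), wide)


def fake_dotnet_blob(names: Iterable[bytes], wide: bool = False) -> bytes:
    """Constructed stand-in for a .NET assembly: an MZ/PE prefix followed by a
    null-separated #Strings-style heap. The 77-byte header keeps offsets stable.
    """
    header = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"#Strings\x00"
    enc = (lambda s: s.decode("ascii").encode("utf-16-le")) if wide else (lambda s: s)
    return header + b"\x00".join(enc(n) for n in names) + b"\x00"


# Constructed samples (not real malware): a full hit, a benign .NET crypto user
# that only carries set_IV, and the hit's strings re-encoded as UTF-16LE.
SAMPLE_HIT = fake_dotnet_blob([b"ShellCreator2.Properties", b"Resources", b"set_IV", b"get_IV"])
SAMPLE_PARTIAL = fake_dotnet_blob([b"BackupTool.Properties", b"set_IV", b"get_IV"])
SAMPLE_WIDE = fake_dotnet_blob([b"ShellCreator2.Properties", b"set_IV"], wide=True)

if __name__ == "__main__":
    for label, blob in [("hit", SAMPLE_HIT), ("partial", SAMPLE_PARTIAL), ("wide", SAMPLE_WIDE)]:
        print(f"{label:8s} ascii-match={rule_matches(blob)!s:5s} "
              f"wide-match={rule_matches(blob, wide=True)!s:5s} offsets={find_strings(blob)}")
```

SAMPLE_PARTIAL is the false-positive shape the "all of them" condition is guarding against: any .NET program that sets an IV carries set_IV. SAMPLE_WIDE is the false-negative shape: if a variant stored these names as UTF-16 user strings, the rule would need "ascii wide" on both patterns to keep matching.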
Scenario: A system administrator is using PowerShell to perform routine system cleanup tasks, such as removing temporary files or logs.
Filter/Exclusion: Check for powershell.exe as the process name and filter out executions by a known administrative account (e.g., Administrator or a Domain Admins member). Treat this as the weakest exclusion on the list: adversaries routinely operate under stolen administrative credentials, so pair the account check with the expected parent process and command line rather than excluding on the account alone.
Scenario: A scheduled job runs via Task Scheduler to back up user profiles or system state.
Filter/Exclusion: Exclude processes whose parent is the Task Scheduler service host (svchost.exe running the Schedule service, visible as "-s Schedule" on its command line; the service's short name is Schedule, not TaskScheduler) or filter on the task name (e.g., BackupJob). Confirm that the task itself is one your team registered, since scheduled tasks are also a common persistence mechanism.
Scenario: A Windows Update installation is occurring, which may involve downloading and extracting files from the internet.
Filter/Exclusion: Exclude processes associated with Windows Update (e.g., wusa.exe, or svchost.exe running the wuauserv service) or filter on destinations under Microsoft's update domains (e.g., windowsupdate.microsoft.com). Match the domain against the full host name, not a substring, so that look-alike names do not slip through.
Scenario: A remote desktop session is active, and a user is manually copying files from a shared network location.
Filter/Exclusion: Exclude sessions whose logon source is a known internal IP range, and require that rdpclip.exe or mstsc.exe also appears in the process tree rather than accepting either signal alone. RDP from an internal address is exactly what lateral movement looks like, so an internal-range exclusion by itself would hide the behaviour this hunt is meant to surface.
Scenario: A configuration management tool like Chef or Puppet is deploying configuration changes that involve downloading files from a trusted internal repository.
Filter/Exclusion: Exclude processes initiated by the configuration management agent (e.g., chef-client.exe, puppet.exe) or filter on the repository host (e.g., internal-repo.example.com). Verify the agent by its install path and code signature, not by image name alone, since an attacker can name a binary anything.
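The five scenarios above form one triage procedure, so here is a single added example (not part of the original page or of any vendor's tooling) that encodes each exclusion as a named predicate over a flat process-event record and tags every event with the exclusion that suppressed it. The event field names (image, account, parent_image, parent_cmdline, job_name, url, src_ip, process_tree), the allowlist values, and the sample events are all assumptions constructed for the example; the service names Schedule and wuauserv are the real Windows service names. Tagging rather than silently dropping events lets you measure how much each exclusion suppresses and spot one that has become too broad.

```python
"""Apply the page's five exclusion scenarios to process events correlated with a rule hit.

Example code; the event schema and allowlists are assumptions for illustration.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

Event = Dict[str, str]  # hypothetical flat schema; every field name is an assumption

# Allowlists a team would maintain; the values here are placeholders.
ADMIN_ACCOUNTS = {"administrator", "corp\\domain admin"}
KNOWN_JOBS = {"backupjob"}
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
INTERNAL_REPOS = {"internal-repo.example.com"}


def _field(ev: Event, name: str) -> str:
    return str(ev.get(name, "")).lower()


def _parent_is_service(ev: Event, service: str) -> bool:
    # svchost-hosted services carry "-s <ServiceName>" on the command line;
    # Task Scheduler's service name is "Schedule", Windows Update's is "wuauserv".
    return (_field(ev, "parent_image") == "svchost.exe"
            and f"-s {service}".lower() in _field(ev, "parent_cmdline"))


def _internal_ip(ev: Event) -> bool:
    try:
        ip = ipaddress.ip_address(_field(ev, "src_ip"))
    except ValueError:  # missing or malformed address is never "internal"
        return False
    return any(ip in net for net in INTERNAL_RANGES)


def _url_host(ev: Event) -> str:
    # Compare the parsed host, not a substring of the URL, so look-alikes do not pass.
    return urlsplit(_field(ev, "url")).hostname or ""


# Ordered (id, predicate) pairs; the first predicate that fires tags the event.
EXCLUSIONS: List[Tuple[str, Callable[[Event], bool]]] = [
    ("admin-powershell", lambda ev: _field(ev, "image") == "powershell.exe"
                                    and _field(ev, "account") in ADMIN_ACCOUNTS),
    ("task-scheduler",   lambda ev: _parent_is_service(ev, "Schedule")
                                    or _field(ev, "job_name") in KNOWN_JOBS),
    ("windows-update",   lambda ev: _field(ev, "image") == "wusa.exe"
                                    or _parent_is_service(ev, "wuauserv")
                                    or _url_host(ev).endswith("windowsupdate.microsoft.com")),
    # Both signals are required: an internal source alone also describes lateral movement.
    ("rdp-copy",         lambda ev: _internal_ip(ev)
                                    and bool({"rdpclip.exe", "mstsc.exe"}
                                             & set(_field(ev, "process_tree").split(">")))),
    ("config-mgmt",      lambda ev: _field(ev, "image") in {"chef-client.exe", "puppet.exe"}
                                    or _url_host(ev) in INTERNAL_REPOS),
]


def triage(events: List[Event]) -> List[Tuple[Event, Optional[str]]]:
    """Tag each event with the first exclusion that suppresses it (None = keep for review)."""
    return [(ev, next((name for name, pred in EXCLUSIONS if pred(ev)), None)) for ev in events]


def remaining(events: List[Event]) -> List[Event]:
    """Events no exclusion explains; these go to an analyst."""
    return [ev for ev, tag in triage(events) if tag is None]


# Constructed sample events, one per scenario plus one that nothing should explain away.
SAMPLE_EVENTS: List[Event] = [
    {"image": "powershell.exe", "account": "Administrator", "parent_image": "explorer.exe"},
    {"image": "powershell.exe", "account": "corp\\svc_backup", "parent_image": "svchost.exe",
     "parent_cmdline": "svchost.exe -k netsvcs -p -s Schedule", "job_name": "BackupJob"},
    {"image": "wusa.exe", "account": "SYSTEM",
     "url": "http://download.windowsupdate.microsoft.com/update.msu"},
    {"image": "cmd.exe", "account": "corp\\jsmith", "src_ip": "10.20.30.40",
     "process_tree": "rdpclip.exe>cmd.exe"},
    {"image": "chef-client.exe", "account": "SYSTEM",
     "url": "https://internal-repo.example.com/cookbooks/base.tgz"},
    {"image": "powershell.exe", "account": "corp\\jdoe", "parent_image": "explorer.exe",
     "src_ip": "203.0.113.7", "url": "http://203.0.113.7/stage.bin"},
]

if __name__ == "__main__":
    for ev, tag in triage(SAMPLE_EVENTS):
        print(f"{tag or 'REVIEW':17s} {ev['image']:16s} {ev['account']}")
```

Order matters: a cheap, specific exclusion should sit before a broad one, and any event that reaches the end of the list without a tag is what the hunt is for. If one tag starts accounting for most of the suppressed volume, that exclusion is the first candidate for tightening.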