The hypothesis is that the detected activity may indicate an adversary attempting to exfiltrate data or establish a foothold through a suspicious HTTP connection to a known malicious domain. SOC teams should proactively hunt for this behavior in Azure Sentinel (process-to-network telemetry joined against a threat-intelligence domain list) to catch early-stage compromises before lateral movement or data theft follows.
YARA Rule
rule SmartCopy2
{
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $s1 = "SmartCopy2.Properties"
        $s2 = "ZhuFrameWork"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic. The condition `all of them` requires both strings to be present in the scanned file, and because neither string carries the `wide` or `nocase` modifier, each matches only as an exact-case ASCII byte sequence.
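To make the matching semantics concrete, the following is an added example (not part of the Cylance rule or of the original page) that re-implements just what this rule uses: plain ASCII string literals and an `all of them` condition. The byte strings it scans are constructed for illustration and are not real malware samples.

```python
"""Emulate the SmartCopy2 YARA rule's matching logic in plain Python.

Added example, not the Cylance rule itself. Only the semantics this rule
relies on are reproduced: case-sensitive ASCII string literals and the
`all of them` condition. Sample data below is constructed, not real.
"""

# Strings exactly as declared in the rule. Without `wide` or `nocase`
# YARA treats each one as a case-sensitive ASCII byte sequence.
RULE_STRINGS = {
    "$s1": b"SmartCopy2.Properties",
    "$s2": b"ZhuFrameWork",
}


def matched_strings(data: bytes) -> dict:
    """Map each string identifier to the byte offsets where it occurs."""
    hits = {}
    for ident, needle in RULE_STRINGS.items():
        offsets = []
        pos = data.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(needle, pos + 1)
        if offsets:
            hits[ident] = offsets
    return hits


def smartcopy2_matches(data: bytes) -> bool:
    """`condition: all of them`: every declared string must occur at least once."""
    return len(matched_strings(data)) == len(RULE_STRINGS)


# Constructed samples (not real binaries).
SAMPLE_BOTH = b"\x00MZ...SmartCopy2.Properties.Resources\x00ZhuFrameWork.Core\x00"
SAMPLE_ONE = b"\x00MZ...ZhuFrameWork.Core\x00"                   # only $s2 present
SAMPLE_LOWER = b"\x00smartcopy2.properties\x00zhuframework\x00"  # case differs
SAMPLE_WIDE = ("SmartCopy2.Properties".encode("utf-16-le")       # UTF-16LE copy;
               + "ZhuFrameWork".encode("utf-16-le"))             # needs `wide`

if __name__ == "__main__":
    for name, blob in [("both", SAMPLE_BOTH), ("one", SAMPLE_ONE),
                       ("lower", SAMPLE_LOWER), ("wide", SAMPLE_WIDE)]:
        print(f"{name:5s} match={smartcopy2_matches(blob)} hits={matched_strings(blob)}")
```

The `SAMPLE_LOWER` and `SAMPLE_WIDE` cases show the two ways a near-identical artifact escapes this rule: a case change and a UTF-16 encoding of the same text. Both are easy for an operator to introduce, which is why a rule of this shape is a strong indicator when it fires but a weak one when it stays silent.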
False-positive tuning scenarios for the HTTP-connection hunt. Two rules apply to every exclusion below: it must never suppress a connection to a domain on the malicious list, and it should key on fields the legitimate owner controls (the binary's install path or signature, the parent process, the destination host) rather than on free text an attacker can choose, such as a process name or a command-line substring.
Scenario: A system administrator is using PowerShell to perform routine system diagnostics or script-based maintenance tasks that involve HTTP requests to internal or external endpoints.
Filter/Exclusion: Exclude processes initiated by powershell.exe with a command line containing system or diagnostic, but only when the destination is an approved internal endpoint. On its own the substring test is trivially bypassed, since an attacker can add the word "system" to a beacon's command line.
Scenario: A scheduled job (e.g., via Task Scheduler or cron) is configured to fetch updates or perform automated checks from a known internal or external server.
Filter/Exclusion: Exclude processes launched by the scheduler (Task Scheduler or cron as the parent) whose command line matches a registered job, and pin the exclusion to the job's expected destination server.
Scenario: A CI/CD pipeline (e.g., Jenkins, GitLab CI, or Azure DevOps) is making HTTP requests to a remote repository or artifact server during a build or deployment process.
Filter/Exclusion: Exclude processes with parent process names like jenkins.exe, gitlab-runner, or azure-pipelines and associated job IDs, restricted to the pipeline's known repository and artifact hosts.
Scenario: A network monitoring tool (e.g., Wireshark, tcpdump, or Microsoft Network Monitor) is capturing or analyzing HTTP traffic for analysis or troubleshooting.
Filter/Exclusion: Exclude processes with names like wireshark.exe, tcpdump, or nmm.exe and associated monitoring sessions. Capture tools observe traffic rather than originate it, so they should rarely produce outbound HTTP connection events; if they do, confirm the binary runs from its installed path before excluding it, because a renamed implant can carry the same name.
Scenario: A remote management tool (e.g., Microsoft Remote Desktop, TeamViewer, or AnyDesk) is establishing a connection to a remote system, which may involve HTTP-based communication for session management.
Filter/Exclusion: Exclude processes with names like mstsc.exe, teamviewer, or anydesk and associated connection sessions, limited to the vendor's known session-management endpoints and to binaries in their standard install locations.
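The following is an added example (not code from the original page) that runs the hunt over constructed process-network events and applies the five exclusion scenarios above twice: once as literally written (name and command-line substring checks) and once in the hardened form that never suppresses a known-malicious destination and pins each exclusion to the binary path and approved destination. The field names loosely mirror Sentinel network-event rows but are an assumption, and every domain, path and command line is invented.

```python
"""Hunt for HTTP connections to known malicious domains and compare a naive
reading of the exclusion scenarios with a hardened one.

Added example, not from the original page. Event shape, domains, paths and
command lines are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed threat-intel list (assumption, not a real feed).
MALICIOUS_DOMAINS = {"update-cdn.example.net"}

# Destinations the benign scenarios legitimately contact (assumption).
APPROVED_DESTINATIONS = {"artifacts.corp.example", "patch.corp.example"}

# Names taken from the exclusion scenarios above.
EXCLUDED_PROCESSES = {"wireshark.exe", "tcpdump", "nmm.exe",
                      "mstsc.exe", "teamviewer", "anydesk"}
EXCLUDED_PARENTS = {"jenkins.exe", "gitlab-runner", "azure-pipelines",
                    "schtasks.exe", "cron"}

# Install prefixes treated as trusted for the hardened check (assumption).
TRUSTED_PATH_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\",
                         "/usr/bin/")


@dataclass
class NetEvent:
    process: str       # image file name
    image_path: str    # full path the process ran from
    command_line: str
    parent: str        # parent process image name
    remote_host: str   # destination host of the HTTP connection


def is_excluded_naive(e: NetEvent) -> bool:
    """Literal reading of the scenarios: name/substring checks, no destination check."""
    cmd = e.command_line.lower()
    if e.process == "powershell.exe" and ("system" in cmd or "diagnostic" in cmd):
        return True
    return e.parent in EXCLUDED_PARENTS or e.process in EXCLUDED_PROCESSES


def is_excluded_hardened(e: NetEvent) -> bool:
    """Never exclude a hit on a malicious domain; otherwise require an approved
    destination plus a trusted install path before honoring any scenario."""
    if e.remote_host in MALICIOUS_DOMAINS:
        return False
    if e.remote_host not in APPROVED_DESTINATIONS:
        return False
    trusted_path = e.image_path.lower().startswith(TRUSTED_PATH_PREFIXES)
    scenario_fits = (e.process in EXCLUDED_PROCESSES
                     or e.parent in EXCLUDED_PARENTS
                     or e.process == "powershell.exe")
    return trusted_path and scenario_fits


def hunt(events, excluded):
    """Events that reach a malicious domain and survive the given exclusion."""
    return [e for e in events
            if e.remote_host in MALICIOUS_DOMAINS and not excluded(e)]


# Constructed events (not real telemetry).
EVENTS = [
    # Benign: admin diagnostic script talking to an approved patch server.
    NetEvent("powershell.exe",
             r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
             "powershell.exe -File system-diagnostic.ps1",
             "explorer.exe", "patch.corp.example"),
    # Benign: CI runner fetching an artifact.
    NetEvent("curl", "/usr/bin/curl",
             "curl https://artifacts.corp.example/pkg.tgz",
             "gitlab-runner", "artifacts.corp.example"),
    # Malicious: beacon that hides behind the word "system" in its command line.
    NetEvent("powershell.exe",
             r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
             'powershell.exe -nop -w hidden -c "# system check"',
             "winword.exe", "update-cdn.example.net"),
    # Malicious: implant renamed to an excluded tool name, run from a user path.
    NetEvent("anydesk", r"C:\Users\Public\anydesk", "anydesk",
             "explorer.exe", "update-cdn.example.net"),
]

if __name__ == "__main__":
    print("naive   :", [e.command_line for e in hunt(EVENTS, is_excluded_naive)])
    print("hardened:", [e.command_line for e in hunt(EVENTS, is_excluded_hardened)])
```

With the naive exclusions both malicious events disappear from the hunt results, one because its command line contains "system" and the other because its self-chosen name is on the tool list. The hardened version still suppresses the two benign events but surfaces both beacons, because the destination check runs before any exclusion is considered.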