The hypothesis is that the detected activity may indicate an adversary attempting to exfiltrate data or establish a foothold through a suspicious HTTP connection associated with a tool documented in Cylance's Operation Cleaver report (the SynFlooder rule below). SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential early-stage compromises and reduce the risk of lateral movement.
YARA Rule
rule SynFlooder
{
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $s1 = "Unable to resolve [ %s ]. ErrorCode %d"
        $s2 = "your target's IP is : %s"
        $s3 = "Raw TCP Socket Created successfully."
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains three string patterns ($s1, $s2, $s3) in its detection logic; its condition, all of them, requires every one of the three to be present in the scanned file before the rule fires, so a file carrying only one or two of the strings does not match.
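As an added example (not code from Cylance or from the original page), the following Python re-implements the rule's string matching and "all of them" condition without the yara library, so the match logic can be stepped through on constructed sample buffers; it also handles "any of them" and "N of them", which the page's rule does not use. The sample files are constructed stand-ins, not real binaries, and production scanning should use YARA itself.

```python
import re

# The SynFlooder rule exactly as printed on the page, embedded so this runs offline.
RULE_TEXT = r'''
rule SynFlooder
{
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $s1 = "Unable to resolve [ %s ]. ErrorCode %d"
        $s2 = "your target's IP is : %s"
        $s3 = "Raw TCP Socket Created successfully."
    condition:
        all of them
}
'''
STRING_RE = re.compile(r'^\s*(\$\w+)\s*=\s*"((?:[^"\\]|\\.)*)"', re.M)

def unescape(s):
    """Resolve the escapes YARA allows in text strings: \\\\ \\" \\n \\t \\xNN."""
    table = {'\\': '\\', '"': '"', 'n': '\n', 't': '\t'}
    return re.sub(r'\\(x[0-9A-Fa-f]{2}|.)', lambda m: chr(int(m.group(1)[1:], 16))
                  if len(m.group(1)) == 3 else table.get(m.group(1), m.group(1)), s)

def parse_rule(text):
    """Pull name, text strings and condition out of one simple YARA rule
    (plain text strings and all/any/N-of-them conditions only)."""
    name = re.search(r'^\s*rule\s+(\w+)', text, re.M).group(1)
    strings_src, cond_src = text.split('strings:', 1)[1].split('condition:', 1)
    strings = {ident: unescape(val).encode() for ident, val in STRING_RE.findall(strings_src)}
    return {'name': name, 'strings': strings, 'condition': cond_src.split('}', 1)[0].strip()}

def evaluate(rule, data):
    """Return (matched, per-string hits) for a byte buffer, mirroring YARA's
    'all of them' / 'any of them' / 'N of them' semantics."""
    hits = {ident: data.find(s) != -1 for ident, s in rule['strings'].items()}
    m = re.fullmatch(r'(all|any|\d+)\s+of\s+them', rule['condition'])
    if not m:
        raise ValueError('unsupported condition: ' + rule['condition'])
    q = m.group(1)
    needed = len(hits) if q == 'all' else 1 if q == 'any' else int(q)
    return sum(hits.values()) >= needed, hits

# Constructed sample buffers standing in for files collected from a host (not real malware).
SAMPLES = {
    'tool.exe': b'MZ\x90\x00' + b'Unable to resolve [ %s ]. ErrorCode %d\x00'
                b"your target's IP is : %s\x00" b'Raw TCP Socket Created successfully.\x00',
    # A benign utility sharing two of the three strings: must not fire under 'all of them'.
    'nettool.exe': b'MZ\x90\x00' + b'Unable to resolve [ %s ]. ErrorCode %d\x00'
                   b'Raw TCP Socket Created successfully.\x00',
    'notes.txt': b'nothing of interest here',
}

def scan_samples(rule_text=RULE_TEXT, samples=SAMPLES):
    """Map each sample name to (matched, hits) for the parsed rule."""
    rule = parse_rule(rule_text)
    return {name: evaluate(rule, data) for name, data in samples.items()}

if __name__ == '__main__':
    for name, (matched, hits) in scan_samples().items():
        print(f"{name}: {'MATCH' if matched else 'no match'} {hits}")
```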
Scenario: A system administrator is using PowerShell to automate the deployment of a software update via a scheduled task.
Filter/Exclusion: Exclude events where the process is powershell.exe and the command line includes Invoke-Command or Start-Process with known update deployment scripts.
Scenario: A SQL Server Agent Job is executing a script that makes HTTP requests to a remote API for data synchronization.
Filter/Exclusion: Exclude events where the process is sqlagent.exe and the URL matches a known internal API endpoint used for data synchronization.
Scenario: A Windows Task Scheduler job is running a legitimate script that uses curl or wget to fetch configuration files from a secure internal server.
Filter/Exclusion: Exclude events where the process is schtasks.exe and the URL is within a predefined list of internal servers used for configuration management.
Scenario: A Docker container is running a service that communicates with an external service for logging or monitoring purposes.
Filter/Exclusion: Exclude events where the process is docker or containerd and the URL is associated with a known monitoring or logging service.
Scenario: A CI/CD pipeline (e.g., Jenkins, GitLab CI) is making HTTP requests to a third-party API to fetch dependencies or build artifacts.
Filter/Exclusion: Exclude events where the process is java (for Jenkins) or gitlab-runner and the URL matches known CI/CD API endpoints.