The hypothesis is that the detected activity may indicate an adversary attempting to exfiltrate data or establish a covert communication channel through a malicious domain associated with the tooling described in Cylance's Operation Cleaver ("OP Cleaver") report. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify advanced persistent threats that rely on domain-based command-and-control.
YARA Rule
rule wndTest
{
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        // "wide" matches only the UTF-16LE encoding of the string
        $s1 = "[Alt]" wide
        $s2 = "<< %s >>:" wide
        // no modifier: matches only the plain ASCII form
        $s3 = "Content-Disposition: inline; comp=%s; account=%s; product=%d;"
    condition:
        // every one of $s1, $s2 and $s3 must be present for the rule to fire
        all of them
}
This rule contains three string patterns ($s1, $s2, $s3) in its detection logic, and its condition requires all three to be present in the scanned file or memory region. The scenarios below describe benign activity that can resemble the hunted behaviour, each with a suggested filter or exclusion for the Sentinel hunt:
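To make the rule's matching semantics concrete, here is an added pure-Python re-implementation of its three strings and its "all of them" condition; this is example code written for this page, not Cylance's rule or a yara-python call. The two sample buffers are constructed for the example and are not real samples. It demonstrates the point that trips up most hand-ports of YARA rules into other tools: a string marked wide matches only its UTF-16LE encoding, so the same text stored as ASCII does not satisfy $s1 or $s2.

```python
"""Pure-Python re-implementation of the wndTest YARA rule's matching logic (added example)."""

# Strings from the rule: (text, wide). "wide" means YARA matches the UTF-16LE
# encoding of the text; no modifier means plain ASCII bytes only.
RULE_STRINGS = {
    "$s1": ("[Alt]", True),
    "$s2": ("<< %s >>:", True),
    "$s3": ("Content-Disposition: inline; comp=%s; account=%s; product=%d;", False),
}


def encode_pattern(text, wide):
    """Turn a YARA text string into the byte pattern YARA actually searches for."""
    return text.encode("utf-16-le") if wide else text.encode("ascii")


def all_offsets(data, pattern):
    """Every offset at which pattern occurs in data (overlaps included)."""
    offsets, i = [], data.find(pattern)
    while i != -1:
        offsets.append(i)
        i = data.find(pattern, i + 1)
    return offsets


def find_strings(data):
    """Return {identifier: [offsets]} for every rule string found in data."""
    hits = {}
    for ident, (text, wide) in RULE_STRINGS.items():
        offsets = all_offsets(data, encode_pattern(text, wide))
        if offsets:
            hits[ident] = offsets
    return hits


def wndtest_matches(data):
    """Evaluate the rule condition 'all of them'."""
    return len(find_strings(data)) == len(RULE_STRINGS)


# Constructed buffer that satisfies the rule: $s1 and $s2 stored as UTF-16LE,
# $s3 stored as ASCII, separated by padding.
SAMPLE_MATCH = (
    b"\x00" * 16
    + "[Alt]".encode("utf-16-le")          # offset 16, 10 bytes
    + b"\x00" * 8
    + "<< %s >>:".encode("utf-16-le")      # offset 34, 18 bytes
    + b"\x00" * 8
    + b"Content-Disposition: inline; comp=%s; account=%s; product=%d;"  # offset 60
    + b"\x00" * 16
)

# Constructed buffer with the same three texts, but $s1 and $s2 as ASCII.
# Only $s3 is found, so the rule does NOT fire.
SAMPLE_ASCII_ONLY = (
    b"[Alt]"
    + b"<< %s >>:"
    + b"Content-Disposition: inline; comp=%s; account=%s; product=%d;"
)

if __name__ == "__main__":
    print(find_strings(SAMPLE_MATCH))
    print("match:", wndtest_matches(SAMPLE_MATCH))
    print("ascii-only match:", wndtest_matches(SAMPLE_ASCII_ONLY))
```

When porting the rule into a SIEM string search or an EDR custom IoC, carry the encoding distinction across explicitly (search for the UTF-16LE byte form of $s1 and $s2), otherwise the port will either miss the intended artefacts or match unrelated ASCII text.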
Scenario: A system administrator is using PowerShell to perform a scheduled maintenance task that involves downloading a script from a trusted internal repository.
Filter/Exclusion: Exclude events where the source IP is from the internal network and the process is powershell.exe with a known maintenance script path.
Scenario: A SQL Server Agent Job is configured to run a script that connects to a remote database using HTTP for data synchronization.
Filter/Exclusion: Exclude events where the process is sqlservr.exe and the destination URL matches a known internal database sync endpoint.
Scenario: A Windows Update task is initiated via Task Scheduler that temporarily connects to Microsoft’s update servers.
Filter/Exclusion: Exclude events where the process is schtasks.exe and the URL contains windowsupdate.microsoft.com.
Scenario: A CI/CD pipeline (e.g., Jenkins or GitLab CI) is executing a build step that fetches dependencies from a public HTTP repository.
Filter/Exclusion: Exclude events where the process is java.exe (for Jenkins) or gitlab-runner and the URL is from a known public package source.
Scenario: A network monitoring tool (e.g., Wireshark or tcpdump) is capturing and analyzing HTTP traffic for diagnostic purposes.
Filter/Exclusion: Exclude events where the process is wireshark.exe or tcpdump and the traffic originates from a known, approved monitoring host.
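The five exclusions above are easiest to maintain, and to review, when they are expressed as data rather than scattered across a query. The following added example (written for this page, not part of the original or of any Sentinel content) encodes them as a tuning allowlist and applies it to a handful of constructed hunting events. The event field names (process, src_ip, url, script_path, host), the internal network ranges, and every hostname and path in the allowlists are assumptions chosen for the example; a real deployment would take them from the organisation's inventory.

```python
"""Apply the page's benign-activity exclusions to hunting events (added example)."""
import ipaddress
from urllib.parse import urlsplit

# --- Tuning data (all values are assumptions for this example) ---------------
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
MAINTENANCE_SCRIPTS = {r"\\fileserver\scripts\nightly-maint.ps1"}   # known maintenance script paths
INTERNAL_DB_SYNC_HOSTS = {"dbsync.corp.example"}                     # known internal DB sync endpoint
PUBLIC_PACKAGE_HOSTS = {"repo.maven.apache.org", "registry.npmjs.org"}
MONITORING_HOSTS = {"netmon01.corp.example"}                         # approved hosts running Wireshark/tcpdump


def is_internal(ip):
    """True if ip parses and falls inside one of the internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def host_of(url):
    """Hostname part of a URL, lower-cased; empty string if absent."""
    return (urlsplit(url).hostname or "").lower()


def exclusion_reason(ev):
    """Return the matching scenario name if ev is benign per the exclusions, else None."""
    proc = ev.get("process", "").lower()
    host = host_of(ev.get("url", ""))
    if (proc == "powershell.exe" and is_internal(ev.get("src_ip", ""))
            and ev.get("script_path") in MAINTENANCE_SCRIPTS):
        return "scheduled maintenance script"
    if proc == "sqlservr.exe" and host in INTERNAL_DB_SYNC_HOSTS:
        return "SQL Server Agent data sync"
    # The page says "URL contains windowsupdate.microsoft.com"; checking the
    # hostname rather than the whole URL stops a path or query component from
    # satisfying the exclusion.
    if proc == "schtasks.exe" and host.endswith("windowsupdate.microsoft.com"):
        return "Windows Update via Task Scheduler"
    if proc in {"java.exe", "gitlab-runner"} and host in PUBLIC_PACKAGE_HOSTS:
        return "CI/CD dependency fetch"
    if proc in {"wireshark.exe", "tcpdump"} and ev.get("host") in MONITORING_HOSTS:
        return "network diagnostics"
    return None


def triage(events):
    """Split events into (kept, excluded); excluded events carry their reason."""
    kept, excluded = [], []
    for ev in events:
        reason = exclusion_reason(ev)
        (excluded if reason else kept).append({**ev, "excluded_by": reason})
    return kept, excluded


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "process": "powershell.exe", "src_ip": "10.1.2.3",
     "script_path": r"\\fileserver\scripts\nightly-maint.ps1",
     "url": "http://repo.corp.example/nightly-maint.ps1"},
    {"host": "ws02", "process": "powershell.exe", "src_ip": "10.1.2.4",
     "script_path": r"C:\Users\Public\x.ps1",
     "url": "http://placeholder-c2.example/beacon"},
    {"host": "srv01", "process": "schtasks.exe", "src_ip": "10.2.0.9",
     "url": "http://download.windowsupdate.microsoft.com/update.cab"},
    {"host": "srv02", "process": "schtasks.exe", "src_ip": "10.2.0.10",
     "url": "http://placeholder-c2.example/windowsupdate.microsoft.com/"},
    {"host": "netmon01.corp.example", "process": "tcpdump", "src_ip": "192.168.5.5",
     "url": ""},
]

if __name__ == "__main__":
    kept, excluded = triage(SAMPLE_EVENTS)
    for ev in excluded:
        print("excluded:", ev["host"], ev["process"], "->", ev["excluded_by"])
    for ev in kept:
        print("KEEP:    ", ev["host"], ev["process"], ev.get("url"))
```

Two of the constructed events survive triage: the PowerShell run from an internal address whose script path is not on the maintenance allowlist, and the schtasks.exe event whose URL merely contains the update hostname in its path. Each exclusion is anchored on something beyond the process name (script path, destination host, source host), because a process name on its own is the weakest part of any allowlist.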