The hypothesis is that the detected activity may indicate an adversary attempting to exfiltrate data or establish a foothold through a malicious domain associated with the tool tracked by Cylance under Operation Cleaver (OP Cleaver). SOC teams should proactively hunt for this behavior in Azure Sentinel to identify a potential compromise early, especially since the rule's low severity rating may mask a more sophisticated attack.
YARA Rule

    rule Zh0uSh311
    {
        meta:
            author = "Cylance"
            date = "2014-12-02"
            description = "http://cylance.com/opcleaver"
        strings:
            $s1 = "Zh0uSh311"
        condition:
            all of them
    }
This rule contains 1 string pattern in its detection logic. When the YARA rule is deployed, the following benign scenarios can produce noise; each is listed with the exclusion filter that suppresses it:
Scenario: A system administrator is using Cylance Protect to scan a system for malware.
    Filter/Exclusion: process.name != "cylance.exe"

Scenario: A scheduled job runs PowerShell scripts to automate system maintenance tasks.
    Filter/Exclusion: process.name != "powershell.exe" OR process.args NOT LIKE '%-Command%'

Scenario: A Windows Update task is initiated via Task Scheduler to install critical patches.
    Filter/Exclusion: process.name != "schtasks.exe" OR process.args NOT LIKE '%/create%'

Scenario: A backup tool like Veeam Backup & Replication is performing a scheduled backup.
    Filter/Exclusion: process.name != "veeam.exe" OR process.args NOT LIKE '%backup%'

Scenario: An IT admin is using Sysinternals Process Explorer to investigate a suspicious process.
    Filter/Exclusion: process.name != "procexp.exe" OR process.args NOT LIKE '%-enable%'
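To check how these exclusions behave before wiring them into a hunt, here is an added Python example (not from the page or from Cylance) that evaluates the five filters above over constructed process events. It assumes SQL LIKE semantics with case-insensitive matching and that an event is suppressed as soon as any one filter excludes it.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation event: image name and command-line arguments."""
    name: str
    args: str


# The page's exclusion filters as (process name, LIKE pattern); None means
# the process is excluded regardless of its arguments (the cylance.exe case).
EXCLUSIONS = [
    ("cylance.exe", None),
    ("powershell.exe", "%-Command%"),
    ("schtasks.exe", "%/create%"),
    ("veeam.exe", "%backup%"),
    ("procexp.exe", "%-enable%"),
]


def like(value: str, pattern: str) -> bool:
    """SQL LIKE: '%' matches any run, '_' one char; case-insensitive (assumption)."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def passes_filter(event: ProcessEvent, name: str, pattern) -> bool:
    """Evaluate `process.name != name OR process.args NOT LIKE pattern`.

    True means the event survives this filter and is still a candidate for review.
    """
    if event.name.lower() != name:
        return True
    if pattern is None:
        return False
    return not like(event.args, pattern)


def triage(events):
    """Return the events that survive every exclusion and therefore reach an analyst."""
    return [e for e in events if all(passes_filter(e, n, p) for n, p in EXCLUSIONS)]


# Constructed sample events for demonstration; not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("powershell.exe", "-Command Get-Service"),      # maintenance job, excluded
    ProcessEvent("powershell.exe", r"-File C:\maint\cleanup.ps1"),  # no '-Command', kept
    ProcessEvent("schtasks.exe", "/create /tn Update /tr update.exe"),  # excluded
    ProcessEvent("schtasks.exe", "/query"),                      # kept
    ProcessEvent("cylance.exe", ""),                             # excluded for any args
    ProcessEvent("notepad.exe", r"C:\temp\Zh0uSh311.txt"),       # kept
]
```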