The hypothesis is that the detected activity may indicate an adversary attempting to exfiltrate data or establish a foothold by leveraging a compromised or malicious Cylance component. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or data exfiltration tactics that may not be captured by traditional detection methods.
YARA Rule
rule zhLookUp
{
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $s1 = "zhLookUp.Properties"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains one string pattern in its detection logic.
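To show what the rule above actually matches, here is a small added evaluator (illustration code, not Cylance's tooling and not the yara library itself) that applies the rule's single plain text string and its "all of them" condition to constructed byte buffers. YARA text strings without modifiers match as case-sensitive ASCII bytes, so a UTF-16 copy of the identifier is deliberately shown not to match; the "any of them" branch and the sample buffers are assumptions added for illustration.

```python
"""Minimal matcher mirroring the zhLookUp rule's plain-string semantics."""

# Strings and condition transcribed from the rule on the page.
RULE = {
    "name": "zhLookUp",
    "strings": {"$s1": b"zhLookUp.Properties"},
    "condition": "all of them",
}


def find_all(pattern: bytes, data: bytes) -> list:
    """Return every offset of pattern in data, overlapping hits included
    (YARA reports overlapping occurrences as separate matches)."""
    offsets, pos = [], data.find(pattern)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(pattern, pos + 1)
    return offsets


def evaluate(rule: dict, data: bytes) -> dict:
    """Scan data for each rule string and apply the rule's condition.
    Only 'all of them' and 'any of them' are supported (assumption)."""
    hits = {sid: find_all(pat, data) for sid, pat in rule["strings"].items()}
    matched = [sid for sid, offs in hits.items() if offs]
    if rule["condition"] == "all of them":
        ok = len(matched) == len(rule["strings"])
    elif rule["condition"] == "any of them":
        ok = bool(matched)
    else:
        raise ValueError(f"unsupported condition: {rule['condition']}")
    return {"rule": rule["name"], "matched": ok, "offsets": hits}


# Constructed sample buffers (not real malware samples). The first mimics a
# .NET metadata blob where the type name is stored as ASCII; the second holds
# the same identifier UTF-16LE encoded, which this rule does NOT match because
# $s1 carries no "wide" modifier.
SAMPLE_ASCII = b"MZ\x00\x00" + b"zhLookUp.Properties.Resources\x00"
SAMPLE_WIDE = b"MZ\x00\x00" + "zhLookUp.Properties".encode("utf-16-le")

if __name__ == "__main__":
    for label, buf in (("ascii", SAMPLE_ASCII), ("utf-16le", SAMPLE_WIDE)):
        print(label, evaluate(RULE, buf))
```

If a defender needs to catch UTF-16 occurrences as well, the rule string would need the `wide` (or `ascii wide`) modifier; as written, it is ASCII only.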
Scenario: A system administrator is using PowerShell to perform a scheduled system cleanup task that involves downloading a file from a known internal server.
Filter/Exclusion: Exclude events where the source IP is from the internal network and the command line includes powershell.exe with a known cleanup script path.

Scenario: A SQL Server Agent Job is configured to run a maintenance task that requires downloading a script from a secure internal repository.
Filter/Exclusion: Exclude events where the URL matches internal repository patterns (e.g., https://internal-repo.example.com/*) and the process is associated with sqlservr.exe.

Scenario: A Windows Update task is initiated via Task Scheduler to download and install updates from Microsoft’s public servers.
Filter/Exclusion: Exclude events where the URL starts with https://download.microsoft.com/ and the process is associated with schtasks.exe.

Scenario: A CI/CD pipeline (e.g., Jenkins) is pulling code from a private Git repository as part of a deployment process.
Filter/Exclusion: Exclude events where the URL matches the internal Git repository URL and the process is associated with java.exe (or the specific Jenkins agent process).

Scenario: A backup tool like Veeam is transferring data to an external backup server, which involves HTTP communication for metadata.
Filter/Exclusion: Exclude events where the destination IP is the backup server’s IP and the process is associated with veeam.exe or the backup service name.