The hypothesis is that the detected activity may indicate an adversary attempting to exfiltrate data or establish a foothold by leveraging a compromised or malicious domain. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential early-stage compromises and prevent further lateral movement or data loss.
YARA Rule
rule zhmimikatz
{
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $s1 = "MimikatzRunner"
        $s2 = "zhmimikatz"
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
Scenario: A system administrator is using PowerShell to automate the deployment of a software update via a scheduled task.
Filter/Exclusion: Exclude events where the process is powershell.exe and the command line includes Invoke-Command or Start-Process with known update deployment scripts.
Scenario: A SQL Server Agent Job is executing a script that temporarily accesses a URL for licensing validation.
Filter/Exclusion: Exclude events where the process is sqlagent.exe and the URL matches a known licensing validation endpoint (e.g., https://license.example.com/validate).
Scenario: A Windows Task Scheduler job is configured to fetch a configuration file from an internal HTTP server.
Filter/Exclusion: Exclude events where the process is schtasks.exe and the URL is within the internal domain (e.g., http://configserver.internal.com/).
Scenario: A CI/CD pipeline (e.g., Jenkins or GitLab CI) is pulling code from a remote repository using HTTP.
Filter/Exclusion: Exclude events where the process is java.exe (for Jenkins) or git and the URL is a known repository endpoint (e.g., https://gitlab.example.com/api/v4/projects/).
Scenario: A remote desktop session is being used to access a server, and the user is browsing to a legitimate website.
Filter/Exclusion: Exclude events where the process is iexplore.exe or chrome.exe and the URL is a known corporate or public website (e.g., https://www.google.com, https://intranet.example.com).
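As an added example (not code from the original page), the Python below applies the five exclusions above to constructed process/URL events and returns only the events an analyst still needs to look at. The event field names (process, cmdline, url) and the allow-list contents are assumptions; map them onto your own Sentinel schema and known-good endpoints. It also shows why each exclusion should match the exact host rather than a substring, so a lookalike domain does not slip through.

```python
from urllib.parse import urlparse

# Constructed allow-lists standing in for the "known" endpoints in the text.
UPDATE_SCRIPTS = {"Deploy-Update.ps1"}
LICENSE_ENDPOINTS = {"license.example.com"}
INTERNAL_SUFFIX = ".internal.com"
REPO_ENDPOINTS = {"gitlab.example.com"}
KNOWN_SITES = {"www.google.com", "intranet.example.com"}
BROWSERS = {"iexplore.exe", "chrome.exe"}

def host_of(url):
    # Exact hostname, lower-cased; empty string when the event has no URL.
    return (urlparse(url).hostname or "").lower()

def is_excluded(ev):
    """True when the event matches one of the documented benign scenarios."""
    proc = ev.get("process", "").lower()
    cmd = ev.get("cmdline", "")
    host = host_of(ev.get("url", ""))
    if proc == "powershell.exe":  # scheduled update deployment
        return any(k in cmd for k in ("Invoke-Command", "Start-Process")) \
            and any(s in cmd for s in UPDATE_SCRIPTS)
    if proc == "sqlagent.exe":  # licensing validation endpoint only
        return host in LICENSE_ENDPOINTS
    if proc == "schtasks.exe":  # internal config server
        return host.endswith(INTERNAL_SUFFIX)
    if proc in ("java.exe", "git", "git.exe"):  # CI/CD repository pull
        return host in REPO_ENDPOINTS
    if proc in BROWSERS:  # browsing from an RDP session
        return host in KNOWN_SITES
    return False

def hunt(events):
    """Return the events that survive the exclusions, i.e. hunting leads."""
    return [ev for ev in events if not is_excluded(ev)]

# Constructed sample events: four benign, two that should surface as leads.
SAMPLE_EVENTS = [
    {"process": "powershell.exe", "cmdline": "Start-Process .\\Deploy-Update.ps1", "url": ""},
    {"process": "sqlagent.exe", "cmdline": "", "url": "https://license.example.com/validate"},
    {"process": "schtasks.exe", "cmdline": "", "url": "http://configserver.internal.com/app.cfg"},
    {"process": "chrome.exe", "cmdline": "", "url": "https://www.google.com/"},
    {"process": "powershell.exe", "cmdline": "Invoke-Command -ScriptBlock { ... }", "url": "http://unknown.example.test/run"},
    {"process": "sqlagent.exe", "cmdline": "", "url": "https://license.example.com.evil.test/validate"},
]

if __name__ == "__main__":
    for lead in hunt(SAMPLE_EVENTS):
        print(lead["process"], lead["url"])
```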