The hypothesis is that the detected activity may indicate an adversary attempting to exfiltrate data or establish a foothold through a suspicious HTTP request associated with the Cylance Operation Cleaver report. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential early-stage compromise or data exfiltration attempts that traditional detection methods may miss.
YARA Rule
rule ZhoupinExploitCrew
{
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $s1 = "zhoupin exploit crew" nocase
        $s2 = "zhopin exploit crew" nocase
    condition:
        1 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains two string patterns ($s1 and $s2, both case-insensitive) in its detection logic; its condition, 1 of them, fires when either string is found.
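To show what the rule's two nocase strings and its "1 of them" condition actually do on a buffer, here is an added Python example (not from the page or from Cylance) that emulates the rule logic in pure Python and, if yara-python happens to be installed, cross-checks the page's rule text against the same data. The sample buffers are constructed for this example.

```python
import re

# Rule source copied from the page, used only for the optional yara-python cross-check.
RULE_SOURCE = r'''
rule ZhoupinExploitCrew
{
    meta:
        author = "Cylance"
        date = "2014-12-02"
        description = "http://cylance.com/opcleaver"
    strings:
        $s1 = "zhoupin exploit crew" nocase
        $s2 = "zhopin exploit crew" nocase
    condition:
        1 of them
}
'''

# The rule's string patterns. YARA's "nocase" is ASCII case-insensitive,
# which re.IGNORECASE on bytes patterns reproduces.
PATTERNS = {
    "$s1": re.compile(re.escape(b"zhoupin exploit crew"), re.IGNORECASE),
    "$s2": re.compile(re.escape(b"zhopin exploit crew"), re.IGNORECASE),
}


def find_strings(data: bytes) -> list:
    """Return sorted (offset, identifier) pairs for every rule-string occurrence."""
    hits = []
    for ident, pattern in PATTERNS.items():
        for m in pattern.finditer(data):
            hits.append((m.start(), ident))
    return sorted(hits)


def rule_matches(data: bytes) -> bool:
    """Condition '1 of them': the rule fires as soon as any one string is present."""
    return len(find_strings(data)) >= 1


def scan_with_yara(data: bytes):
    """Cross-check with yara-python when available; returns None if it is not installed."""
    try:
        import yara
    except ImportError:
        return None
    rules = yara.compile(source=RULE_SOURCE)
    return any(m.rule == "ZhoupinExploitCrew" for m in rules.match(data=data))


# Constructed samples: a benign HTTP request, and the same request carrying $s1 in mixed case.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.internal\r\n\r\n"
SUSPECT = b"<!-- Zhoupin Exploit Crew -->\n" + BENIGN

if __name__ == "__main__":
    for name, buf in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, rule_matches(buf), find_strings(buf), scan_with_yara(buf))
```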
Scenario: A system administrator is using PowerShell to automate the deployment of a software update via a scheduled task.
Filter/Exclusion: Exclude processes where the command line contains powershell.exe and the script path includes C:\Windows\System32\WindowsPowerShell\v1.0\ or contains keywords like update, deploy, or install.
Scenario: A SQL Server Agent Job is executing a script that temporarily accesses a URL for database backup purposes.
Filter/Exclusion: Exclude processes with the parent process sqlservr.exe and command lines containing sqlcmd, backup, or restore.
Scenario: A Windows Task Scheduler job is configured to run a legitimate script that communicates with an external API for monitoring purposes.
Filter/Exclusion: Exclude processes with the parent process schtasks.exe and command lines containing api, monitor, or check.
Scenario: A Windows Defender scan is initiated, which may temporarily access external URLs for signature updates.
Filter/Exclusion: Exclude processes with the parent process MsMpEng.exe or command lines containing signature, update, or definition.
Scenario: A Docker container is running a service that requires outbound HTTP requests to a known legitimate endpoint for service health checks.
Filter/Exclusion: Exclude processes where the parent process is dockerd.exe and the command line includes --healthcheck or the destination URL is a known internal or trusted endpoint.