Adversaries may use hardcoded strings to identify or communicate with command-and-control (C2) servers, so the presence of such strings on a host is an indicator of possible compromise. SOC teams should proactively hunt for these strings in Azure Sentinel to detect compromise and disrupt C2 communications early.
YARA Rule
rule EzcobStrings : Ezcob Family
{
    meta:
        description = "Ezcob Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-23"
    strings:
        $ = "\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12"
        $ = "\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12"
        $ = "Ezcob" wide ascii
        $ = "l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126"
        $ = "20110113144935"
    condition:
        any of them
}
The following benign scenarios could trigger this YARA rule when it is deployed; each is paired with a suggested filter or exclusion to reduce false positives:
Scenario: A system administrator is running a scheduled backup job that includes the string “ezcob” in the backup script or log file.
Filter/Exclusion: Exclude processes related to backup tools like Veeam, Commvault, or Veritas NetBackup by checking the process name or command line arguments.
Scenario: A developer is using a code linter or formatter tool (e.g., ESLint, Prettier) that contains the string “ezcob” in its configuration or output.
Filter/Exclusion: Exclude processes associated with development tools or IDEs like Visual Studio Code, IntelliJ, or Atom by checking the process name or user context.
Scenario: A system update or patching task (e.g., via Ansible, Chef, or Puppet) includes a script or log that contains the string “ezcob” as part of a placeholder or variable.
Filter/Exclusion: Exclude processes related to configuration management tools by checking the process name or user (e.g., root, sudo, or specific service accounts).
Scenario: A log aggregation tool (e.g., ELK Stack, Splunk, or Graylog) is processing logs that include the string “ezcob” as part of a legitimate log message or metadata.
Filter/Exclusion: Exclude processes related to log management tools by checking the process name or command line arguments (e.g., logstash, splunkd, graylog-server).
Scenario: A user is manually testing a system or running a diagnostic script that contains the string “ezcob” for testing purposes.
Filter/Exclusion: Exclude processes initiated by users with elevated privileges or specific test accounts, or filter by user ID or session context.
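The following is an added example, not part of the original page or Seth Hardy's rule: it decodes the rule's escaped text strings into the raw bytes YARA actually matches (including the wide form of "Ezcob"), scans constructed sample buffers with them, and applies a process-name allowlist built from the Filter/Exclusion suggestions above. The process names and sample buffers are constructed for illustration.

```python
"""Added example: decode the Ezcob YARA strings, scan buffers, apply process exclusions.
The process names and sample data here are constructed, not taken from real telemetry."""
import re

# String literals copied from the rule; "\xNN" is a YARA hex escape for one raw byte.
EZCOB_STRINGS = [
    r"\x12F\x12F\x129\x12E\x12A\x12E\x12B\x12A\x12-\x127\x127\x128\x123\x12",
    r"\x121\x12D\x128\x123\x12B\x122\x12E\x128\x12-\x12B\x122\x123\x12D\x12",
    "Ezcob",  # declared "wide ascii" in the rule, so the UTF-16LE form must match too
    r"l\x12i\x12u\x122\x120\x121\x123\x120\x124\x121\x126",
    "20110113144935",
]

def yara_text_to_bytes(literal: str) -> bytes:
    """Turn a YARA text-string literal with \\xNN escapes into the bytes YARA matches."""
    decoded = re.sub(r"\\x([0-9A-Fa-f]{2})",
                     lambda m: chr(int(m.group(1), 16)), literal)
    return decoded.encode("latin-1")

def strip_separators(pattern: bytes, sep: int = 0x12) -> bytes:
    """Remove the 0x12 filler bytes to reveal the identifier the malware interleaves
    (e.g. the first rule string becomes b'FF9EAEBA-7783')."""
    return bytes(b for b in pattern if b != sep)

def ezcob_patterns() -> list[bytes]:
    """All byte patterns the rule can hit, with the wide variant of "Ezcob" added."""
    patterns = [yara_text_to_bytes(s) for s in EZCOB_STRINGS]
    patterns.append("Ezcob".encode("utf-16-le"))
    return patterns

def scan(buf: bytes) -> list[bytes]:
    """Return the Ezcob patterns present in buf; the rule's condition is 'any of them'."""
    return [p for p in ezcob_patterns() if p in buf]

# Allowlist derived from the page's Filter/Exclusion suggestions (constructed names).
EXCLUDED_PROCESSES = {
    "veeam.backup.service.exe", "cvd", "bpbkar",          # backup tools
    "logstash", "splunkd", "graylog-server",              # log management
    "ansible", "chef-client", "puppet",                   # configuration management
}

def should_alert(hits: list[bytes], process_name: str) -> bool:
    """Alert only when the rule hit and the process is not an allowlisted benign tool."""
    return bool(hits) and process_name.lower() not in EXCLUDED_PROCESSES

if __name__ == "__main__":
    sample = b"...config " + yara_text_to_bytes(EZCOB_STRINGS[0]) + b" end"  # constructed
    print(scan(sample), should_alert(scan(sample), "unknown.exe"))
```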