The hypothesis is that the detection rule identifies potential reconnaissance or credential extraction activity associated with the Grozlex Stealer, which may indicate an adversary attempting to exfiltrate sensitive data from compromised systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise by adversaries leveraging this stealer variant.
YARA Rule
rule Grozlex : Stealer
{
    meta:
        author = "Kevin Falcoz"
        date = "20/08/2013"
        description = "Grozlex Stealer - Possible HCStealer"

    strings:
        $signature = {4C 00 6F 00 67 00 73 00 20 00 61 00 74 00 74 00 61 00 63 00 68 00 65 00 64 00 20 00 62 00 79 00 20 00 69 00 43 00 6F 00 7A 00 65 00 6E}

    condition:
        $signature
}
This YARA rule can be deployed in the following contexts:
This rule contains a single string pattern ($signature, a hex byte sequence) in its detection logic; the rule fires whenever that byte sequence appears anywhere in the scanned file or memory region.
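The hex pattern in $signature is opaque at a glance, so the following added example (written for this page, not part of Kevin Falcoz's rule or any project code) decodes it and reimplements the rule's one-string condition in pure Python so an analyst can check what the rule actually matches without a YARA install. The hex bytes are copied from the rule; the sample buffers are constructed here and the helper names are assumptions. Note that the pattern is the UTF-16LE encoding of the string minus the final null byte (45 bytes), so the YARA shorthand `$signature = "Logs attached by iCozen" wide` would be slightly stricter (46 bytes, trailing null required); the original hex form is reproduced below exactly.

```python
# Added example: decode and emulate the Grozlex $signature hex pattern.
# Only the hex string below comes from the page; everything else is assumed.

SIGNATURE_HEX = (
    "4C 00 6F 00 67 00 73 00 20 00 61 00 74 00 74 00 61 00 63 00 68 00 65 00 "
    "64 00 20 00 62 00 79 00 20 00 69 00 43 00 6F 00 7A 00 65 00 6E"
)


def hex_pattern_to_bytes(hex_pattern: str) -> bytes:
    """Convert a plain YARA hex string (no wildcards or jumps) to raw bytes."""
    return bytes(int(tok, 16) for tok in hex_pattern.split())


SIGNATURE = hex_pattern_to_bytes(SIGNATURE_HEX)


def decode_signature(sig: bytes = SIGNATURE) -> str:
    """Render the pattern as text. It is UTF-16LE but stops at 0x6E without the
    last character's trailing 0x00, so pad one null byte before decoding."""
    if len(sig) % 2:
        sig = sig + b"\x00"
    return sig.decode("utf-16-le")


def scan(data: bytes, sig: bytes = SIGNATURE):
    """Emulate the rule's condition ($signature): return the offset of the
    first occurrence, or None when the buffer does not match."""
    idx = data.find(sig)
    return None if idx < 0 else idx


def scan_file(path: str):
    """Apply the same check to a file on disk (whole file read into memory)."""
    with open(path, "rb") as fh:
        return scan(fh.read())


# Constructed sample buffers (not real samples): one embeds the string as a
# wide (UTF-16LE) string, the other as plain ASCII, which the rule ignores.
WIDE_SAMPLE = b"\x00" * 16 + "Logs attached by iCozen".encode("utf-16-le") + b" trailing"
ASCII_SAMPLE = b"header Logs attached by iCozen footer"

if __name__ == "__main__":
    print("decoded signature:", decode_signature())
    print("wide sample hit at offset:", scan(WIDE_SAMPLE))
    print("ascii sample hit:", scan(ASCII_SAMPLE))
```

Because the match is wide-only, an ASCII copy of the same text (for example in a dropped log or a script) will not trigger the rule; if that coverage is wanted, a second string with the `ascii` modifier would be needed in the YARA source.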
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task (e.g., schtasks.exe) is configured to run at scheduled intervals, which may trigger the rule due to similar process creation patterns.
Filter/Exclusion: Exclude processes initiated by schtasks.exe with known maintenance scripts or tasks (e.g., C:\Windows\System32\sched\tasks\maintenance_task.bat).
Scenario: Admin PowerShell Script Execution
Description: An administrator runs a PowerShell script (e.g., powershell.exe -Command "Get-EventLog") that may be flagged due to command-line arguments resembling malicious activity.
Filter/Exclusion: Exclude processes where the command line contains powershell.exe and the script path is within a trusted admin directory (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\).
Scenario: Database Backup Job Execution
Description: A database backup job (e.g., sqlbackup.exe) is executed by a service account, which may be misidentified as suspicious behavior.
Filter/Exclusion: Exclude processes initiated by the SQL Server service account (e.g., NT SERVICE\SQLSERVER) and associated with backup directories (e.g., C:\Program Files\Microsoft SQL Server\).
Scenario: Antivirus Quarantine Scan
Description: An antivirus tool (e.g., avgscan.exe) performs a quarantine scan and creates temporary files that may trigger the rule.
Filter/Exclusion: Exclude processes associated with known antivirus tools (e.g., avgscan.exe, mcafee.exe) and their temporary directories (e.g., C:\Windows\Temp\av_quarantine\).
Scenario: Remote Desktop Session Initialization
Description: A remote desktop session (