Home/Pioneer Kitten/YARA rules
YARA

YARA rules for Pioneer Kitten

51 rules · scoped to actor · back to Pioneer Kitten
YARA rules whose family, name, or description matches this actor or its tooling. Use these for binary-pattern hunts.

YARA rules

1 of 51
direct ASPX
WEBSHELL_ASPX_ProxyShell_Aug15
Webshells iisstart.aspx and Logout.aspx
author Moritz Oettle license see source repo
view YARA rule 
rule WEBSHELL_ASPX_ProxyShell_Aug15 {
   meta:
      description = "Webshells iisstart.aspx and Logout.aspx"
      author = "Moritz Oettle"
      reference = "https://github.com/hvs-consulting/ioc_signatures/tree/main/Proxyshell"
      date = "2021-09-04"
      modified = "2025-11-03"
      score = 75
      id = "b1e6c0f3-787f-59b8-8123-4045522047ca"
   strings:
      $g1 = "language=\"JScript\"" ascii
      $g2 = "function getErrorWord" ascii
      $g3 = "errorWord" ascii
      $g4 = "Response.Redirect" ascii
      $g5 = "function Page_Load" ascii
      $g6 = "runat=\"server\"" ascii
      $g7 = "Request[" ascii
      $g8 = "eval/*" ascii

      $s1 = "AppcacheVer" ascii  /* HTTP Request Parameter */
      //$s2 = "clientCode" ascii /* HTTP Request Parameter */
      $s3 = "LaTkWfI64XeDAXZS6pU1KrsvLAcGH7AZOQXjrFkT816RnFYJQR" ascii

      $fp1 = "<input type=\"submit\" Value=\"Refresh This Page\""
   condition:
      filesize < 1KB
      and (
         1 of ($s*)
         or 4 of ($g*)
      )
      and not 1 of ($fp*)
}
Showing 51-51 of 51
Prev 2 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin