YARA rules

18,880 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families and attacker tooling through byte patterns, strings, and file metadata. The rules below are aggregated from several open repositories; each entry gives the rule name, its description, its source repository and author, followed by the raw signature.
Using these YARA rules
Deploy. Load them into any YARA-capable scanner: your EDR if it supports YARA, the yara CLI against files or a memory image, VirusTotal Retrohunt, or a host scanner like Loki or THOR.
Adapt. Tighten or loosen the string and condition matches for your false-positive tolerance; a rule written for one campaign can over-match on benign files in a different environment.
Scope. These are for hunting known malware families in files and memory and for triaging samples - not for network traffic or log-based detection, which the IDS and Sigma rules cover.

Rules

50 shown of 18,880
HKTL_CN_Project1
Chinese Hacktool Set - file Project1.exe
source: signature-base · author: Florian Roth (Nextron Systems)
rule HKTL_CN_Project1 {
	meta:
		description = "Chinese Hacktool Set - file Project1.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		modified = "2023-01-06"
		old_rule_name = "Project1"
		hash = "d1a5e3b646a16a7fcccf03759bd0f96480111c96"
		id = "12cc7a82-d7a9-58c6-b283-3bb0df477cd8"
	strings:
		$s1 = "EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'" fullword ascii
		$s2 = "Password.txt" fullword ascii
		$s3 = "LoginPrompt" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 5000KB and all of them
}
HKTL_CN_dat_xpf
Chinese Hacktool Set - file xpf.sys
source: signature-base · author: Florian Roth (Nextron Systems)
rule HKTL_CN_dat_xpf {
	meta:
		description = "Chinese Hacktool Set - file xpf.sys"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		modified = "2023-01-06"
		old_rule_name = "dat_xpf"
		hash = "761125ab594f8dc996da4ce8ce50deba49c81846"
		id = "fe2de535-4f86-5c29-b67e-153423a897f7"
	strings:
		$s1 = "UnHook IoGetDeviceObjectPointer ok!" fullword ascii
		$s2 = "\\Device\\XScanPF" wide
		$s3 = "\\DosDevices\\XScanPF" wide
	condition:
		uint16(0) == 0x5a4d and filesize < 25KB and all of them
}
HKTL_CN_update_PcMain
Chinese Hacktool Set - file PcMain.dll
source: signature-base · author: Florian Roth (Nextron Systems)
rule HKTL_CN_update_PcMain {
   meta:
      description = "Chinese Hacktool Set - file PcMain.dll"
      author = "Florian Roth (Nextron Systems)"
      score = 90
      reference = "http://tools.zjqhr.com/"
      date = "2015-06-13"
      modified = "2023-01-06"
      old_rule_name = "update_PcMain"
      hash = "aa68323aaec0269b0f7e697e69cce4d00a949caa"
      id = "24c9ba6f-0772-59c9-8bea-3a8bf7823e4c"
   strings:
      $s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322" ascii
      $s1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost" fullword ascii
      $s2 = "SOFTWARE\\Classes\\HTTP\\shell\\open\\command" fullword ascii
      $s3 = "\\svchost.exe -k " ascii
      $s4 = "SYSTEM\\ControlSet001\\Services\\%s" fullword ascii
      $s9 = "Global\\%s-key-event" fullword ascii
      $s10 = "%d%d.exe" fullword ascii
      $s14 = "%d.exe" fullword ascii
      $s15 = "Global\\%s-key-metux" fullword ascii
      $s18 = "GET / HTTP/1.1" fullword ascii
      $s19 = "\\Services\\" ascii
      $s20 = "qy001id=%d;qy001guid=%s" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 500KB and 4 of them
}
HKTL_EXPL_WIN_PS1_BadSuccessor_May25
Detects the PowerShell tool Get-BadSuccessorOUPermissions.ps1, which helps exploit a vulnerability in Active Directory: it lists every principal that can perform a BadSuccessor attack and the OUs where that principal holds the required permissions.
source: signature-base · author: Florian Roth
rule HKTL_EXPL_WIN_PS1_BadSuccessor_May25 {
   meta:
      description = "Detects PowerShell tool called Get-BadSuccessorOUPermissions.ps1 that helps exploit a vulnerability in Active Directory. Lists every principal that can perform a BadSuccessor attack and the OUs where it holds the required permissions."
      author = "Florian Roth"
      reference = "https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory"
      date = "2025-05-22"
      score = 75
      id = "4f6ff5ff-831a-520c-8bc5-6fec5e65f9de"
   strings:
      $x1 = "function Get-BadSuccessorOUPermissions" ascii wide
      $x2 = "\"0feb936f-47b3-49f2-9386-1dedc2c23765\"=\"msDS-DelegatedManagedServiceAccount\"" ascii wide
      $x3 = "CreateChild|GenericAll|WriteDACL|WriteOwner" ascii wide
   condition:
      filesize < 20MB and 1 of them
}
HKTL_NET_AdCollector_Sep22_1
Detects ADCollector, a lightweight tool that quickly extracts valuable information from an Active Directory environment for both attacking and defending
source: signature-base · author: Florian Roth (Nextron Systems)
rule HKTL_NET_AdCollector_Sep22_1 {
   meta:
      description = "Detects ADCollector Tool - a lightweight tool to quickly extract valuable information from the Active Directory environment for both attacking and defending"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/dev-2null/ADCollector"
      date = "2022-09-15"
      score = 75
      hash1 = "241390219a0a773463601ca68b77af97453c20af00a66492a7a78c04d481d338"
      hash2 = "cc086eb7316e68661e3d547b414890d5029c5cc460134d8b628f4b0be7f27fb3"
      id = "48b376e4-752b-523e-b34e-65b6944c33fb"
   strings:
      $x1 = "ADCollector.exe --SPNs --Term key --Acls 'CN=Domain Admins,CN=Users,DC=lab,DC=local'" wide fullword
      $s1 = "ADCollector.exe" wide fullword
      $s2 = "ENCRYPTED_TEXT_PASSWORD_ALLOWED" ascii fullword
      $s3 = "\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf" wide
      $s4 = "[-] Password Does Not Expire Accounts:" wide
      $s5 = "  * runAs:       {0}" wide fullword
   condition:
      uint16(0) == 0x5a4d and
      filesize < 300KB and ( 1 of ($x*) or 3 of them )
}
HKTL_NET_Edge_Saved_Passwords_Dumper_May26
Detects a .NET-based tool used to dump saved passwords from Microsoft Edge browser processes
source: signature-base · author: Florian Roth
rule HKTL_NET_Edge_Saved_Passwords_Dumper_May26 {
   meta:
      description = "Detects an .NET based tool used to dump saved passwords from Microsoft Edge browser processes"
      author = "Florian Roth"
      reference = "https://github.com/L1v1ng0ffTh3L4N/Proof-of-Concepts/tree/main/EdgeSavedPasswordsDumper"
      date = "2026-05-05"
      score = 80
      id = "9d09b27e-16a4-5396-af53-2a2c672bc985"
   strings:
      $x1 = "SELECT ProcessId, Name, ParentProcessId FROM Win32_Process WHERE Name='msedge.exe'" wide
      $x2 = "Scanning process PID: " wide

      $s1 = "NSC\\t1_" wide
      $s2 = "\\*\\(\\)_\\-\\+=\\{\\}\\[\\]:;<>\\?/~\\s]{6,40})\\x20\\x00" wide
   condition:
      2 of them
}
HKTL_NET_GUID_ADFSDump
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_ADFSDump {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/fireeye/ADFSDump"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "8cb2edcd-3696-5857-90ca-e99b1af54320"
    strings:
        $typelibguid0lo = "9ee27d63-6ac9-4037-860b-44e91bae7f0d" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ADFSDump
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_ADFSDump {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/fireeye/ADFSDump"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "9ee27d63-6ac9-4037-860b-44e91bae7f0d" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
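The two HKTL_NET_GUID_ADFSDump entries above differ in one modifier: the signature-base version matches the lowercase GUID with "ascii wide" (case-sensitive), the yara-rules version adds "nocase". To make such differences, and the "Adapt" advice in the usage notes, concrete, here is an added Python example that is not code from this page, from signature-base or yara-rules, or from any tool the rules describe. It re-implements, in simplified form, the YARA primitives these rules rely on: the PE-header condition "uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550", string matching under the ascii, wide, nocase and fullword modifiers, and counting distinct string hits. It then evaluates both ADFSDump variants and four of the fullword strings from HKTL_CN_update_PcMain against hand-built byte buffers. The buffers (make_pe) are constructed stubs that satisfy only the header test, not real executables, and the matcher ignores hex strings, regexes and the xor/base64 modifiers.

```python
"""
Added example: a pure-Python re-implementation of the YARA primitives these
rules rely on (PE header test, ascii/wide/nocase/fullword string matching),
used to evaluate rule conditions from this page against constructed buffers.
No yara-python needed. Simplified: hex strings, regexes and xor/base64
modifiers are not covered.
"""
import re
import struct


def is_pe(buf: bytes) -> bool:
    """The condition prefix used by every HKTL_NET_GUID_* rule:
    uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550,
    i.e. 'MZ' at offset 0 and 'PE\\0\\0' at the offset stored in e_lfanew."""
    if len(buf) < 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 4 > len(buf):      # YARA: out-of-range read -> undefined -> false
        return False
    return buf[:2] == b"MZ" and buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def _alnum_unit(chunk: bytes, unit: int) -> bool:
    """Is the neighbouring code unit (1 byte ascii, 2 bytes UTF-16LE) alphanumeric?"""
    if len(chunk) != unit or (unit == 2 and chunk[1] != 0):
        return False
    return bytes([chunk[0]]).isalnum()


def find_string(buf: bytes, text: str, ascii: bool = True, wide: bool = False,
                nocase: bool = False, fullword: bool = False) -> list:
    """Offsets at which `text` matches under the given YARA string modifiers."""
    needles = []
    if ascii:
        needles.append((text.encode("ascii"), 1))
    if wide:
        needles.append((text.encode("utf-16-le"), 2))   # 'wide' = UTF-16LE
    flags = re.IGNORECASE if nocase else 0              # 'nocase' = ASCII case folding
    hits = []
    for needle, unit in needles:
        for m in re.finditer(re.escape(needle), buf, flags):
            if fullword:  # 'fullword': no alphanumeric code unit directly before/after
                before = buf[max(0, m.start() - unit):m.start()]
                after = buf[m.end():m.end() + unit]
                if _alnum_unit(before, unit) or _alnum_unit(after, unit):
                    continue
            hits.append(m.start())
    return sorted(hits)


def make_pe(payload: bytes) -> bytes:
    """Constructed stub that passes is_pe(): a 0x40-byte DOS header whose e_lfanew
    points at 'PE\\0\\0', followed by the payload. Not a loadable executable."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + payload


# --- HKTL_NET_GUID_ADFSDump, the two variants shown on this page -------------
ADFSDUMP_GUID = "9ee27d63-6ac9-4037-860b-44e91bae7f0d"

def adfsdump_signature_base(buf: bytes) -> bool:
    """signature-base flavour: $typelibguid0lo = "..." ascii wide (case-sensitive)."""
    return is_pe(buf) and bool(find_string(buf, ADFSDUMP_GUID, ascii=True, wide=True))

def adfsdump_yara_rules(buf: bytes) -> bool:
    """yara-rules flavour: $typelibguid0 = "..." ascii nocase wide."""
    return is_pe(buf) and bool(find_string(buf, ADFSDUMP_GUID, ascii=True, wide=True, nocase=True))


# --- four of the fullword ascii strings from HKTL_CN_update_PcMain -----------
PCMAIN_STRINGS = {
    "$s10": "%d%d.exe",
    "$s14": "%d.exe",
    "$s18": "GET / HTTP/1.1",
    "$s20": "qy001id=%d;qy001guid=%s",
}

def pcmain_matches(buf: bytes) -> set:
    """Names of the sampled PcMain strings that hit; the real rule needs '4 of them'
    over its full list, so counting distinct string hits is what matters."""
    return {name for name, s in PCMAIN_STRINGS.items()
            if find_string(buf, s, ascii=True, fullword=True)}


if __name__ == "__main__":
    lower_wide = make_pe(ADFSDUMP_GUID.encode("utf-16-le"))
    upper_ascii = make_pe(ADFSDUMP_GUID.upper().encode("ascii"))
    print(adfsdump_signature_base(lower_wide), adfsdump_yara_rules(lower_wide))    # True True
    print(adfsdump_signature_base(upper_ascii), adfsdump_yara_rules(upper_ascii))  # False True
    print(adfsdump_yara_rules(ADFSDUMP_GUID.encode("ascii")))                       # False: no PE header
    sample = make_pe(b"\x00%d%d.exe\x00GET / HTTP/1.1\x00")
    print(pcmain_matches(sample))  # {'$s10', '$s18'}: '%d.exe' sits inside '%d%d.exe', not fullword
```

Two things the run makes visible that the raw rules do not: an upper-case GUID string passes the yara-rules variant but not the signature-base variant, so when adapting a rule the choice between "nocase" and a lowercase-only string is a real coverage decision; and "fullword" means the PcMain string "%d.exe" does not count as a hit when it only occurs inside "%d%d.exe", which affects how quickly a "4 of them" threshold is reached.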
HKTL_NET_GUID_ADSearch
Detects .NET red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_ADSearch {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/tomcarver16/ADSearch"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "399ea06d-b36a-542b-bccc-8e8f935a35c6"
    strings:
        $typelibguid0lo = "4da5f1b7-8936-4413-91f7-57d6e072b4a7" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ADSearch
Detects .NET red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_ADSearch {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/tomcarver16/ADSearch"
        author = "Arnim Rupp"
        date = "2021-01-21"
    strings:
        $typelibguid0 = "4da5f1b7-8936-4413-91f7-57d6e072b4a7" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AESShellCodeInjector
Detects .NET red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_AESShellCodeInjector {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/san3ncrypt3d/AESShellCodeInjector"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-22"
        modified = "2025-08-15"
        id = "6253e30b-7c92-5237-a706-e93403a7c0b6"
    strings:
        $typelibguid0lo = "b016da9e-12a1-4f1d-91a1-d681ae54e92c" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AMSI_Handler
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_AMSI_Handler {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/two06/AMSI_Handler"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "40768acf-fa9e-531a-83fd-187814ddc2d4"
    strings:
        $typelibguid0lo = "d829426c-986c-40a4-8ee2-58d14e090ef2" ascii wide
        $typelibguid1lo = "86652418-5605-43fd-98b5-859828b072be" ascii wide
        $typelibguid2lo = "1043649f-18e1-41c4-ae8d-ac4d9a86c2fc" ascii wide
        $typelibguid3lo = "1d920b03-c537-4659-9a8c-09fb1d615e98" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AMSI_Handler
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_AMSI_Handler {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/two06/AMSI_Handler"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "d829426c-986c-40a4-8ee2-58d14e090ef2" ascii nocase wide
        $typelibguid1 = "86652418-5605-43fd-98b5-859828b072be" ascii nocase wide
        $typelibguid2 = "1043649f-18e1-41c4-ae8d-ac4d9a86c2fc" ascii nocase wide
        $typelibguid3 = "1d920b03-c537-4659-9a8c-09fb1d615e98" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AVIator
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_AVIator {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/Ch0pin/AVIator"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "52acd520-52aa-5bb9-ab3b-66a940aa5f5a"
    strings:
        $typelibguid0lo = "4885a4a3-4dfa-486c-b378-ae94a221661a" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AVIator
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_AVIator {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/Ch0pin/AVIator"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "4885a4a3-4dfa-486c-b378-ae94a221661a" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AV_Evasion_Tool
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_AV_Evasion_Tool {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/1y0n/AV_Evasion_Tool"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "d4257465-38a0-56b9-8402-b92e21b96cb0"
    strings:
        $typelibguid0lo = "1937ee16-57d7-4a5f-88f4-024244f19dc6" ascii wide
        $typelibguid1lo = "7898617d-08d2-4297-adfe-5edd5c1b828b" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AV_Evasion_Tool
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_AV_Evasion_Tool {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/1y0n/AV_Evasion_Tool"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "1937ee16-57d7-4a5f-88f4-024244f19dc6" ascii nocase wide
        $typelibguid1 = "7898617d-08d2-4297-adfe-5edd5c1b828b" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Absinthe
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Absinthe {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/cameronhotchkies/Absinthe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-21"
        modified = "2025-08-15"
        id = "8f25593b-b9d2-5807-b299-b039ecfd43a5"
    strings:
        $typelibguid0lo = "9936ae73-fb4e-4c5e-a5fb-f8aaeb3b9bd6" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Absinthe
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_Absinthe {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/cameronhotchkies/Absinthe"
        author = "Arnim Rupp"
        date = "2020-12-21"
    strings:
        $typelibguid0 = "9936ae73-fb4e-4c5e-a5fb-f8aaeb3b9bd6" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Adamantium_Thief
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Adamantium_Thief {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/LimerBoy/Adamantium-Thief"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "82225b2e-ab4a-50b8-a3fd-7ad4947d052e"
    strings:
        $typelibguid0lo = "e6104bc9-fea9-4ee9-b919-28156c1f2ede" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Adamantium_Thief
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_Adamantium_Thief {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/LimerBoy/Adamantium-Thief"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "e6104bc9-fea9-4ee9-b919-28156c1f2ede" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AddReferenceDotRedTeam
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_AddReferenceDotRedTeam {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/ceramicskate0/AddReferenceDotRedTeam"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "59299a72-9b7a-5108-81c2-d8f6d2e99b20"
    strings:
        $typelibguid0lo = "73c79d7e-17d4-46c9-be5a-ecef65b924e4" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AddReferenceDotRedTeam
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_AddReferenceDotRedTeam {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/ceramicskate0/AddReferenceDotRedTeam"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "73c79d7e-17d4-46c9-be5a-ecef65b924e4" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AggressorScripts
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_AggressorScripts {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/harleyQu1nn/AggressorScripts"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "d5903db5-010b-5b9d-8a5b-5d61aec52e7a"
    strings:
        $typelibguid0lo = "afd1ff09-2632-4087-a30c-43591f32e4e8" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AggressorScripts
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_AggressorScripts {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/harleyQu1nn/AggressorScripts"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "afd1ff09-2632-4087-a30c-43591f32e4e8" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Aladdin
Detects .NET red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Aladdin {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/nettitude/Aladdin"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-13"
        modified = "2025-08-15"
        id = "3f0a954c-f3b3-5e5d-a71d-11f60b026a48"
    strings:
        $typelibguid0lo = "b2b3adb0-1669-4b94-86cb-6dd682ddbea3" ascii wide
        $typelibguid1lo = "c47e4d64-cc7f-490e-8f09-055e009f33ba" ascii wide
        $typelibguid2lo = "32a91b0f-30cd-4c75-be79-ccbd6345de99" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AllTheThings
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_AllTheThings {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/johnjohnsp1/AllTheThings"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "c35160cb-ad31-5195-a7c6-0af91a58737d"
    strings:
        $typelibguid0lo = "0547ff40-5255-42a2-beb7-2ff0dbf7d3ba" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AllTheThings
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_AllTheThings {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/johnjohnsp1/AllTheThings"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "0547ff40-5255-42a2-beb7-2ff0dbf7d3ba" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Altman
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Altman {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/keepwn/Altman"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "21acc8af-9497-5842-90a9-7a9300585d5d"
    strings:
        $typelibguid0lo = "64cdcd2b-7356-4079-af78-e22210e66154" ascii wide
        $typelibguid1lo = "f1dee29d-ca98-46ea-9d13-93ae1fda96e1" ascii wide
        $typelibguid2lo = "33568320-56e8-4abb-83f8-548e8d6adac2" ascii wide
        $typelibguid3lo = "470ec930-70a3-4d71-b4ff-860fcb900e85" ascii wide
        $typelibguid4lo = "9514574d-6819-44f2-affa-6158ac1143b3" ascii wide
        $typelibguid5lo = "0f3a9c4f-0b11-4373-a0a6-3a6de814e891" ascii wide
        $typelibguid6lo = "9624b72e-9702-4d78-995b-164254328151" ascii wide
        $typelibguid7lo = "faae59a8-55fc-48b1-a9b5-b1759c9c1010" ascii wide
        $typelibguid8lo = "37af4988-f6f2-4f0c-aa2b-5b24f7ed3bf3" ascii wide
        $typelibguid9lo = "c82aa2fe-3332-441f-965e-6b653e088abf" ascii wide
        $typelibguid10lo = "6e531f6c-2c89-447f-8464-aaa96dbcdfff" ascii wide
        $typelibguid11lo = "231987a1-ea32-4087-8963-2322338f16f6" ascii wide
        $typelibguid12lo = "7da0d93a-a0ae-41a5-9389-42eff85bb064" ascii wide
        $typelibguid13lo = "a729f9cc-edc2-4785-9a7d-7b81bb12484c" ascii wide
        $typelibguid14lo = "55a1fd43-d23e-4d72-aadb-bbd1340a6913" ascii wide
        $typelibguid15lo = "d43f240d-e7f5-43c5-9b51-d156dc7ea221" ascii wide
        $typelibguid16lo = "c2e6c1a0-93b1-4bbc-98e6-8e2b3145db8e" ascii wide
        $typelibguid17lo = "714ae6f3-0d03-4023-b753-fed6a31d95c7" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Altman
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_Altman {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/keepwn/Altman"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "64cdcd2b-7356-4079-af78-e22210e66154" ascii nocase wide
        $typelibguid1 = "f1dee29d-ca98-46ea-9d13-93ae1fda96e1" ascii nocase wide
        $typelibguid2 = "33568320-56e8-4abb-83f8-548e8d6adac2" ascii nocase wide
        $typelibguid3 = "470ec930-70a3-4d71-b4ff-860fcb900e85" ascii nocase wide
        $typelibguid4 = "9514574d-6819-44f2-affa-6158ac1143b3" ascii nocase wide
        $typelibguid5 = "0f3a9c4f-0b11-4373-a0a6-3a6de814e891" ascii nocase wide
        $typelibguid6 = "9624b72e-9702-4d78-995b-164254328151" ascii nocase wide
        $typelibguid7 = "faae59a8-55fc-48b1-a9b5-b1759c9c1010" ascii nocase wide
        $typelibguid8 = "37af4988-f6f2-4f0c-aa2b-5b24f7ed3bf3" ascii nocase wide
        $typelibguid9 = "c82aa2fe-3332-441f-965e-6b653e088abf" ascii nocase wide
        $typelibguid10 = "6e531f6c-2c89-447f-8464-aaa96dbcdfff" ascii nocase wide
        $typelibguid11 = "231987a1-ea32-4087-8963-2322338f16f6" ascii nocase wide
        $typelibguid12 = "7da0d93a-a0ae-41a5-9389-42eff85bb064" ascii nocase wide
        $typelibguid13 = "a729f9cc-edc2-4785-9a7d-7b81bb12484c" ascii nocase wide
        $typelibguid14 = "55a1fd43-d23e-4d72-aadb-bbd1340a6913" ascii nocase wide
        $typelibguid15 = "d43f240d-e7f5-43c5-9b51-d156dc7ea221" ascii nocase wide
        $typelibguid16 = "c2e6c1a0-93b1-4bbc-98e6-8e2b3145db8e" ascii nocase wide
        $typelibguid17 = "714ae6f3-0d03-4023-b753-fed6a31d95c7" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AmsiScanBufferBypass
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_AmsiScanBufferBypass {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/rasta-mouse/AmsiScanBufferBypass"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "12a15e61-30fb-50a3-a59b-39f9871444f0"
    strings:
        $typelibguid0lo = "431ef2d9-5cca-41d3-87ba-c7f5e4582dd2" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AmsiScanBufferBypass
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_AmsiScanBufferBypass {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/rasta-mouse/AmsiScanBufferBypass"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "431ef2d9-5cca-41d3-87ba-c7f5e4582dd2" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AntiDebug
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_AntiDebug {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/malcomvetter/AntiDebug"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "f381081b-d0cb-593d-ad3d-28816f770b67"
    strings:
        $typelibguid0lo = "997265c1-1342-4d44-aded-67964a32f859" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AntiDebug
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_AntiDebug {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/malcomvetter/AntiDebug"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "997265c1-1342-4d44-aded-67964a32f859" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Anti_Analysis
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Anti_Analysis {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/NYAN-x-CAT/Anti-Analysis"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "bd527841-065e-57e9-b70e-c9d232072f1b"
    strings:
        $typelibguid0lo = "3092c8df-e9e4-4b75-b78e-f81a0058a635" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Anti_Analysis
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_Anti_Analysis {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/NYAN-x-CAT/Anti-Analysis"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "3092c8df-e9e4-4b75-b78e-f81a0058a635" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AsyncRAT_C_Sharp
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_AsyncRAT_C_Sharp {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "858a079d-71e8-516e-a2a9-f0969edc758b"
    strings:
        $typelibguid0lo = "619b7612-dfea-442a-a927-d997f99c497b" ascii wide
        $typelibguid1lo = "424b81be-2fac-419f-b4bc-00ccbe38491f" ascii wide
        $typelibguid2lo = "37e20baf-3577-4cd9-bb39-18675854e255" ascii wide
        $typelibguid3lo = "dafe686a-461b-402b-bbd7-2a2f4c87c773" ascii wide
        $typelibguid4lo = "ee03faa9-c9e8-4766-bd4e-5cd54c7f13d3" ascii wide
        $typelibguid5lo = "8bfc8ed2-71cc-49dc-9020-2c8199bc27b6" ascii wide
        $typelibguid6lo = "d640c36b-2c66-449b-a145-eb98322a67c8" ascii wide
        $typelibguid7lo = "8de42da3-be99-4e7e-a3d2-3f65e7c1abce" ascii wide
        $typelibguid8lo = "bee88186-769a-452c-9dd9-d0e0815d92bf" ascii wide
        $typelibguid9lo = "9042b543-13d1-42b3-a5b6-5cc9ad55e150" ascii wide
        $typelibguid10lo = "6aa4e392-aaaf-4408-b550-85863dd4baaf" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AsyncRAT_C_Sharp
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_AsyncRAT_C_Sharp {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "619b7612-dfea-442a-a927-d997f99c497b" ascii nocase wide
        $typelibguid1 = "424b81be-2fac-419f-b4bc-00ccbe38491f" ascii nocase wide
        $typelibguid2 = "37e20baf-3577-4cd9-bb39-18675854e255" ascii nocase wide
        $typelibguid3 = "dafe686a-461b-402b-bbd7-2a2f4c87c773" ascii nocase wide
        $typelibguid4 = "ee03faa9-c9e8-4766-bd4e-5cd54c7f13d3" ascii nocase wide
        $typelibguid5 = "8bfc8ed2-71cc-49dc-9020-2c8199bc27b6" ascii nocase wide
        $typelibguid6 = "d640c36b-2c66-449b-a145-eb98322a67c8" ascii nocase wide
        $typelibguid7 = "8de42da3-be99-4e7e-a3d2-3f65e7c1abce" ascii nocase wide
        $typelibguid8 = "bee88186-769a-452c-9dd9-d0e0815d92bf" ascii nocase wide
        $typelibguid9 = "9042b543-13d1-42b3-a5b6-5cc9ad55e150" ascii nocase wide
        $typelibguid10 = "6aa4e392-aaaf-4408-b550-85863dd4baaf" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AtYourService
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_AtYourService {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/mitchmoser/AtYourService"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "3077dd0c-6936-5340-8da9-e8643de4d864"
    strings:
        $typelibguid0lo = "bc72386f-8b4c-44de-99b7-b06a8de3ce3f" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AtYourService
Detects .NET red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_AtYourService {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/mitchmoser/AtYourService"
        author = "Arnim Rupp"
        date = "2021-01-21"
    strings:
        $typelibguid0 = "bc72386f-8b4c-44de-99b7-b06a8de3ce3f" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AzureCLI_Extractor
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_AzureCLI_Extractor {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/0x09AL/AzureCLI-Extractor"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "f595545a-a7a6-577c-b3f4-febf7bf1b6c3"
    strings:
        $typelibguid0lo = "a73cad74-f8d6-43e6-9a4c-b87832cdeace" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AzureCLI_Extractor
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_AzureCLI_Extractor {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/0x09AL/AzureCLI-Extractor"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "a73cad74-f8d6-43e6-9a4c-b87832cdeace" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_BYTAGE
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_BYTAGE {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/KNIF/BYTAGE"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "4f87ca2c-3ac1-5733-893e-79665b80ffc3"
    strings:
        $typelibguid0lo = "8e46ba56-e877-4dec-be1e-394cb1b5b9de" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_BYTAGE
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_BYTAGE {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/KNIF/BYTAGE"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "8e46ba56-e877-4dec-be1e-394cb1b5b9de" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_BackNet
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_BackNet {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/valsov/BackNet"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "91824d18-f46b-5b95-b650-4d710d711cf9"
    strings:
        $typelibguid0lo = "9fdae122-cd1e-467d-a6fa-a98c26e76348" ascii wide
        $typelibguid1lo = "243c279e-33a6-46a1-beab-2864cc7a499f" ascii wide
        $typelibguid2lo = "a7301384-7354-47fd-a4c5-65b74e0bbb46" ascii wide
        $typelibguid3lo = "982dc5b6-1123-428a-83dd-d212490c859f" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_BackNet
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_BackNet {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/valsov/BackNet"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "9fdae122-cd1e-467d-a6fa-a98c26e76348" ascii nocase wide
        $typelibguid1 = "243c279e-33a6-46a1-beab-2864cc7a499f" ascii nocase wide
        $typelibguid2 = "a7301384-7354-47fd-a4c5-65b74e0bbb46" ascii nocase wide
        $typelibguid3 = "982dc5b6-1123-428a-83dd-d212490c859f" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_BadPotato
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_BadPotato {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/BeichenDream/BadPotato"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "8bee12fc-fc29-5256-b559-d914ef202c0c"
    strings:
        $typelibguid0lo = "0527a14f-1591-4d94-943e-d6d784a50549" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_BadPotato
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_BadPotato {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/BeichenDream/BadPotato"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "0527a14f-1591-4d94-943e-d6d784a50549" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_BlackNET
Detects VB.NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_BlackNET {
    meta:
        description = "Detects VB.NET red/black-team tools via typelibguid"
        reference = "https://github.com/BlackHacker511/BlackNET"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-30"
        modified = "2025-08-15"
        id = "9fbb3c11-7b11-5910-9c8b-247aeefbaa87"
    strings:
        $typelibguid0lo = "c2b90883-abee-4cfa-af66-dfd93ec617a5" ascii wide
        $typelibguid1lo = "8bb6f5b4-e7c7-4554-afd1-48f368774837" ascii wide
        $typelibguid2lo = "983ae28c-91c3-4072-8cdf-698b2ff7a967" ascii wide
        $typelibguid3lo = "9ac18cdc-3711-4719-9cfb-5b5f2d51fd5a" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_BlackNET
Detects VB.NET red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_BlackNET {
    meta:
        description = "Detects VB.NET red/black-team tools via typelibguid"
        reference = "https://github.com/BlackHacker511/BlackNET"
        author = "Arnim Rupp"
        date = "2020-12-30"
    strings:
        $typelibguid0 = "c2b90883-abee-4cfa-af66-dfd93ec617a5" ascii nocase wide
        $typelibguid1 = "8bb6f5b4-e7c7-4554-afd1-48f368774837" ascii nocase wide
        $typelibguid2 = "983ae28c-91c3-4072-8cdf-698b2ff7a967" ascii nocase wide
        $typelibguid3 = "9ac18cdc-3711-4719-9cfb-5b5f2d51fd5a" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
Showing 451-500 of 18,880