YARA rules
18,880 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. The rules below come from multiple open repositories; each entry is followed by its raw signature.
Using these YARA rules
Deploy. Load them into any YARA-capable scanner: your EDR if it supports YARA, the yara CLI against files or a memory image, VirusTotal Retrohunt, or a host scanner like Loki or THOR.
Adapt. Tighten or loosen the string and condition matches for your false-positive tolerance; a rule written for one campaign can over-match on benign files in a different environment.
Scope. These are for hunting known malware families in files and memory and for triaging samples - not for network traffic or log-based detection, which the IDS and Sigma rules cover.
Rules
50 shown of 18,880
HKTL_NET_GUID_BlockEtw
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_BlockEtw {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/Soledge/BlockEtw"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-29"
modified = "2025-08-15"
id = "c2b72fef-6549-5b53-8ccf-232e8d152e96"
strings:
$typelibguid0lo = "daedf7b3-8262-4892-adc4-425dd5f85bca" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_BlockEtw
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_BlockEtw {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/Soledge/BlockEtw"
author = "Arnim Rupp"
date = "2020-12-29"
strings:
$typelibguid0 = "daedf7b3-8262-4892-adc4-425dd5f85bca" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_BrowserGhost
Detects c# red/black-team tools via typelibguid
// The pe module must be imported for pe.is_dll() in the condition to compile.
import "pe"

rule HKTL_NET_GUID_BrowserGhost {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/QAX-A-Team/BrowserGhost"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "adcc5d12-c393-5708-ae0b-a85f2187c881"
strings:
$typelibguid0lo = "2133c634-4139-466e-8983-9a23ec99e01b" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
and not pe.is_dll()
}
HKTL_NET_GUID_BrowserGhost
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_BrowserGhost {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/QAX-A-Team/BrowserGhost"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "2133c634-4139-466e-8983-9a23ec99e01b" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_BrowserPass
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_BrowserPass {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/jabiel/BrowserPass"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "bad36c36-dbed-527c-a2f5-4dceff1abe4b"
strings:
$typelibguid0lo = "3cb59871-0dce-453b-857a-2d1e515b0b66" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_BrowserPass
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_BrowserPass {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/jabiel/BrowserPass"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "3cb59871-0dce-453b-857a-2d1e515b0b66" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Browser_ExternalC2
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Browser_ExternalC2 {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/mdsecactivebreach/Browser-ExternalC2"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "8c309522-90e7-5f5a-b456-3a472756d397"
strings:
$typelibguid0lo = "10a730cd-9517-42d5-b3e3-a2383515cca9" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Browser_ExternalC2
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Browser_ExternalC2 {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/mdsecactivebreach/Browser-ExternalC2"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "10a730cd-9517-42d5-b3e3-a2383515cca9" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_BypassUAC
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_BypassUAC {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/cnsimo/BypassUAC"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "327f581e-1d8c-5d20-bdd7-a29810c619c9"
strings:
$typelibguid0lo = "4e7c140d-bcc4-4b15-8c11-adb4e54cc39a" ascii wide
$typelibguid1lo = "cec553a7-1370-4bbc-9aae-b2f5dbde32b0" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_BypassUAC
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_BypassUAC {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/cnsimo/BypassUAC"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "4e7c140d-bcc4-4b15-8c11-adb4e54cc39a" ascii nocase wide
$typelibguid1 = "cec553a7-1370-4bbc-9aae-b2f5dbde32b0" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_CSharpSetThreadContext
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_CSharpSetThreadContext {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/djhohnstein/CSharpSetThreadContext"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "883bb859-d5ab-501d-8c83-0c5a2cf1f6c8"
strings:
$typelibguid0lo = "a1e28c8c-b3bd-44de-85b9-8aa7c18a714d" ascii wide
$typelibguid1lo = "87c5970e-0c77-4182-afe2-3fe96f785ebb" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_CSharpSetThreadContext
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_CSharpSetThreadContext {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/djhohnstein/CSharpSetThreadContext"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "a1e28c8c-b3bd-44de-85b9-8aa7c18a714d" ascii nocase wide
$typelibguid1 = "87c5970e-0c77-4182-afe2-3fe96f785ebb" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_CVE_2019_1064
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_CVE_2019_1064 {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/RythmStick/CVE-2019-1064"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "4640e874-faa4-58dc-a3f3-18246a343f15"
strings:
$typelibguid0lo = "ff97e98a-635e-4ea9-b2d0-1a13f6bdbc38" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_CVE_2019_1064
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_CVE_2019_1064 {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/RythmStick/CVE-2019-1064"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "ff97e98a-635e-4ea9-b2d0-1a13f6bdbc38" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_CVE_2019_1253
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_CVE_2019_1253 {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/padovah4ck/CVE-2019-1253"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "3e18b533-1b85-5eaf-bb3d-aa5b90fd2e28"
strings:
$typelibguid0lo = "584964c1-f983-498d-8370-23e27fdd0399" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_CVE_2019_1253
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_CVE_2019_1253 {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/padovah4ck/CVE-2019-1253"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "584964c1-f983-498d-8370-23e27fdd0399" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_CVE_2020_0668
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_CVE_2020_0668 {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/RedCursorSecurityConsulting/CVE-2020-0668"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "54c87578-f0f1-5108-a736-b6acd9624d29"
strings:
$typelibguid0lo = "1b4c5ec1-2845-40fd-a173-62c450f12ea5" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_CVE_2020_0668
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_CVE_2020_0668 {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/RedCursorSecurityConsulting/CVE-2020-0668"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "1b4c5ec1-2845-40fd-a173-62c450f12ea5" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_CVE_2020_1206_POC
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_CVE_2020_1206_POC {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/ZecOps/CVE-2020-1206-POC"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2021-01-21"
modified = "2025-08-15"
id = "d70472f3-b19f-5097-bd70-99a7e7812ac4"
strings:
$typelibguid0lo = "3523ca04-a12d-4b40-8837-1a1d28ef96de" ascii wide
$typelibguid1lo = "d3a2f24a-ddc6-4548-9b3d-470e70dbcaab" ascii wide
$typelibguid2lo = "fb30ee05-4a35-45f7-9a0a-829aec7e47d9" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_CVE_2020_1206_POC
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_CVE_2020_1206_POC {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/ZecOps/CVE-2020-1206-POC"
author = "Arnim Rupp"
date = "2021-01-21"
strings:
$typelibguid0 = "3523ca04-a12d-4b40-8837-1a1d28ef96de" ascii nocase wide
$typelibguid1 = "d3a2f24a-ddc6-4548-9b3d-470e70dbcaab" ascii nocase wide
$typelibguid2 = "fb30ee05-4a35-45f7-9a0a-829aec7e47d9" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_CVE_2020_1337
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_CVE_2020_1337 {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/neofito/CVE-2020-1337"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "4b79867d-761c-5aa8-bf8a-60caa50d8aa6"
strings:
$typelibguid0lo = "d9c2e3c1-e9cc-42b0-a67c-b6e1a4f962cc" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_CVE_2020_1337
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_CVE_2020_1337 {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/neofito/CVE-2020-1337"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "d9c2e3c1-e9cc-42b0-a67c-b6e1a4f962cc" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_C_Sharp_R_A_T_Client
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_C_Sharp_R_A_T_Client {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/AdvancedHacker101/C-Sharp-R.A.T-Client"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "f5df8257-d202-58e3-9c4a-1dfc9dd52f2a"
strings:
$typelibguid0lo = "6d9e8852-e86c-4e36-9cb4-b3c3853ed6b8" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_C_Sharp_R_A_T_Client
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_C_Sharp_R_A_T_Client {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/AdvancedHacker101/C-Sharp-R.A.T-Client"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "6d9e8852-e86c-4e36-9cb4-b3c3853ed6b8" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Carbuncle
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Carbuncle {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/checkymander/Carbuncle"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "4a87882e-570b-5b40-a8e3-47ebac01d257"
strings:
$typelibguid0lo = "3f239b73-88ae-413b-b8c8-c01a35a0d92e" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Carbuncle
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Carbuncle {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/checkymander/Carbuncle"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "3f239b73-88ae-413b-b8c8-c01a35a0d92e" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_CasperStager
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_CasperStager {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/ustayready/CasperStager"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "0ad18d2b-b7cc-5316-a8e8-b05d4439b8e1"
strings:
$typelibguid0lo = "c653a9f2-0939-43c8-9b93-fed5e2e4c7e6" ascii wide
$typelibguid1lo = "48dfc55e-6ae5-4a36-abef-14bc09d7510b" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_CasperStager
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_CasperStager {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/ustayready/CasperStager"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "c653a9f2-0939-43c8-9b93-fed5e2e4c7e6" ascii nocase wide
$typelibguid1 = "48dfc55e-6ae5-4a36-abef-14bc09d7510b" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Certify
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_Certify {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/GhostPack/Certify"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2023-03-06"
modified = "2025-08-11"
hash = "da585a8d4985082873cb86204d546d3f53668e034c61e42d247b11e92b5e8fc3"
id = "69f120fe-bd4d-59ba-b1b9-528ab300e450"
strings:
$typelibguid0_v1 = "64524ca5-e4d0-41b3-acc3-3bdbefd40c97" ascii wide
$typelibguid0_v2 = "15cfadd8-5f6c-424b-81dc-c028312d025f" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Change_Lockscreen
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Change_Lockscreen {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/nccgroup/Change-Lockscreen"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "a817c6e8-95f9-56c6-97b8-4be06658629f"
strings:
$typelibguid0lo = "78642ab3-eaa6-4e9c-a934-e7b0638bc1cc" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Change_Lockscreen
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Change_Lockscreen {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/nccgroup/Change-Lockscreen"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "78642ab3-eaa6-4e9c-a934-e7b0638bc1cc" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_CinaRAT
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_CinaRAT {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/wearelegal/CinaRAT"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "c6b4c919-0fc6-5096-b29b-963142a2c831"
strings:
$typelibguid0lo = "8586f5b1-2ef4-4f35-bd45-c6206fdc0ebc" ascii wide
$typelibguid1lo = "fe184ab5-f153-4179-9bf5-50523987cf1f" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_CinaRAT
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_CinaRAT {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/wearelegal/CinaRAT"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "8586f5b1-2ef4-4f35-bd45-c6206fdc0ebc" ascii nocase wide
$typelibguid1 = "fe184ab5-f153-4179-9bf5-50523987cf1f" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_CloneVault
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_CloneVault {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/mdsecactivebreach/CloneVault"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2021-01-21"
modified = "2025-08-15"
id = "3340a095-d926-5c85-b7ed-03151712538d"
strings:
$typelibguid0lo = "0a344f52-6780-4d10-9a4a-cb9439f9d3de" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_CloneVault
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_CloneVault {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/mdsecactivebreach/CloneVault"
author = "Arnim Rupp"
date = "2021-01-21"
strings:
$typelibguid0 = "0a344f52-6780-4d10-9a4a-cb9439f9d3de" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Crassus
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_Crassus {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/vu-ls/Crassus"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2023-03-18"
modified = "2025-08-15"
id = "d4f94aa3-0431-5ac1-8718-0f0526c3714f"
strings:
$typelibguid0lo = "7e9729aa-4cf2-4d0a-8183-7fb7ce7a5b1a" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Crypter_Runtime_AV_s_bypass
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Crypter_Runtime_AV_s_bypass {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/netreverse/Crypter-Runtime-AV-s-bypass"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "726cd57b-d88a-5854-b2e1-76d9bd71a155"
strings:
$typelibguid0lo = "c25e39a9-8215-43aa-96a3-da0e9512ec18" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Crypter_Runtime_AV_s_bypass
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Crypter_Runtime_AV_s_bypass {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/netreverse/Crypter-Runtime-AV-s-bypass"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "c25e39a9-8215-43aa-96a3-da0e9512ec18" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_CsharpAmsiBypass
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_CsharpAmsiBypass {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/WayneJLee/CsharpAmsiBypass"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "ca97004e-edc1-5b5a-ac67-e81ae24631aa"
strings:
$typelibguid0lo = "4ab3b95d-373c-4197-8ee3-fe0fa66ca122" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_CsharpAmsiBypass
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_CsharpAmsiBypass {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/WayneJLee/CsharpAmsiBypass"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "4ab3b95d-373c-4197-8ee3-fe0fa66ca122" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Csharp_Loader
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Csharp_Loader {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/NYAN-x-CAT/Csharp-Loader"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "bf0c3d93-cbea-54c7-b950-fd4e5a600d07"
strings:
$typelibguid0lo = "5fd7f9fc-0618-4dde-a6a0-9faefe96c8a1" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Csharp_Loader
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Csharp_Loader {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/NYAN-x-CAT/Csharp-Loader"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "5fd7f9fc-0618-4dde-a6a0-9faefe96c8a1" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DInvisibleRegistry
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DInvisibleRegistry {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/NVISO-BE/DInvisibleRegistry"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "98409bbe-6346-5825-b7f7-c1afeac2b038"
strings:
$typelibguid0lo = "31d576fb-9fb9-455e-ab02-c78981634c65" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DInvisibleRegistry
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DInvisibleRegistry {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/NVISO-BE/DInvisibleRegistry"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "31d576fb-9fb9-455e-ab02-c78981634c65" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DInvoke
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_DInvoke {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/TheWover/DInvoke"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2021-01-21"
modified = "2025-08-15"
id = "f3b0ef47-a92c-5c5d-a9e2-09579fcb438e"
strings:
$typelibguid0lo = "b77fdab5-207c-4cdb-b1aa-348505c54229" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DInvoke
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_DInvoke {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/TheWover/DInvoke"
author = "Arnim Rupp"
date = "2021-01-21"
strings:
$typelibguid0 = "b77fdab5-207c-4cdb-b1aa-348505c54229" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DInvoke_PoC
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DInvoke_PoC {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/dtrizna/DInvoke_PoC"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "f3b0ef47-a92c-5c5d-a9e2-09579fcb438e"
strings:
$typelibguid0lo = "5a869ab2-291a-49e6-a1b7-0d0f051bef0e" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DInvoke_PoC
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DInvoke_PoC {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/dtrizna/DInvoke_PoC"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "5a869ab2-291a-49e6-a1b7-0d0f051bef0e" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DLL_Injection
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DLL_Injection {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/ihack4falafel/DLL-Injection"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "aec4fc28-9aa2-5eef-9fb1-d187a83a72b3"
strings:
$typelibguid0lo = "3d7e1433-f81a-428a-934f-7cc7fcf1149d" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DLL_Injection
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DLL_Injection {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/ihack4falafel/DLL-Injection"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "3d7e1433-f81a-428a-934f-7cc7fcf1149d" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
Showing 501-550 of 18,880