Malware / file
YARA rules
18,880 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. Rules below come from multiple open repositories. Expand any rule to see its raw signature.
Using these YARA rules
Deploy. Load them into any YARA-capable scanner: your EDR if it supports YARA, the yara CLI against files or a memory image, VirusTotal Retrohunt, or a host scanner like Loki or THOR.
Adapt. Tighten or loosen the string and condition matches for your false-positive tolerance; a rule written for one campaign can over-match on benign files in a different environment.
Scope. These are for hunting known malware families in files and memory and for triaging samples - not for network traffic or log-based detection, which the IDS and Sigma rules cover.
Rules
50 shown of 18,880
HKTL_NET_GUID_DLL_Injector
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DLL_Injector {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/tmthrgd/DLL-Injector"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "301e70f4-89ed-539c-b7f3-9fc6ae1393b3"
    strings:
        $typelibguid0lo = "4581a449-7d20-4c59-8da2-7fd830f1fd5e" ascii wide
        $typelibguid1lo = "05f4b238-25ce-40dc-a890-d5bbb8642ee4" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DLL_Injector
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DLL_Injector {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/tmthrgd/DLL-Injector"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "4581a449-7d20-4c59-8da2-7fd830f1fd5e" ascii nocase wide
        $typelibguid1 = "05f4b238-25ce-40dc-a890-d5bbb8642ee4" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DarkEye
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DarkEye {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/K1ngSoul/DarkEye"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "5dc6702f-a398-5be2-9df8-9a2ddc636a1f"
    strings:
        $typelibguid0lo = "0bdb9c65-14ed-4205-ab0c-ea2151866a7f" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DarkEye
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DarkEye {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/K1ngSoul/DarkEye"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "0bdb9c65-14ed-4205-ab0c-ea2151866a7f" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DarkFender
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DarkFender {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/0xyg3n/DarkFender"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "0aea5e05-7788-5581-8bcc-d2e75a291dd9"
    strings:
        $typelibguid0lo = "12fdf7ce-4a7c-41b6-9b32-766ddd299beb" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DarkFender
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DarkFender {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/0xyg3n/DarkFender"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "12fdf7ce-4a7c-41b6-9b32-766ddd299beb" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DecryptAutoLogon
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DecryptAutoLogon {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/securesean/DecryptAutoLogon"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "3ef58da9-16c1-54cf-9d06-a05680548cf5"
    strings:
        $typelibguid0lo = "015a37fc-53d0-499b-bffe-ab88c5086040" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DecryptAutoLogon
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DecryptAutoLogon {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/securesean/DecryptAutoLogon"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "015a37fc-53d0-499b-bffe-ab88c5086040" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DesktopGrabber
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DesktopGrabber {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/NYAN-x-CAT/DesktopGrabber"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "7db07291-d6d4-5527-a879-27f899dbd6fe"
    strings:
        $typelibguid0lo = "e6aa0cd5-9537-47a0-8c85-1fbe284a4380" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DesktopGrabber
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DesktopGrabber {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/NYAN-x-CAT/DesktopGrabber"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "e6aa0cd5-9537-47a0-8c85-1fbe284a4380" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DeviceGuardBypasses
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DeviceGuardBypasses {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/tyranid/DeviceGuardBypasses"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "3790faac-b5be-5999-b35f-71a2ef02b6ed"
    strings:
        $typelibguid0lo = "f318466d-d310-49ad-a967-67efbba29898" ascii wide
        $typelibguid1lo = "3705800f-1424-465b-937d-586e3a622a4f" ascii wide
        $typelibguid2lo = "256607c2-4126-4272-a2fa-a1ffc0a734f0" ascii wide
        $typelibguid3lo = "4e6ceea1-f266-401c-b832-f91432d46f42" ascii wide
        $typelibguid4lo = "1e6e9b03-dd5f-4047-b386-af7a7904f884" ascii wide
        $typelibguid5lo = "d85e3601-0421-4efa-a479-f3370c0498fd" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DeviceGuardBypasses
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DeviceGuardBypasses {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/tyranid/DeviceGuardBypasses"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "f318466d-d310-49ad-a967-67efbba29898" ascii nocase wide
        $typelibguid1 = "3705800f-1424-465b-937d-586e3a622a4f" ascii nocase wide
        $typelibguid2 = "256607c2-4126-4272-a2fa-a1ffc0a734f0" ascii nocase wide
        $typelibguid3 = "4e6ceea1-f266-401c-b832-f91432d46f42" ascii nocase wide
        $typelibguid4 = "1e6e9b03-dd5f-4047-b386-af7a7904f884" ascii nocase wide
        $typelibguid5 = "d85e3601-0421-4efa-a479-f3370c0498fd" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Disable_Windows_Defender
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Disable_Windows_Defender {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/NYAN-x-CAT/Disable-Windows-Defender"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "9a673427-e66e-594b-942a-64a2272319f3"
    strings:
        $typelibguid0lo = "501e3fdc-575d-492e-90bc-703fb6280ee2" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Disable_Windows_Defender
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Disable_Windows_Defender {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/NYAN-x-CAT/Disable-Windows-Defender"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "501e3fdc-575d-492e-90bc-703fb6280ee2" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DoHC2
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DoHC2 {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/SpiderLabs/DoHC2"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "0bb38f10-ca5c-5c18-97c9-540b6367d150"
    strings:
        $typelibguid0lo = "9877a948-2142-4094-98de-e0fbb1bc4062" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DoHC2
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DoHC2 {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/SpiderLabs/DoHC2"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "9877a948-2142-4094-98de-e0fbb1bc4062" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DotNetAVBypass_Master
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DotNetAVBypass_Master {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/lockfale/DotNetAVBypass-Master"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "4004271b-4fbe-58bb-9613-a077e76324b3"
    strings:
        $typelibguid0lo = "4854c8dc-82b0-4162-86e0-a5bbcbc10240" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DotNetAVBypass_Master
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DotNetAVBypass_Master {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/lockfale/DotNetAVBypass-Master"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "4854c8dc-82b0-4162-86e0-a5bbcbc10240" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DotNetToJScript
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DotNetToJScript {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/tyranid/DotNetToJScript"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "31827074-fc63-5690-b6c7-8e89daacc07f"
    strings:
        $typelibguid0lo = "7e3f231c-0d0b-4025-812c-0ef099404861" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DotNetToJScript
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DotNetToJScript {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/tyranid/DotNetToJScript"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "7e3f231c-0d0b-4025-812c-0ef099404861" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DotNetToJScript_LanguageModeBreakout
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_DotNetToJScript_LanguageModeBreakout {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/FuzzySecurity/DotNetToJScript-LanguageModeBreakout"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "8c8cf79f-8e69-5293-b27a-1f8593061627"
    strings:
        $typelibguid0lo = "deadb33f-fa94-41b5-813d-e72d8677a0cf" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DotNetToJScript_LanguageModeBreakout
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_DotNetToJScript_LanguageModeBreakout {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/FuzzySecurity/DotNetToJScript-LanguageModeBreakout"
        author = "Arnim Rupp"
        date = "2021-01-21"
    strings:
        $typelibguid0 = "deadb33f-fa94-41b5-813d-e72d8677a0cf" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DreamProtectorFree
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DreamProtectorFree {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/Paskowsky/DreamProtectorFree"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "9ebee989-3441-5a76-b243-08de978b541c"
    strings:
        $typelibguid0lo = "f7e8a902-2378-426a-bfa5-6b14c4b40aa3" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_DreamProtectorFree
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_DreamProtectorFree {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/Paskowsky/DreamProtectorFree"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "f7e8a902-2378-426a-bfa5-6b14c4b40aa3" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Driver_Template
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_Driver_Template {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/FuzzySecurity/Driver-Template"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "539f88c5-e779-55e0-98df-299a9068de9b"
    strings:
        $typelibguid0lo = "bdb79ad6-639f-4dc2-8b8a-cd9107da3d69" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Driver_Template
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_Driver_Template {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/FuzzySecurity/Driver-Template"
        author = "Arnim Rupp"
        date = "2021-01-21"
    strings:
        $typelibguid0 = "bdb79ad6-639f-4dc2-8b8a-cd9107da3d69" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Dropless_Malware
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Dropless_Malware {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/NYAN-x-CAT/Dropless-Malware"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "0da3b6d8-2002-590e-a8d5-f6c84acfb083"
    strings:
        $typelibguid0lo = "23b739f7-2355-491e-a7cd-a8485d39d6d6" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Dropless_Malware
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Dropless_Malware {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/NYAN-x-CAT/Dropless-Malware"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "23b739f7-2355-491e-a7cd-a8485d39d6d6" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ESC
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_ESC {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/NetSPI/ESC"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "a57c47e8-62bf-5425-9735-35a3e3a0c218"
    strings:
        $typelibguid0lo = "06260ce5-61f4-4b81-ad83-7d01c3b37921" ascii wide
        $typelibguid1lo = "87fc7ede-4dae-4f00-ac77-9c40803e8248" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ESC
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_ESC {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/NetSPI/ESC"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "06260ce5-61f4-4b81-ad83-7d01c3b37921" ascii nocase wide
        $typelibguid1 = "87fc7ede-4dae-4f00-ac77-9c40803e8248" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_EWSToolkit
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_EWSToolkit {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/rasta-mouse/EWSToolkit"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "acde7744-d17f-5e47-a5e2-ff4f4c4d8093"
    strings:
        $typelibguid0lo = "ca536d67-53c9-43b5-8bc8-9a05fdc567ed" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_EWSToolkit
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_EWSToolkit {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/rasta-mouse/EWSToolkit"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "ca536d67-53c9-43b5-8bc8-9a05fdc567ed" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_EasyNet
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_EasyNet {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/TheWover/EasyNet"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "8408a057-4910-5d7b-80bc-78df17c95bf7"
    strings:
        $typelibguid0lo = "3097d856-25c2-42c9-8d59-2cdad8e8ea12" ascii wide
        $typelibguid1lo = "ba33f716-91e0-4cf7-b9bd-b4d558f9a173" ascii wide
        $typelibguid2lo = "37d6dd3f-5457-4d8b-a2e1-c7b156b176e5" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_EasyNet
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_EasyNet {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/TheWover/EasyNet"
        author = "Arnim Rupp"
        date = "2021-01-21"
    strings:
        $typelibguid0 = "3097d856-25c2-42c9-8d59-2cdad8e8ea12" ascii nocase wide
        $typelibguid1 = "ba33f716-91e0-4cf7-b9bd-b4d558f9a173" ascii nocase wide
        $typelibguid2 = "37d6dd3f-5457-4d8b-a2e1-c7b156b176e5" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_EducationalRAT
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_EducationalRAT {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/securesean/EducationalRAT"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "b1d54bea-a6c4-5c57-9ee1-7438d503b01d"
    strings:
        $typelibguid0lo = "8a18fbcf-8cac-482d-8ab7-08a44f0e278e" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_EducationalRAT
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_EducationalRAT {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/securesean/EducationalRAT"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "8a18fbcf-8cac-482d-8ab7-08a44f0e278e" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Evasor
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Evasor {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/cyberark/Evasor"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "457959ed-3e90-52c7-89f9-e1b17b35260e"
    strings:
        $typelibguid0lo = "1c8849ef-ad09-4727-bf81-1f777bd1aef8" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Evasor
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Evasor {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/cyberark/Evasor"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "1c8849ef-ad09-4727-bf81-1f777bd1aef8" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_EvilFOCA
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_EvilFOCA {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/ElevenPaths/EvilFOCA"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "2b2f5f6f-4224-5013-9e85-0ac088826bea"
    strings:
        $typelibguid0lo = "f26bdb4a-5846-4bec-8f52-3c39d32df495" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_EvilFOCA
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_EvilFOCA {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/ElevenPaths/EvilFOCA"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "f26bdb4a-5846-4bec-8f52-3c39d32df495" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_EvilWMIProvider
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_EvilWMIProvider {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/sunnyc7/EvilWMIProvider"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "3a6cf00e-28c4-5e6f-a28d-b3f28fca6eed"
    strings:
        $typelibguid0lo = "a4020626-f1ec-4012-8b17-a2c8a0204a4b" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_EvilWMIProvider
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_EvilWMIProvider {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/sunnyc7/EvilWMIProvider"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "a4020626-f1ec-4012-8b17-a2c8a0204a4b" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ExploitRemotingService
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_ExploitRemotingService {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/tyranid/ExploitRemotingService"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-21"
        modified = "2025-08-15"
        id = "2f0b9635-2b2e-5825-baeb-69d7ae3791b1"
    strings:
        $typelibguid0lo = "fd17ae38-2fd3-405f-b85b-e9d14e8e8261" ascii wide
        $typelibguid1lo = "1850b9bb-4a23-4d74-96b8-58f274674566" ascii wide
        $typelibguid2lo = "297cbca1-efa3-4f2a-8d5f-e1faf02ba587" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ExploitRemotingService
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_ExploitRemotingService {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/tyranid/ExploitRemotingService"
        author = "Arnim Rupp"
        date = "2020-12-21"
    strings:
        $typelibguid0 = "fd17ae38-2fd3-405f-b85b-e9d14e8e8261" ascii nocase wide
        $typelibguid1 = "1850b9bb-4a23-4d74-96b8-58f274674566" ascii nocase wide
        $typelibguid2 = "297cbca1-efa3-4f2a-8d5f-e1faf02ba587" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ExternalC2
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_ExternalC2 {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/ryhanson/ExternalC2"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "1bbdfbb9-a3e8-5ffe-9db9-b50937e6a14d"
    strings:
        $typelibguid0lo = "7266acbb-b10d-4873-9b99-12d2043b1d4e" ascii wide
        $typelibguid1lo = "5d9515d0-df67-40ed-a6b2-6619620ef0ef" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ExternalC2
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_ExternalC2 {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/ryhanson/ExternalC2"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "7266acbb-b10d-4873-9b99-12d2043b1d4e" ascii nocase wide
        $typelibguid1 = "5d9515d0-df67-40ed-a6b2-6619620ef0ef" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Farmer
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_Farmer {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/mdsecactivebreach/Farmer"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-22"
        modified = "2025-08-15"
        id = "f69745b9-4ebd-547a-9af3-bc340b076e5d"
    strings:
        $typelibguid0lo = "37da2573-d9b5-4fc2-ae11-ccb6130cea9f" ascii wide
        $typelibguid1lo = "49acf861-1c10-49a1-bf26-139a3b3a9227" ascii wide
        $typelibguid2lo = "9a6c028f-423f-4c2c-8db3-b3499139b822" ascii wide
        $typelibguid3lo = "1c896837-e729-46a9-92b9-3bbe7ac2c90d" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Fenrir
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Fenrir {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/nccgroup/Fenrir"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "cfc6312d-5997-5261-b771-c7f3f30bf86c"
    strings:
        $typelibguid0lo = "aecec195-f143-4d02-b946-df0e1433bd2e" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Fenrir
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Fenrir {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/nccgroup/Fenrir"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "aecec195-f143-4d02-b946-df0e1433bd2e" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_FileSearcher
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_FileSearcher {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/NVISO-BE/FileSearcher"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "1b5f1f68-f87b-5e60-94a4-e2556b4e6c5d"
    strings:
        $typelibguid0lo = "2c879479-5027-4ce9-aaac-084db0e6d630" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
Showing 551-600 of 18,880