YARA rules
18,880 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. The rules below come from multiple open repositories; each entry gives the rule name, its description and the raw signature. All fifty on this page are Arnim Rupp's HKTL_NET_GUID_* rules, each of which flags a .NET offensive tool by the typelib GUID embedded in its assembly.
Using these YARA rules
Deploy. Load them into any YARA-capable scanner: your EDR if it supports YARA, the yara CLI against files, directories or a memory image, VirusTotal Retrohunt, or a host scanner like Loki or THOR. Note that this index carries several rules in two revisions under the same identifier (HKTL_NET_GUID_GRAT2 below, for instance); yara refuses to compile a duplicated identifier within one namespace, so keep a single revision per name or load each source under its own namespace (the yara CLI accepts a NAMESPACE: prefix in front of a rules file).
Adapt. Tighten or loosen the string and condition matches for your false-positive tolerance; a rule written for one campaign can over-match on benign files in a different environment. The paired revisions below show both directions: the 2025 revisions drop `nocase` and match only the lower-case GUID spelling (which YARA scans more cheaply), while `ascii wide` still covers both the plain and the UTF-16LE form; and the newer KeeThief revision comments out a GUID that turned up in Microsoft files.
Scope. These are for hunting known malware families in files and memory and for triaging samples, not for network traffic or log-based detection, which the IDS and Sigma rules cover. The HKTL_NET_GUID_* rules match the GUID a .NET project carries from its AssemblyInfo Guid attribute, so they catch unmodified builds of the named tool; a copy rebuilt with a fresh GUID will not match, and a GUID that merely appears in a script or document never fires because the condition checks for a PE header first.
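The condition shared by every rule on this page can be reproduced in a few lines to see what each part does. The following is an added example written for this page, not code from signature-base or from any of the referenced tools: it emulates the PE gate and the `ascii wide` string search in Python, runs the two HKTL_NET_GUID_GRAT2 revisions (the 2020 one with `nocase`, the 2025 one without) over constructed byte strings, and shows the upper-case spelling that only the older revision catches. The inputs are fabricated stubs with an MZ/PE header, not real binaries.

```python
"""Added example (not from signature-base or the page): the matching logic
every HKTL_NET_GUID_* rule on this page shares, reproduced in Python so the
PE gate and the `ascii wide` / `nocase` modifiers can be tried on inputs.
Sample byte strings are constructed for the demo, not real binaries."""
from __future__ import annotations

import re
import struct

# GUID from HKTL_NET_GUID_GRAT2; both revisions on the page look for it.
GRAT2_GUID = "5e7fce78-1977-444f-a18e-987d708a2cff"


def is_pe(data: bytes) -> bool:
    """YARA: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550.

    YARA reads these integers little-endian, so 0x5A4D is the bytes b"MZ"
    and 0x00004550 is b"PE\\0\\0", located at the e_lfanew offset stored at
    0x3C. A read past the end is undefined in YARA and the rule does not
    match; explicit bounds checks mirror that.
    """
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return struct.unpack_from("<I", data, e_lfanew)[0] == 0x00004550


def guid_pattern(guid: str, wide: bool, nocase: bool) -> re.Pattern[bytes]:
    """Bytes regex for one YARA string modifier combination.

    `wide` is UTF-16LE: each character followed by a 0x00 byte. `nocase`
    lets each hex letter match either case; the 2025 revisions drop it and
    match only the lower-case spelling in their `$...lo` strings.
    """
    parts = []
    for ch in guid:
        if nocase and ch.isalpha():
            atom = b"[" + ch.lower().encode() + ch.upper().encode() + b"]"
        else:
            atom = re.escape(ch.encode("ascii"))
        parts.append(atom + (b"\x00" if wide else b""))
    return re.compile(b"".join(parts))


def rule_matches(data: bytes, guids: list[str], nocase: bool) -> bool:
    """Condition: PE gate and `any of them` over `ascii wide` strings."""
    if not is_pe(data):
        return False
    return any(
        guid_pattern(g, wide, nocase).search(data) is not None
        for g in guids
        for wide in (False, True)
    )


def fake_pe(payload: bytes) -> bytes:
    """Constructed MZ stub + PE signature (not loadable), payload appended."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew -> "PE\0\0" at 0x80
    return bytes(hdr) + b"PE\x00\x00" + payload


def demo() -> dict[str, bool]:
    """Run both GRAT2 revisions (2020 nocase, 2025 lower-case only) over
    constructed inputs; result keys are '<sample>/<revision>'."""
    lower, upper = GRAT2_GUID, GRAT2_GUID.upper()
    samples = {
        "ascii_lower_in_pe": fake_pe(b"..." + lower.encode() + b"..."),
        "wide_lower_in_pe": fake_pe(lower.encode("utf-16-le")),
        "ascii_upper_in_pe": fake_pe(upper.encode()),  # only nocase fires
        "ascii_lower_not_pe": b"plain text " + lower.encode(),  # gate blocks
    }
    revisions = {"nocase_2020": True, "lo_2025": False}
    return {
        f"{name}/{rev}": rule_matches(data, [GRAT2_GUID], nocase)
        for name, data in samples.items()
        for rev, nocase in revisions.items()
    }


if __name__ == "__main__":
    for key, hit in demo().items():
        print(f"{key:32} {'MATCH' if hit else 'no match'}")
```

Run as a script it prints one MATCH/no match line per sample and revision. The upper-case sample is the point of the exercise: a GUID string that a build tool or obfuscator has upper-cased slips past the 2025 `$...lo` strings, so if that spelling matters in your environment, keep `nocase` on those strings and accept the slower scan.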
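Because the index lists some rules in two revisions under one identifier, a merged rule file has to keep one of them. The following is an added example, not part of the page or of signature-base: it splits a rule file into `rule NAME { ... }` blocks, reports identifiers that occur more than once (which yara rejects as a duplicated identifier), and keeps the revision with the newest `modified` date, falling back to `date`. RULES holds the two HKTL_NET_GUID_GRAT2 revisions and HKTL_NET_GUID_FileSearcher as printed on this page, with the license lines left out; the regexes assume each rule's closing brace starts a line, as in this listing.

```python
"""Added example (not from the page or signature-base): keep one revision per
rule identifier before compiling. Several rules on this page occur twice under
the same name (an older `nocase` revision and a 2025 one) and yara refuses to
compile a duplicated identifier within one namespace. This keeps the revision
with the latest `modified` date, falling back to `date`. RULES copies two
HKTL_NET_GUID_GRAT2 revisions and HKTL_NET_GUID_FileSearcher from the page
(meta abridged); the selection logic is the added part."""
import re
from datetime import date

# One rule per match; relies on the closing brace being at line start.
RULE_RE = re.compile(r"^rule\s+(\w+)\s*\{.*?^\}", re.M | re.S)
# key = "value" lines; applied to the meta section only (see revision_date).
META_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)

RULES = '''
rule HKTL_NET_GUID_GRAT2 {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/r3nhat/GRAT2"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "5e7fce78-1977-444f-a18e-987d708a2cff" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
rule HKTL_NET_GUID_GRAT2 {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/r3nhat/GRAT2"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "e731d563-0d16-5f84-8127-624a71f8b646"
strings:
$typelibguid0lo = "5e7fce78-1977-444f-a18e-987d708a2cff" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
rule HKTL_NET_GUID_FileSearcher {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/NVISO-BE/FileSearcher"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "2c879479-5027-4ce9-aaac-084db0e6d630" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
'''


def split_rules(text):
    """Yield (identifier, full rule text) for each rule block in the file."""
    for m in RULE_RE.finditer(text):
        yield m.group(1), m.group(0)


def revision_date(rule_text):
    """`modified` if present, else `date`; a rule with neither sorts oldest."""
    head = rule_text.split("strings:", 1)[0]  # meta only, skip $strings
    meta = dict(META_RE.findall(head))
    stamp = meta.get("modified") or meta.get("date")
    return date.fromisoformat(stamp) if stamp else date.min


def duplicate_identifiers(text):
    """Identifiers that would trigger yara's duplicated-identifier error."""
    seen, dupes = set(), []
    for name, _ in split_rules(text):
        if name in seen and name not in dupes:
            dupes.append(name)
        seen.add(name)
    return dupes


def dedupe(text):
    """Map identifier -> newest revision text, first-seen order preserved."""
    kept = {}
    for name, body in split_rules(text):
        if name not in kept or revision_date(body) > revision_date(kept[name]):
            kept[name] = body
    return kept


def merged_ruleset(text):
    """Rule file ready for `yara -r rules.yar <dir>`: one rule per name."""
    return "\n".join(dedupe(text).values()) + "\n"


if __name__ == "__main__":
    print("duplicates:", duplicate_identifiers(RULES))
    print(merged_ruleset(RULES))
```

Write the output of `merged_ruleset` to a file and compile that one with yara. If you would rather keep both revisions side by side, for instance to compare their hit rates, load each source under its own namespace instead of merging them.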
Rules
50 shown of 18,880
HKTL_NET_GUID_FileSearcher
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_FileSearcher {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/NVISO-BE/FileSearcher"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "2c879479-5027-4ce9-aaac-084db0e6d630" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ForgeCert
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_ForgeCert {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/GhostPack/ForgeCert"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2023-03-18"
modified = "2025-08-15"
id = "06b3ffbb-5a76-50a0-86dc-b9658bf2d7ec"
strings:
$typelibguid0lo = "bd346689-8ee6-40b3-858b-4ed94f08d40a" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_GMSAPasswordReader
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_GMSAPasswordReader {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/rvazarkar/GMSAPasswordReader"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2023-12-06"
id = "dc74bfce-90a1-53bd-bfe4-cb7c9c75da53"
strings:
$typelibguid0 = "c8112750-972d-4efa-a75b-da9b8a4533c7" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_GRAT2
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_GRAT2 {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/r3nhat/GRAT2"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "e731d563-0d16-5f84-8127-624a71f8b646"
strings:
$typelibguid0lo = "5e7fce78-1977-444f-a18e-987d708a2cff" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_GRAT2
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_GRAT2 {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/r3nhat/GRAT2"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "5e7fce78-1977-444f-a18e-987d708a2cff" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_GadgetToJScript
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_GadgetToJScript {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/med0x2e/GadgetToJScript"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "e296795f-d006-52a9-92c4-fb60c930564b"
strings:
$typelibguid0lo = "af9c62a1-f8d2-4be0-b019-0a7873e81ea9" ascii wide
$typelibguid1lo = "b2b3adb0-1669-4b94-86cb-6dd682ddbea3" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_GadgetToJScript
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_GadgetToJScript {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/med0x2e/GadgetToJScript"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "af9c62a1-f8d2-4be0-b019-0a7873e81ea9" ascii nocase wide
$typelibguid1 = "b2b3adb0-1669-4b94-86cb-6dd682ddbea3" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Get_RBCD_Threaded
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_Get_RBCD_Threaded {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/FatRodzianko/Get-RBCD-Threaded"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2023-03-22"
modified = "2025-08-15"
id = "fdef6dc3-da1a-5a98-a822-94e443981fdd"
strings:
$typelibguid0lo = "e20dc2ed-6455-4101-9d78-fccac1cb7a18" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Gopher
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Gopher {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/EncodeGroup/Gopher"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "e3015719-9085-584d-8237-f377ec995149"
strings:
$typelibguid0lo = "b5152683-2514-49ce-9aca-1bc43df1e234" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Gopher
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Gopher {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/EncodeGroup/Gopher"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "b5152683-2514-49ce-9aca-1bc43df1e234" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Group3r
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_Group3r {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/Group3r/Group3r.git"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2022-11-21"
modified = "2025-08-15"
id = "0571d71e-50ca-5c1b-b750-34acc2d06687"
strings:
$typelibguid0lo = "868a6c76-c903-4a94-96fd-a2c6ba75691c" ascii wide
$typelibguid1lo = "caa7ab97-f83b-432c-8f9c-c5f1530f59f7" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Grouper2
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Grouper2 {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/l0ss/Grouper2/"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "a9cd9a16-b2a5-5d15-af89-7a8d0f1835bb"
strings:
$typelibguid0lo = "5decaea3-2610-4065-99dc-65b9b4ba6ccd" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Grouper2
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Grouper2 {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/l0ss/Grouper2/"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "5decaea3-2610-4065-99dc-65b9b4ba6ccd" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_HTTPSBeaconShell
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_HTTPSBeaconShell {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/limbenjamin/HTTPSBeaconShell"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "d66e3566-6082-570a-a168-f44c9d8c7619"
strings:
$typelibguid0lo = "aca853dc-9e74-4175-8170-e85372d5f2a9" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_HTTPSBeaconShell
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_HTTPSBeaconShell {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/limbenjamin/HTTPSBeaconShell"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "aca853dc-9e74-4175-8170-e85372d5f2a9" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_HWIDbypass
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_HWIDbypass {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/yunseok/HWIDbypass"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "62b0541b-6eec-546e-8445-85d25bb0d784"
strings:
$typelibguid0lo = "47e08791-d124-4746-bc50-24bd1ee719a6" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_HWIDbypass
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_HWIDbypass {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/yunseok/HWIDbypass"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "47e08791-d124-4746-bc50-24bd1ee719a6" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_HastySeries
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_HastySeries {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/obscuritylabs/HastySeries"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "0d35acf4-c763-593c-94e2-c499d3826375"
strings:
$typelibguid0lo = "8435531d-675c-4270-85bf-60db7653bcf6" ascii wide
$typelibguid1lo = "47db989f-7e33-4e6b-a4a5-c392b429264b" ascii wide
$typelibguid2lo = "300c7489-a05f-4035-8826-261fa449dd96" ascii wide
$typelibguid3lo = "41bf8781-ae04-4d80-b38d-707584bf796b" ascii wide
$typelibguid4lo = "620ed459-18de-4359-bfb0-6d0c4841b6f6" ascii wide
$typelibguid5lo = "91e7cdfe-0945-45a7-9eaa-0933afe381f2" ascii wide
$typelibguid6lo = "c28e121a-60ca-4c21-af4b-93eb237b882f" ascii wide
$typelibguid7lo = "698fac7a-bff1-4c24-b2c3-173a6aae15bf" ascii wide
$typelibguid8lo = "63a40d94-5318-42ad-a573-e3a1c1284c57" ascii wide
$typelibguid9lo = "56b8311b-04b8-4e57-bb58-d62adc0d2e68" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_HastySeries
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_HastySeries {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/obscuritylabs/HastySeries"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "8435531d-675c-4270-85bf-60db7653bcf6" ascii nocase wide
$typelibguid1 = "47db989f-7e33-4e6b-a4a5-c392b429264b" ascii nocase wide
$typelibguid2 = "300c7489-a05f-4035-8826-261fa449dd96" ascii nocase wide
$typelibguid3 = "41bf8781-ae04-4d80-b38d-707584bf796b" ascii nocase wide
$typelibguid4 = "620ed459-18de-4359-bfb0-6d0c4841b6f6" ascii nocase wide
$typelibguid5 = "91e7cdfe-0945-45a7-9eaa-0933afe381f2" ascii nocase wide
$typelibguid6 = "c28e121a-60ca-4c21-af4b-93eb237b882f" ascii nocase wide
$typelibguid7 = "698fac7a-bff1-4c24-b2c3-173a6aae15bf" ascii nocase wide
$typelibguid8 = "63a40d94-5318-42ad-a573-e3a1c1284c57" ascii nocase wide
$typelibguid9 = "56b8311b-04b8-4e57-bb58-d62adc0d2e68" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_HideFromAMSI
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_HideFromAMSI {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/0r13lc0ch4v1/HideFromAMSI"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "0fa1ce82-b662-5e18-a5da-8359c96cd6e9"
strings:
$typelibguid0lo = "b91d2d44-794c-49b8-8a75-2fbec3fe3fe3" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_HideFromAMSI
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_HideFromAMSI {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/0r13lc0ch4v1/HideFromAMSI"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "b91d2d44-794c-49b8-8a75-2fbec3fe3fe3" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_HiveJack
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_HiveJack {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/Viralmaniar/HiveJack"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "10567ef4-780f-5e93-9061-3214116d6bbb"
strings:
$typelibguid0lo = "e12e62fe-bea3-4989-bf04-6f76028623e3" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_HiveJack
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_HiveJack {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/Viralmaniar/HiveJack"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "e12e62fe-bea3-4989-bf04-6f76028623e3" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_IIS_backdoor
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_IIS_backdoor {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/WBGlIl/IIS_backdoor"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "44264dd9-f8e9-5a60-847f-94378e07a327"
strings:
$typelibguid0lo = "3fda4aa9-6fc1-473f-9048-7edc058c4f65" ascii wide
$typelibguid1lo = "73ca4159-5d13-4a27-8965-d50c41ab203c" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_IIS_backdoor
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_IIS_backdoor {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/WBGlIl/IIS_backdoor"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "3fda4aa9-6fc1-473f-9048-7edc058c4f65" ascii nocase wide
$typelibguid1 = "73ca4159-5d13-4a27-8965-d50c41ab203c" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Inception
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Inception {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/two06/Inception"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "8d18f1d5-9c9a-5258-9f96-fa24b702c6ad"
strings:
$typelibguid0lo = "03d96b8c-efd1-44a9-8db2-0b74db5d247a" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Inception
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Inception {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/two06/Inception"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "03d96b8c-efd1-44a9-8db2-0b74db5d247a" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Inferno
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Inferno {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/LimerBoy/Inferno"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "af2d9832-c7f9-5879-a19b-a3c4d91b8b3f"
strings:
$typelibguid0lo = "26d498f7-37ae-476c-97b0-3761e3a919f0" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Inferno
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Inferno {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/LimerBoy/Inferno"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "26d498f7-37ae-476c-97b0-3761e3a919f0" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Internal_Monologue
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Internal_Monologue {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/eladshamir/Internal-Monologue"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "ce2773a2-b0b7-560e-ba21-3f018ddcacb3"
strings:
$typelibguid0lo = "0c0333db-8f00-4b68-b1db-18a9cacc1486" ascii wide
$typelibguid1lo = "84701ace-c584-4886-a3cf-76c57f6e801a" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Internal_Monologue
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Internal_Monologue {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/eladshamir/Internal-Monologue"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "0c0333db-8f00-4b68-b1db-18a9cacc1486" ascii nocase wide
$typelibguid1 = "84701ace-c584-4886-a3cf-76c57f6e801a" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_IronKit
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_IronKit {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/nshalabi/IronKit"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
score = 50
date = "2020-12-13"
modified = "2025-08-15"
strings:
$typelibguid0lo = "68e40495-c34a-4539-b43e-9e4e6f11a9fb" ascii wide
$typelibguid1lo = "641cd52d-3886-4a74-b590-2a05621502a4" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_IronKit
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_IronKit {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/nshalabi/IronKit"
author = "Arnim Rupp"
score = 50
date = "2020-12-13"
strings:
$typelibguid0 = "68e40495-c34a-4539-b43e-9e4e6f11a9fb" ascii nocase wide
$typelibguid1 = "641cd52d-3886-4a74-b590-2a05621502a4" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_KeeThief
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_KeeThief {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/GhostPack/KeeThief"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "71fef0e9-223a-5834-9d1c-f3fb8b66a809"
strings:
$typelibguid1lo = "39aa6f93-a1c9-497f-bad2-cc42a61d5710" ascii wide
$typelibguid3lo = "3fca8012-3bad-41e4-91f4-534aa9a44f96" ascii wide
$typelibguid4lo = "ea92f1e6-3f34-48f8-8b0a-f2bbc19220ef" ascii wide
$typelibguid5lo = "c23b51c4-2475-4fc6-9b3a-27d0a2b99b0f" ascii wide
/* $typelibguid6 = "94432a8e-3e06-4776-b9b2-3684a62bb96a" ascii nocase wide FIX FPS with Microsoft files */
$typelibguid7lo = "80ba63a4-7d41-40e9-a722-6dd58b28bf7e" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_KeeThief
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_KeeThief {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/GhostPack/KeeThief"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid1 = "39aa6f93-a1c9-497f-bad2-cc42a61d5710" ascii nocase wide
$typelibguid3 = "3fca8012-3bad-41e4-91f4-534aa9a44f96" ascii nocase wide
$typelibguid4 = "ea92f1e6-3f34-48f8-8b0a-f2bbc19220ef" ascii nocase wide
$typelibguid5 = "c23b51c4-2475-4fc6-9b3a-27d0a2b99b0f" ascii nocase wide
$typelibguid6 = "94432a8e-3e06-4776-b9b2-3684a62bb96a" ascii nocase wide
$typelibguid7 = "80ba63a4-7d41-40e9-a722-6dd58b28bf7e" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Keylogger
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Keylogger {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/BlackVikingPro/Keylogger"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "0576756e-26d5-5165-b621-917126a75a38"
strings:
$typelibguid0lo = "7afbc9bf-32d9-460f-8a30-35e30aa15879" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Keylogger
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Keylogger {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/BlackVikingPro/Keylogger"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "7afbc9bf-32d9-460f-8a30-35e30aa15879" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_KeystrokeAPI
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_KeystrokeAPI {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/fabriciorissetto/KeystrokeAPI"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "e715bce8-531b-5e2a-bd02-b2fc4990c499"
strings:
$typelibguid0lo = "f6fec17e-e22d-4149-a8a8-9f64c3c905d3" ascii wide
$typelibguid1lo = "b7aa4e23-39a4-49d5-859a-083c789bfea2" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_KeystrokeAPI
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_KeystrokeAPI {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/fabriciorissetto/KeystrokeAPI"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "f6fec17e-e22d-4149-a8a8-9f64c3c905d3" ascii nocase wide
$typelibguid1 = "b7aa4e23-39a4-49d5-859a-083c789bfea2" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_KittyLitter
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_KittyLitter {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/djhohnstein/KittyLitter"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2023-03-22"
modified = "2025-08-15"
id = "f457b91f-4adb-5be6-b9c2-f6cc39d4bdaf"
strings:
$typelibguid0lo = "449cf269-4798-4268-9a0d-9a17a08869ba" ascii wide
$typelibguid1lo = "e7a509a4-2d44-4e10-95bf-b86cb7767c2c" ascii wide
$typelibguid2lo = "b2b8dd4f-eba6-42a1-a53d-9a00fe785d66" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Koh
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_Koh {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/GhostPack/Koh"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2023-03-18"
modified = "2025-08-15"
id = "9702526c-b10d-553d-a803-47e352533858"
strings:
$typelibguid0lo = "4d5350c8-7f8c-47cf-8cde-c752018af17e" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_KrbRelay
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_KrbRelay {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/cube0x0/KrbRelay"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2022-11-21"
modified = "2025-08-15"
id = "3f59986c-8bd8-5e70-b3eb-038247d1ccd7"
strings:
$typelibguid0lo = "ed839154-90d8-49db-8cdd-972d1a6b2cfd" ascii wide
$typelibguid1lo = "3b47eebc-0d33-4e0b-bab5-782d2d3680af" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_LOLBITS
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_LOLBITS {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/Kudaes/LOLBITS"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "66454ac0-742b-51a3-ac45-1ac9606e8b89"
strings:
$typelibguid0lo = "29d09aa4-ea0c-47c2-973c-1d768087d527" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_LOLBITS
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_LOLBITS {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/Kudaes/LOLBITS"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "29d09aa4-ea0c-47c2-973c-1d768087d527" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Ladon
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Ladon {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/k8gege/Ladon"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "57e3d2fa-d430-561b-9d42-cf58cda5ed7a"
strings:
$typelibguid0lo = "c335405f-5df2-4c7d-9b53-d65adfbed412" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Ladon
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Ladon {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/k8gege/Ladon"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "c335405f-5df2-4c7d-9b53-d65adfbed412" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_LdapSignCheck
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_LdapSignCheck {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/cube0x0/LdapSignCheck"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2023-03-15"
modified = "2025-08-15"
id = "a8b902f0-61a5-509e-8307-79bf557e5f61"
strings:
$typelibguid0lo = "21f398a9-bc35-4bd2-b906-866f21409744" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_LethalHTA
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_LethalHTA {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/codewhitesec/LethalHTA"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "e8e1ad03-a5f0-5508-b78d-0de7bdaf4704"
strings:
$typelibguid0lo = "784cde17-ff0f-4e43-911a-19119e89c43f" ascii wide
$typelibguid1lo = "7e2de2c0-61dc-43ab-a0ec-c27ee2172ea6" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_LethalHTA
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_LethalHTA {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/codewhitesec/LethalHTA"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "784cde17-ff0f-4e43-911a-19119e89c43f" ascii nocase wide
$typelibguid1 = "7e2de2c0-61dc-43ab-a0ec-c27ee2172ea6" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_LimeLogger
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_LimeLogger {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/NYAN-x-CAT/LimeLogger"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "0798f01b-76b7-5c4d-9ddb-5e377b86f8b9"
strings:
$typelibguid0lo = "068d14ef-f0a1-4f9d-8e27-58b4317830c6" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
Showing 601-650 of 18,880