Malware / file
YARA rules
18,880 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. The rules below come from multiple open repositories; each entry shows the rule's raw signature.
Using these YARA rules
Deploy. Load them into any YARA-capable scanner: your EDR if it supports YARA, the yara CLI against files or a memory image, VirusTotal Retrohunt, or a host scanner like Loki or THOR.
Adapt. Tighten or loosen the string and condition matches for your false-positive tolerance; a rule written for one campaign can over-match on benign files in a different environment.
Scope. These are for hunting known malware families in files and memory and for triaging samples - not for network traffic or log-based detection, which the IDS and Sigma rules cover.
Rules
50 shown of 18,880
HKTL_NET_GUID_RunAsUser
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_RunAsUser {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/atthacks/RunAsUser"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "ead7819a-1397-5953-888f-2176e4041375"
strings:
$typelibguid0lo = "9dff282c-93b9-4063-bf8a-b6798371d35a" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_RunAsUser
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_RunAsUser {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/atthacks/RunAsUser"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "9dff282c-93b9-4063-bf8a-b6798371d35a" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_RunShellcode
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_RunShellcode {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/zerosum0x0/RunShellcode"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "249da967-68b0-59b1-b414-4eb4fe67b8f3"
strings:
$typelibguid0lo = "a3ec18a3-674c-4131-a7f5-acbed034b819" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_RunShellcode
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_RunShellcode {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/zerosum0x0/RunShellcode"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "a3ec18a3-674c-4131-a7f5-acbed034b819" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_RuralBishop
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_RuralBishop {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/rasta-mouse/RuralBishop"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "8fd89465-1ecc-5eda-b2ab-273172ad945d"
strings:
$typelibguid0lo = "fe4414d9-1d7e-4eeb-b781-d278fe7a5619" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_RuralBishop
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_RuralBishop {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/rasta-mouse/RuralBishop"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "fe4414d9-1d7e-4eeb-b781-d278fe7a5619" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SHAPESHIFTER
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SHAPESHIFTER {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/matterpreter/SHAPESHIFTER"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "8903c65a-624f-5e8d-a3f6-4572b56bd2f7"
strings:
$typelibguid0lo = "a3ddfcaa-66e7-44fd-ad48-9d80d1651228" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SHAPESHIFTER
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SHAPESHIFTER {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/matterpreter/SHAPESHIFTER"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "a3ddfcaa-66e7-44fd-ad48-9d80d1651228" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SQLRecon
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SQLRecon {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/skahwah/SQLRecon"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2023-01-20"
modified = "2025-08-15"
id = "f9ea5283-0a5c-5bde-966c-80869ee25888"
strings:
$typelibguid0lo = "612c7c82-d501-417a-b8db-73204fdfda06" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SafetyKatz
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SafetyKatz {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/GhostPack/SafetyKatz"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "5f6d7432-0bb5-5782-98ec-2c2168f2fc1f"
strings:
$typelibguid0lo = "8347e81b-89fc-42a9-b22c-f59a6a572dec" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SafetyKatz
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SafetyKatz {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/GhostPack/SafetyKatz"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "8347e81b-89fc-42a9-b22c-f59a6a572dec" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Salsa_tools
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Salsa_tools {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/Hackplayers/Salsa-tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "50db578e-6ddb-54d1-a978-e3630a3548c3"
strings:
$typelibguid0lo = "276004bb-5200-4381-843c-934e4c385b66" ascii wide
$typelibguid1lo = "cfcbf7b6-1c69-4b1f-8651-6bdb4b55f6b9" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Salsa_tools
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_Salsa_tools {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/Hackplayers/Salsa-tools"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "276004bb-5200-4381-843c-934e4c385b66" ascii nocase wide
$typelibguid1 = "cfcbf7b6-1c69-4b1f-8651-6bdb4b55f6b9" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SauronEye
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SauronEye {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/vivami/SauronEye"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "3b624dde-a63e-58ac-a4db-af931f1d8553"
strings:
$typelibguid0lo = "0f43043d-8957-4ade-a0f4-25c1122e8118" ascii wide
$typelibguid1lo = "086bf0ca-f1e4-4e8f-9040-a8c37a49fa26" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SauronEye
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SauronEye {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/vivami/SauronEye"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "0f43043d-8957-4ade-a0f4-25c1122e8118" ascii nocase wide
$typelibguid1 = "086bf0ca-f1e4-4e8f-9040-a8c37a49fa26" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ShadowSpray
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_ShadowSpray {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/Dec0ne/ShadowSpray"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2023-03-22"
modified = "2025-08-15"
id = "91dd52ef-07a1-5ffd-b5c3-59bca18d4c7c"
strings:
$typelibguid0lo = "7e47d586-ddc6-4382-848c-5cf0798084e1" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharPermission
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharPermission {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/mitchmoser/SharPermission"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2021-01-21"
modified = "2025-08-15"
id = "d5027f51-f3ca-53cd-96d7-c355b5c2e6fa"
strings:
$typelibguid0lo = "84d2b661-3267-49c8-9f51-8f72f21aea47" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharPermission
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharPermission {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/mitchmoser/SharPermission"
author = "Arnim Rupp"
date = "2021-01-21"
strings:
$typelibguid0 = "84d2b661-3267-49c8-9f51-8f72f21aea47" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharPersist
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharPersist {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/fireeye/SharPersist"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "0c181186-7bb4-502b-8937-60cfd88ce689"
strings:
$typelibguid0lo = "9d1b853e-58f1-4ba5-aefc-5c221ca30e48" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharPersist
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharPersist {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/fireeye/SharPersist"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "9d1b853e-58f1-4ba5-aefc-5c221ca30e48" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpAdidnsdump
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpAdidnsdump {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/b4rtik/SharpAdidnsdump"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "51d50b22-4e73-5378-9e0d-ad7730987293"
strings:
$typelibguid0lo = "cdb02bc2-5f62-4c8a-af69-acc3ab82e741" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpAdidnsdump
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpAdidnsdump {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/b4rtik/SharpAdidnsdump"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "cdb02bc2-5f62-4c8a-af69-acc3ab82e741" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpAllowedToAct
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpAllowedToAct {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/pkb1s/SharpAllowedToAct"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2021-01-21"
modified = "2025-08-15"
id = "13b7f5e0-4d34-533d-a182-b3fe7c93ca43"
strings:
$typelibguid0lo = "dac5448a-4ad1-490a-846a-18e4e3e0cf9a" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpAllowedToAct
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpAllowedToAct {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/pkb1s/SharpAllowedToAct"
author = "Arnim Rupp"
date = "2021-01-21"
strings:
$typelibguid0 = "dac5448a-4ad1-490a-846a-18e4e3e0cf9a" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpAttack
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpAttack {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/jaredhaight/SharpAttack"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "1eb911ab-3fb9-54b7-8afb-66328f30d563"
strings:
$typelibguid0lo = "5f0ceca3-5997-406c-adf5-6c7fbb6cba17" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpAttack
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpAttack {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/jaredhaight/SharpAttack"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "5f0ceca3-5997-406c-adf5-6c7fbb6cba17" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpBlock
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpBlock {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/CCob/SharpBlock"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "b84538da-1b0e-50c7-abfa-e93d6de5a49b"
strings:
$typelibguid0lo = "3cf25e04-27e4-4d19-945e-dadc37c81152" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpBlock
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpBlock {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/CCob/SharpBlock"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "3cf25e04-27e4-4d19-945e-dadc37c81152" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpBox
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpBox {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/P1CKLES/SharpBox"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "fda1a67f-d746-5ddb-a33f-97d608b13bc9"
strings:
$typelibguid0lo = "616c1afb-2944-42ed-9951-bf435cadb600" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpBox
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpBox {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/P1CKLES/SharpBox"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "616c1afb-2944-42ed-9951-bf435cadb600" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpByeBear
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpByeBear {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/S3cur3Th1sSh1t/SharpByeBear"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2021-01-21"
modified = "2025-08-15"
id = "4a7f2514-2519-5fd5-9d17-110a67f829e7"
strings:
$typelibguid0lo = "a6b84e35-2112-4df2-a31b-50fde4458c5e" ascii wide
$typelibguid1lo = "3e82f538-6336-4fff-aeec-e774676205da" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpByeBear
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpByeBear {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/S3cur3Th1sSh1t/SharpByeBear"
author = "Arnim Rupp"
date = "2021-01-21"
strings:
$typelibguid0 = "a6b84e35-2112-4df2-a31b-50fde4458c5e" ascii nocase wide
$typelibguid1 = "3e82f538-6336-4fff-aeec-e774676205da" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpBypassUAC
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpBypassUAC {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/FatRodzianko/SharpBypassUAC"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "474d40aa-4bcc-58b5-a129-40bbd3a89e99"
strings:
$typelibguid0lo = "0d588c86-c680-4b0d-9aed-418f1bb94255" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpBypassUAC
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpBypassUAC {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/FatRodzianko/SharpBypassUAC"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "0d588c86-c680-4b0d-9aed-418f1bb94255" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpC2
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpC2 {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/SharpC2/SharpC2"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "2ed6d74e-2b95-5c70-807a-4da5e62f5853"
strings:
$typelibguid0lo = "62b9ee4f-1436-4098-9bc1-dd61b42d8b81" ascii wide
$typelibguid1lo = "d2f17a91-eb2d-4373-90bf-a26e46c68f76" ascii wide
$typelibguid2lo = "a9db9fcc-7502-42cd-81ec-3cd66f511346" ascii wide
$typelibguid3lo = "ca6cc2ee-75fd-4f00-b687-917fa55a4fae" ascii wide
$typelibguid4lo = "a1167b68-446b-4c0c-a8b8-2a7278b67511" ascii wide
$typelibguid5lo = "4d8c2a88-1da5-4abe-8995-6606473d7cf1" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpC2
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpC2 {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/SharpC2/SharpC2"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "62b9ee4f-1436-4098-9bc1-dd61b42d8b81" ascii nocase wide
$typelibguid1 = "d2f17a91-eb2d-4373-90bf-a26e46c68f76" ascii nocase wide
$typelibguid2 = "a9db9fcc-7502-42cd-81ec-3cd66f511346" ascii nocase wide
$typelibguid3 = "ca6cc2ee-75fd-4f00-b687-917fa55a4fae" ascii nocase wide
$typelibguid4 = "a1167b68-446b-4c0c-a8b8-2a7278b67511" ascii nocase wide
$typelibguid5 = "4d8c2a88-1da5-4abe-8995-6606473d7cf1" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpCOM
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpCOM {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/rvrsh3ll/SharpCOM"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "94da3da4-a8aa-5735-9a04-1f2447a330aa"
strings:
$typelibguid0lo = "51960f7d-76fe-499f-afbd-acabd7ba50d1" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpCOM
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpCOM {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/rvrsh3ll/SharpCOM"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "51960f7d-76fe-499f-afbd-acabd7ba50d1" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpCall
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpCall {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/jhalon/SharpCall"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "172415b6-0383-5da4-a88f-8ebe5daf9294"
strings:
$typelibguid0lo = "c1b0a923-0f17-4bc8-ba0f-c87aff43e799" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpCall
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpCall {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/jhalon/SharpCall"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "c1b0a923-0f17-4bc8-ba0f-c87aff43e799" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpChisel
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpChisel {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/shantanu561993/SharpChisel"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2021-01-21"
modified = "2025-08-15"
id = "3b7e6703-ebe8-5a98-839f-7d0349ab483f"
strings:
$typelibguid0lo = "f5f21e2d-eb7e-4146-a7e1-371fd08d6762" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpChisel
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpChisel {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/shantanu561993/SharpChisel"
author = "Arnim Rupp"
date = "2021-01-21"
strings:
$typelibguid0 = "f5f21e2d-eb7e-4146-a7e1-371fd08d6762" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpChromium
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpChromium {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/djhohnstein/SharpChromium"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2023-03-22"
modified = "2025-08-15"
id = "5364956a-e199-556a-8055-0e7b9a7b14c8"
strings:
$typelibguid0lo = "2133c634-4139-466e-8983-9a23ec99e01b" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpClipHistory
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpClipHistory {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/FSecureLABS/SharpClipHistory"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-21"
modified = "2025-08-15"
id = "89ca4717-a4ec-5371-8dc3-bdb9933384af"
strings:
$typelibguid0lo = "1126d5b4-efc7-4b33-a594-b963f107fe82" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpClipHistory
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpClipHistory {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/FSecureLABS/SharpClipHistory"
author = "Arnim Rupp"
date = "2020-12-21"
strings:
$typelibguid0 = "1126d5b4-efc7-4b33-a594-b963f107fe82" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpClipboard
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpClipboard {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/slyd0g/SharpClipboard"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "fd1b7786-8853-5858-ab03-da350e44f738"
strings:
$typelibguid0lo = "97484211-4726-4129-86aa-ae01d17690be" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpClipboard
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpClipboard {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/slyd0g/SharpClipboard"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "97484211-4726-4129-86aa-ae01d17690be" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpCloud
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpCloud {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/chrismaddalena/SharpCloud"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2023-03-22"
modified = "2025-08-15"
id = "048b0239-ea13-58ff-af35-fd505b4c977a"
strings:
$typelibguid0lo = "ca4e257e-69c1-45c5-9375-ba7874371892" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpCompile
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpCompile {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/SpiderLabs/SharpCompile"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "c5e053c4-1c90-581a-a6c3-087b252254b2"
strings:
$typelibguid0lo = "63f81b73-ff18-4a36-b095-fdcb4776da4c" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpCompile
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpCompile {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/SpiderLabs/SharpCompile"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "63f81b73-ff18-4a36-b095-fdcb4776da4c" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
Showing 751-800 of 18,880