Malware / file
YARA rules
18,880 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. The rules below come from multiple open repositories; each entry is listed with its raw signature.
Using these YARA rules
Deploy. Load them into any YARA-capable scanner: your EDR if it supports YARA, the yara CLI against files or a memory image, VirusTotal Retrohunt, or a host scanner like Loki or THOR.
Adapt. Tighten or loosen the string and condition matches for your false-positive tolerance; a rule written for one campaign can over-match on benign files in a different environment.
Scope. These are for hunting known malware families in files and memory and for triaging samples - not for network traffic or log-based detection, which the IDS and Sigma rules cover.
Rules
50 shown of 18,880
HKTL_NET_GUID_SharpCookieMonster
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpCookieMonster {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/m0rv4i/SharpCookieMonster"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "87be6949-f4f5-5a5a-b804-c627ed0f4355"
strings:
$typelibguid0lo = "566c5556-1204-4db9-9dc8-a24091baaa8e" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpCookieMonster
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpCookieMonster {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/m0rv4i/SharpCookieMonster"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "566c5556-1204-4db9-9dc8-a24091baaa8e" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpCradle
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpCradle {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/anthemtotheego/SharpCradle"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "e2123a73-2609-559d-a122-923ebf8fd668"
strings:
$typelibguid0lo = "f70d2b71-4aae-4b24-9dae-55bc819c78bb" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpCradle
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpCradle {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/anthemtotheego/SharpCradle"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "f70d2b71-4aae-4b24-9dae-55bc819c78bb" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpCrashEventLog
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpCrashEventLog {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/slyd0g/SharpCrashEventLog"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2021-01-21"
modified = "2025-08-15"
id = "85d31989-ad96-5005-a747-8a19a67fdd80"
strings:
$typelibguid0lo = "98cb495f-4d47-4722-b08f-cefab2282b18" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpCrashEventLog
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpCrashEventLog {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/slyd0g/SharpCrashEventLog"
author = "Arnim Rupp"
date = "2021-01-21"
strings:
$typelibguid0 = "98cb495f-4d47-4722-b08f-cefab2282b18" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpDPAPI
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpDPAPI {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/GhostPack/SharpDPAPI"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "1394323f-b336-548f-925c-c276d439e9eb"
strings:
$typelibguid0lo = "5f026c27-f8e6-4052-b231-8451c6a73838" ascii wide
$typelibguid1lo = "2f00a05b-263d-4fcc-846b-da82bd684603" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpDPAPI
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpDPAPI {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/GhostPack/SharpDPAPI"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "5f026c27-f8e6-4052-b231-8451c6a73838" ascii nocase wide
$typelibguid1 = "2f00a05b-263d-4fcc-846b-da82bd684603" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpDir
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpDir {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/jnqpblc/SharpDir"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2021-01-21"
modified = "2025-08-15"
id = "f64ed564-d198-59e8-9abe-b2814b95c85f"
strings:
$typelibguid0lo = "c7a07532-12a3-4f6a-a342-161bb060b789" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpDir
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpDir {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/jnqpblc/SharpDir"
author = "Arnim Rupp"
date = "2021-01-21"
strings:
$typelibguid0 = "c7a07532-12a3-4f6a-a342-161bb060b789" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpDomainSpray
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpDomainSpray {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/HunnicCyber/SharpDomainSpray"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "cffd3350-4a86-5035-ab15-adbc3ac2a0e9"
strings:
$typelibguid0lo = "76ffa92b-429b-4865-970d-4e7678ac34ea" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpDomainSpray
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpDomainSpray {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/HunnicCyber/SharpDomainSpray"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "76ffa92b-429b-4865-970d-4e7678ac34ea" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpDump
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpDump {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/GhostPack/SharpDump"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "b613092f-9006-5405-b07e-59737410ac1e"
strings:
$typelibguid0lo = "79c9bba3-a0ea-431c-866c-77004802d8a0" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpDump
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpDump {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/GhostPack/SharpDump"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "79c9bba3-a0ea-431c-866c-77004802d8a0" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpEDRChecker
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpEDRChecker {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/PwnDexter/SharpEDRChecker"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-18"
modified = "2025-08-15"
id = "f7ff344e-f8ee-5c3a-bdd1-de3cae8e7dfb"
strings:
$typelibguid0lo = "bdfee233-3fed-42e5-aa64-492eb2ac7047" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpEDRChecker
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpEDRChecker {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/PwnDexter/SharpEDRChecker"
author = "Arnim Rupp"
date = "2020-12-18"
strings:
$typelibguid0 = "bdfee233-3fed-42e5-aa64-492eb2ac7047" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpExcel4_DCOM
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpExcel4_DCOM {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/rvrsh3ll/SharpExcel4-DCOM"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "12d3f26b-40ca-5034-a7c2-9be9c8a7599b"
strings:
$typelibguid0lo = "68b83ce5-bbd9-4ee3-b1cc-5e9223fab52b" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpExcel4_DCOM
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpExcel4_DCOM {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/rvrsh3ll/SharpExcel4-DCOM"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "68b83ce5-bbd9-4ee3-b1cc-5e9223fab52b" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpExec
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpExec {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/anthemtotheego/SharpExec"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "5faff0aa-9ffe-5ac0-b9e0-ca9f79350036"
strings:
$typelibguid0lo = "7fbad126-e21c-4c4e-a9f0-613fcf585a71" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpExec
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpExec {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/anthemtotheego/SharpExec"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "7fbad126-e21c-4c4e-a9f0-613fcf585a71" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpFruit
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpFruit {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/rvrsh3ll/SharpFruit"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "bf318530-b17d-5275-84b2-c284528bdae6"
strings:
$typelibguid0lo = "3da2f6de-75be-4c9d-8070-08da45e79761" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpFruit
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpFruit {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/rvrsh3ll/SharpFruit"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "3da2f6de-75be-4c9d-8070-08da45e79761" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpGPOAbuse
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpGPOAbuse {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/FSecureLABS/SharpGPOAbuse"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-21"
modified = "2025-08-15"
id = "ea27044f-69be-5db7-8d77-28dafb18c7e5"
strings:
$typelibguid0lo = "4f495784-b443-4838-9fa6-9149293af785" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpGPOAbuse
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpGPOAbuse {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/FSecureLABS/SharpGPOAbuse"
author = "Arnim Rupp"
date = "2020-12-21"
strings:
$typelibguid0 = "4f495784-b443-4838-9fa6-9149293af785" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpGPO_RemoteAccessPolicies
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpGPO_RemoteAccessPolicies {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/FSecureLABS/SharpGPO-RemoteAccessPolicies"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-21"
modified = "2025-08-15"
id = "642c2672-2327-5a4a-af91-6e0559996908"
strings:
$typelibguid0lo = "fbb1abcf-2b06-47a0-9311-17ba3d0f2a50" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpGPO_RemoteAccessPolicies
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpGPO_RemoteAccessPolicies {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/FSecureLABS/SharpGPO-RemoteAccessPolicies"
author = "Arnim Rupp"
date = "2020-12-21"
strings:
$typelibguid0 = "fbb1abcf-2b06-47a0-9311-17ba3d0f2a50" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpHandler
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpHandler {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/jfmaes/SharpHandler"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2021-01-21"
modified = "2025-08-15"
id = "b71198a9-4d00-5d75-bc36-7c40655c84a3"
strings:
$typelibguid0lo = "46e39aed-0cff-47c6-8a63-6826f147d7bd" ascii wide
$typelibguid1lo = "11dc83c6-8186-4887-b228-9dc4fd281a23" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpHandler
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpHandler {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/jfmaes/SharpHandler"
author = "Arnim Rupp"
date = "2021-01-21"
strings:
$typelibguid0 = "46e39aed-0cff-47c6-8a63-6826f147d7bd" ascii nocase wide
$typelibguid1 = "11dc83c6-8186-4887-b228-9dc4fd281a23" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpHide
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpHide {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/outflanknl/SharpHide"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2021-01-21"
modified = "2025-08-15"
id = "928e00c1-549a-58f5-9e7e-982a4319691a"
strings:
$typelibguid0lo = "443d8cbf-899c-4c22-b4f6-b7ac202d4e37" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpHide
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpHide {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/outflanknl/SharpHide"
author = "Arnim Rupp"
date = "2021-01-21"
strings:
$typelibguid0 = "443d8cbf-899c-4c22-b4f6-b7ac202d4e37" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpHound3
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpHound3 {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/BloodHoundAD/SharpHound3"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-29"
modified = "2025-08-15"
id = "58001912-88a1-527d-9d3e-d7c376a1fce4"
strings:
$typelibguid0lo = "a517a8de-5834-411d-abda-2d0e1766539c" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpHound3
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpHound3 {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/BloodHoundAD/SharpHound3"
author = "Arnim Rupp"
date = "2020-12-29"
strings:
$typelibguid0 = "a517a8de-5834-411d-abda-2d0e1766539c" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpImpersonation
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpImpersonation {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/S3cur3Th1sSh1t/SharpImpersonation"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2023-03-22"
modified = "2025-08-15"
id = "5815c5bd-e3e8-5f2f-b03e-8a05fb4f6e91"
strings:
$typelibguid0lo = "27a85262-8c87-4147-a908-46728ab7fc73" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpKatz
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpKatz {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/b4rtik/SharpKatz"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "ff084b4c-4b00-5504-85ee-d6d17b5be504"
strings:
$typelibguid0lo = "8568b4c1-2940-4f6c-bf4e-4383ef268be9" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpKatz
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpKatz {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/b4rtik/SharpKatz"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "8568b4c1-2940-4f6c-bf4e-4383ef268be9" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpLdapRelayScan
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpLdapRelayScan {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/klezVirus/SharpLdapRelayScan"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2023-03-15"
modified = "2025-08-15"
id = "554a5487-ac53-512f-8f6f-ad8186144715"
strings:
$typelibguid0lo = "a93ee706-a71c-4cc1-bf37-f26c27825b68" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpLocker
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpLocker {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/Pickfordmatt/SharpLocker"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "9525422a-d670-5475-abdc-b7ecd1ab9943"
strings:
$typelibguid0lo = "a6f8500f-68bc-4efc-962a-6c6e68d893af" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpLocker
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpLocker {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/Pickfordmatt/SharpLocker"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "a6f8500f-68bc-4efc-962a-6c6e68d893af" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpLogger
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpLogger {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/djhohnstein/SharpLogger"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "5cce395b-4f6f-5015-b45e-7eb79853296a"
strings:
$typelibguid0lo = "36e00152-e073-4da8-aa0c-375b6dd680c4" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpLogger
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpLogger {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/djhohnstein/SharpLogger"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "36e00152-e073-4da8-aa0c-375b6dd680c4" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpLoginPrompt
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpLoginPrompt {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/shantanu561993/SharpLoginPrompt"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "e9a493d9-21b6-5ff1-9e5e-e8fbacc34c0c"
strings:
$typelibguid0lo = "c12e69cd-78a0-4960-af7e-88cbd794af97" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpLoginPrompt
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpLoginPrompt {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/shantanu561993/SharpLoginPrompt"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "c12e69cd-78a0-4960-af7e-88cbd794af97" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpMapExec
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpMapExec {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/cube0x0/SharpMapExec"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-29"
modified = "2025-08-15"
id = "b4922734-a486-5c4d-9bd7-5146cfecbf01"
strings:
$typelibguid0lo = "bd5220f7-e1fb-41d2-91ec-e4c50c6e9b9f" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpMapExec
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpMapExec {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/cube0x0/SharpMapExec"
author = "Arnim Rupp"
date = "2020-12-29"
strings:
$typelibguid0 = "bd5220f7-e1fb-41d2-91ec-e4c50c6e9b9f" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpMiniDump
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpMiniDump {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/b4rtik/SharpMiniDump"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-13"
modified = "2025-08-15"
id = "e91e6711-d992-5a8a-97e6-1ed7847f38a4"
strings:
$typelibguid0lo = "6ffccf81-6c3c-4d3f-b15f-35a86d0b497f" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpMiniDump
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpMiniDump {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/b4rtik/SharpMiniDump"
author = "Arnim Rupp"
date = "2020-12-13"
strings:
$typelibguid0 = "6ffccf81-6c3c-4d3f-b15f-35a86d0b497f" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpMove
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpMove {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/0xthirteen/SharpMove"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2020-12-28"
modified = "2025-08-15"
id = "e52392f9-614c-596e-8efd-aa0a2fa44e60"
strings:
$typelibguid0lo = "8bf82bbe-909c-4777-a2fc-ea7c070ff43e" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpMove
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpMove {
meta:
description = "Detects c# red/black-team tools via typelibguid"
reference = "https://github.com/0xthirteen/SharpMove"
author = "Arnim Rupp"
date = "2020-12-28"
strings:
$typelibguid0 = "8bf82bbe-909c-4777-a2fc-ea7c070ff43e" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpNamedPipePTH
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpNamedPipePTH {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/S3cur3Th1sSh1t/SharpNamedPipePTH"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2023-11-30"
id = "561b95a5-f32b-5fe8-9e67-3f702306be93"
strings:
$typelibguid0 = "344ee55a-4e32-46f2-a003-69ad52b55945" ascii nocase wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpOxidResolver
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpOxidResolver {
meta:
description = "Detects .NET red/black-team tools via typelibguid"
reference = "https://github.com/S3cur3Th1sSh1t/SharpOxidResolver"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2023-03-22"
modified = "2025-08-15"
id = "e8a957bc-3319-51c2-8289-01bd0b8a632a"
strings:
$typelibguid0lo = "ce59f8ff-0ecf-41e9-a1fd-1776ca0b703d" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
Showing 801-850 of 18,880