YARA rules
18,880 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. Rules below come from multiple open repositories.
Using these YARA rules
Deploy. Load them into any YARA-capable scanner: your EDR if it supports YARA, the yara CLI against files or a memory image, VirusTotal Retrohunt, or a host scanner like Loki or THOR.
Adapt. Tighten or loosen the string and condition matches for your false-positive tolerance; a rule written for one campaign can over-match on benign files in a different environment.
Scope. These are for hunting known malware families in files and memory and for triaging samples - not for network traffic or log-based detection, which the IDS and Sigma rules cover.
Rules
50 shown of 18,880
HKTL_NET_GUID_SharpPack
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpPack {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/Lexus89/SharpPack"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "633d074a-b8c2-5148-ad80-6226b99be818"
    strings:
        $typelibguid1lo = "b59c7741-d522-4a41-bf4d-9badddebb84a" ascii wide
        $typelibguid2lo = "fd6bdf7a-fef4-4b28-9027-5bf750f08048" ascii wide
        $typelibguid3lo = "6dd22880-dac5-4b4d-9c91-8c35cc7b8180" ascii wide
        $typelibguid5lo = "f3037587-1a3b-41f1-aa71-b026efdb2a82" ascii wide
        $typelibguid6lo = "41a90a6a-f9ed-4a2f-8448-d544ec1fd753" ascii wide
        $typelibguid7lo = "3787435b-8352-4bd8-a1c6-e5a1b73921f4" ascii wide
        $typelibguid8lo = "fdd654f5-5c54-4d93-bf8e-faf11b00e3e9" ascii wide
        $typelibguid9lo = "aec32155-d589-4150-8fe7-2900df4554c8" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpPack
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpPack {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/Lexus89/SharpPack"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid1 = "b59c7741-d522-4a41-bf4d-9badddebb84a" ascii nocase wide
        $typelibguid2 = "fd6bdf7a-fef4-4b28-9027-5bf750f08048" ascii nocase wide
        $typelibguid3 = "6dd22880-dac5-4b4d-9c91-8c35cc7b8180" ascii nocase wide
        $typelibguid5 = "f3037587-1a3b-41f1-aa71-b026efdb2a82" ascii nocase wide
        $typelibguid6 = "41a90a6a-f9ed-4a2f-8448-d544ec1fd753" ascii nocase wide
        $typelibguid7 = "3787435b-8352-4bd8-a1c6-e5a1b73921f4" ascii nocase wide
        $typelibguid8 = "fdd654f5-5c54-4d93-bf8e-faf11b00e3e9" ascii nocase wide
        $typelibguid9 = "aec32155-d589-4150-8fe7-2900df4554c8" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpPrinter
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpPrinter {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/rvrsh3ll/SharpPrinter"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "10270351-ad80-5330-971b-bc8f635f05f4"
    strings:
        $typelibguid0lo = "41b2d1e5-4c5d-444c-aa47-629955401ed9" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpPrinter
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpPrinter {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/rvrsh3ll/SharpPrinter"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "41b2d1e5-4c5d-444c-aa47-629955401ed9" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpRDP
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpRDP {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/0xthirteen/SharpRDP"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "d316ec0b-0313-52bb-923d-512fa08112f9"
    strings:
        $typelibguid0lo = "f1df1d0f-ff86-4106-97a8-f95aaf525c54" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpRDP
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpRDP {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/0xthirteen/SharpRDP"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "f1df1d0f-ff86-4106-97a8-f95aaf525c54" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpRODC
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpRODC {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/wh0amitz/SharpRODC"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-12-06"
        id = "60779e7a-048f-5095-b853-fd90c4f7449e"
    strings:
        $typelibguid0 = "d305f8a3-019a-4cdf-909c-069d5b483613" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpReg
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpReg {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/jnqpblc/SharpReg"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "d89b07b0-bb29-5c77-888b-322e439b4c82"
    strings:
        $typelibguid0lo = "8ef25b00-ed6a-4464-bdec-17281a4aa52f" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpReg
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpReg {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/jnqpblc/SharpReg"
        author = "Arnim Rupp"
        date = "2021-01-21"
    strings:
        $typelibguid0 = "8ef25b00-ed6a-4464-bdec-17281a4aa52f" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpSCCM
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpSCCM {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/Mayyhem/SharpSCCM"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-15"
        modified = "2025-08-15"
        id = "276269b1-e3b3-5774-a86a-1c3a8bca8209"
    strings:
        $typelibguid0lo = "03652836-898e-4a9f-b781-b7d86e750f60" ascii wide
        $typelibguid1lo = "e4d9ef39-0fce-4573-978b-abf8df6aec23" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpSQLPwn
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpSQLPwn {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/lefayjey/SharpSQLPwn.git"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2022-11-21"
        modified = "2025-08-15"
        id = "b533d61a-8693-5c3c-8b31-2117262cad4e"
    strings:
        $typelibguid0lo = "c442ea6a-9aa1-4d9c-9c9d-7560a327089c" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpSSDP
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpSSDP {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/rvrsh3ll/SharpSSDP"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-22"
        modified = "2025-08-15"
        id = "8441e940-ab7c-5467-9db8-35f71bd57580"
    strings:
        $typelibguid0lo = "6e383de4-de89-4247-a41a-79db1dc03aaa" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpScribbles
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpScribbles {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/V1V1/SharpScribbles"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "47125b76-9388-5372-8810-d198f623367a"
    strings:
        $typelibguid0lo = "aa61a166-31ef-429d-a971-ca654cd18c3b" ascii wide
        $typelibguid1lo = "0dc1b824-c6e7-4881-8788-35aecb34d227" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpScribbles
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpScribbles {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/V1V1/SharpScribbles"
        author = "Arnim Rupp"
        date = "2021-01-21"
    strings:
        $typelibguid0 = "aa61a166-31ef-429d-a971-ca654cd18c3b" ascii nocase wide
        $typelibguid1 = "0dc1b824-c6e7-4881-8788-35aecb34d227" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpSearch
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpSearch {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/djhohnstein/SharpSearch"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "459d8a34-f311-5459-8257-e7aa519174b5"
    strings:
        $typelibguid0lo = "98fee742-8410-4f20-8b2d-d7d789ab003d" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpSearch
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpSearch {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/djhohnstein/SharpSearch"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "98fee742-8410-4f20-8b2d-d7d789ab003d" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpSecDump
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpSecDump {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/G0ldenGunSec/SharpSecDump"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "492dfb79-541a-589d-ac69-468e9b2ab9db"
    strings:
        $typelibguid0lo = "e2fdd6cc-9886-456c-9021-ee2c47cf67b7" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpSecDump
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpSecDump {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/G0ldenGunSec/SharpSecDump"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "e2fdd6cc-9886-456c-9021-ee2c47cf67b7" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpShareFinder
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpShareFinder {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/mvelazc0/SharpShareFinder"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-12-19"
        id = "bb485347-ea9b-5f26-99ad-bedc38bfecd5"
    strings:
        $typelibguid0 = "64bfeb18-b65c-4a83-bde0-b54363b09b71" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpShares
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpShares {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/djhohnstein/SharpShares/"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "e96aa79b-1da2-5b0c-9ac2-b6e201e06ec6"
    strings:
        $typelibguid0lo = "fe9fdde5-3f38-4f14-8c64-c3328c215cf2" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpShares
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpShares {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/djhohnstein/SharpShares/"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "fe9fdde5-3f38-4f14-8c64-c3328c215cf2" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpShell
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpShell {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/cobbr/SharpShell"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "5966be44-c010-5c63-9576-1aaf36397d6c"
    strings:
        $typelibguid0lo = "bdba47c5-e823-4404-91d0-7f6561279525" ascii wide
        $typelibguid1lo = "b84548dc-d926-4b39-8293-fa0bdef34d49" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpShell
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpShell {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/cobbr/SharpShell"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "bdba47c5-e823-4404-91d0-7f6561279525" ascii nocase wide
        $typelibguid1 = "b84548dc-d926-4b39-8293-fa0bdef34d49" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpShooter
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpShooter {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/mdsecactivebreach/SharpShooter"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "a59e6fe9-dbaf-5830-8cf1-485ff4dd939a"
    strings:
        $typelibguid0lo = "56598f1c-6d88-4994-a392-af337abe5777" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpShooter
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpShooter {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/mdsecactivebreach/SharpShooter"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "56598f1c-6d88-4994-a392-af337abe5777" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpShot
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpShot {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/tothi/SharpShot"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "9d59cd53-53b1-57db-b391-eee4dd6feec0"
    strings:
        $typelibguid0lo = "057aef75-861b-4e4b-a372-cfbd8322c8e1" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpShot
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpShot {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/tothi/SharpShot"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "057aef75-861b-4e4b-a372-cfbd8322c8e1" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpSniper
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpSniper {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/HunnicCyber/SharpSniper"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-29"
        modified = "2025-08-15"
        id = "14e6a3b8-5e1f-5dd8-9b51-22522ac317e7"
    strings:
        $typelibguid0lo = "c8bb840c-04ce-4b60-a734-faf15abf7b18" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpSniper
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpSniper {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/HunnicCyber/SharpSniper"
        author = "Arnim Rupp"
        date = "2020-12-29"
    strings:
        $typelibguid0 = "c8bb840c-04ce-4b60-a734-faf15abf7b18" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpSocks
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpSocks {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/nettitude/SharpSocks"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "343061d9-e24e-5d49-939f-b94c295b17ac"
    strings:
        $typelibguid0lo = "2f43992e-5703-4420-ad0b-17cb7d89c956" ascii wide
        $typelibguid1lo = "86d10a34-c374-4de4-8e12-490e5e65ddff" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpSocks
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpSocks {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/nettitude/SharpSocks"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "2f43992e-5703-4420-ad0b-17cb7d89c956" ascii nocase wide
        $typelibguid1 = "86d10a34-c374-4de4-8e12-490e5e65ddff" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpSpray
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpSpray {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/jnqpblc/SharpSpray"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "e9312c96-be10-5942-a4da-1fe708cc6699"
    strings:
        $typelibguid0lo = "51c6e016-1428-441d-82e9-bb0eb599bbc8" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpSpray
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpSpray {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/jnqpblc/SharpSpray"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "51c6e016-1428-441d-82e9-bb0eb599bbc8" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpStat
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpStat {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/Raikia/SharpStat"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "649c6cc0-e43b-558c-9567-00f352af528b"
    strings:
        $typelibguid0lo = "ffc5c721-49c8-448d-8ff4-2e3a7b7cc383" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpStat
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpStat {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/Raikia/SharpStat"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "ffc5c721-49c8-448d-8ff4-2e3a7b7cc383" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpStay
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpStay {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/0xthirteen/SharpStay"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "e5bde5a9-8e09-59ce-ad01-e29836813cf8"
    strings:
        $typelibguid0lo = "2963c954-7b1e-47f5-b4fa-2fc1f0d56aea" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpStay
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpStay {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/0xthirteen/SharpStay"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "2963c954-7b1e-47f5-b4fa-2fc1f0d56aea" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpSvc
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpSvc {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/jnqpblc/SharpSvc"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "cbc1d7d4-f3b4-5d02-84ae-621398cb7b51"
    strings:
        $typelibguid0lo = "52856b03-5acd-45e0-828e-13ccb16942d1" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpSvc
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpSvc {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/jnqpblc/SharpSvc"
        author = "Arnim Rupp"
        date = "2021-01-21"
    strings:
        $typelibguid0 = "52856b03-5acd-45e0-828e-13ccb16942d1" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpTask
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpTask {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/jnqpblc/SharpTask"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "2cdd1a15-c70c-5eea-b5a7-8b4a445b9323"
    strings:
        $typelibguid0lo = "13e90a4d-bf7a-4d5a-9979-8b113e3166be" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpTask
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpTask {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/jnqpblc/SharpTask"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "13e90a4d-bf7a-4d5a-9979-8b113e3166be" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpTokenFinder
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpTokenFinder {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/HuskyHacks/SharpTokenFinder"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-12-06"
        id = "60fd06be-041b-5fa8-8f25-41b26605ea90"
    strings:
        $typelibguid0 = "572804d3-dbd6-450a-be64-2e3cb54fd173" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpView
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpView {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/tevora-threat/SharpView"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-22"
        modified = "2025-08-15"
        id = "2ae1bc26-c137-55ce-ae2e-3204ff07f671"
    strings:
        $typelibguid0lo = "22a156ea-2623-45c7-8e50-e864d9fc44d3" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpWMI
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpWMI {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/GhostPack/SharpWMI"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "6dd22880-dac5-4b4d-9c91-8c35cc7b8180" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpWMI_1
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpWMI_1 {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/QAX-A-Team/sharpwmi"
        old_rule_name = "HKTL_NET_GUID_sharpwmi"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "cd5a1c7b-a45a-5541-b1b0-cf19c991ed22"
    strings:
        $typelibguid0lo = "bb357d38-6dc1-4f20-a54c-d664bd20677e" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpWMI_2
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpWMI_2 {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/GhostPack/SharpWMI"
        old_rule_name = "HKTL_NET_GUID_SharpWMI"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "e6ab2f5e-2a5a-5be9-9b66-96cb745fd199"
    strings:
        $typelibguid0lo = "6dd22880-dac5-4b4d-9c91-8c35cc7b8180" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpWSUS
Detects .NET red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpWSUS {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/nettitude/SharpWSUS"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-22"
        modified = "2025-08-15"
        id = "f020eea9-4ff4-5242-b9b2-53284505dab4"
    strings:
        $typelibguid0lo = "42cabb74-1199-40f1-9354-6294bba8d3a4" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpWifiGrabber
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpWifiGrabber {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/r3nhat/SharpWifiGrabber"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-29"
        modified = "2025-08-15"
        id = "1a457672-743c-56f0-a4d7-6c25f9ce2345"
    strings:
        $typelibguid0lo = "c0997698-2b73-4982-b25b-d0578d1323c2" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpWifiGrabber
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpWifiGrabber {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/r3nhat/SharpWifiGrabber"
        author = "Arnim Rupp"
        date = "2020-12-29"
    strings:
        $typelibguid0 = "c0997698-2b73-4982-b25b-d0578d1323c2" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpWitness
Detects c# red/black-team tools via typelibguid
rule HKTL_NET_GUID_SharpWitness {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/rasta-mouse/SharpWitness"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "5e707da6-b2dd-511e-89ad-d19b93e8fca6"
    strings:
        $typelibguid0lo = "b9f6ec34-4ccc-4247-bcef-c1daab9b4469" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
Showing 851-900 of 18,880