
YARA rules

18,880 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families by matching binary patterns, strings, and file metadata. The rules below are collected from multiple open repositories; each entry lists the rule name, its description, its source repository and author, followed by the raw signature.
Using these YARA rules
Deploy. Load them into any YARA-capable scanner: your EDR if it supports YARA, the yara CLI against files or a memory image, VirusTotal Retrohunt, or a host scanner like Loki or THOR.
Adapt. Tighten or loosen the string and condition matches for your false-positive tolerance; a rule written for one campaign can over-match on benign files in a different environment.
Scope. These are for hunting known malware families in files and memory and for triaging samples - not for network traffic or log-based detection, which the IDS and Sigma rules cover.

Rules

HKTL_NET_GUID_TheHackToolBoxTeek
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_TheHackToolBoxTeek {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/teeknofil/TheHackToolBoxTeek"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "2aa8c254-b3b3-469c-b0c9-dcbe1dd101c0" ascii nocase wide
        $typelibguid1 = "afeff505-14c1-4ecf-b714-abac4fbd48e7" ascii nocase wide
        $typelibguid2 = "4cf42167-a5cf-4b2d-85b4-8e764c08d6b3" ascii nocase wide
        $typelibguid3 = "118a90b7-598a-4cfc-859e-8013c8b9339c" ascii nocase wide
        $typelibguid4 = "3075dd9a-4283-4d38-a25e-9f9845e5adcb" ascii nocase wide
        $typelibguid5 = "295655e8-2348-4700-9ebc-aa57df54887e" ascii nocase wide
        $typelibguid6 = "74efe601-9a93-46c3-932e-b80ab6570e42" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_The_Collection
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_The_Collection {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/Tlgyt/The-Collection"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "4ae78576-ab75-5679-9a29-4d9a1ff03f15"
    strings:
        $typelibguid0lo = "579159ff-3a3d-46a7-b069-91204feb21cd" ascii wide
        $typelibguid1lo = "5b7dd9be-c8c3-4c4f-a353-fefb89baa7b3" ascii wide
        $typelibguid2lo = "43edcb1f-3098-4a23-a7f2-895d927bc661" ascii wide
        $typelibguid3lo = "5f19919d-cd51-4e77-973f-875678360a6f" ascii wide
        $typelibguid4lo = "17fbc926-e17e-4034-ba1b-fb2eb57f5dd3" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_The_Collection
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_The_Collection {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/Tlgyt/The-Collection"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "579159ff-3a3d-46a7-b069-91204feb21cd" ascii nocase wide
        $typelibguid1 = "5b7dd9be-c8c3-4c4f-a353-fefb89baa7b3" ascii nocase wide
        $typelibguid2 = "43edcb1f-3098-4a23-a7f2-895d927bc661" ascii nocase wide
        $typelibguid3 = "5f19919d-cd51-4e77-973f-875678360a6f" ascii nocase wide
        $typelibguid4 = "17fbc926-e17e-4034-ba1b-fb2eb57f5dd3" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_TikiTorch
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_TikiTorch {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/rasta-mouse/TikiTorch"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "354ee690-a0d0-5cc5-a73b-53b916ed0169"
    strings:
        $typelibguid0lo = "806c6c72-4adc-43d9-b028-6872fa48d334" ascii wide
        $typelibguid1lo = "2ef9d8f7-6b77-4b75-822b-6a53a922c30f" ascii wide
        $typelibguid2lo = "8f5f3a95-f05c-4dce-8bc3-d0a0d4153db6" ascii wide
        $typelibguid3lo = "1f707405-9708-4a34-a809-2c62b84d4f0a" ascii wide
        $typelibguid4lo = "97421325-b6d8-49e5-adf0-e2126abc17ee" ascii wide
        $typelibguid5lo = "06c247da-e2e1-47f3-bc3c-da0838a6df1f" ascii wide
        $typelibguid6lo = "fc700ac6-5182-421f-8853-0ad18cdbeb39" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_TikiTorch
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_TikiTorch {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/rasta-mouse/TikiTorch"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "806c6c72-4adc-43d9-b028-6872fa48d334" ascii nocase wide
        $typelibguid1 = "2ef9d8f7-6b77-4b75-822b-6a53a922c30f" ascii nocase wide
        $typelibguid2 = "8f5f3a95-f05c-4dce-8bc3-d0a0d4153db6" ascii nocase wide
        $typelibguid3 = "1f707405-9708-4a34-a809-2c62b84d4f0a" ascii nocase wide
        $typelibguid4 = "97421325-b6d8-49e5-adf0-e2126abc17ee" ascii nocase wide
        $typelibguid5 = "06c247da-e2e1-47f3-bc3c-da0838a6df1f" ascii nocase wide
        $typelibguid6 = "fc700ac6-5182-421f-8853-0ad18cdbeb39" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_TokenStomp
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_TokenStomp {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/MartinIngesen/TokenStomp"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2022-11-21"
        modified = "2025-08-15"
        id = "e4266969-ab03-50dc-b5b1-f4bb1c9846f4"
    strings:
        $typelibguid0lo = "8aac271f-9b0b-4dc3-8aa6-812bb7a57e7b" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Tokenvator
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Tokenvator {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/0xbadjuju/Tokenvator"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "84ebb6b3-cf11-5172-95d4-d114bfeb0bc7"
    strings:
        $typelibguid0lo = "4b2b3bd4-d28f-44cc-96b3-4a2f64213109" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Tokenvator
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_Tokenvator {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/0xbadjuju/Tokenvator"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "4b2b3bd4-d28f-44cc-96b3-4a2f64213109" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ToxicEye
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_ToxicEye {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/LimerBoy/ToxicEye"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "0b7b62ce-9c24-5d81-8d87-22f6e461a62b"
    strings:
        $typelibguid0lo = "1bcfe538-14f4-4beb-9a3f-3f9472794902" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ToxicEye
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_ToxicEye {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/LimerBoy/ToxicEye"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "1bcfe538-14f4-4beb-9a3f-3f9472794902" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_TruffleSnout
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_TruffleSnout {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/dsnezhkov/TruffleSnout"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "8135d39e-6a9e-567d-840f-8d8c6338cce1"
    strings:
        $typelibguid0lo = "33842d77-bce3-4ee8-9ee2-9769898bb429" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_TruffleSnout
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_TruffleSnout {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/dsnezhkov/TruffleSnout"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "33842d77-bce3-4ee8-9ee2-9769898bb429" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_UAC_Escaper
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_UAC_Escaper {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/NYAN-x-CAT/UAC-Escaper"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "ea95ff3c-0cbb-5230-b5e4-bd8b2ff975eb"
    strings:
        $typelibguid0lo = "95359279-5cfa-46f6-b400-e80542a7336a" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_UAC_Escaper
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_UAC_Escaper {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/NYAN-x-CAT/UAC-Escaper"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "95359279-5cfa-46f6-b400-e80542a7336a" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_UAC_SilentClean
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_UAC_SilentClean {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/EncodeGroup/UAC-SilentClean"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "2dde9632-10c5-5c91-8bd9-2fb80d6f0c49"
    strings:
        $typelibguid0lo = "948152a4-a4a1-4260-a224-204255bfee72" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_UAC_SilentClean
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_UAC_SilentClean {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/EncodeGroup/UAC-SilentClean"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "948152a4-a4a1-4260-a224-204255bfee72" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_USBTrojan
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_USBTrojan {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/mashed-potatoes/USBTrojan"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "d25c9033-13e8-5fc9-8561-f8862cca39b8"
    strings:
        $typelibguid0lo = "4eee900e-adc5-46a7-8d7d-873fd6aea83e" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_USBTrojan
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_USBTrojan {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/mashed-potatoes/USBTrojan"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "4eee900e-adc5-46a7-8d7d-873fd6aea83e" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_UglyEXe
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_UglyEXe {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/fashionproof/UglyEXe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "5833e6c5-f078-5eb5-9519-76710d7da0e1"
    strings:
        $typelibguid0lo = "233de44b-4ec1-475d-a7d6-16da48d6fc8d" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_UglyEXe
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_UglyEXe {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/fashionproof/UglyEXe"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "233de44b-4ec1-475d-a7d6-16da48d6fc8d" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_UnmanagedPowerShell
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_UnmanagedPowerShell {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/leechristensen/UnmanagedPowerShell"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "49ff1362-0ac5-580d-97f3-516f2a10072b"
    strings:
        $typelibguid0lo = "dfc4eebb-7384-4db5-9bad-257203029bd9" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_UnmanagedPowerShell
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_UnmanagedPowerShell {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/leechristensen/UnmanagedPowerShell"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "dfc4eebb-7384-4db5-9bad-257203029bd9" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_UnstoppableService
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_UnstoppableService {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/malcomvetter/UnstoppableService"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "8c65fbee-d779-57a8-851b-7583be66c67a"
    strings:
        $typelibguid0lo = "0c117ee5-2a21-dead-beef-8cc7f0caaa86" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_UnstoppableService
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_UnstoppableService {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/malcomvetter/UnstoppableService"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "0c117ee5-2a21-dead-beef-8cc7f0caaa86" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_UrbanBishopLocal
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_UrbanBishopLocal {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/slyd0g/UrbanBishopLocal"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "53b690ec-7d20-5e46-b368-b458ce56073d"
    strings:
        $typelibguid0lo = "88b8515e-a0e8-4208-a9a0-34b01d7ba533" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_UrbanBishopLocal
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_UrbanBishopLocal {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/slyd0g/UrbanBishopLocal"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "88b8515e-a0e8-4208-a9a0-34b01d7ba533" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_VanillaRAT
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_VanillaRAT {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/DannyTheSloth/VanillaRAT"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "9448e8d0-5bfc-5683-b633-284e43d24642"
    strings:
        $typelibguid0lo = "d0f2ee67-0a50-423d-bfe6-845da892a2db" ascii wide
        $typelibguid1lo = "a593fcd2-c8ab-45f6-9aeb-8ab5e20ab402" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_VanillaRAT
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_VanillaRAT {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/DannyTheSloth/VanillaRAT"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "d0f2ee67-0a50-423d-bfe6-845da892a2db" ascii nocase wide
        $typelibguid1 = "a593fcd2-c8ab-45f6-9aeb-8ab5e20ab402" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Watson
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Watson {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/rasta-mouse/Watson"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-21"
        modified = "2025-08-15"
        id = "6dc7bb08-0b34-50a0-8ae8-02d96d66a334"
    strings:
        $typelibguid0lo = "49ad5f38-9e37-4967-9e84-fe19c7434ed7" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Watson
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_Watson {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/rasta-mouse/Watson"
        author = "Arnim Rupp"
        date = "2020-12-21"
    strings:
        $typelibguid0 = "49ad5f38-9e37-4967-9e84-fe19c7434ed7" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_WheresMyImplant
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_WheresMyImplant {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/0xbadjuju/WheresMyImplant"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "c99523ce-e2c0-5a21-89d1-70c0dd970731"
    strings:
        $typelibguid0lo = "cca59e4e-ce4d-40fc-965f-34560330c7e6" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_WheresMyImplant
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_WheresMyImplant {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/0xbadjuju/WheresMyImplant"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "cca59e4e-ce4d-40fc-965f-34560330c7e6" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Whisker
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Whisker {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/eladshamir/Whisker"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-22"
        modified = "2025-08-15"
        id = "ecb0c59f-2111-58d9-8dc9-dfe005cad3be"
    strings:
        $typelibguid0lo = "42750ac0-1bff-4f25-8c9d-9af144403bad" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_WhiteListEvasion
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_WhiteListEvasion {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/khr0x40sh/WhiteListEvasion"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "cd2740d0-0315-5a32-b34a-1998024fcc06"
    strings:
        $typelibguid0lo = "858386df-4656-4a1e-94b7-47f6aa555658" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_WhiteListEvasion
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_WhiteListEvasion {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/khr0x40sh/WhiteListEvasion"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "858386df-4656-4a1e-94b7-47f6aa555658" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_WindowsDefender_Payload_Downloader
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_WindowsDefender_Payload_Downloader {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/notkohlrexo/WindowsDefender-Payload-Downloader"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "6e494a91-c05e-5a2e-8aa9-77600f3bdd47"
    strings:
        $typelibguid0lo = "2f8b4d26-7620-4e11-b296-bc46eba3adfc" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_WindowsDefender_Payload_Downloader
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_WindowsDefender_Payload_Downloader {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/notkohlrexo/WindowsDefender-Payload-Downloader"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "2f8b4d26-7620-4e11-b296-bc46eba3adfc" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_WindowsPlague
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_WindowsPlague {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/RITRedteam/WindowsPlague"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "89729c43-ae01-5c1f-af04-06d7a6c4e7fc"
    strings:
        $typelibguid0lo = "cdf8b024-70c9-413a-ade3-846a43845e99" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_WindowsPlague
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_WindowsPlague {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/RITRedteam/WindowsPlague"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "cdf8b024-70c9-413a-ade3-846a43845e99" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_WindowsRpcClients
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_WindowsRpcClients {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/tyranid/WindowsRpcClients"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "70fd7431-8c32-52a4-be9f-2a19ef77f2cc"
    strings:
        $typelibguid0lo = "843d8862-42eb-49ee-94e6-bca798dd33ea" ascii wide
        $typelibguid1lo = "632e4c3b-3013-46fc-bc6e-22828bf629e3" ascii wide
        $typelibguid2lo = "a2091d2f-6f7e-4118-a203-4cea4bea6bfa" ascii wide
        $typelibguid3lo = "950ef8ce-ec92-4e02-b122-0d41d83065b8" ascii wide
        $typelibguid4lo = "d51301bc-31aa-4475-8944-882ecf80e10d" ascii wide
        $typelibguid5lo = "823ff111-4de2-4637-af01-4bdc3ca4cf15" ascii wide
        $typelibguid6lo = "5d28f15e-3bb8-4088-abe0-b517b31d4595" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_WindowsRpcClients
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_WindowsRpcClients {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/tyranid/WindowsRpcClients"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "843d8862-42eb-49ee-94e6-bca798dd33ea" ascii nocase wide
        $typelibguid1 = "632e4c3b-3013-46fc-bc6e-22828bf629e3" ascii nocase wide
        $typelibguid2 = "a2091d2f-6f7e-4118-a203-4cea4bea6bfa" ascii nocase wide
        $typelibguid3 = "950ef8ce-ec92-4e02-b122-0d41d83065b8" ascii nocase wide
        $typelibguid4 = "d51301bc-31aa-4475-8944-882ecf80e10d" ascii nocase wide
        $typelibguid5 = "823ff111-4de2-4637-af01-4bdc3ca4cf15" ascii nocase wide
        $typelibguid6 = "5d28f15e-3bb8-4088-abe0-b517b31d4595" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_WireTap
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_WireTap {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/djhohnstein/WireTap"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-22"
        modified = "2025-08-15"
        id = "5513a295-8907-5a9c-adca-760b33004229"
    strings:
        $typelibguid0lo = "b5067468-f656-450a-b29c-1c84cfe8dde5" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_XORedReflectiveDLL
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_XORedReflectiveDLL {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/r3nhat/XORedReflectiveDLL"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "9b584bfb-98ef-50ee-b546-780c4b210a1b"
    strings:
        $typelibguid0lo = "c0e49392-04e3-4abb-b931-5202e0eb4c73" ascii wide
        $typelibguid1lo = "30eef7d6-cee8-490b-829f-082041bc3141" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_XORedReflectiveDLL
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_XORedReflectiveDLL {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/r3nhat/XORedReflectiveDLL"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "c0e49392-04e3-4abb-b931-5202e0eb4c73" ascii nocase wide
        $typelibguid1 = "30eef7d6-cee8-490b-829f-082041bc3141" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Xploit
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Xploit {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/shargon/Xploit"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-21"
        modified = "2025-08-15"
        id = "11ba6c14-06b6-5d9f-ac69-08ae506877e7"
    strings:
        $typelibguid0lo = "4545cfde-9ee5-4f1b-b966-d128af0b9a6e" ascii wide
        $typelibguid1lo = "33849d2b-3be8-41e8-a1e2-614c94c4533c" ascii wide
        $typelibguid2lo = "c2dc73cc-a959-4965-8499-a9e1720e594b" ascii wide
        $typelibguid3lo = "77059fa1-4b7d-4406-bc1a-cb261086f915" ascii wide
        $typelibguid4lo = "a4a04c4d-5490-4309-9c90-351e5e5fd6d1" ascii wide
        $typelibguid5lo = "ca64f918-3296-4b7d-9ce6-b98389896765" ascii wide
        $typelibguid6lo = "10fe32a0-d791-47b2-8530-0b19d91434f7" ascii wide
        $typelibguid7lo = "679bba57-3063-4f17-b491-4f0a730d6b02" ascii wide
        $typelibguid8lo = "0981e164-5930-4ba0-983c-1cf679e5033f" ascii wide
        $typelibguid9lo = "2a844ca2-5d6c-45b5-963b-7dca1140e16f" ascii wide
        $typelibguid10lo = "7d75ca11-8745-4382-b3eb-c41416dbc48c" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Xploit
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_Xploit {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/shargon/Xploit"
        author = "Arnim Rupp"
        date = "2020-12-21"
    strings:
        $typelibguid0 = "4545cfde-9ee5-4f1b-b966-d128af0b9a6e" ascii nocase wide
        $typelibguid1 = "33849d2b-3be8-41e8-a1e2-614c94c4533c" ascii nocase wide
        $typelibguid2 = "c2dc73cc-a959-4965-8499-a9e1720e594b" ascii nocase wide
        $typelibguid3 = "77059fa1-4b7d-4406-bc1a-cb261086f915" ascii nocase wide
        $typelibguid4 = "a4a04c4d-5490-4309-9c90-351e5e5fd6d1" ascii nocase wide
        $typelibguid5 = "ca64f918-3296-4b7d-9ce6-b98389896765" ascii nocase wide
        $typelibguid6 = "10fe32a0-d791-47b2-8530-0b19d91434f7" ascii nocase wide
        $typelibguid7 = "679bba57-3063-4f17-b491-4f0a730d6b02" ascii nocase wide
        $typelibguid8 = "0981e164-5930-4ba0-983c-1cf679e5033f" ascii nocase wide
        $typelibguid9 = "2a844ca2-5d6c-45b5-963b-7dca1140e16f" ascii nocase wide
        $typelibguid10 = "7d75ca11-8745-4382-b3eb-c41416dbc48c" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_aresskit
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_aresskit {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/BlackVikingPro/aresskit"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "8265cd84-c8e7-5654-9d3a-774dab52d938"
    strings:
        $typelibguid0lo = "8dca0e42-f767-411d-9704-ae0ba4a44ae8" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_aresskit
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_aresskit {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/BlackVikingPro/aresskit"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "8dca0e42-f767-411d-9704-ae0ba4a44ae8" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_azure_password_harvesting
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_azure_password_harvesting {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/guardicore/azure_password_harvesting"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-21"
        modified = "2025-08-15"
        id = "681cf9da-d664-5402-b7ac-eb2cfad85da9"
    strings:
        $typelibguid0lo = "7ad1ff2d-32ac-4c54-b615-9bb164160dac" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_azure_password_harvesting
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
view YARA rule
rule HKTL_NET_GUID_azure_password_harvesting {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/guardicore/azure_password_harvesting"
        author = "Arnim Rupp"
        date = "2020-12-21"
    strings:
        $typelibguid0 = "7ad1ff2d-32ac-4c54-b615-9bb164160dac" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}