
YARA rules

18,880 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. Rules below come from multiple open repositories; each entry carries its raw signature.
Using these YARA rules
Deploy. Load them into any YARA-capable scanner: your EDR if it supports YARA, the yara CLI against files or a memory image, VirusTotal Retrohunt, or a host scanner like Loki or THOR.
Adapt. Tighten or loosen the string and condition matches for your false-positive tolerance; a rule written for one campaign can over-match on benign files in a different environment.
Scope. These are for hunting known malware families in files and memory and for triaging samples - not for network traffic or log-based detection, which the IDS and Sigma rules cover.

Rules

HKTL_NET_GUID_bantam
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_bantam {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/gellin/bantam"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "0ed3f5e5-d954-51e2-b7fb-4c25ca3d9f10"
    strings:
        $typelibguid0lo = "14c79bda-2ce6-424d-bd49-4f8d68630b7b" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_bantam
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_bantam {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/gellin/bantam"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "14c79bda-2ce6-424d-bd49-4f8d68630b7b" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_clr_meterpreter
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_clr_meterpreter {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/OJ/clr-meterpreter"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "1d8a9717-4d80-5fb1-9c57-9b5f6c5a18b0"
    strings:
        $typelibguid0lo = "6840b249-1a0e-433b-be79-a927696ea4b3" ascii wide
        $typelibguid1lo = "67c09d37-ac18-4f15-8dd6-b5da721c0df6" ascii wide
        $typelibguid2lo = "e05d0deb-d724-4448-8c4c-53d6a8e670f3" ascii wide
        $typelibguid3lo = "c3cc72bf-62a2-4034-af66-e66da73e425d" ascii wide
        $typelibguid4lo = "7ace3762-d8e1-4969-a5a0-dcaf7b18164e" ascii wide
        $typelibguid5lo = "3296e4a3-94b5-4232-b423-44f4c7421cb3" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_clr_meterpreter
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_clr_meterpreter {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/OJ/clr-meterpreter"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "6840b249-1a0e-433b-be79-a927696ea4b3" ascii nocase wide
        $typelibguid1 = "67c09d37-ac18-4f15-8dd6-b5da721c0df6" ascii nocase wide
        $typelibguid2 = "e05d0deb-d724-4448-8c4c-53d6a8e670f3" ascii nocase wide
        $typelibguid3 = "c3cc72bf-62a2-4034-af66-e66da73e425d" ascii nocase wide
        $typelibguid4 = "7ace3762-d8e1-4969-a5a0-dcaf7b18164e" ascii nocase wide
        $typelibguid5 = "3296e4a3-94b5-4232-b423-44f4c7421cb3" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_donut
Detects .NET red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_donut {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/TheWover/donut"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "564dfd0a-af9b-505f-a6f0-de2a5c5c63f3"
    strings:
        $typelibguid0lo = "98ca74c7-a074-434d-9772-75896e73ceaa" ascii wide
        $typelibguid1lo = "3c9a6b88-bed2-4ba8-964c-77ec29bf1846" ascii wide
        $typelibguid2lo = "4fcdf3a3-aeef-43ea-9297-0d3bde3bdad2" ascii wide
        $typelibguid3lo = "361c69f5-7885-4931-949a-b91eeab170e3" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_donut
Detects .NET red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_donut {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/TheWover/donut"
        author = "Arnim Rupp"
        date = "2021-01-21"
    strings:
        $typelibguid0 = "98ca74c7-a074-434d-9772-75896e73ceaa" ascii nocase wide
        $typelibguid1 = "3c9a6b88-bed2-4ba8-964c-77ec29bf1846" ascii nocase wide
        $typelibguid2 = "4fcdf3a3-aeef-43ea-9297-0d3bde3bdad2" ascii nocase wide
        $typelibguid3 = "361c69f5-7885-4931-949a-b91eeab170e3" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_dotnet_gargoyle
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_dotnet_gargoyle {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/countercept/dotnet-gargoyle"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "5efd0c83-cb65-5bda-b55e-4a89db5f337c"
    strings:
        $typelibguid0lo = "76435f79-f8af-4d74-8df5-d598a551b895" ascii wide
        $typelibguid1lo = "5a3fc840-5432-4925-b5bc-abc536429cb5" ascii wide
        $typelibguid2lo = "6f0bbb2a-e200-4d76-b8fa-f93c801ac220" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_dotnet_gargoyle
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_dotnet_gargoyle {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/countercept/dotnet-gargoyle"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "76435f79-f8af-4d74-8df5-d598a551b895" ascii nocase wide
        $typelibguid1 = "5a3fc840-5432-4925-b5bc-abc536429cb5" ascii nocase wide
        $typelibguid2 = "6f0bbb2a-e200-4d76-b8fa-f93c801ac220" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_fakelogonscreen
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_fakelogonscreen {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/bitsadmin/fakelogonscreen"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "cc20290c-3f34-5e81-9337-c582f1ee7ade"
    strings:
        $typelibguid0lo = "d35a55bd-3189-498b-b72f-dc798172e505" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_fakelogonscreen
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_fakelogonscreen {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/bitsadmin/fakelogonscreen"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "d35a55bd-3189-498b-b72f-dc798172e505" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_gray_keylogger_2
Detects VB.NET red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_gray_keylogger_2 {
    meta:
        description = "Detects VB.NET red/black-team tools via typelibguid"
        reference = "https://github.com/graysuit/gray-keylogger-2"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-30"
        modified = "2025-08-15"
        id = "40ab8103-9151-5a5c-8b70-ab3bfd3896f9"
    strings:
        $typelibguid0lo = "e94ca3ff-c0e5-4d1a-ad5e-f6ebbe365067" ascii wide
        $typelibguid1lo = "1ed07564-b411-4626-88e5-e1cd8ecd860a" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_gray_keylogger_2
Detects VB.NET red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_gray_keylogger_2 {
    meta:
        description = "Detects VB.NET red/black-team tools via typelibguid"
        reference = "https://github.com/graysuit/gray-keylogger-2"
        author = "Arnim Rupp"
        date = "2020-12-30"
    strings:
        $typelibguid0 = "e94ca3ff-c0e5-4d1a-ad5e-f6ebbe365067" ascii nocase wide
        $typelibguid1 = "1ed07564-b411-4626-88e5-e1cd8ecd860a" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_hanzoInjection
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_hanzoInjection {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/P0cL4bs/hanzoInjection"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "c432bf68-49bf-57c7-bbfa-7bd2f3506c52"
    strings:
        $typelibguid0lo = "32e22e25-b033-4d98-a0b3-3d2c3850f06c" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_hanzoInjection
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_hanzoInjection {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/P0cL4bs/hanzoInjection"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "32e22e25-b033-4d98-a0b3-3d2c3850f06c" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_iSpyKeylogger
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_iSpyKeylogger {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/mwsrc/iSpyKeylogger"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "8607de67-b472-5afc-b2b9-cc758b5ec474"
    strings:
        $typelibguid0lo = "ccc0a386-c4ce-42ef-aaea-b2af7eff4ad8" ascii wide
        $typelibguid1lo = "816b8b90-2975-46d3-aac9-3c45b26437fa" ascii wide
        $typelibguid2lo = "279b5533-d3ac-438f-ba89-3fe9de2da263" ascii wide
        $typelibguid3lo = "88d3dc02-2853-4bf0-b6dc-ad31f5135d26" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_iSpyKeylogger
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_iSpyKeylogger {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/mwsrc/iSpyKeylogger"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "ccc0a386-c4ce-42ef-aaea-b2af7eff4ad8" ascii nocase wide
        $typelibguid1 = "816b8b90-2975-46d3-aac9-3c45b26437fa" ascii nocase wide
        $typelibguid2 = "279b5533-d3ac-438f-ba89-3fe9de2da263" ascii nocase wide
        $typelibguid3 = "88d3dc02-2853-4bf0-b6dc-ad31f5135d26" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_k8fly
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_k8fly {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/zzwlpx/k8fly"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-29"
        modified = "2025-08-15"
        id = "3421e6fb-df65-5e2e-ae46-37f9c763c6a1"
    strings:
        $typelibguid0lo = "13b6c843-f3d4-4585-b4f3-e2672a47931e" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_k8fly
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_k8fly {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/zzwlpx/k8fly"
        author = "Arnim Rupp"
        date = "2020-12-29"
    strings:
        $typelibguid0 = "13b6c843-f3d4-4585-b4f3-e2672a47931e" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_logger
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_logger {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/xxczaki/logger"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "82937fef-8280-5bc6-af4a-55c5cb3a7553"
    strings:
        $typelibguid0lo = "9e92a883-3c8b-4572-a73e-bb3e61cfdc16" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_logger
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_logger {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/xxczaki/logger"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "9e92a883-3c8b-4572-a73e-bb3e61cfdc16" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_memscan
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_memscan {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/nccgroup/memscan"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "35175fe1-a583-50d1-8b0c-71f19b898817"
    strings:
        $typelibguid0lo = "79462f87-8418-4834-9356-8c11e44ce189" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_memscan
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_memscan {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/nccgroup/memscan"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "79462f87-8418-4834-9356-8c11e44ce189" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_neo_ConfuserEx
Detects .NET red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_neo_ConfuserEx {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/XenocodeRCE/neo-ConfuserEx"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "d73117a6-4512-5545-a4f4-72d8cf708340"
    strings:
        $typelibguid0lo = "e98490bb-63e5-492d-b14e-304de928f81a" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_neo_ConfuserEx
Detects .NET red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_neo_ConfuserEx {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/XenocodeRCE/neo-ConfuserEx"
        author = "Arnim Rupp"
        date = "2021-01-21"
    strings:
        $typelibguid0 = "e98490bb-63e5-492d-b14e-304de928f81a" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_njCrypter
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_njCrypter {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/0xPh0enix/njCrypter"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "c30c8323-9418-521a-a4fc-6be0113b99b5"
    strings:
        $typelibguid0lo = "8a87b003-4b43-467b-a509-0c8be05bf5a5" ascii wide
        $typelibguid1lo = "80b13bff-24a5-4193-8e51-c62a414060ec" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_njCrypter
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_njCrypter {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/0xPh0enix/njCrypter"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "8a87b003-4b43-467b-a509-0c8be05bf5a5" ascii nocase wide
        $typelibguid1 = "80b13bff-24a5-4193-8e51-c62a414060ec" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_njRAT
Detects VB.NET red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_njRAT {
    meta:
        description = "Detects VB.NET red/black-team tools via typelibguid"
        reference = "https://github.com/mwsrc/njRAT"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-30"
        modified = "2025-08-15"
        id = "2140d69e-fb15-50a2-ba85-b7c8293003fb"
    strings:
        $typelibguid0lo = "5a542c1b-2d36-4c31-b039-26a88d3967da" ascii wide
        $typelibguid1lo = "6b07082a-9256-42c3-999a-665e9de49f33" ascii wide
        $typelibguid2lo = "c0a9a70f-63e8-42ca-965d-73a1bc903e62" ascii wide
        $typelibguid3lo = "70bd11de-7da1-4a89-b459-8daacc930c20" ascii wide
        $typelibguid4lo = "fc790ee5-163a-40f9-a1e2-9863c290ff8b" ascii wide
        $typelibguid5lo = "cb3c28b2-2a4f-4114-941c-ce929fec94d3" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_njRAT
Detects VB.NET red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_njRAT {
    meta:
        description = "Detects VB.NET red/black-team tools via typelibguid"
        reference = "https://github.com/mwsrc/njRAT"
        author = "Arnim Rupp"
        date = "2020-12-30"
    strings:
        $typelibguid0 = "5a542c1b-2d36-4c31-b039-26a88d3967da" ascii nocase wide
        $typelibguid1 = "6b07082a-9256-42c3-999a-665e9de49f33" ascii nocase wide
        $typelibguid2 = "c0a9a70f-63e8-42ca-965d-73a1bc903e62" ascii nocase wide
        $typelibguid3 = "70bd11de-7da1-4a89-b459-8daacc930c20" ascii nocase wide
        $typelibguid4 = "fc790ee5-163a-40f9-a1e2-9863c290ff8b" ascii nocase wide
        $typelibguid5 = "cb3c28b2-2a4f-4114-941c-ce929fec94d3" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_nopowershell
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_nopowershell {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/bitsadmin/nopowershell"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "0fd7496b-e34f-51f7-9270-ad424ed6a7a8"
    strings:
        $typelibguid0lo = "555ad0ac-1fdb-4016-8257-170a74cb2f55" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_nopowershell
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_nopowershell {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/bitsadmin/nopowershell"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "555ad0ac-1fdb-4016-8257-170a74cb2f55" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_p0wnedShell
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_p0wnedShell {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/Cn33liz/p0wnedShell"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "390b94d1-dda9-5a85-80ae-c79a3f7b0b9d"
    strings:
        $typelibguid0lo = "2e9b1462-f47c-48ca-9d85-004493892381" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_p0wnedShell
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_p0wnedShell {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/Cn33liz/p0wnedShell"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "2e9b1462-f47c-48ca-9d85-004493892381" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_p2p
Detects .NET red/black-team tools via typelibguid (p2p Remote Desktop is dual use but 100% flagged as malicious on VT)
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_p2p {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid (p2p Remote Desktop is dual use but 100% flagged as malicious on VT)"
        reference = "https://github.com/miroslavpejic85/p2p"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-19"
        modified = "2025-08-15"
        id = "e7b2b4bd-f1e1-5062-9b36-5df44ae374ea"
    strings:
        $typelibguid0lo = "33456e72-f8e8-4384-88c4-700867df12e2" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_physmem2profit
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_physmem2profit {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/FSecureLABS/physmem2profit"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "75a27970-c469-53da-b0c3-b3d0faea0b6f"
    strings:
        $typelibguid0lo = "814708c9-2320-42d2-a45f-31e42da06a94" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_physmem2profit
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_physmem2profit {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/FSecureLABS/physmem2profit"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "814708c9-2320-42d2-a45f-31e42da06a94" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_privilege_escalation_awesome_scripts_suite
Detects .NET red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_privilege_escalation_awesome_scripts_suite {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "fa218dfa-4b56-5a62-b149-63394bd0b604"
    strings:
        $typelibguid0lo = "1928358e-a64b-493f-a741-ae8e3d029374" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_privilege_escalation_awesome_scripts_suite
Detects .NET red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_privilege_escalation_awesome_scripts_suite {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite"
        author = "Arnim Rupp"
        date = "2021-01-21"
    strings:
        $typelibguid0 = "1928358e-a64b-493f-a741-ae8e3d029374" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_rat_shell
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_rat_shell {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/stphivos/rat-shell"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "8f206175-f7e4-5543-8059-24f102fcd4b9"
    strings:
        $typelibguid0lo = "7a15f8f6-6ce2-4ca4-919d-2056b70cc76a" ascii wide
        $typelibguid1lo = "1659d65d-93a8-4bae-97d5-66d738fc6f6c" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_rat_shell
Detects c# red/black-team tools via typelibguid
source: yara-rules · author: Arnim Rupp
rule HKTL_NET_GUID_rat_shell {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/stphivos/rat-shell"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "7a15f8f6-6ce2-4ca4-919d-2056b70cc76a" ascii nocase wide
        $typelibguid1 = "1659d65d-93a8-4bae-97d5-66d738fc6f6c" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_rundotnetdll32
Detects c# red/black-team tools via typelibguid
source: signature-base · author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_rundotnetdll32 {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/0xbadjuju/rundotnetdll32"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "266c8add-d2ca-5e46-8594-5d190447d133"
    strings:
        $typelibguid0lo = "a766db28-94b6-4ed1-aef9-5200bbdd8ca7" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_rundotnetdll32
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_rundotnetdll32 {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/0xbadjuju/rundotnetdll32"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "a766db28-94b6-4ed1-aef9-5200bbdd8ca7" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_scout
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_scout {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/jaredhaight/scout"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "cd24cca7-3bc0-5e7a-9817-dc3b26ec8358"
    strings:
        $typelibguid0lo = "d9c76e82-b848-47d4-8f22-99bf22a8ee11" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_scout
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_scout {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/jaredhaight/scout"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "d9c76e82-b848-47d4-8f22-99bf22a8ee11" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_sharpwmi
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_sharpwmi {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/QAX-A-Team/sharpwmi"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "bb357d38-6dc1-4f20-a54c-d664bd20677e" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_sitrep
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_sitrep {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/mdsecactivebreach/sitrep"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "5f2ac63e-4be1-520c-82b1-1957027a63e2"
    strings:
        $typelibguid0lo = "12963497-988f-46c0-9212-28b4b2b1831b" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_sitrep
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_sitrep {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/mdsecactivebreach/sitrep"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "12963497-988f-46c0-9212-28b4b2b1831b" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_wsManager
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_wsManager {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/guillaC/wsManager"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "b8c330dc-74aa-5a33-8af6-17c9beb8be81"
    strings:
        $typelibguid0lo = "9480809e-5472-44f3-b076-dcdf7379e766" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_wsManager
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_wsManager {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/guillaC/wsManager"
        author = "Arnim Rupp"
        date = "2020-12-13"
    strings:
        $typelibguid0 = "9480809e-5472-44f3-b076-dcdf7379e766" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ysoserial_net
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_ysoserial_net {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/pwntester/ysoserial.net"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "80483cd4-76e6-5629-bed7-4ae2e455222c"
    strings:
        $typelibguid0lo = "e1e8c029-f7cd-4bd1-952e-e819b41520f0" ascii wide
        $typelibguid1lo = "6b40fde7-14ea-4f57-8b7b-cc2eb4a25e6c" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ysoserial_net
Detects c# red/black-team tools via typelibguid
source yara-rules author Arnim Rupp
rule HKTL_NET_GUID_ysoserial_net {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/pwntester/ysoserial.net"
        author = "Arnim Rupp"
        date = "2020-12-28"
    strings:
        $typelibguid0 = "e1e8c029-f7cd-4bd1-952e-e819b41520f0" ascii nocase wide
        $typelibguid1 = "6b40fde7-14ea-4f57-8b7b-cc2eb4a25e6c" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}