Malware / file
YARA rules
18,880 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. The rules below come from multiple open repositories, so the same rule name can appear more than once with differing metadata (license, id, modified date, false-positive exclusions). Each entry shows its raw signature.
Using these YARA rules
Deploy. Load them into any YARA-capable scanner: your EDR if it supports YARA, the yara CLI against files or a memory image, VirusTotal Retrohunt, or a host scanner like Loki or THOR.
Adapt. Tighten or loosen the string and condition matches for your false-positive tolerance; a rule written for one campaign can over-match on benign files in a different environment. Several rules on this page show the pattern: the variants carrying a modified date add $fp strings (Symantec Threat Defense, Adaptive Threat Protection, JetBrains.TeamCity.Injector.) to exclude legitimate products that contain the same tool name, and HKTL_NET_NAME_DotNetInject adds a filesize < 20MB bound.
Scope. These are for hunting known malware families in files and memory and for triaging samples, not for network traffic or log-based detection, which the IDS and Sigma rules cover. The HKTL_NET_NAME rules on this page key on a project name plus the .NET AssemblyTitle attribute, so they catch unmodified builds of the referenced tools; a renamed or obfuscated build will not carry the name string.
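The three steps above can be exercised without a yara binary on the box. The block below is an added example, not code from this page or from the rule author's repositories: it re-implements in Python the condition that every HKTL_NET_NAME_* rule on this page shares (the PE header gate, the two ascii wide strings, the $fp exclusions and, for HKTL_NET_NAME_DotNetInject, the filesize < 20MB clause) and runs it over constructed byte buffers that stand in for a .NET assembly. build_fake_pe and the SAMPLE_* values are made up here and are not loadable PE files. match_with_yara is an optional cross-check against the real engine through yara-python's yara.compile and Rules.match; it returns None when that module is not installed.

```python
import struct

# Added example: a plain-Python model of the HKTL_NET_NAME_* condition, written
# to show what each clause of the rules does. Not the page's or the rule author's code.

MB = 1024 * 1024  # YARA's MB suffix means 2**20 bytes


def is_pe(data: bytes) -> bool:
    """The rules' gate: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550.

    YARA's uintN() reads are little-endian and an out-of-range offset makes the
    whole condition false; the bounds checks reproduce that.
    """
    if len(data) < 0x40:
        return False
    if struct.unpack_from("<H", data, 0)[0] != 0x5A4D:          # 'MZ'
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return struct.unpack_from("<I", data, e_lfanew)[0] == 0x00004550  # 'PE\0\0'


def string_present(data: bytes, text: str, modifiers: str = "ascii wide") -> bool:
    """Model YARA text-string modifiers: 'ascii' = raw bytes, 'wide' = UTF-16LE."""
    mods = modifiers.split()
    if "ascii" in mods and text.encode("ascii") in data:
        return True
    return "wide" in mods and text.encode("utf-16-le") in data


def hktl_net_name_match(data: bytes, tool_name: str, fp_strings=(), max_size=None) -> bool:
    """PE gate and all of ($s*) and not 1 of ($fp*) [and filesize < max_size].

    $s* is the tool name plus "AssemblyTitle", both `ascii wide`.
    fp_strings is a sequence of (text, modifiers) taken from a rule's $fp lines.
    """
    if not is_pe(data):
        return False
    if max_size is not None and not len(data) < max_size:
        return False
    if not (string_present(data, tool_name) and string_present(data, "AssemblyTitle")):
        return False
    return not any(string_present(data, text, mods) for text, mods in fp_strings)


# $fp lines lifted from the rules on this page.
ADCOLLECTOR_FP = (("Symantec Threat Defense", "wide"),)
AMSIBYPASS_FP = (("Adaptive Threat Protection", "wide"),)
DOTNETINJECT_FP = (("GetDotNetInjector", "ascii"), ("JetBrains.TeamCity.Injector.", "wide"))


def build_fake_pe(payload: bytes) -> bytes:
    """Constructed test buffer: DOS header with e_lfanew -> 'PE\\0\\0', then payload.

    Enough to pass the rules' header gate; it is not a loadable PE.
    """
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    return bytes(hdr) + b"PE\0\0" + payload


# Constructed samples (made up for this example, not real binaries).
SAMPLE_HIT = build_fake_pe(
    b"\x00" * 16 + "ADCollector".encode("utf-16-le") + b"\x00AssemblyTitle\x00")
SAMPLE_FP = build_fake_pe(
    "ADCollector".encode("utf-16-le") + b"AssemblyTitle"
    + "Symantec Threat Defense".encode("utf-16-le"))
SAMPLE_NOT_PE = b"ADCollector AssemblyTitle"  # strings present, no MZ/PE header

# The newer ADCollector variant from this page, for an optional real-engine cross-check.
ADCOLLECTOR_RULE = r'''
rule HKTL_NET_NAME_ADCollector {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/dev-2null/ADCollector"
        author = "Arnim Rupp"
    strings:
        $s_name = "ADCollector" ascii wide
        $s_compile = "AssemblyTitle" ascii wide
        $fp1 = "Symantec Threat Defense" wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of ($s*)
        and not 1 of ($fp*)
}
'''


def match_with_yara(rule_source: str, data: bytes):
    """Names of matching rules via yara-python, or None if the module is absent."""
    try:
        import yara  # pip install yara-python
    except ImportError:
        return None
    rules = yara.compile(source=rule_source)
    return [m.rule for m in rules.match(data=data)]


if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("symantec_fp", SAMPLE_FP), ("not_pe", SAMPLE_NOT_PE)):
        print(label, hktl_net_name_match(buf, "ADCollector", ADCOLLECTOR_FP),
              match_with_yara(ADCOLLECTOR_RULE, buf))
```

The symantec_fp sample shows the Adapt step in miniature: the older ADCollector variant on this page, which has no $fp strings, fires on it, while the variant with $fp1 = "Symantec Threat Defense" does not. Rename the tool or strip its AssemblyTitle attribute and neither fires, which is the limit of name-based hunting.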
Rules
50 shown of 18,880
HKTL_NET_NAME_ADCollector
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_ADCollector {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/dev-2null/ADCollector"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
hash = "5391239f479c26e699b6f3a1d6a0a8aa1a0cf9a8"
hash = "9dd0f322dd57b906da1e543c44e764954704abae"
author = "Arnim Rupp"
date = "2021-01-22"
modified = "2022-09-15"
strings:
$s_name = "ADCollector" ascii wide
$s_compile = "AssemblyTitle" ascii wide
$fp1 = "Symantec Threat Defense" wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of ($s*)
and not 1 of ($fp*)
}
HKTL_NET_NAME_ADCollector
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_ADCollector {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/dev-2null/ADCollector"
hash = "5391239f479c26e699b6f3a1d6a0a8aa1a0cf9a8"
hash = "9dd0f322dd57b906da1e543c44e764954704abae"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "ADCollector" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_ATPMiniDump
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_ATPMiniDump {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/b4rtik/ATPMiniDump"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "97981569-fe94-5600-8319-946edb4265e7"
strings:
$name = "ATPMiniDump" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_ATPMiniDump
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_ATPMiniDump {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/b4rtik/ATPMiniDump"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "ATPMiniDump" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_AggressiveProxy
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_AggressiveProxy {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/EncodeGroup/AggressiveProxy"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "e2d3c4e2-404b-59f8-b3d0-a7cef4dfd0ff"
strings:
$name = "AggressiveProxy" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_AggressiveProxy
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_AggressiveProxy {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/EncodeGroup/AggressiveProxy"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "AggressiveProxy" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_Aggressor
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_Aggressor {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/k8gege/Aggressor"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "Aggressor" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_AmsiBypass
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_AmsiBypass {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/0xB455/AmsiBypass"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
hash = "8fa4ba512b34a898c4564a8eac254b6a786d195b"
author = "Arnim Rupp"
date = "2021-01-22"
modified = "2024-12-10"
id = "26db14d8-1034-5bd1-a719-4756c832901d"
strings:
$s_name = "AmsiBypass" ascii wide
$s_compile = "AssemblyTitle" ascii wide
$fp1 = "Adaptive Threat Protection" wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of ($s*)
and not 1 of ($fp*)
}
HKTL_NET_NAME_AmsiBypass
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_AmsiBypass {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/0xB455/AmsiBypass"
hash = "8fa4ba512b34a898c4564a8eac254b6a786d195b"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "AmsiBypass" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_AsStrongAsFuck
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_AsStrongAsFuck {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/Charterino/AsStrongAsFuck"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "4c63c8a2-5889-5177-9f66-8e5f755025a3"
strings:
$name = "AsStrongAsFuck" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_AsStrongAsFuck
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_AsStrongAsFuck {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/Charterino/AsStrongAsFuck"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "AsStrongAsFuck" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_C2Bridge
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_C2Bridge {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/cobbr/C2Bridge"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "357051aa-61ea-5454-a996-b4e3a45ac865"
strings:
$name = "C2Bridge" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_C2Bridge
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_C2Bridge {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/cobbr/C2Bridge"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "C2Bridge" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_CACTUSTORCH
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_CACTUSTORCH {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/mdsecactivebreach/CACTUSTORCH"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "7b1e3015-fada-592c-b120-20aa12247d32"
strings:
$name = "CACTUSTORCH" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_CACTUSTORCH
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_CACTUSTORCH {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/mdsecactivebreach/CACTUSTORCH"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "CACTUSTORCH" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_ConfuserEx
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_ConfuserEx {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/yck1509/ConfuserEx"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "ConfuserEx" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_DotNetAVBypass
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_DotNetAVBypass {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/mandreko/DotNetAVBypass"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "918eba2b-150d-5e69-bed0-0979ae889165"
strings:
$name = "DotNetAVBypass" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_DotNetAVBypass
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_DotNetAVBypass {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/mandreko/DotNetAVBypass"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "DotNetAVBypass" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_DotNetInject
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_DotNetInject {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/dtrizna/DotNetInject"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
modified = "2022-06-28"
id = "468f89c4-5b94-53be-b9e6-ad21de7d98ba"
strings:
$name = "DotNetInject" ascii wide
$compile = "AssemblyTitle" ascii wide
$fp1 = "GetDotNetInjector" ascii /* MS Txt2AI 489044cadaa0175e36d286fcbe5720fd56b6a0c063beac452b2316c2714332b0 */
$fp2 = "JetBrains.TeamCity.Injector." wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550)
and filesize < 20MB
and $name and $compile
and not 1 of ($fp*)
}
HKTL_NET_NAME_DotNetInject
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_DotNetInject {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/dtrizna/DotNetInject"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "DotNetInject" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_FakeFileMaker
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_FakeFileMaker {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/DamonMohammadbagher/FakeFileMaker"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "2c87114f-5295-583f-b567-623d478ce0eb"
strings:
$name = "FakeFileMaker" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_FakeFileMaker
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_FakeFileMaker {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/DamonMohammadbagher/FakeFileMaker"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "FakeFileMaker" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_FudgeC2
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_FudgeC2 {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/Ziconius/FudgeC2"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "a8e70bce-76dd-53dc-9a19-1cc6795fdef3"
strings:
$name = "FudgeC2" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_FudgeC2
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_FudgeC2 {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/Ziconius/FudgeC2"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "FudgeC2" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_GhostLoader
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_GhostLoader {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/TheWover/GhostLoader"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "d8d88f3f-f250-55ff-88a6-4623e12ef89d"
strings:
$name = "GhostLoader" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_GhostLoader
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_GhostLoader {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/TheWover/GhostLoader"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "GhostLoader" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_Ghostpack_CompiledBinaries
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_Ghostpack_CompiledBinaries {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/r3motecontrol/Ghostpack-CompiledBinaries"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "7cc81894-8c01-5a17-a7ed-1cb4cf1e2d53"
strings:
$name = "Ghostpack-CompiledBinaries" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_Ghostpack_CompiledBinaries
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_Ghostpack_CompiledBinaries {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/r3motecontrol/Ghostpack-CompiledBinaries"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "Ghostpack-CompiledBinaries" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_GrayKeylogger
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_GrayKeylogger {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/DarkSecDevelopers/GrayKeylogger"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "c63875b6-1701-5594-927e-833c25dc5d98"
strings:
$name = "GrayKeylogger" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_GrayKeylogger
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_GrayKeylogger {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/DarkSecDevelopers/GrayKeylogger"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "GrayKeylogger" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_HTTPSBeaconShell
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_HTTPSBeaconShell {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/limbenjamin/HTTPSBeaconShell"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "3bd7234b-a23e-5818-aed1-52d42023943b"
strings:
$name = "HTTPSBeaconShell" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_HTTPSBeaconShell
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_HTTPSBeaconShell {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/limbenjamin/HTTPSBeaconShell"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "HTTPSBeaconShell" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_HexyRunner
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_HexyRunner {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/bao7uo/HexyRunner"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "67741b4d-7336-5c88-8f2c-e48c10b187b9"
strings:
$name = "HexyRunner" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_HexyRunner
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_HexyRunner {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/bao7uo/HexyRunner"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "HexyRunner" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_Infrastructure_Assessment
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_Infrastructure_Assessment {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/NyaMeeEain/Infrastructure-Assessment"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "efacc12b-92b3-5b22-b5bb-cd5a7d7eea0e"
strings:
$name = "Infrastructure-Assessment" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_Infrastructure_Assessment
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_Infrastructure_Assessment {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/NyaMeeEain/Infrastructure-Assessment"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "Infrastructure-Assessment" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_K8tools
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_K8tools {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/k8gege/K8tools"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "b30fc856-073d-542f-b222-a957322732c2"
strings:
$name = "K8tools" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_K8tools
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_K8tools {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/k8gege/K8tools"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "K8tools" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_MSBuildAPICaller
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_MSBuildAPICaller {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/rvrsh3ll/MSBuildAPICaller"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "143da57f-b01f-5688-b741-1bc4d06cd7d1"
strings:
$name = "MSBuildAPICaller" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_MSBuildAPICaller
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_MSBuildAPICaller {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/rvrsh3ll/MSBuildAPICaller"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "MSBuildAPICaller" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_MagentoScanner
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_MagentoScanner {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/soufianetahiri/MagentoScanner"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "db3912bd-574c-57e2-a9b6-4b440d144471"
strings:
$name = "MagentoScanner" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_MagentoScanner
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_MagentoScanner {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/soufianetahiri/MagentoScanner"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "MagentoScanner" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_MaliciousClickOnceGenerator
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_MaliciousClickOnceGenerator {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/Mr-Un1k0d3r/MaliciousClickOnceGenerator"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "683af3b4-4c91-5ff3-96bf-d5c1d9c19cc2"
strings:
$name = "MaliciousClickOnceGenerator" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_MaliciousClickOnceGenerator
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_MaliciousClickOnceGenerator {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/Mr-Un1k0d3r/MaliciousClickOnceGenerator"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "MaliciousClickOnceGenerator" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_NativePayload_ARP
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_NativePayload_ARP {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/DamonMohammadbagher/NativePayload_ARP"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "9fac11f8-4e40-5cbc-a990-2ae48df20828"
strings:
$name = "NativePayload_ARP" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_NativePayload_ARP
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_NativePayload_ARP {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/DamonMohammadbagher/NativePayload_ARP"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "NativePayload_ARP" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_NativePayload_DNS2
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_NativePayload_DNS2 {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/DamonMohammadbagher/NativePayload_DNS2"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "0fa01355-de57-573e-9056-0b7a5d24572d"
strings:
$name = "NativePayload_DNS2" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_NativePayload_DNS2
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_NativePayload_DNS2 {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/DamonMohammadbagher/NativePayload_DNS2"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "NativePayload_DNS2" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_NativePayload_IP6DNS
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_NativePayload_IP6DNS {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/DamonMohammadbagher/NativePayload_IP6DNS"
license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
author = "Arnim Rupp"
date = "2021-01-22"
id = "3b32b408-e71a-5f2a-ae6f-72a3d6572b71"
strings:
$name = "NativePayload_IP6DNS" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_NativePayload_IP6DNS
Detects .NET red/black-team tools via name
rule HKTL_NET_NAME_NativePayload_IP6DNS {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/DamonMohammadbagher/NativePayload_IP6DNS"
author = "Arnim Rupp"
date = "2021-01-22"
strings:
$name = "NativePayload_IP6DNS" ascii wide
$compile = "AssemblyTitle" ascii wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
Showing 1051-1100 of 18,880