YARA rules

18,880 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. The rules below come from multiple open repositories; each entry shows its raw signature.
Using these YARA rules
Deploy. Load them into any YARA-capable scanner: your EDR if it supports YARA, the yara CLI against files or a memory image, VirusTotal Retrohunt, or a host scanner like Loki or THOR. When you combine rules from more than one repository, check for identifiers that occur in both (the listing below carries the same rule names from signature-base and from yara-rules): YARA rejects duplicate rule identifiers within one namespace, so drop one copy or load each source under its own namespace.
Adapt. Tighten or loosen the string and condition matches for your false-positive tolerance; a rule written for one campaign can over-match on benign files in a different environment. The HKTL_NET_NAME rules below are name-based: they fire on any PE that contains both the project name and the string AssemblyTitle, so a benign assembly whose name merely contains the tool name can match unless the strings are declared fullword, and anyone who renames the project evades them. Treat them as cheap triage signals, not as proof that a specific tool is present.
Scope. These are for hunting known malware families in files and memory and for triaging samples; network traffic and log-based detection are covered by the IDS and Sigma rules instead.
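The condition these rules share is worth reading closely before loosening or tightening it. The following is an added example, not code from this page or from signature-base: a plain-Python re-implementation of what an HKTL_NET_NAME rule evaluates, so the logic can be exercised without yara-python. The samples are constructed byte strings rather than real executables, and the benign assembly name SharpCatalog is hypothetical.

```python
import struct

# Added example: re-implements what the HKTL_NET_NAME_* condition evaluates so the
# operators can be studied without yara-python. All inputs below are constructed.


def looks_like_pe(data: bytes) -> bool:
    """The PE gate shared by every rule on this page:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
    YARA's uintN() reads are little-endian. The inner uint32(0x3C) is e_lfanew, the
    offset of the "PE\\0\\0" signature. A read past the end of the data is undefined
    in YARA and makes the condition false, so we return False there as well."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def _bordered_by_alnum(data: bytes, i: int, n: int, width: int) -> bool:
    """fullword check: the match must not touch an alphanumeric character on either
    side. For 'wide' matches a neighbour is a 2-byte unit; only Latin text (high byte
    zero) is inspected, an approximation of YARA that is exact for these tool names."""
    def alnum_unit(unit: bytes) -> bool:
        if len(unit) != width or (width == 2 and unit[1] != 0):
            return False
        return bytes([unit[0]]).isalnum()
    before = data[i - width:i] if i >= width else b""
    after = data[i + n:i + n + width]
    return alnum_unit(before) or alnum_unit(after)


def find_string(data: bytes, text: str, fullword: bool = False) -> list[tuple[str, int]]:
    """Emulates a YARA text string declared `ascii wide [fullword]`. 'wide' means every
    character is followed by a zero byte, i.e. UTF-16LE for ASCII names.
    Returns (encoding, offset) pairs, the information `yara -s` would print."""
    hits = []
    for enc, width in (("ascii", 1), ("utf-16-le", 2)):
        needle = text.encode(enc)
        i = data.find(needle)
        while i >= 0:
            if not fullword or not _bordered_by_alnum(data, i, len(needle), width):
                hits.append((enc, i))
            i = data.find(needle, i + 1)
    return hits


def hktl_net_name_matches(data: bytes, tool_name: str, fullword: bool = False) -> bool:
    """Condition of HKTL_NET_NAME_<tool>: PE gate and all of ($name, $compile)."""
    return (looks_like_pe(data)
            and bool(find_string(data, tool_name, fullword))
            and bool(find_string(data, "AssemblyTitle", fullword)))


def fake_pe(payload: bytes) -> bytes:
    """Constructed input, not a runnable executable: 'MZ', an e_lfanew field at 0x3C
    pointing at a 'PE\\0\\0' signature, then the payload bytes."""
    e_lfanew = 0x80
    hdr = bytearray(e_lfanew)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    return bytes(hdr) + b"PE\x00\x00" + payload


# Constructed samples. The tool name is stored UTF-16LE and the attribute name ASCII,
# so a rule declared only `ascii` or only `wide` would miss one of the two strings.
SHARPCAT_SAMPLE = fake_pe(b"\x00" * 16 + "SharpCat".encode("utf-16-le") + b"\x00AssemblyTitle\x00")
# Hypothetical benign assembly whose name merely starts with the tool name.
SHARPCATALOG_SAMPLE = fake_pe(b"SharpCatalog\x00AssemblyTitle\x00")
# Same strings, but not a PE: the gate fails before any string is considered.
NOT_A_PE = b"SharpCat AssemblyTitle"

if __name__ == "__main__":
    for label, sample in (("SharpCat", SHARPCAT_SAMPLE), ("SharpCatalog", SHARPCATALOG_SAMPLE), ("text", NOT_A_PE)):
        print(label, "plain:", hktl_net_name_matches(sample, "SharpCat"),
              "fullword:", hktl_net_name_matches(sample, "SharpCat", fullword=True))
```

Running it shows the SharpCatalog case flip from match to no match once fullword is on, which is exactly the difference between the two SharpCat copies in the listing: the signature-base copy declares both strings fullword, the yara-rules copy does not. For real scanning keep the yara binary or yara-python; this emulation only exists to make the operators visible.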

Rules

50 shown of 18,880
HKTL_NET_NAME_NativePayload_ReverseShell
Detects .NET red/black-team tools via name
source signature-base author Arnim Rupp
rule HKTL_NET_NAME_NativePayload_ReverseShell {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/DamonMohammadbagher/NativePayload_ReverseShell"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "eec77c09-02db-5d74-8526-e201d2fe6fc8"
    strings:
        $name = "NativePayload_ReverseShell" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_NativePayload_ReverseShell
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_NativePayload_ReverseShell {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/DamonMohammadbagher/NativePayload_ReverseShell"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "NativePayload_ReverseShell" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_NativePayload_Reverse_tcp
Detects .NET red/black-team tools via name
source signature-base author Arnim Rupp
rule HKTL_NET_NAME_NativePayload_Reverse_tcp {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/DamonMohammadbagher/NativePayload_Reverse_tcp"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "a6b935cc-adb6-5ff4-a832-1043e77292f7"
    strings:
        $name = "NativePayload_Reverse_tcp" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_NativePayload_Reverse_tcp
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_NativePayload_Reverse_tcp {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/DamonMohammadbagher/NativePayload_Reverse_tcp"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "NativePayload_Reverse_tcp" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_PandaSniper
Detects .NET red/black-team tools via name
source signature-base author Arnim Rupp
rule HKTL_NET_NAME_PandaSniper {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/QAX-A-Team/PandaSniper"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "006400fb-7e6d-563b-ba78-17937983c9ba"
    strings:
        $name = "PandaSniper" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_PandaSniper
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_PandaSniper {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/QAX-A-Team/PandaSniper"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "PandaSniper" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_RAT_NjRat_0_7d_modded_source_code
Detects .NET red/black-team tools via name
source signature-base author Arnim Rupp
rule HKTL_NET_NAME_RAT_NjRat_0_7d_modded_source_code {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/AliBawazeEer/RAT-NjRat-0.7d-modded-source-code"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "2b7d1f75-0164-561e-8199-32c601cbca98"
    strings:
        $name = "RAT-NjRat-0.7d-modded-source-code" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_RAT_NjRat_0_7d_modded_source_code
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_RAT_NjRat_0_7d_modded_source_code {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/AliBawazeEer/RAT-NjRat-0.7d-modded-source-code"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "RAT-NjRat-0.7d-modded-source-code" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_RdpThief
Detects .NET red/black-team tools via name
source signature-base author Arnim Rupp
rule HKTL_NET_NAME_RdpThief {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/0x09AL/RdpThief"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "5ad4feec-50db-5ebb-a609-9196e72a24aa"
    strings:
        $name = "RdpThief" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_RdpThief
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_RdpThief {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/0x09AL/RdpThief"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "RdpThief" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_Recon_AD
Detects .NET red/black-team tools via name
source signature-base author Arnim Rupp
rule HKTL_NET_NAME_Recon_AD {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/outflanknl/Recon-AD"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "097de5cd-0cd4-59cc-a7b7-54cad8e6d230"
    strings:
        $name = "Recon-AD" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_Recon_AD
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_Recon_AD {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/outflanknl/Recon-AD"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "Recon-AD" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_RemoteProcessInjection
Detects .NET red/black-team tools via name
source signature-base author Arnim Rupp
rule HKTL_NET_NAME_RemoteProcessInjection {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/Mr-Un1k0d3r/RemoteProcessInjection"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "f1698cf2-211a-551a-8bc4-4faefcc6106f"
    strings:
        $name = "RemoteProcessInjection" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_RemoteProcessInjection
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_RemoteProcessInjection {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/Mr-Un1k0d3r/RemoteProcessInjection"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "RemoteProcessInjection" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_RevengeRAT_Stub_CSsharp
Detects .NET red/black-team tools via name
source signature-base author Arnim Rupp
rule HKTL_NET_NAME_RevengeRAT_Stub_CSsharp {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/NYAN-x-CAT/RevengeRAT-Stub-CSsharp"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "06dce4f9-4d7a-5976-a87a-07c539e5dbe8"
    strings:
        $name = "RevengeRAT-Stub-CSsharp" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_RevengeRAT_Stub_CSsharp
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_RevengeRAT_Stub_CSsharp {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/NYAN-x-CAT/RevengeRAT-Stub-CSsharp"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "RevengeRAT-Stub-CSsharp" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_RunasCs
Detects .NET red/black-team tools via name
source signature-base author Arnim Rupp
rule HKTL_NET_NAME_RunasCs {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/antonioCoco/RunasCs"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "c5fc5b01-1d30-5af5-be99-e629cb23295b"
    strings:
        $name = "RunasCs" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_RunasCs
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_RunasCs {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/antonioCoco/RunasCs"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "RunasCs" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_SharPyShell
Detects .NET red/black-team tools via name
source signature-base author Arnim Rupp
rule HKTL_NET_NAME_SharPyShell {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/antonioCoco/SharPyShell"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "3069c5eb-446e-5bfa-9df0-2e03f229d4d1"
    strings:
        $name = "SharPyShell" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_SharPyShell
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_SharPyShell {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/antonioCoco/SharPyShell"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "SharPyShell" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_SharpBuster
Detects .NET red/black-team tools via name
source signature-base author Arnim Rupp
rule HKTL_NET_NAME_SharpBuster {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/passthehashbrowns/SharpBuster"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "d30c8ee5-88b9-53b5-b209-51f6f3b988cf"
    strings:
        $name = "SharpBuster" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_SharpBuster
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_SharpBuster {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/passthehashbrowns/SharpBuster"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "SharpBuster" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_SharpCat
Detects .NET red/black-team tools via name
source signature-base author Arnim Rupp
rule HKTL_NET_NAME_SharpCat {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/Cn33liz/SharpCat"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "a46be8d3-bf7b-5d86-b88b-33e6c8c152d8"
    strings:
        $name = "SharpCat" ascii wide fullword
        $compile = "AssemblyTitle" ascii wide fullword
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_SharpCat
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_SharpCat {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/Cn33liz/SharpCat"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "SharpCat" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_SharpHose
Detects .NET red/black-team tools via name
source signature-base author Arnim Rupp
rule HKTL_NET_NAME_SharpHose {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/ustayready/SharpHose"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "89b00eb0-f1a2-5c77-a5b0-2329b08aadb7"
    strings:
        $name = "SharpHose" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_SharpHose
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_SharpHose {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/ustayready/SharpHose"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "SharpHose" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_SharpOffensiveShell
Detects .NET red/black-team tools via name
source signature-base author Arnim Rupp
rule HKTL_NET_NAME_SharpOffensiveShell {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/darkr4y/SharpOffensiveShell"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "f223fb95-9f16-5504-a6ce-de9d75b38eaa"
    strings:
        $name = "SharpOffensiveShell" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_SharpOffensiveShell
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_SharpOffensiveShell {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/darkr4y/SharpOffensiveShell"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "SharpOffensiveShell" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_SharpWatchdogs
Detects .NET red/black-team tools via name
source signature-base author Arnim Rupp
rule HKTL_NET_NAME_SharpWatchdogs {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/RITRedteam/SharpWatchdogs"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "5343be58-879a-5fe7-9036-ee6a22d85f22"
    strings:
        $name = "SharpWatchdogs" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_SharpWatchdogs
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_SharpWatchdogs {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/RITRedteam/SharpWatchdogs"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "SharpWatchdogs" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_StageStrike
Detects .NET red/black-team tools via name
source signature-base author Arnim Rupp
rule HKTL_NET_NAME_StageStrike {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/RedXRanger/StageStrike"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "e3f9de04-87f6-5b07-b5b0-a26167937fcc"
    strings:
        $name = "StageStrike" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_StageStrike
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_StageStrike {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/RedXRanger/StageStrike"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "StageStrike" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_WMIPersistence
Detects .NET red/black-team tools via name
source signature-base author Arnim Rupp
rule HKTL_NET_NAME_WMIPersistence {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/mdsecactivebreach/WMIPersistence"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "7a674596-c697-569d-a16c-3cefe4ff752a"
    strings:
        $name = "WMIPersistence" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_WMIPersistence
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_WMIPersistence {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/mdsecactivebreach/WMIPersistence"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "WMIPersistence" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_aspnetcore_bypassing_authentication
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_aspnetcore_bypassing_authentication {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/jackowild/aspnetcore-bypassing-authentication"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "aspnetcore-bypassing-authentication" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_cve_2017_7269_tool
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_cve_2017_7269_tool {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/zcgonvh/cve-2017-7269-tool"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "cve-2017-7269-tool" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_directInjectorPOC
Detects .NET red/black-team tools via name
source signature-base author Arnim Rupp
rule HKTL_NET_NAME_directInjectorPOC {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/badBounty/directInjectorPOC"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "d9a430d7-b062-554b-aff4-cfd98d91e9fe"
    strings:
        $name = "directInjectorPOC" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_directInjectorPOC
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_directInjectorPOC {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/badBounty/directInjectorPOC"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "directInjectorPOC" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_gray_hat_csharp_code
Detects .NET red/black-team tools via name
source signature-base author Arnim Rupp
rule HKTL_NET_NAME_gray_hat_csharp_code {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/brandonprry/gray_hat_csharp_code"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "0a94cadc-cc7b-5817-8788-bb1e53937fad"
    strings:
        $name = "gray_hat_csharp_code" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_gray_hat_csharp_code
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_gray_hat_csharp_code {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/brandonprry/gray_hat_csharp_code"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "gray_hat_csharp_code" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_ibombshell
Detects .NET red/black-team tools via name
source signature-base author Arnim Rupp
rule HKTL_NET_NAME_ibombshell {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/Telefonica/ibombshell"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "02f3272f-8e75-5df4-9052-a315ae202050"
    strings:
        $name = "ibombshell" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_ibombshell
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_ibombshell {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/Telefonica/ibombshell"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "ibombshell" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_metasploit_sharp
Detects .NET red/black-team tools via name
source signature-base author Arnim Rupp
rule HKTL_NET_NAME_metasploit_sharp {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/VolatileMindsLLC/metasploit-sharp"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "b425f241-4887-5368-b42b-3fbbd3b769c6"
    strings:
        $name = "metasploit-sharp" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_metasploit_sharp
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_metasploit_sharp {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/VolatileMindsLLC/metasploit-sharp"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "metasploit-sharp" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_njRAT_0_7d_Stub_CSharp
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_njRAT_0_7d_Stub_CSharp {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/NYAN-x-CAT/njRAT-0.7d-Stub-CSharp"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "njRAT-0.7d-Stub-CSharp" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_pentestscripts
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_pentestscripts {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/c4bbage/pentestscripts"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "pentestscripts" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_petaqc2
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_petaqc2 {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/fozavci/petaqc2"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "petaqc2" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_reconness
Detects .NET red/black-team tools via name
source signature-base author Arnim Rupp
rule HKTL_NET_NAME_reconness {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/reconness/reconness"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "a30188e4-d96a-59d0-9f51-d7a7e07b14ba"
    strings:
        $name = "reconness" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_reconness
Detects .NET red/black-team tools via name
source yara-rules author Arnim Rupp
rule HKTL_NET_NAME_reconness {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/reconness/reconness"
        author = "Arnim Rupp"
        date = "2021-01-22"
    strings:
        $name = "reconness" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
HKTL_NET_NAME_shellcodeTester
Detects .NET red/black-team tools via name
source signature-base author Arnim Rupp
rule HKTL_NET_NAME_shellcodeTester {
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/tophertimzen/shellcodeTester"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "964093a4-e6d7-51b7-928a-b1cd40dc11cc"
    strings:
        $name = "shellcodeTester" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
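Nearly every signature-base rule above has a same-named twin from yara-rules. YARA refuses to compile two rules with the same identifier in one namespace, so loading both repositories into a single ruleset fails with a duplicated-identifier error. The following is an added example, not code from this page or from either repository, that finds such collisions and merges the sources keeping one copy per identifier. The two sources it operates on are abridged from the RunasCs and petaqc2 entries above, and the file names passed to namespaced_command are placeholders.

```python
import re
from collections import defaultdict

# Added example: merge rule sets from several repositories without tripping YARA's
# "duplicated identifier" error. Inputs are abridged copies of rules shown on the page.

RULE_START = re.compile(r"^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+([A-Za-z_][A-Za-z0-9_]*)", re.M)


def split_rules(text: str) -> list[tuple[str, str]]:
    """(identifier, rule_text) for each top-level rule, found by brace matching.
    Braces inside double-quoted strings are skipped, so a '{' in a description or
    URL cannot confuse it; hex strings like { 4D 5A } nest and balance on their own."""
    rules = []
    for m in RULE_START.finditer(text):
        i = text.index("{", m.end())
        depth, j, in_string = 0, i, False
        while j < len(text):
            c = text[j]
            if in_string:
                if c == "\\":
                    j += 1          # skip the escaped character
                elif c == '"':
                    in_string = False
            elif c == '"':
                in_string = True
            elif c == "{":
                depth += 1
            elif c == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        rules.append((m.group(1), text[m.start():j + 1]))
    return rules


def duplicate_identifiers(sources: dict[str, str]) -> dict[str, list[str]]:
    """identifier -> sources defining it, for identifiers that occur more than once."""
    seen: dict[str, list[str]] = defaultdict(list)
    for src, text in sources.items():
        for name, _ in split_rules(text):
            seen[name].append(src)
    return {n: s for n, s in seen.items() if len(s) > 1}


def merge(sources: dict[str, str], prefer: list[str]) -> tuple[str, dict[str, list[str]]]:
    """Keep one definition per identifier, taken from the first source in `prefer` that
    has it (signature-base first: its copies carry the license and a stable id).
    Returns the merged rule text and a record of what was dropped from where."""
    chosen: dict[str, str] = {}
    dropped: dict[str, list[str]] = defaultdict(list)
    for src in prefer:
        for name, body in split_rules(sources[src]):
            if name in chosen:
                dropped[name].append(src)
            else:
                chosen[name] = body
    return "\n\n".join(chosen.values()) + "\n", dict(dropped)


def namespaced_command(paths: dict[str, str], target: str) -> str:
    """The alternative to merging: the yara CLI accepts NAMESPACE:FILE arguments, and
    identical identifiers in different namespaces do not collide."""
    return "yara " + " ".join(f"{ns}:{p}" for ns, p in paths.items()) + f" {target}"


# Abridged from the page's listing (meta trimmed); real inputs are whole .yar files.
SIGNATURE_BASE = '''
rule HKTL_NET_NAME_RunasCs {
    meta:
        reference = "https://github.com/antonioCoco/RunasCs"
        id = "c5fc5b01-1d30-5af5-be99-e629cb23295b"
    strings:
        $name = "RunasCs" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
'''
YARA_RULES = '''
rule HKTL_NET_NAME_RunasCs {
    meta:
        reference = "https://github.com/antonioCoco/RunasCs"
    strings:
        $name = "RunasCs" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
rule HKTL_NET_NAME_petaqc2 {
    strings:
        $name = "petaqc2" ascii wide
        $compile = "AssemblyTitle" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them
}
'''
SOURCES = {"signature-base": SIGNATURE_BASE, "yara-rules": YARA_RULES}
```

Prefer the signature-base copy when both exist: it is the one with the license and the stable id, and the yara-rules copy of the same rule on this page differs only by lacking them (the SharpCat pair, where signature-base adds fullword, is the exception, and that is the version you want anyway).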
Showing 1101-1150 of 18,880