YARA rules

18,880 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. Rules below come from multiple open repositories.
Using these YARA rules
Deploy. Load them into any YARA-capable scanner: your EDR if it supports YARA, the yara CLI against files or a memory image, VirusTotal Retrohunt, or a host scanner like Loki or THOR.
Adapt. Tighten or loosen the string and condition matches for your false-positive tolerance; a rule written for one campaign can over-match on benign files in a different environment.
Scope. These are for hunting known malware families in files and memory and for triaging samples - not for network traffic or log-based detection, which the IDS and Sigma rules cover.

Rules

CN_Honker_Webshell_PHP_php1
Webshell from CN Honker Pentest Toolset - file php1.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_PHP_php1 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file php1.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "c2f4b150f53c78777928921b3a985ec678bfae32"
		id = "5fe78cc6-8be3-595f-a082-e361259938e5"
	strings:
		$s7 = "$sendbuf = \"site exec \".$_POST[\"SUCommand\"].\"\\r\\n\";" fullword ascii /* PEStudio Blacklist: strings */
		$s8 = "elseif(function_exists('passthru')){@ob_start();@passthru($cmd);$res = @ob_get_c" ascii /* PEStudio Blacklist: strings */
		$s18 = "echo Exec_Run($perlpath.' /tmp/spider_bc '.$_POST['yourip'].' '.$_POST['yourport" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 621KB and all of them
}
CN_Honker_Webshell_PHP_php10
Webshell from CN Honker Pentest Toolset - file php10.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_PHP_php10 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file php10.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "3698c566a0ae07234c8957112cdb34b79362b494"
		id = "5fe78cc6-8be3-595f-a082-e361259938e5"
	strings:
		$s1 = "dumpTable($N,$M,$Hc=false){if($_POST[\"format\"]!=\"sql\"){echo\"\\xef\\xbb\\xbf" ascii /* PEStudio Blacklist: strings */
		$s2 = "';if(DB==\"\"||!$od){echo\"<a href='\".h(ME).\"sql='\".bold(isset($_GET[\"sql\"]" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 600KB and all of them
}
CN_Honker_Webshell_PHP_php2
Webshell from CN Honker Pentest Toolset - file php2.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_PHP_php2 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file php2.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "bf12e1d741075cd1bd324a143ec26c732a241dea"
		id = "377ff89d-a9ba-526c-97a1-388f9ccb48ba"
	strings:
		$s1 = "$OOO0O0O00=__FILE__;$OOO000000=urldecode('" ascii /* PEStudio Blacklist: strings */
		$s2 = "<?php // Black" fullword ascii
	condition:
		filesize < 12KB and all of them
}
CN_Honker_Webshell_PHP_php3
Webshell from CN Honker Pentest Toolset - file php3.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_PHP_php3 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file php3.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "e2924cb0537f4cdfd6f1bd44caaaf68a73419b9d"
		id = "3000ac40-35de-5d24-85fb-4d105b07c2e7"
	strings:
		$s1 = "} elseif(@is_resource($f = @popen($cfe,\"r\"))) {" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "cf('/tmp/.bc',$back_connect);" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 8KB and all of them
}
CN_Honker_Webshell_PHP_php4
Webshell from CN Honker Pentest Toolset - file php4.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_PHP_php4 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file php4.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "179975f632baff6ee4d674fe3fabc324724fee9e"
		id = "82446dff-dd1e-54a8-bb70-570bedc805b5"
	strings:
		$s0 = "nc -l -vv -p port(" ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x4850 and filesize < 1KB and all of them
}
CN_Honker_Webshell_PHP_php5
Webshell from CN Honker Pentest Toolset - file php5.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_PHP_php5 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file php5.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "0fd91b6ad400a857a6a65c8132c39e6a16712f19"
		id = "ee063c4c-af06-520f-acfe-fba758b84d3c"
	strings:
		$s0 = "else if(isset($_POST['reverse'])) { if(@ftp_login($connection,$user,strrev($user" ascii /* PEStudio Blacklist: strings */
		$s20 = "echo sr(35,in('hidden','dir',0,$dir).in('hidden','cmd',0,'mysql_dump').\"<b>\".$" ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x3f3c and filesize < 300KB and all of them
}
CN_Honker_Webshell_PHP_php7
Webshell from CN Honker Pentest Toolset - file php7.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_PHP_php7 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file php7.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "05a3f93dbb6c3705fd5151b6ffb64b53bc555575"
		id = "f21bb0db-d18a-58c0-a227-5baf5536c57b"
	strings:
		$s0 = "---> '.$ports[$i].'<br>'; ob_flush(); flush(); } } echo '</div>'; return true; }" ascii /* PEStudio Blacklist: strings */
		$s1 = "$getfile = isset($_POST['downfile']) ? $_POST['downfile'] : ''; $getaction = iss" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 300KB and all of them
}
CN_Honker_Webshell_PHP_php8
Webshell from CN Honker Pentest Toolset - file php8.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_PHP_php8 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file php8.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "b7b49f1d6645865691eccd025e140c521ff01cce"
		id = "8b25b7f3-b94e-5887-b102-b52d340a4316"
	strings:
		$s0 = "<a href=\"http://hi.baidu.com/ca3tie1/home\" target=\"_blank\">Ca3tie1's Blog</a" ascii /* PEStudio Blacklist: strings */
		$s1 = "function startfile($path = 'dodo.zip')" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "<form name=\"myform\" method=\"post\" action=\"\">" fullword ascii /* PEStudio Blacklist: strings */
		$s5 = "$_REQUEST[zipname] = \"dodozip.zip\"; " fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 25KB and 2 of them
}
CN_Honker_Webshell_PHP_php9
Webshell from CN Honker Pentest Toolset - file php9.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_PHP_php9 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file php9.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "cd3962b1dba9f1b389212e38857568b69ca76725"
		id = "c8cbee10-78ea-5a6f-9c80-7e51a9c38440"
	strings:
		$s1 = "Str[17] = \"select shell('c:\\windows\\system32\\cmd.exe /c net user b4che10r ab" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 1087KB and all of them
}
CN_Honker_Webshell_Serv_U_2_admin_by_lake2
Webshell from CN Honker Pentest Toolset - file Serv-U 2 admin by lake2.asp
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_Serv_U_2_admin_by_lake2 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file Serv-U 2 admin by lake2.asp"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "cb8039f213e611ab2687edd23e63956c55f30578"
		id = "8fce8835-a4ed-58df-a725-0c1fc04becaa"
	strings:
		$s1 = "xPost3.Open \"POST\", \"http://127.0.0.1:\"& port &\"/lake2\", True" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "response.write \"FTP user lake  pass admin123 :)<br><BR>\"" fullword ascii /* PEStudio Blacklist: strings */
		$s8 = "<p>Serv-U Local Get SYSTEM Shell with ASP" fullword ascii /* PEStudio Blacklist: strings */
		$s9 = "\"-HomeDir=c:\\\\\" & vbcrlf & \"-LoginMesFile=\" & vbcrlf & \"-Disable=0\" & vb" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 17KB and 2 of them
}
CN_Honker_Webshell_Serv_U_asp
Webshell from CN Honker Pentest Toolset - file Serv-U asp.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_Serv_U_asp {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file Serv-U asp.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "cee91cd462a459d31a95ac08fe80c70d2f9c1611"
		id = "06a58a05-92bd-5124-a172-2bfd9491c2fc"
	strings:
		$s1 = "newuser = \"-SETUSERSETUP\" & vbCrLf & \"-IP=0.0.0.0\" & vbCrLf & \"-PortNo=\" &" ascii /* PEStudio Blacklist: strings */
		$s2 = "<td><input name=\"c\" type=\"text\" id=\"c\" value=\"cmd /c net user goldsun lov" ascii /* PEStudio Blacklist: strings */
		$s3 = "deldomain = \"-DELETEDOMAIN\" & vbCrLf & \"-IP=0.0.0.0\" & vbCrLf & \" PortNo=\"" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 30KB and 2 of them
}
CN_Honker_Webshell_Serv_U_by_Goldsun
Webshell from CN Honker Pentest Toolset - file Serv-U_by_Goldsun.asp
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_Serv_U_by_Goldsun {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file Serv-U_by_Goldsun.asp"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "d4d7a632af65a961a1dbd0cff80d5a5c2b397e8c"
		id = "d8b85c33-b05d-531a-9c0a-a1dddcae0da4"
	strings:
		$s1 = "b.open \"GET\", \"http://127.0.0.1:\" & ftpport & \"/goldsun/upadmin/s2\", True," ascii /* PEStudio Blacklist: strings */
		$s2 = "newuser = \"-SETUSERSETUP\" & vbCrLf & \"-IP=0.0.0.0\" & vbCrLf & \"-PortNo=\" &" ascii /* PEStudio Blacklist: strings */
		$s3 = "127.0.0.1:<%=port%>," fullword ascii /* PEStudio Blacklist: strings */
		$s4 = "GName=\"http://\" & request.servervariables(\"server_name\")&\":\"&request.serve" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 30KB and 2 of them
}
CN_Honker_Webshell_Serv_U_serv_u
Webshell from CN Honker Pentest Toolset - file serv-u.php
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_Serv_U_serv_u {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file serv-u.php"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		modified = "2023-01-27"
		score = 70
		hash = "1c6415a247c08a63e3359b06575b36017befc0c0"
		id = "dd37b2c3-e06d-5245-97d7-40e5eeadb76f"
	strings:
		$s1 = "@readfile(\"c:\\\\winnt\\\\system32\\" ascii /* PEStudio Blacklist: strings */
		$s2 = "$sendbuf = \"PASS \".$_POST[\"password\"].\"\\r\\n\";" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "$cmd=\"cmd /c rundll32.exe $path,install $openPort $activeStr\";" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 435KB and all of them
}
CN_Honker_Webshell_Serv_U_servu
Webshell from CN Honker Pentest Toolset - file servu.php
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_Serv_U_servu {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file servu.php"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "7de701b86820096e486e64ca34f1fa9f2fbba641"
		id = "3e50d991-7297-5766-b68a-e74aa34ce042"
	strings:
		$s0 = "fputs ($conn_id, \"SITE EXEC \".$dir.\"cmd.exe /c \".$cmd.\"\\r\\n\");" fullword ascii /* PEStudio Blacklist: strings */
		$s1 = "function ftpcmd($ftpport,$user,$password,$dir,$cmd){" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 41KB and all of them
}
CN_Honker_Webshell_T00ls_Lpk_Sethc_v4_mail
Webshell from CN Honker Pentest Toolset - file mail.php
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_T00ls_Lpk_Sethc_v4_mail {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file mail.php"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "0a9b7b438591ee78ee573028cbb805a9dbb9da96"
		id = "2f7d8a4d-9d94-5f23-9768-cc3712678d93"
	strings:
		$s1 = "if (!$this->smtp_putcmd(\"AUTH LOGIN\", base64_encode($this->user)))" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "$this->smtp_debug(\"> \".$cmd.\"\\n\");" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 39KB and all of them
}
CN_Honker_Webshell_Tuoku_script_mssql_2
Webshell from CN Honker Pentest Toolset - file mssql.asp
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_Tuoku_script_mssql_2 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file mssql.asp"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "ad55512afa109b205e4b1b7968a89df0cf781dc9"
		id = "3f9706d6-7f6e-5120-945a-d5d928d79507"
	strings:
		$s1 = "sqlpass=request(\"sqlpass\")" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "set file=fso.createtextfile(server.mappath(request(\"filename\")),8,true)" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "<blockquote> ServerIP:&nbsp;&nbsp;&nbsp;" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 3KB and all of them
}
CN_Honker_Webshell_Tuoku_script_mysql
Webshell from CN Honker Pentest Toolset - file mysql.aspx
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_Tuoku_script_mysql {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file mysql.aspx"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "8e242c40aabba48687cfb135b51848af4f2d389d"
		id = "fa0627fb-a40c-5856-ae78-17d33910878f"
	strings:
		$s1 = "txtpassword.Attributes.Add(\"onkeydown\", \"SubmitKeyClick('btnLogin');\");" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "connString = string.Format(\"Host = {0}; UserName = {1}; Password = {2}; Databas" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 202KB and all of them
}
CN_Honker_Webshell_Tuoku_script_oracle
Webshell from CN Honker Pentest Toolset - file oracle.jsp
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_Tuoku_script_oracle {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file oracle.jsp"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "fc7043aaac0ee2d860d11f18ddfffbede9d07957"
		id = "adc8dea6-8031-580b-b19a-e5520d41528f"
	strings:
		$s1 = "String url=\"jdbc:oracle:thin:@localhost:1521:orcl\";" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "String user=\"oracle_admin\";" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "String sql=\"SELECT 1,2,3,4,5,6,7,8,9,10 from user_info\";" fullword ascii
	condition:
		filesize < 7KB and all of them
}
CN_Honker_Webshell_Tuoku_script_xx
Webshell from CN Honker Pentest Toolset - file xx.php
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_Tuoku_script_xx {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file xx.php"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "2f39f1d9846ae72fc673f9166536dc21d8f396aa"
		id = "72a04950-b82d-516f-a376-5253b7de1158"
	strings:
		$s0 = "$mysql.=\"insert into `$table`($keys) values($vals);\\r\\n\";" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "$mysql_link=@mysql_connect($mysql_servername , $mysql_username , $mysql_password" ascii /* PEStudio Blacklist: strings */
		$s16 = "mysql_query(\"SET NAMES gbk\");" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 2KB and all of them
}
CN_Honker_Webshell_WebShell
Webshell from CN Honker Pentest Toolset - file WebShell.cgi
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_WebShell {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file WebShell.cgi"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "7ef773df7a2f221468cc8f7683e1ace6b1e8139a"
		id = "9fe4c8fd-3955-5405-add2-835e6f64e8f2"
	strings:
		$s1 = "$login = crypt($WebShell::Configuration::password, $salt);" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "my $error = \"This command is not available in the restricted mode.\\n\";" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "warn \"command: '$command'\\n\";" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 30KB and 2 of them
}
CN_Honker_Webshell__Injection_jmCook_jmPost_ManualInjection
Webshell from CN Honker Pentest Toolset - from files Injection.exe, jmCook.asp, jmPost.asp, ManualInjection.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell__Injection_jmCook_jmPost_ManualInjection {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - from files Injection.exe, jmCook.asp, jmPost.asp, ManualInjection.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		super_rule = 1
		hash0 = "3484ed16e6f9e0d603cbc5cb44e46b8b7e775d35"
		hash1 = "5e1851c77ce922e682333a3cb83b8506e1d7395d"
		hash2 = "f80ec26bbdc803786925e8e0450ad7146b2478ff"
		hash3 = "e83d427f44783088a84e9c231c6816c214434526"
		id = "e154ecb5-9d56-520a-b76a-635a8864f0a8"
	strings:
		$s1 = "response.write  PostData(JMUrl,JmStr,JmCok,JmRef)" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "strReturn=Replace(strReturn,chr(43),\"%2B\")  'JMDCW" fullword ascii
	condition:
		filesize < 7342KB and all of them
}
CN_Honker_Webshell__Serv_U_by_Goldsun_asp3_Serv_U_asp
Webshell from CN Honker Pentest Toolset - from files Serv-U_by_Goldsun.asp, asp3.txt, Serv-U asp.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell__Serv_U_by_Goldsun_asp3_Serv_U_asp {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - from files Serv-U_by_Goldsun.asp, asp3.txt, Serv-U asp.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		super_rule = 1
		hash0 = "d4d7a632af65a961a1dbd0cff80d5a5c2b397e8c"
		hash1 = "87c5a76989bf08da5562e0b75c196dcb3087a27b"
		hash2 = "cee91cd462a459d31a95ac08fe80c70d2f9c1611"
		id = "e91e05e8-0f6d-57a7-a649-a834733f17c8"
	strings:
		$s1 = "c.send loginuser & loginpass & mt & deldomain & quit" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "loginpass = \"Pass \" & pass & vbCrLf" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "b.send \"User go\" & vbCrLf & \"pass od\" & vbCrLf & \"site exec \" & cmd & vbCr" ascii
	condition:
		filesize < 444KB and all of them
}
CN_Honker_Webshell__asp4_asp4_MSSQL__MSSQL_
Webshell from CN Honker Pentest Toolset - from files asp4.txt, asp4.txt, MSSQL_.asp, MSSQL_.asp
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell__asp4_asp4_MSSQL__MSSQL_ {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - from files asp4.txt, asp4.txt, MSSQL_.asp, MSSQL_.asp"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		super_rule = 1
		hash0 = "4005b83ced1c032dc657283341617c410bc007b8"
		hash1 = "4005b83ced1c032dc657283341617c410bc007b8"
		hash2 = "7097c21f92306983add3b5b29a517204cd6cd819"
		hash3 = "7097c21f92306983add3b5b29a517204cd6cd819"
		id = "e0070f0d-35d0-5024-88e7-e0e04b29f485"
	strings:
		$s0 = "\"<form name=\"\"searchfileform\"\" action=\"\"?action=searchfile\"\" method=\"" ascii /* PEStudio Blacklist: strings */
		$s1 = "\"<TD ALIGN=\"\"Left\"\" colspan=\"\"5\"\">[\"& DbName & \"]" fullword ascii
		$s2 = "Set Conn = Nothing " fullword ascii
	condition:
		filesize < 341KB and all of them
}
CN_Honker_Webshell__php1_php7_php9
Webshell from CN Honker Pentest Toolset - from files php1.txt, php7.txt, php9.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell__php1_php7_php9 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - from files php1.txt, php7.txt, php9.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		super_rule = 1
		hash0 = "c2f4b150f53c78777928921b3a985ec678bfae32"
		hash1 = "05a3f93dbb6c3705fd5151b6ffb64b53bc555575"
		hash2 = "cd3962b1dba9f1b389212e38857568b69ca76725"
		id = "cfc2f624-976f-5ff6-bd07-10948b9290bc"
	strings:
		$s1 = "<a href=\"?s=h&o=wscript\">[WScript.shell]</a> " fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "document.getElementById('cmd').value = Str[i];" fullword ascii
		$s3 = "Str[7] = \"copy c:\\\\\\\\1.php d:\\\\\\\\2.php\";" fullword ascii
	condition:
		filesize < 300KB and all of them
}
CN_Honker_Webshell_assembly
Webshell from CN Honker Pentest Toolset - file assembly.asp
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_assembly {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file assembly.asp"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "2bcb4d22758b20df6b9135d3fb3c8f35a9d9028e"
		id = "7639e81d-fe21-5a12-9a20-fe894eefef73"
	strings:
		$s0 = "response.write oScriptlhn.exec(\"cmd.exe /c\" & request(\"c\")).stdout.readall" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 1KB and all of them
}
CN_Honker_Webshell_cfmShell
Webshell from CN Honker Pentest Toolset - file cfmShell.cfm
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_cfmShell {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file cfmShell.cfm"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "740796909b5d011128b6c54954788d14faea9117"
		id = "40d50ddb-2963-5d8e-b93a-bb44a8944229"
	strings:
		$s0 = "<cfexecute name=\"C:\\Winnt\\System32\\cmd.exe\"" fullword ascii /* PEStudio Blacklist: strings */
		$s4 = "<cfif FileExists(\"#GetTempDirectory()#foobar.txt\") is \"Yes\">" fullword ascii
	condition:
		filesize < 4KB and all of them
}
CN_Honker_Webshell_cfm_list
Webshell from CN Honker Pentest Toolset - file list.cfm
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_cfm_list {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file list.cfm"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "85d445b13d2aef1df3b264c9b66d73f0ff345cec"
		id = "98302eef-d1e8-5524-a57e-d49c0e92c7e0"
	strings:
		$s1 = "<TD><a href=\"javascript:ShowFile('#mydirectory.name#')\">#mydirectory.name#</a>" ascii /* PEStudio Blacklist: strings */
		$s2 = "<TD>#mydirectory.size#</TD>" fullword ascii
	condition:
		filesize < 10KB and all of them
}
CN_Honker_Webshell_cfm_xl
Webshell from CN Honker Pentest Toolset - file xl.cfm
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_cfm_xl {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file xl.cfm"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "49c3d16ee970945367a7d6ae86b7ade7cb3b5447"
		id = "5c8d1301-fe20-50e0-86ac-99a220cd4be1"
	strings:
		$s0 = "<input name=\"DESTINATION\" value=\"" ascii /* PEStudio Blacklist: strings */
		$s1 = "<CFFILE ACTION=\"Write\" FILE=\"#Form.path#\" OUTPUT=\"#Form.cmd#\">" fullword ascii
	condition:
		uint16(0) == 0x433c and filesize < 13KB and all of them
}
CN_Honker_Webshell_cmfshell
Webshell from CN Honker Pentest Toolset - file cmfshell.cmf
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_cmfshell {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file cmfshell.cmf"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "b9b2107c946431e4ad1a8f5e53ac05e132935c0e"
		id = "c5670deb-952c-5ba4-949a-097cc09bb108"
	strings:
		$s1 = "<cfexecute name=\"C:\\Winnt\\System32\\cmd.exe\"" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "<form action=\"<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>\" method=\"post\">" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 4KB and all of them
}
CN_Honker_Webshell_dz_phpcms_phpbb
Webshell from CN Honker Pentest Toolset - file dz_phpcms_phpbb.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_dz_phpcms_phpbb {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file dz_phpcms_phpbb.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "33f23c41df452f8ca2768545ac6e740f30c44d1f"
		id = "f7e5413f-a7c9-51d4-8422-30c3e2462be2"
	strings:
		$s1 = "if($pwd == md5(md5($password).$salt))" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "function test_1($password)" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = ":\".$pwd.\"\\n---------------------------------\\n\";exit;" fullword ascii
		$s4 = ":user=\".$user.\"\\n\";echo \"pwd=\".$pwd.\"\\n\";echo \"salt=\".$salt.\"\\n\";" fullword ascii
	condition:
		filesize < 22KB and all of them
}
CN_Honker_Webshell_jspshell
Webshell from CN Honker Pentest Toolset - file jspshell.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_jspshell {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file jspshell.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "d16af622f7688d4e0856a2678c4064d3d120e14b"
		id = "ff72f94b-1c0a-5615-b35f-35f69c920292"
	strings:
		$s1 = "else if(Z.equals(\"M\")){String[] c={z1.substring(2),z1.substring(0,2),z2};Proce" ascii /* PEStudio Blacklist: strings */
		$s2 = "String Z=EC(request.getParameter(Pwd)+\"\",cs);String z1=EC(request.getParameter" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 30KB and all of them
}
CN_Honker_Webshell_jspshell2
Webshell from CN Honker Pentest Toolset - file jspshell2.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_jspshell2 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file jspshell2.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "cc7bc1460416663012fc93d52e2078c0a277ff79"
		id = "ff72f94b-1c0a-5615-b35f-35f69c920292"
	strings:
		$s10 = "if (cmd == null) cmd = \"cmd.exe /c set\";" fullword ascii /* PEStudio Blacklist: strings */
		$s11 = "if (program == null) program = \"cmd.exe /c net start > \"+SHELL_DIR+\"/Log.txt" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 424KB and all of them
}
CN_Honker_Webshell_mycode12
Webshell from CN Honker Pentest Toolset - file mycode12.cfm
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_mycode12 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file mycode12.cfm"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "64be8760be5ab5c2dcf829e3f87d3e50b1922f17"
		id = "2ce7368c-7565-5b32-94d1-c87023404c5b"
	strings:
		$s1 = "<cfexecute name=\"cmd.exe\"" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "<cfoutput>#cmd#</cfoutput>" fullword ascii
	condition:
		filesize < 4KB and all of them
}
CN_Honker_Webshell_nc_1
Webshell from CN Honker Pentest Toolset - file 1.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_nc_1 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file 1.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "51d83961171db000fe4476f36d703ef3de409676"
		id = "fe83df79-f7cb-50b8-bb34-9bfc5fbe3de2"
	strings:
		$s1 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 " ascii /* PEStudio Blacklist: agent */
		$s2 = "<%if session(\"pw\")<>\"go\" then %>" fullword ascii
	condition:
		filesize < 11KB and all of them
}
CN_Honker_Webshell_offlibrary
Webshell from CN Honker Pentest Toolset - file offlibrary.php
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_offlibrary {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file offlibrary.php"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "eb5275f99211106ae10a23b7e565d208a94c402b"
		id = "c01f7c8b-a6bd-5094-9574-8cc853698607"
	strings:
		$s0 = "';$i=$g->query(\"SELECT SUBSTRING_INDEX(CURRENT_USER, '@', 1) AS User, SUBSTRING" ascii /* PEStudio Blacklist: strings */
		$s12 = "if(jushRoot){var script=document.createElement('script');script.src=jushRoot+'ju" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 1005KB and all of them
}
CN_Honker_Webshell_phpwebbackup
Webshell from CN Honker Pentest Toolset - file phpwebbackup.php
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_phpwebbackup {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file phpwebbackup.php"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "c788cb280b7ad0429313837082fe84e9a49efab6"
		id = "eb737ea6-231c-5e8d-b976-75f1044f9f54"
	strings:
		$s0 = "<?php // Code By isosky www.nbst.org" fullword ascii
		$s2 = "$OOO0O0O00=__FILE__;$OOO000000=urldecode('" ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x3f3c and filesize < 67KB and all of them
}
CN_Honker_Webshell_picloaked_1
Webshell from CN Honker Pentest Toolset - file 1.gif
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_picloaked_1 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file 1.gif"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "3eab1798cbc9ab3b2c67d3da7b418d07e775db70"
		id = "2ff44c4a-ed97-5635-9926-8d54a8364fab"
	strings:
		$s0 = "<?php eval($_POST[" ascii /* PEStudio Blacklist: strings */
		$s1 = ";<%execute(request(" ascii /* PEStudio Blacklist: strings */
		$s3 = "GIF89a" fullword ascii /* Goodware String - occurred 318 times */
	condition:
		filesize < 6KB and 2 of them
}
CN_Honker_Webshell_portRecall_jsp
Webshell from CN Honker Pentest Toolset - file jsp.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_portRecall_jsp {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file jsp.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "65e8e4d13ad257c820cad12eef853c6d0134fce8"
		id = "cd34cb47-c5e0-5094-a501-6a8a00d94018"
	strings:
		$s0 = "lcx.jsp?localIP=202.91.246.59&localPort=88&remoteIP=218.232.111.187&remotePort=2" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 1KB and all of them
}
CN_Honker_Webshell_portRecall_jsp2
Webshell from CN Honker Pentest Toolset - file jsp2.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_portRecall_jsp2 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file jsp2.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "412ed15eb0d24298ba41731502018800ffc24bfc"
		id = "cd34cb47-c5e0-5094-a501-6a8a00d94018"
	strings:
		$s0 = "final String remoteIP =request.getParameter(\"remoteIP\");" fullword ascii /* PEStudio Blacklist: strings */
		$s4 = "final String localIP = request.getParameter(\"localIP\");" fullword ascii /* PEStudio Blacklist: strings */
		$s20 = "final String localPort = \"3390\";//request.getParameter(\"localPort\");" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 23KB and all of them
}
CN_Honker_Webshell_su7_x_9_x
Webshell from CN Honker Pentest Toolset - file su7.x-9.x.asp
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_su7_x_9_x {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file su7.x-9.x.asp"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "808396b51023cc8356f8049cfe279b349ca08f1a"
		id = "5d546ce8-6f8f-5b0b-9472-23f283ef9f80"
	strings:
		$s0 = "returns=httpopen(\"LoginID=\"&user&\"&FullName=&Password=\"&pass&\"&ComboPasswor" ascii /* PEStudio Blacklist: strings */
		$s1 = "returns=httpopen(\"\",\"POST\",\"http://127.0.0.1:\"&port&\"/Admin/XML/User.xml?" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 59KB and all of them
}
CN_Honker_Webshell_test3693
Webshell from CN Honker Pentest Toolset - file test3693.war
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_test3693 {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file test3693.war"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "246d629ae3ad980b5bfe7e941fe90b855155dbfc"
		id = "58fe4445-b2e1-5d5f-8c46-39c6ae78f845"
	strings:
		$s0 = "Process p=Runtime.getRuntime().exec(\"cmd /c \"+strCmd);" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "http://www.topronet.com </font>\",\" <font color=red> Thanks for your support - " ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x4b50 and filesize < 50KB and all of them
}
CN_Honker_Webshell_udf_udf
Webshell from CN Honker Pentest Toolset - file udf.php
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_udf_udf {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file udf.php"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "df63372ccab190f2f1d852f709f6b97a8d9d22b9"
		id = "07252f2d-1a99-5f21-940d-899a4821b511"
	strings:
		$s1 = "<?php // Source  My : Meiam  " fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "$OOO0O0O00=__FILE__;$OOO000000=urldecode('" ascii /* PEStudio Blacklist: strings */
	condition:
		filesize < 430KB and all of them
}
CN_Honker_Webshell_wshell_asp
Webshell from CN Honker Pentest Toolset - file wshell-asp.txt
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Webshell_wshell_asp {
	meta:
		description = "Webshell from CN Honker Pentest Toolset - file wshell-asp.txt"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "4a0afdf5a45a759c14e99eb5315964368ca53e9c"
		id = "294f0d00-7102-553d-92e2-c0a0e017385c"
	strings:
		$s1 = "file1.Write(\"<%response.clear:execute request(\\\"root\\\"):response.End%>\");" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "hello word !  " fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "root.asp " fullword ascii
	condition:
		filesize < 5KB and all of them
}
CN_Honker_Without_a_trace_Wywz
Sample from CN Honker Pentest Toolset - file Wywz.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Without_a_trace_Wywz {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Wywz.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "f443c43fde643228ee95def5c8ed3171f16daad8"
		id = "1093c0c3-499f-5aec-ad4a-878d377296d5"
	strings:
		$s1 = "\\Symantec\\Norton Personal Firewall\\Log\\Content.log" ascii /* PEStudio Blacklist: strings */
		$s2 = "UpdateFile=d:\\tool\\config.ini,Option\\\\proxyIp=127.0.0.1\\r\\nproxyPort=808" ascii /* PEStudio Blacklist: strings */
		$s3 = "%s\\subinacl.exe /subkeyreg \"%s\" /Grant=%s=f /Grant=everyone=f" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 1800KB and all of them
}
CN_Honker_WordpressScanner
Sample from CN Honker Pentest Toolset - file WordpressScanner.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_WordpressScanner {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file WordpressScanner.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "0b3c5015ba3616cbc616fc9ba805fea73e98bc83"
		id = "79195823-f88b-5c28-8b99-a43a9d6c94af"
	strings:
		$s0 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" fullword ascii /* PEStudio Blacklist: agent */
		$s1 = "(http://www.eyuyan.com)" fullword wide
		$s2 = "GetConnectString" fullword ascii /* PEStudio Blacklist: strings */
		$s4 = "#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_CHS)" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 1000KB and all of them
}
CN_Honker_Xiaokui_conversion_tool
Sample from CN Honker Pentest Toolset - file Xiaokui_conversion_tool.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker_Xiaokui_conversion_tool {
	meta:
		description = "Sample from CN Honker Pentest Toolset - file Xiaokui_conversion_tool.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		hash = "dccd163e94a774b01f90c1e79f186894e2f27de3"
		id = "26e30df6-b1d9-5d82-b368-a4a904939aa3"
	strings:
		$s1 = "update [dv_user] set usergroupid=1 where userid=2;--" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "To.exe" fullword wide
		$s3 = "by zj1244" ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 240KB and 2 of them
}
CN_Honker__D_injection_V2_32_D_injection_V2_32_D_injection_V2_32
Sample from CN Honker Pentest Toolset - from files D_injection_V2.32.exe, D_injection_V2.32.exe, D_injection_V2.32.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker__D_injection_V2_32_D_injection_V2_32_D_injection_V2_32 {
	meta:
		description = "Sample from CN Honker Pentest Toolset - from files D_injection_V2.32.exe, D_injection_V2.32.exe, D_injection_V2.32.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		super_rule = 1
		hash0 = "3a000b976c79585f62f40f7999ef9bdd326a9513"
		hash1 = "3a000b976c79585f62f40f7999ef9bdd326a9513"
		hash2 = "3a000b976c79585f62f40f7999ef9bdd326a9513"
		id = "79e9cd97-c070-5109-a0a0-bc88eea0dc37"
	strings:
		$s1 = "upfile.asp " fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "[wscript.shell]" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "XP_CMDSHELL" fullword ascii /* PEStudio Blacklist: strings */
		$s4 = "[XP_CMDSHELL]" fullword ascii /* PEStudio Blacklist: strings */
		$s5 = "http://d99net.3322.org" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 10000KB and 4 of them
}
CN_Honker__LPK_LPK_LPK
Sample from CN Honker Pentest Toolset - from files LPK.DAT, LPK.DAT, LPK.DAT
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker__LPK_LPK_LPK {
	meta:
		description = "Sample from CN Honker Pentest Toolset - from files LPK.DAT, LPK.DAT, LPK.DAT"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		super_rule = 1
		hash0 = "5a1226e73daba516c889328f295e728f07fdf1c3"
		hash1 = "2b2ab50753006f62965bba83460e3960ca7e1926"
		hash2 = "cf2549bbbbdb7aaf232d9783873667e35c8d96c1"
		id = "e1beb88b-d3e8-5868-affb-e59c26e4dc2e"
	strings:
		$s1 = "C:\\WINDOWS\\system32\\cmd.exe" fullword wide /* PEStudio Blacklist: strings */
		$s2 = "Password error!" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "\\sathc.exe" ascii
		$s4 = "\\sothc.exe" ascii
		$s5 = "\\lpksethc.bat" ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 1057KB and all of them
}
CN_Honker__PostgreSQL_mysql_injectV1_1_Creak_Oracle_SQLServer_inject_Creaked
Sample from CN Honker Pentest Toolset
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker__PostgreSQL_mysql_injectV1_1_Creak_Oracle_SQLServer_inject_Creaked {
	meta:
		description = "Sample from CN Honker Pentest Toolset"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		super_rule = 1
		hash0 = "1ecfaa91aae579cfccb8b7a8607176c82ec726f4"
		hash1 = "a1f066789f48a76023598c5777752c15f91b76b0"
		hash2 = "0264f4efdba09eaf1e681220ba96de8498ab3580"
		hash3 = "af3c41756ec8768483a4cf59b2e639994426e2c2"
		id = "0272776c-8dbe-5345-92c8-57593686a84c"
	strings:
		$s1 = "[email protected]" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "Mozilla/3.0 (compatible; Indy Library)" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "ProxyParams.ProxyPort" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and all of them
}
CN_Honker__builder_shift_SkinH
Sample from CN Honker Pentest Toolset - from files builder.exe, shift.exe, SkinH.exe
source signature-base author Florian Roth (Nextron Systems)
rule CN_Honker__builder_shift_SkinH {
	meta:
		description = "Sample from CN Honker Pentest Toolset - from files builder.exe, shift.exe, SkinH.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "Disclosed CN Honker Pentest Toolset"
		date = "2015-06-23"
		score = 70
		super_rule = 1
		hash0 = "6b5a84cdc3d27c435d49de3f68872d015a5aadfc"
		hash1 = "ee127c1ea1e3b5bf3d2f8754fabf9d1101ed0ee0"
		hash2 = "d593f03ae06e54b653c7850c872c0eed459b301f"
		id = "cb18aa4a-6eba-58ca-a6fc-e4160b90f4d7"
	strings:
		$s1 = "lipboard" fullword ascii
		$s2 = "uxthem" fullword ascii
		$s3 = "ENIGMA" fullword ascii
		$s4 = "UtilW0ndow" fullword ascii
		$s5 = "prog3am" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 6075KB and all of them
}