
YARA rules for Net Crawler

4 rules · scoped to tool
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.

direct OPCLEAVER
OPCLEAVER_NetC
Net Crawler used by attackers in Operation Cleaver
author: Cylance Inc. · license: see source repo
rule OPCLEAVER_NetC
{
	meta:
		description = "Net Crawler used by attackers in Operation Cleaver"
		reference = "http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
		date = "2014/12/02"
		author = "Cylance Inc."
		score = 70
		id = "68f32662-0d7d-5dfa-8bfd-ca41d383e19c"
	strings:
		$s1 = "NetC.exe" wide
		$s2 = "Net Service"
	condition:
		all of them
}
direct Powershell
Powershell_Netcat
Detects a Powershell version of the Netcat network hacking tool
author: Florian Roth (Nextron Systems) · license: see source repo
rule Powershell_Netcat {
   meta:
      description = "Detects a Powershell version of the Netcat network hacking tool"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      score = 60
      date = "10.10.2014"
      id = "e4b018c0-3214-5102-93b1-6a048324f9dd"
   strings:
      $s0 = "[ValidateRange(1, 65535)]" fullword
      $s1 = "$Client = New-Object -TypeName System.Net.Sockets.TcpClient" fullword
      $s2 = "$Buffer = New-Object -TypeName System.Byte[] -ArgumentList $Client.ReceiveBufferSize" fullword
   condition:
      all of them
}
direct shellpop
HKTL_shellpop_Netcat_UDP
Detects suspicious netcat popshell
author: Tobias Michalski · license: see source repo
rule HKTL_shellpop_Netcat_UDP {
   meta:
      description = "Detects suspicious netcat popshell"
      author = "Tobias Michalski"
      reference = "https://github.com/0x00-0x00/ShellPop"
      date = "2018-05-18"
      hash1 = "d823ad91b315c25893ce8627af285bcf4e161f9bbf7c070ee2565545084e88be"
      id = "67aa53b6-00bc-5d2e-b6f3-37e9121cdd01"
   strings:
      $s1 = "mkfifo fifo ; nc.traditional -u" ascii
      $s2 = "< fifo | { bash -i; } > fifo" fullword ascii
   condition:
      filesize < 1KB and 1 of them
}
direct shellpop
HKTL_shellpop_netcat
Detects suspicious netcat shellpop
author: Tobias Michalski · license: see source repo
rule HKTL_shellpop_netcat {
   meta:
      description = "Detects suspcious netcat shellpop"
      author = "Tobias Michalski"
      reference = "https://github.com/0x00-0x00/ShellPop"
      date = "2018-05-18"
      hash1 = "98e3324f4c096bb1e5533114249a9e5c43c7913afa3070488b16d5b209e015ee"
      id = "cd55e912-b57b-5fce-98eb-5a0cd27a6e4d"
   strings:
      $s1 = "if [ -e /tmp/f ]; then rm /tmp/f;" ascii
      $s2 = "fi;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc" ascii
      $s4 = "mknod /tmp/f p && nc" ascii
      $s5 = "</tmp/f|/bin/bash 1>/tmp/f" ascii
   condition:
      filesize < 2KB and 1 of them
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin