Home/Winexe/YARA rules
YARA

YARA rules for Winexe

1 rules · scoped to tool · back to Winexe
YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.

YARA rules

1 of 1
direct Winexe
Winexe_RemoteExec
Winexe tool for remote execution (also used by Sofacy group)
author Florian Roth (Nextron Systems), Robert Simmons license see source repo
view YARA rule 
rule Winexe_RemoteExec {
   meta:
      description = "Winexe tool for remote execution (also used by Sofacy group)"
      author = "Florian Roth (Nextron Systems), Robert Simmons"
      reference = "http://dokumente.linksfraktion.de/inhalt/report-orig.pdf"
      date = "2015-06-19"
      modified = "2021-02-11"
      hash1 = "5130f600cd9a9cdc82d4bad938b20cbd2f699aadb76e7f3f1a93602330d9997d"
      hash2 = "d19dfdbe747e090c5aa2a70cc10d081ac1aa88f360c3f378288a3651632c4429"
      score = 70
      id = "5079557a-0461-5b04-b0f2-4265bf7ec041"
   strings:
      $s1 = "error Cannot LogonUser(%s,%s,%s) %d" ascii fullword
      $s2 = "error Cannot ImpersonateNamedPipeClient %d" ascii fullword
      $s3 = "\\\\.\\pipe\\ahexec" fullword ascii
      $s4 = "\\\\.\\pipe\\wmcex" fullword ascii
      $s5 = "implevel" fullword ascii
   condition:
   uint16(0) == 0x5a4d and filesize < 115KB and (
      3 of them or
      pe.imphash() == "2f8a475933ac82b8e09eaf26b396b54d"
   )
}
Showing 1-1 of 1
Prev 1 Next
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin