YARA rules for Rubeus
YARA rules whose family, name, or description matches this tool or its tooling; use them for binary-pattern hunts.
// Flags PE images that embed the Rubeus project's TypeLibGuid as a string.
// The GUID is taken from the public Rubeus project (see reference) and is
// emitted into the compiled .NET assembly, which is why it works as a
// binary-pattern indicator. Rule text is kept verbatim from upstream
// (signature-base) so that the `id` and `modified` meta stay meaningful.
rule HKTL_NET_GUID_Rubeus {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/GhostPack/Rubeus"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "54638fe4-84b5-51a8-8c88-9c50ab09ff49"
    strings:
        // Lowercase form of the GUID, searched as both ASCII and UTF-16LE
        // (`wide`). There is no `nocase` here, so an uppercase rendering of
        // the same GUID is NOT matched by this rule (the "lo" suffix hints
        // at that); HackTool_MSIL_Rubeus_1 on this page is case-insensitive.
        $typelibguid0lo = "658c8b7f-3664-4a95-9572-a3e5871dfc06" ascii wide
    condition:
        // Header gate: "MZ" (0x5A4D) at offset 0 and "PE\0\0" (0x00004550)
        // at the offset stored in e_lfanew (uint32 at 0x3C). This requires
        // an actual PE image rather than any file starting with "MZ".
        // Then at least one string (here, the single GUID) must be present.
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
// FireEye's published Rubeus indicator: looks for the Rubeus ProjectGuid /
// TypeLibGUID inside a PE file. Kept verbatim from the referenced
// publication so the `id` and `md5` meta remain traceable to it.
rule HackTool_MSIL_Rubeus_1
{
    meta:
        description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public Rubeus project."
        // md5 as published in the referenced rule set; presumably the
        // sample the rule was authored against -- not verified here.
        md5 = "66e0681a500c726ed52e5ea9423d2654"
        reference = "https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html"
        author = "FireEye"
        id = "0ca140ea-2b9f-5904-a4c0-8615229626f0"
    strings:
        // Same GUID as HKTL_NET_GUID_Rubeus, but `nocase` makes it match
        // either casing, in ASCII or UTF-16LE.
        $typelibguid = "658C8B7F-3664-4A95-9572-A3E5871DFC06" ascii nocase wide
    condition:
        // Only the "MZ" magic (0x5A4D) is checked, not the "PE\0\0"
        // signature at e_lfanew, so this is slightly broader than
        // HKTL_NET_GUID_Rubeus. NOTE(review): if MZ-only inputs (e.g. files
        // that are not full PE images) cause noise, aligning the header
        // check with that rule would tighten it without losing PE hits.
        uint16(0) == 0x5A4D and $typelibguid
}