
YARA rules

5,941 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. Rules below come from multiple open repositories; each entry is followed by its raw signature.

Rules

50 shown of 5,941
HKTL_NET_GUID_EvilWMIProvider
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_EvilWMIProvider {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/sunnyc7/EvilWMIProvider"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "3a6cf00e-28c4-5e6f-a28d-b3f28fca6eed"
    strings:
        $typelibguid0lo = "a4020626-f1ec-4012-8b17-a2c8a0204a4b" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ExploitRemotingService
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_ExploitRemotingService {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/tyranid/ExploitRemotingService"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-21"
        modified = "2025-08-15"
        id = "2f0b9635-2b2e-5825-baeb-69d7ae3791b1"
    strings:
        $typelibguid0lo = "fd17ae38-2fd3-405f-b85b-e9d14e8e8261" ascii wide
        $typelibguid1lo = "1850b9bb-4a23-4d74-96b8-58f274674566" ascii wide
        $typelibguid2lo = "297cbca1-efa3-4f2a-8d5f-e1faf02ba587" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ExternalC2
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_ExternalC2 {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/ryhanson/ExternalC2"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "1bbdfbb9-a3e8-5ffe-9db9-b50937e6a14d"
    strings:
        $typelibguid0lo = "7266acbb-b10d-4873-9b99-12d2043b1d4e" ascii wide
        $typelibguid1lo = "5d9515d0-df67-40ed-a6b2-6619620ef0ef" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Farmer
Detects .NET red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Farmer {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/mdsecactivebreach/Farmer"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-22"
        modified = "2025-08-15"
        id = "f69745b9-4ebd-547a-9af3-bc340b076e5d"
    strings:
        $typelibguid0lo = "37da2573-d9b5-4fc2-ae11-ccb6130cea9f" ascii wide
        $typelibguid1lo = "49acf861-1c10-49a1-bf26-139a3b3a9227" ascii wide
        $typelibguid2lo = "9a6c028f-423f-4c2c-8db3-b3499139b822" ascii wide
        $typelibguid3lo = "1c896837-e729-46a9-92b9-3bbe7ac2c90d" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Fenrir
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Fenrir {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/nccgroup/Fenrir"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "cfc6312d-5997-5261-b771-c7f3f30bf86c"
    strings:
        $typelibguid0lo = "aecec195-f143-4d02-b946-df0e1433bd2e" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_FileSearcher
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_FileSearcher {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/NVISO-BE/FileSearcher"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "1b5f1f68-f87b-5e60-94a4-e2556b4e6c5d"
    strings:
        $typelibguid0lo = "2c879479-5027-4ce9-aaac-084db0e6d630" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ForgeCert
Detects .NET red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_ForgeCert {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/GhostPack/ForgeCert"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-18"
        modified = "2025-08-15"
        id = "06b3ffbb-5a76-50a0-86dc-b9658bf2d7ec"
    strings:
        $typelibguid0lo = "bd346689-8ee6-40b3-858b-4ed94f08d40a" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_GMSAPasswordReader
Detects .NET red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_GMSAPasswordReader {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/rvazarkar/GMSAPasswordReader"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-12-06"
        id = "dc74bfce-90a1-53bd-bfe4-cb7c9c75da53"
    strings:
        $typelibguid0 = "c8112750-972d-4efa-a75b-da9b8a4533c7" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_GRAT2
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_GRAT2 {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/r3nhat/GRAT2"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "e731d563-0d16-5f84-8127-624a71f8b646"
    strings:
        $typelibguid0lo = "5e7fce78-1977-444f-a18e-987d708a2cff" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_GadgetToJScript
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_GadgetToJScript {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/med0x2e/GadgetToJScript"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "e296795f-d006-52a9-92c4-fb60c930564b"
    strings:
        $typelibguid0lo = "af9c62a1-f8d2-4be0-b019-0a7873e81ea9" ascii wide
        $typelibguid1lo = "b2b3adb0-1669-4b94-86cb-6dd682ddbea3" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Get_RBCD_Threaded
Detects .NET red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Get_RBCD_Threaded {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/FatRodzianko/Get-RBCD-Threaded"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-22"
        modified = "2025-08-15"
        id = "fdef6dc3-da1a-5a98-a822-94e443981fdd"
    strings:
        $typelibguid0lo = "e20dc2ed-6455-4101-9d78-fccac1cb7a18" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Gopher
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Gopher {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/EncodeGroup/Gopher"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "e3015719-9085-584d-8237-f377ec995149"
    strings:
        $typelibguid0lo = "b5152683-2514-49ce-9aca-1bc43df1e234" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Group3r
Detects .NET red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Group3r {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/Group3r/Group3r.git"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2022-11-21"
        modified = "2025-08-15"
        id = "0571d71e-50ca-5c1b-b750-34acc2d06687"
    strings:
        $typelibguid0lo = "868a6c76-c903-4a94-96fd-a2c6ba75691c" ascii wide
        $typelibguid1lo = "caa7ab97-f83b-432c-8f9c-c5f1530f59f7" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Grouper2
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Grouper2 {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/l0ss/Grouper2/"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "a9cd9a16-b2a5-5d15-af89-7a8d0f1835bb"
    strings:
        $typelibguid0lo = "5decaea3-2610-4065-99dc-65b9b4ba6ccd" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_HTTPSBeaconShell
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_HTTPSBeaconShell {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/limbenjamin/HTTPSBeaconShell"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "d66e3566-6082-570a-a168-f44c9d8c7619"
    strings:
        $typelibguid0lo = "aca853dc-9e74-4175-8170-e85372d5f2a9" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_HWIDbypass
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_HWIDbypass {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/yunseok/HWIDbypass"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "62b0541b-6eec-546e-8445-85d25bb0d784"
    strings:
        $typelibguid0lo = "47e08791-d124-4746-bc50-24bd1ee719a6" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_HastySeries
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_HastySeries {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/obscuritylabs/HastySeries"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "0d35acf4-c763-593c-94e2-c499d3826375"
    strings:
        $typelibguid0lo = "8435531d-675c-4270-85bf-60db7653bcf6" ascii wide
        $typelibguid1lo = "47db989f-7e33-4e6b-a4a5-c392b429264b" ascii wide
        $typelibguid2lo = "300c7489-a05f-4035-8826-261fa449dd96" ascii wide
        $typelibguid3lo = "41bf8781-ae04-4d80-b38d-707584bf796b" ascii wide
        $typelibguid4lo = "620ed459-18de-4359-bfb0-6d0c4841b6f6" ascii wide
        $typelibguid5lo = "91e7cdfe-0945-45a7-9eaa-0933afe381f2" ascii wide
        $typelibguid6lo = "c28e121a-60ca-4c21-af4b-93eb237b882f" ascii wide
        $typelibguid7lo = "698fac7a-bff1-4c24-b2c3-173a6aae15bf" ascii wide
        $typelibguid8lo = "63a40d94-5318-42ad-a573-e3a1c1284c57" ascii wide
        $typelibguid9lo = "56b8311b-04b8-4e57-bb58-d62adc0d2e68" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_HideFromAMSI
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_HideFromAMSI {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/0r13lc0ch4v1/HideFromAMSI"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "0fa1ce82-b662-5e18-a5da-8359c96cd6e9"
    strings:
        $typelibguid0lo = "b91d2d44-794c-49b8-8a75-2fbec3fe3fe3" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_HiveJack
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_HiveJack {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/Viralmaniar/HiveJack"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "10567ef4-780f-5e93-9061-3214116d6bbb"
    strings:
        $typelibguid0lo = "e12e62fe-bea3-4989-bf04-6f76028623e3" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_IIS_backdoor
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_IIS_backdoor {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/WBGlIl/IIS_backdoor"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "44264dd9-f8e9-5a60-847f-94378e07a327"
    strings:
        $typelibguid0lo = "3fda4aa9-6fc1-473f-9048-7edc058c4f65" ascii wide
        $typelibguid1lo = "73ca4159-5d13-4a27-8965-d50c41ab203c" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Inception
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Inception {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/two06/Inception"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "8d18f1d5-9c9a-5258-9f96-fa24b702c6ad"
    strings:
        $typelibguid0lo = "03d96b8c-efd1-44a9-8db2-0b74db5d247a" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Inferno
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Inferno {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/LimerBoy/Inferno"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "af2d9832-c7f9-5879-a19b-a3c4d91b8b3f"
    strings:
        $typelibguid0lo = "26d498f7-37ae-476c-97b0-3761e3a919f0" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Internal_Monologue
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Internal_Monologue {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/eladshamir/Internal-Monologue"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "ce2773a2-b0b7-560e-ba21-3f018ddcacb3"
    strings:
        $typelibguid0lo = "0c0333db-8f00-4b68-b1db-18a9cacc1486" ascii wide
        $typelibguid1lo = "84701ace-c584-4886-a3cf-76c57f6e801a" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_IronKit
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_IronKit {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/nshalabi/IronKit"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        score = 50
        date = "2020-12-13"
        modified = "2025-08-15"
    strings:
        $typelibguid0lo = "68e40495-c34a-4539-b43e-9e4e6f11a9fb" ascii wide
        $typelibguid1lo = "641cd52d-3886-4a74-b590-2a05621502a4" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_KeeThief
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_KeeThief {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/GhostPack/KeeThief"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "71fef0e9-223a-5834-9d1c-f3fb8b66a809"
    strings:
        $typelibguid1lo = "39aa6f93-a1c9-497f-bad2-cc42a61d5710" ascii wide
        $typelibguid3lo = "3fca8012-3bad-41e4-91f4-534aa9a44f96" ascii wide
        $typelibguid4lo = "ea92f1e6-3f34-48f8-8b0a-f2bbc19220ef" ascii wide
        $typelibguid5lo = "c23b51c4-2475-4fc6-9b3a-27d0a2b99b0f" ascii wide
        /* $typelibguid6 = "94432a8e-3e06-4776-b9b2-3684a62bb96a" ascii nocase wide FIX FPS with Microsoft files */ 
        $typelibguid7lo = "80ba63a4-7d41-40e9-a722-6dd58b28bf7e" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Keylogger
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Keylogger {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/BlackVikingPro/Keylogger"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "0576756e-26d5-5165-b621-917126a75a38"
    strings:
        $typelibguid0lo = "7afbc9bf-32d9-460f-8a30-35e30aa15879" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_KeystrokeAPI
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_KeystrokeAPI {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/fabriciorissetto/KeystrokeAPI"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "e715bce8-531b-5e2a-bd02-b2fc4990c499"
    strings:
        $typelibguid0lo = "f6fec17e-e22d-4149-a8a8-9f64c3c905d3" ascii wide
        $typelibguid1lo = "b7aa4e23-39a4-49d5-859a-083c789bfea2" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_KittyLitter
Detects .NET red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_KittyLitter {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/djhohnstein/KittyLitter"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-22"
        modified = "2025-08-15"
        id = "f457b91f-4adb-5be6-b9c2-f6cc39d4bdaf"
    strings:
        $typelibguid0lo = "449cf269-4798-4268-9a0d-9a17a08869ba" ascii wide
        $typelibguid1lo = "e7a509a4-2d44-4e10-95bf-b86cb7767c2c" ascii wide
        $typelibguid2lo = "b2b8dd4f-eba6-42a1-a53d-9a00fe785d66" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Koh
Detects .NET red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Koh {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/GhostPack/Koh"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-18"
        modified = "2025-08-15"
        id = "9702526c-b10d-553d-a803-47e352533858"
    strings:
        $typelibguid0lo = "4d5350c8-7f8c-47cf-8cde-c752018af17e" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_KrbRelay
Detects .NET red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_KrbRelay {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/cube0x0/KrbRelay"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2022-11-21"
        modified = "2025-08-15"
        id = "3f59986c-8bd8-5e70-b3eb-038247d1ccd7"
    strings:
        $typelibguid0lo = "ed839154-90d8-49db-8cdd-972d1a6b2cfd" ascii wide
        $typelibguid1lo = "3b47eebc-0d33-4e0b-bab5-782d2d3680af" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_LOLBITS
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_LOLBITS {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/Kudaes/LOLBITS"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "66454ac0-742b-51a3-ac45-1ac9606e8b89"
    strings:
        $typelibguid0lo = "29d09aa4-ea0c-47c2-973c-1d768087d527" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Ladon
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Ladon {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/k8gege/Ladon"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "57e3d2fa-d430-561b-9d42-cf58cda5ed7a"
    strings:
        $typelibguid0lo = "c335405f-5df2-4c7d-9b53-d65adfbed412" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_LdapSignCheck
Detects .NET red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_LdapSignCheck {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/cube0x0/LdapSignCheck"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-15"
        modified = "2025-08-15"
        id = "a8b902f0-61a5-509e-8307-79bf557e5f61"
    strings:
        $typelibguid0lo = "21f398a9-bc35-4bd2-b906-866f21409744" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_LethalHTA
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_LethalHTA {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/codewhitesec/LethalHTA"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "e8e1ad03-a5f0-5508-b78d-0de7bdaf4704"
    strings:
        $typelibguid0lo = "784cde17-ff0f-4e43-911a-19119e89c43f" ascii wide
        $typelibguid1lo = "7e2de2c0-61dc-43ab-a0ec-c27ee2172ea6" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_LimeLogger
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_LimeLogger {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/NYAN-x-CAT/LimeLogger"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "0798f01b-76b7-5c4d-9ddb-5e377b86f8b9"
    strings:
        $typelibguid0lo = "068d14ef-f0a1-4f9d-8e27-58b4317830c6" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_LimeUSB_Csharp
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_LimeUSB_Csharp {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/NYAN-x-CAT/LimeUSB-Csharp"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "dfa96b36-e84c-510b-b16b-bd686777b83d"
    strings:
        $typelibguid0lo = "94ea43ab-7878-4048-a64e-2b21b3b4366d" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Lime_Crypter
Detects c# red/black-team tools via typelibguid
Source: signature-base · Author: Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Lime_Crypter {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/NYAN-x-CAT/Lime-Crypter"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "484c7a15-7ab2-57d3-848c-0fddff753d52"
    strings:
        $typelibguid0lo = "f93c99ed-28c9-48c5-bb90-dd98f18285a6" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Lime_Downloader
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Lime_Downloader {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/NYAN-x-CAT/Lime-Downloader"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "bfb0f97c-6d95-5e11-ad11-5297bcf7c3df"
    strings:
        $typelibguid0lo = "ec7afd4c-fbc4-47c1-99aa-6ebb05094173" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Lime_Miner
Detects VB.NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Lime_Miner {
    meta:
        description = "Detects VB.NET red/black-team tools via typelibguid"
        reference = "https://github.com/NYAN-x-CAT/Lime-Miner"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-30"
        modified = "2025-08-15"
        id = "d0631817-10a2-55bf-a41d-226fa0dcb9f9"
    strings:
        $typelibguid0lo = "13958fb9-dfc1-4e2c-8a8d-a5e68abdbc66" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Lime_RAT
Detects VB.NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Lime_RAT {
    meta:
        description = "Detects VB.NET red/black-team tools via typelibguid"
        reference = "https://github.com/NYAN-x-CAT/Lime-RAT"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-30"
        modified = "2025-08-15"
        id = "31a0e9ca-9da1-557a-bcc5-1351fa90a0e1"
    strings:
        $typelibguid0lo = "e58ac447-ab07-402a-9c96-95e284a76a8d" ascii wide
        $typelibguid1lo = "8fb35dab-73cd-4163-8868-c4dbcbdf0c17" ascii wide
        $typelibguid2lo = "37845f5b-35fe-4dce-bbec-2d07c7904fb0" ascii wide
        $typelibguid3lo = "83c453cf-0d29-4690-b9dc-567f20e63894" ascii wide
        $typelibguid4lo = "8b1f0a69-a930-42e3-9c13-7de0d04a4add" ascii wide
        $typelibguid5lo = "eaaeccf6-75d2-4616-b045-36eea09c8b28" ascii wide
        $typelibguid6lo = "5b2ec674-0aa4-4209-94df-b6c995ad59c4" ascii wide
        $typelibguid7lo = "e2cc7158-aee6-4463-95bf-fb5295e9e37a" ascii wide
        $typelibguid8lo = "d04ecf62-6da9-4308-804a-e789baa5cc38" ascii wide
        $typelibguid9lo = "8026261f-ac68-4ccf-97b2-3b55b7d6684d" ascii wide
        $typelibguid10lo = "212cdfac-51f1-4045-a5c0-6e638f89fce0" ascii wide
        $typelibguid11lo = "c1b608bb-7aed-488d-aa3b-0c96625d26c0" ascii wide
        $typelibguid12lo = "4c84e7ec-f197-4321-8862-d5d18783e2fe" ascii wide
        $typelibguid13lo = "3fc17adb-67d4-4a8d-8770-ecfd815f73ee" ascii wide
        $typelibguid14lo = "f1ab854b-6282-4bdf-8b8b-f2911a008948" ascii wide
        $typelibguid15lo = "aef6547e-3822-4f96-9708-bcf008129b2b" ascii wide
        $typelibguid16lo = "a336f517-bca9-465f-8ff8-2756cfd0cad9" ascii wide
        $typelibguid17lo = "5de018bd-941d-4a5d-bed5-fbdd111aba76" ascii wide
        $typelibguid18lo = "bbfac1f9-cd4f-4c44-af94-1130168494d0" ascii wide
        $typelibguid19lo = "1c79cea1-ebf3-494c-90a8-51691df41b86" ascii wide
        $typelibguid20lo = "927104e1-aa17-4167-817c-7673fe26d46e" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_LockLess
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_LockLess {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/GhostPack/LockLess"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "f9b31f57-d721-5b6c-be63-b8309cba788a"
    strings:
        $typelibguid0lo = "a91421cb-7909-4383-ba43-c2992bbbac22" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_MalSCCM
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_MalSCCM {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/nettitude/MalSCCM"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-22"
        modified = "2025-08-15"
        id = "4a88532b-e2bc-5ce9-828d-6ef62d91f6b9"
    strings:
        $typelibguid0lo = "5439cecd-3bb3-4807-b33f-e4c299b71ca2" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ManagedInjection
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_ManagedInjection {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/malcomvetter/ManagedInjection"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "c66e7666-b54f-532d-90e1-870292047aec"
    strings:
        $typelibguid0lo = "e5182bff-9562-40ff-b864-5a6b30c3b13b" ascii wide
        $typelibguid1lo = "fdedde0d-e095-41c9-93fb-c2219ada55b1" ascii wide
        $typelibguid2lo = "0dd00561-affc-4066-8c48-ce950788c3c8" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Manager
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Manager {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/TheWover/Manager"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "eef65d2c-ddbc-50c3-a6a0-e7032a55e92d"
    strings:
        $typelibguid0lo = "dda73ee9-0f41-4c09-9cad-8215abd60b33" ascii wide
        $typelibguid1lo = "6a0f2422-d4d1-4b7e-84ad-56dc0fd2dfc5" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Marauder
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Marauder {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/maraudershell/Marauder"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "f2783477-2853-5dcd-95f5-9f1e07a4a6e8"
    strings:
        $typelibguid0lo = "fff0a9a3-dfd4-402b-a251-6046d765ad78" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Mass_RAT
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Mass_RAT {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/NYAN-x-CAT/Mass-RAT"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "90b742da-6fd7-5c72-96cf-7a37a3e5d808"
    strings:
        $typelibguid0lo = "6c43a753-9565-48b2-a372-4210bb1e0d75" ascii wide
        $typelibguid1lo = "92ba2a7e-c198-4d43-929e-1cfe54b64d95" ascii wide
        $typelibguid2lo = "4cb9bbee-fb92-44fa-a427-b7245befc2f3" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_MemeVM
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_MemeVM {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/TobitoFatitoRE/MemeVM"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "c98d84d5-4b0a-53df-b8d4-0b360930eb0c"
    strings:
        $typelibguid0lo = "ef18f7f2-1f03-481c-98f9-4a18a2f12c11" ascii wide
        $typelibguid1lo = "77b2c83b-ca34-4738-9384-c52f0121647c" ascii wide
        $typelibguid2lo = "14d5d12e-9a32-4516-904e-df3393626317" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_MemoryMapper
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_MemoryMapper {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/jasondrawdy/MemoryMapper"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "c978be10-315c-54e7-afea-f97e9a5f2d18"
    strings:
        $typelibguid0lo = "b9fbf3ac-05d8-4cd5-9694-b224d4e6c0ea" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_MinerDropper
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_MinerDropper {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/DylanAlloy/MinerDropper"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "607f72df-b0c1-53df-bf2c-592f55cbfcb7"
    strings:
        $typelibguid0lo = "46a7af83-1da7-40b2-9d86-6fd6223f6791" ascii wide
        $typelibguid1lo = "8433a693-f39d-451b-955b-31c3e7fa6825" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Minidump
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Minidump {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/3xpl01tc0d3r/Minidump"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "51f64c64-f3fa-5543-83fc-5f0bf881ef03"
    strings:
        $typelibguid0lo = "15c241aa-e73c-4b38-9489-9a344ac268a3" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin