YARA rules

5,941 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families by matching byte patterns, strings, and file metadata. The rules below are collected from multiple open repositories; each entry gives the rule name, its description, source and author, followed by the raw signature.

Rules

50 shown of 5,941
HKTL_NET_GUID_MiscTools
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_MiscTools {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/rasta-mouse/MiscTools"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "ce49cc7b-a5a5-52b7-a7bf-bbb0c5b29b8a"
    strings:
        $typelibguid0lo = "384e9647-28a9-4835-8fa7-2472b1acedc0" ascii wide
        $typelibguid1lo = "d7ec0ef5-157c-4533-bbcd-0fe070fbf8d9" ascii wide
        $typelibguid2lo = "10085d98-48b9-42a8-b15b-cb27a243761b" ascii wide
        $typelibguid3lo = "6aacd159-f4e7-4632-bad1-2ae8526a9633" ascii wide
        $typelibguid4lo = "49a6719e-11a8-46e6-ad7a-1db1be9fea37" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
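Every HKTL_NET_GUID_* rule on this page shares one condition: the file must start with the `MZ` DOS stub and carry the `PE\0\0` signature at the offset stored in `e_lfanew` (offset 0x3C), and at least one of the listed GUID strings must appear either as plain ASCII or as UTF-16LE (`wide`). The following Python is an added example, not code from signature-base or from any of the referenced projects: it re-implements that condition in pure Python so the semantics of `uint32(uint32(0x3C))`, `ascii wide` and `nocase` can be checked against constructed input without a YARA install. The sample blobs, the two-rule table (GUIDs copied from the Rubeus and MultiOS_ReverseShell rules on this page) and the offsets are assumptions made for the example; a real assembly stores the GUID attribute value inside its .NET metadata, which is why the ASCII form is the one that normally matches.

```python
import struct

# Condition shared by every HKTL_NET_GUID_* rule on this page:
#   (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
# YARA's uint16/uint32 read little-endian integers at a file offset.


def is_pe(data: bytes) -> bool:
    """Mirror the PE header check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40:
        return False
    if struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # A read past the end of the file is undefined in YARA and makes the
    # condition false; return False for the same input.
    if e_lfanew + 4 > len(data):
        return False
    return struct.unpack_from("<I", data, e_lfanew)[0] == 0x00004550


def guid_hits(data: bytes, guid: str, nocase: bool = False) -> list:
    """(offset, 'ascii'|'wide') pairs where `guid` occurs as ASCII or UTF-16LE.

    nocase=False reproduces the case-sensitive `ascii wide` strings used by
    most rules here; nocase=True reproduces `ascii nocase wide` (POSTDump rule).
    """
    haystack = data.lower() if nocase else data   # bytes.lower() touches only A-Z
    hits = []
    for encoding in ("ascii", "utf-16-le"):
        needle = guid.encode(encoding)
        if nocase:
            needle = needle.lower()
        start = 0
        while (idx := haystack.find(needle, start)) != -1:
            hits.append((idx, "wide" if encoding == "utf-16-le" else "ascii"))
            start = idx + 1
    return hits


# Hypothetical two-rule table; GUIDs copied from rules on this page.
RULES = {
    "HKTL_NET_GUID_Rubeus": ["658c8b7f-3664-4a95-9572-a3e5871dfc06"],
    "HKTL_NET_GUID_MultiOS_ReverseShell": ["df0dd7a1-9f6b-4b0f-801e-e17e73b0801d"],
}


def match_rules(data: bytes, rules=RULES, nocase: bool = False) -> dict:
    """Evaluate `PE-check and any of them` per rule; map rule name -> hits."""
    if not is_pe(data):
        return {}
    matched = {}
    for name, guids in rules.items():
        hits = [h for g in guids for h in guid_hits(data, g, nocase)]
        if hits:
            matched[name] = hits
    return matched


def build_sample(guid: str, wide: bool = False) -> bytes:
    """Constructed stand-in for a PE file: only the bytes the condition reads
    are populated (MZ, e_lfanew = 0x80, PE signature) plus the GUID string."""
    e_lfanew = 0x80
    header = bytearray(e_lfanew)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = struct.pack("<I", e_lfanew)
    payload = guid.encode("utf-16-le" if wide else "ascii")
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 16 + payload + b"\x00" * 16


if __name__ == "__main__":
    rubeus = RULES["HKTL_NET_GUID_Rubeus"][0]
    print(match_rules(build_sample(rubeus)))                    # ascii hit
    print(match_rules(build_sample(rubeus, wide=True)))         # wide hit
    print(match_rules(build_sample(rubeus.upper())))            # {}: case-sensitive
    print(match_rules(build_sample(rubeus.upper()), nocase=True))
    print(match_rules(rubeus.encode()))                         # {}: not a PE
```

The third call is the caveat worth remembering when writing rules in this style: without `nocase`, an assembly whose Guid attribute was written in upper case is missed, which is the trade-off the `nocase` variant in the POSTDump rule avoids at some scanning cost.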
HKTL_NET_GUID_Misc_CSharp
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Misc_CSharp {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/jnqpblc/Misc-CSharp"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "d25fa706-2254-5a82-a961-f57a0daa447c"
    strings:
        $typelibguid0lo = "d1421ba3-c60b-42a0-98f9-92ba4e653f3d" ascii wide
        $typelibguid1lo = "2afac0dd-f46f-4f95-8a93-dc17b4f9a3a1" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_MultiOS_ReverseShell
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_MultiOS_ReverseShell {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/belane/MultiOS_ReverseShell"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "f54bcb1a-b0cd-5988-bf1d-4fa6c012d6b9"
    strings:
        $typelibguid0lo = "df0dd7a1-9f6b-4b0f-801e-e17e73b0801d" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Mythic
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Mythic {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/its-a-feature/Mythic"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-29"
        modified = "2025-08-15"
        id = "44237fac-1526-5587-83a1-61d7a54f7da9"
    strings:
        $typelibguid0lo = "91f7a9da-f045-4239-a1e9-487ffdd65986" ascii wide
        $typelibguid1lo = "0405205c-c2a0-4f9a-a221-48b5c70df3b6" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Naga
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Naga {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/byt3bl33d3r/Naga"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "3a9d3154-a8f1-57a4-8b61-498e2ebdfa42"
    strings:
        $typelibguid0lo = "99428732-4979-47b6-a323-0bb7d6d07c95" ascii wide
        $typelibguid1lo = "a2c9488f-6067-4b17-8c6f-2d464e65c535" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_NashaVM
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_NashaVM {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/Mrakovic-ORG/NashaVM"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "3abbf636-01f4-547a-98c0-d7bfec07e31a"
    strings:
        $typelibguid0lo = "f9e63498-6e92-4afd-8c13-4f63a3d964c3" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Net_GPPPassword
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Net_GPPPassword {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/outflanknl/Net-GPPPassword"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "a718f9fc-acf5-536e-81d6-d393cebe8f77"
    strings:
        $typelibguid0lo = "00fcf72c-d148-4dd0-9ca4-0181c4bd55c3" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_NoAmci
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_NoAmci {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/med0x2e/NoAmci"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "5fab1551-9d35-53cf-a04f-c14370119553"
    strings:
        $typelibguid0lo = "352e80ec-72a5-4aa6-aabe-4f9a20393e8e" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_NoMSBuild
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_NoMSBuild {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/rvrsh3ll/NoMSBuild"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "9bc0661d-c60f-582b-8f88-87e3dfa13ddd"
    strings:
        $typelibguid0lo = "034a7b9f-18df-45da-b870-0e1cef500215" ascii wide
        $typelibguid1lo = "59b449d7-c1e8-4f47-80b8-7375178961db" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Nuages
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Nuages {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/p3nt4/Nuages"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-29"
        modified = "2025-08-15"
        id = "5ad947e2-bd71-50d4-9bbf-4d018c7ff36a"
    strings:
        $typelibguid0lo = "e9e80ac7-4c13-45bd-9bde-ca89aadf1294" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_OSSFileTool
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_OSSFileTool {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/B1eed/OSSFileTool"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "fa9aeae1-2aa5-51af-81e2-22a1b6fcda81"
    strings:
        $typelibguid0lo = "207aca5d-dcd6-41fb-8465-58b39efcde8b" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Obfuscator
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Obfuscator {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/3xpl01tc0d3r/Obfuscator"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "d9988b00-1f10-5421-8ffe-49849a5d5902"
    strings:
        $typelibguid0lo = "8fe5b811-a2cb-417f-af93-6a3cf6650af1" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_OffensiveCSharp
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_OffensiveCSharp {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/diljith369/OffensiveCSharp"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "339f6858-6076-5320-ba5f-2903e642ea42"
    strings:
        $typelibguid0lo = "6c3fbc65-b673-40f0-b1ac-20636df01a85" ascii wide
        $typelibguid1lo = "2bad9d69-ada9-4f1e-b838-9567e1503e93" ascii wide
        $typelibguid2lo = "512015de-a70f-4887-8eae-e500fd2898ab" ascii wide
        $typelibguid3lo = "1ee4188c-24ac-4478-b892-36b1029a13b3" ascii wide
        $typelibguid4lo = "5c6b7361-f9ab-41dc-bfa0-ed5d4b0032a8" ascii wide
        $typelibguid5lo = "048a6559-d4d3-4ad8-af0f-b7f72b212e90" ascii wide
        $typelibguid6lo = "3412fbe9-19d3-41d8-9ad2-6461fcb394dc" ascii wide
        $typelibguid7lo = "9ea4e0dc-9723-4d93-85bb-a4fcab0ad210" ascii wide
        $typelibguid8lo = "6d2b239c-ba1e-43ec-8334-d67d52b77181" ascii wide
        $typelibguid9lo = "42e8b9e1-0cf4-46ae-b573-9d0563e41238" ascii wide
        $typelibguid10lo = "0d15e0e3-bcfd-4a85-adcd-0e751dab4dd6" ascii wide
        $typelibguid11lo = "644dfd1a-fda5-4948-83c2-8d3b5eda143a" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_OffensivePowerShellTasking
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_OffensivePowerShellTasking {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/leechristensen/OffensivePowerShellTasking"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "d221e24d-a2ef-51e2-95bf-4b91b438d9cf"
    strings:
        $typelibguid0lo = "d432c332-3b48-4d06-bedb-462e264e6688" ascii wide
        $typelibguid1lo = "5796276f-1c7a-4d7b-a089-550a8c19d0e8" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Offensive__NET
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Offensive__NET {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/mrjamiebowman/Offensive-.NET"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "b98495fb-0338-5042-a7ce-d117204eb91e"
    strings:
        $typelibguid0lo = "11fe5fae-b7c1-484a-b162-d5578a802c9c" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
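The rules above follow a fixed recipe: one rule per repository, the rule name derived from the repository name with every non-alphanumeric character replaced by `_` (so `Offensive-.NET` becomes `Offensive__NET` and `RAT.TelegramSpyBot` becomes `RAT_TelegramSpyBot`), one `$typelibguidNlo` string per distinct GUID found in the repository, and the shared PE condition. The `[assembly: Guid("...")]` attribute that Visual Studio writes to `Properties/AssemblyInfo.cs` is what sets a .NET assembly's typelib GUID, so those files are the natural place to harvest the values from. The Python below is an added example, not the generator used by signature-base: it extracts GUIDs from a constructed set of AssemblyInfo.cs files and renders a rule in the layout used on this page. The file contents, the GUID values, the repository URL, author and date are all made up for the example, and the emitted rule omits the `license` and `id` meta fields.

```python
import re

# Assembly-level Guid attribute as written to Properties/AssemblyInfo.cs.
# Matches both [assembly: Guid("...")] and [assembly: GuidAttribute("...")].
GUID_ATTR = re.compile(
    r'\[\s*assembly\s*:\s*Guid(?:Attribute)?\s*\(\s*"'
    r'([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})"\s*\)\s*\]'
)

# Constructed sample repository: {path: file text}. ToolC reuses ToolA's GUID
# (shared project file), ToolD's attribute does not hold a well-formed GUID.
SAMPLE_SOURCES = {
    "ToolA/Properties/AssemblyInfo.cs": '[assembly: Guid("11111111-2222-3333-4444-555555555555")]\n',
    "ToolB/Properties/AssemblyInfo.cs": '[assembly: Guid("AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE")]\n',
    "ToolC/Properties/AssemblyInfo.cs": '[assembly: Guid("11111111-2222-3333-4444-555555555555")]\n',
    "ToolD/Properties/AssemblyInfo.cs": '[assembly: Guid("not-a-guid")]\n',
}


def extract_typelib_guids(sources: dict) -> list:
    """Lowercased, de-duplicated GUIDs from all files, in sorted path order."""
    found = []
    for path in sorted(sources):
        for match in GUID_ATTR.finditer(sources[path]):
            guid = match.group(1).lower()     # matches the `lo` string variant
            if guid not in found:
                found.append(guid)
    return found


def rule_name_for(repo_url: str) -> str:
    """HKTL_NET_GUID_<repo> with each non-alphanumeric character mapped to '_'."""
    repo = repo_url.rstrip("/").rsplit("/", 1)[-1]
    return "HKTL_NET_GUID_" + re.sub(r"[^A-Za-z0-9]", "_", repo)


def render_rule(repo_url: str, guids: list, author: str, date: str) -> str:
    """Emit a rule in the same layout as the HKTL_NET_GUID_* rules on this page."""
    if not guids:
        # A rule with no strings would be a compile error with `any of them`.
        raise ValueError("no GUIDs found; refusing to emit an empty rule")
    lines = [
        f"rule {rule_name_for(repo_url)} {{",
        "    meta:",
        '        description = "Detects .NET red/black-team tools via typelibguid"',
        f'        reference = "{repo_url}"',
        f'        author = "{author}"',
        f'        date = "{date}"',
        "    strings:",
    ]
    for i, guid in enumerate(guids):
        lines.append(f'        $typelibguid{i}lo = "{guid}" ascii wide')
    lines += [
        "    condition:",
        "        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    guids = extract_typelib_guids(SAMPLE_SOURCES)
    print(render_rule("https://github.com/example/ToolSet", guids,
                      "Example Author (hypothetical)", "2025-01-01"))
```

Two practical checks before shipping a generated rule: confirm that each GUID really is unique to the tool (a GUID copied from a template or a widely forked project will fire on unrelated software), and run the rendered text through `yarac` or `yara -w` so a malformed string or name is caught at compile time rather than in production scanning.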
HKTL_NET_GUID_POSTDump
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_POSTDump {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/YOLOP0wn/POSTDump"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-12-19"
        id = "7f33e76c-0227-5c23-b821-c5c9753e2384"
    strings:
        $typelibguid0 = "e54195f0-060c-4b24-98f2-ad9fb5351045" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_PSByPassCLM
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_PSByPassCLM {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/padovah4ck/PSByPassCLM"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "dad6729f-3d96-5d2d-b72c-a96d1a3eae74"
    strings:
        $typelibguid0lo = "46034038-0113-4d75-81fd-eb3b483f2662" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Pen_Test_Tools
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Pen_Test_Tools {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/awillard1/Pen-Test-Tools"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "00fb98a9-e615-5fb6-a555-4326b93e2c24"
    strings:
        $typelibguid0lo = "922e7fdc-33bf-48de-bc26-a81f85462115" ascii wide
        $typelibguid1lo = "ad5205dd-174d-4332-96d9-98b076d6fd82" ascii wide
        $typelibguid2lo = "b67e7550-f00e-48b3-ab9b-4332b1254a86" ascii wide
        $typelibguid3lo = "5e95120e-b002-4495-90a1-cd3aab2a24dd" ascii wide
        $typelibguid4lo = "295017f2-dc31-4a87-863d-0b9956c2b55a" ascii wide
        $typelibguid5lo = "abbaa2f7-1452-43a6-b98e-10b2c8c2ba46" ascii wide
        $typelibguid6lo = "a4043d4c-167b-4326-8be4-018089650382" ascii wide
        $typelibguid7lo = "51abfd75-b179-496e-86db-62ee2a8de90d" ascii wide
        $typelibguid8lo = "a06da7f8-f87e-4065-81d8-abc33cb547f8" ascii wide
        $typelibguid9lo = "ee510712-0413-49a1-b08b-1f0b0b33d6ef" ascii wide
        $typelibguid10lo = "9780da65-7e25-412e-9aa1-f77d828819d6" ascii wide
        $typelibguid11lo = "7913fe95-3ad5-41f5-bf7f-e28f080724fe" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_PlasmaRAT
Detects VB.NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_PlasmaRAT {
    meta:
        description = "Detects VB.NET red/black-team tools via typelibguid"
        reference = "https://github.com/mwsrc/PlasmaRAT"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-30"
        modified = "2025-08-15"
        id = "13362cba-f9b2-50c8-95cc-504e585bdd42"
    strings:
        $typelibguid0lo = "b8a2147c-074c-46e1-bb99-c8431a6546ce" ascii wide
        $typelibguid1lo = "0fcfde33-213f-4fb6-ac15-efb20393d4f3" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_PoC
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_PoC {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/thezdi/PoC"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-21"
        modified = "2025-08-15"
        id = "5669bc1a-b32e-5ae7-bf94-8ed2a124c765"
    strings:
        $typelibguid0lo = "89f9d411-e273-41bb-8711-209fd251ca88" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_PortTran
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_PortTran {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/k8gege/PortTran"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-29"
        modified = "2025-08-15"
        id = "844e58a2-54f5-51e8-8176-6a478a136603"
    strings:
        $typelibguid0lo = "3a074374-77e8-4312-8746-37f3cb00e82c" ascii wide
        $typelibguid1lo = "67a73bac-f59d-4227-9220-e20a2ef42782" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_PoshC2_Misc
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_PoshC2_Misc {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/nettitude/PoshC2_Misc"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "245803cb-63d8-5c75-b672-912091cf4a80"
    strings:
        $typelibguid0lo = "85773eb7-b159-45fe-96cd-11bad51da6de" ascii wide
        $typelibguid1lo = "9d32ad59-4093-420d-b45c-5fff391e990d" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_PoshSecFramework
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_PoshSecFramework {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/PoshSec/PoshSecFramework"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "a91620f3-3f21-525a-bc87-94d21cd126be"
    strings:
        $typelibguid0lo = "b1ac6aa0-2f1a-4696-bf4b-0e41cf2f4b6b" ascii wide
        $typelibguid1lo = "78bfcfc2-ef1c-4514-bce6-934b251666d2" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Povlsomware
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Povlsomware {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/povlteksttv/Povlsomware"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "0eba43d2-b415-5e72-9677-4a3238ff7c34"
    strings:
        $typelibguid0lo = "fe0d5aa7-538f-42f6-9ece-b141560f7781" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_PowerOPS
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_PowerOPS {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/fdiskyou/PowerOPS"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-21"
        modified = "2025-08-15"
        id = "3ef9f099-13c9-5b6f-8615-232240530078"
    strings:
        $typelibguid0lo = "2a3c5921-7442-42c3-8cb9-24f21d0b2414" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_PowerShdll
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_PowerShdll {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/p3nt4/PowerShdll"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "3f582a47-078e-525f-9d02-4ee7a455a3b2"
    strings:
        $typelibguid0lo = "36ebf9aa-2f37-4f1d-a2f1-f2a45deeaf21" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Privilege_Escalation
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Privilege_Escalation {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/Mrakovic-ORG/Privilege_Escalation"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "28615807-6637-57fc-ba56-efc64b041b80"
    strings:
        $typelibguid0lo = "ed54b904-5645-4830-8e68-52fd9ecbb2eb" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Quasar
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Quasar {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/quasar/Quasar"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "b938cf7d-27fd-5fa2-b0e5-d4da5670f3ef"
    strings:
        $typelibguid0lo = "cfda6d2e-8ab3-4349-b89a-33e1f0dab32b" ascii wide
        $typelibguid1lo = "c7c363ba-e5b6-4e18-9224-39bc8da73172" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_RAT_TelegramSpyBot
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_RAT_TelegramSpyBot {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/SebastianEPH/RAT.TelegramSpyBot"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "57d22201-a051-5040-927c-30da3fc684fd"
    strings:
        $typelibguid0lo = "8653fa88-9655-440e-b534-26c3c760a0d3" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Random_CSharpTools
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Random_CSharpTools {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/xorrior/Random-CSharpTools"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-21"
        modified = "2025-08-15"
        id = "ad8b5573-ad20-50cd-927b-a6401b10e653"
    strings:
        $typelibguid0lo = "f7fc19da-67a3-437d-b3b0-2a257f77a00b" ascii wide
        $typelibguid1lo = "47e85bb6-9138-4374-8092-0aeb301fe64b" ascii wide
        $typelibguid2lo = "c7d854d8-4e3a-43a6-872f-e0710e5943f7" ascii wide
        $typelibguid3lo = "d6685430-8d8d-4e2e-b202-de14efa25211" ascii wide
        $typelibguid4lo = "1df925fc-9a89-4170-b763-1c735430b7d0" ascii wide
        $typelibguid5lo = "817cc61b-8471-4c1e-b5d6-c754fc550a03" ascii wide
        $typelibguid6lo = "60116613-c74e-41b9-b80e-35e02f25891e" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_RedSharp
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_RedSharp {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/padovah4ck/RedSharp"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "2aa62d61-075c-5664-a7fc-2b9d84b954ed"
    strings:
        $typelibguid0lo = "30b2e0cf-34dd-4614-a5ca-6578fb684aea" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_RegistryStrikesBack
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_RegistryStrikesBack {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/mdsecactivebreach/RegistryStrikesBack"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "1577ed24-0e17-54f9-bc29-bb209acf9645"
    strings:
        $typelibguid0lo = "90ebd469-d780-4431-9bd8-014b00057665" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_RestrictedAdmin
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_RestrictedAdmin {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/GhostPack/RestrictedAdmin"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-18"
        modified = "2025-08-15"
        id = "1b3572a5-bb21-58bb-91f9-963a0a17d699"
    strings:
        $typelibguid0lo = "79f11fc0-abff-4e1f-b07c-5d65653d8952" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ReverseShell
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_ReverseShell {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/chango77747/ReverseShell"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "876932d5-a65d-5230-9cb8-24038ad8af0d"
    strings:
        $typelibguid0lo = "980109e4-c988-47f9-b2b3-88d63fababdc" ascii wide
        $typelibguid1lo = "8abe8da1-457e-4933-a40d-0958c8925985" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_RexCrypter
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_RexCrypter {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/syrex1013/RexCrypter"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "5ebbeab3-3e93-5544-8f74-3d1b47335d8b"
    strings:
        $typelibguid0lo = "10cd7c1c-e56d-4b1b-80dc-e4c496c5fec5" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Rubeus
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Rubeus {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/GhostPack/Rubeus"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "54638fe4-84b5-51a8-8c88-9c50ab09ff49"
    strings:
        $typelibguid0lo = "658c8b7f-3664-4a95-9572-a3e5871dfc06" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_RunAsUser
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_RunAsUser {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/atthacks/RunAsUser"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "ead7819a-1397-5953-888f-2176e4041375"
    strings:
        $typelibguid0lo = "9dff282c-93b9-4063-bf8a-b6798371d35a" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_RunShellcode
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_RunShellcode {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/zerosum0x0/RunShellcode"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "249da967-68b0-59b1-b414-4eb4fe67b8f3"
    strings:
        $typelibguid0lo = "a3ec18a3-674c-4131-a7f5-acbed034b819" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_RuralBishop
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_RuralBishop {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/rasta-mouse/RuralBishop"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "8fd89465-1ecc-5eda-b2ab-273172ad945d"
    strings:
        $typelibguid0lo = "fe4414d9-1d7e-4eeb-b781-d278fe7a5619" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SHAPESHIFTER
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SHAPESHIFTER {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/matterpreter/SHAPESHIFTER"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "8903c65a-624f-5e8d-a3f6-4572b56bd2f7"
    strings:
        $typelibguid0lo = "a3ddfcaa-66e7-44fd-ad48-9d80d1651228" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SQLRecon
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SQLRecon {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/skahwah/SQLRecon"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-01-20"
        modified = "2025-08-15"
        id = "f9ea5283-0a5c-5bde-966c-80869ee25888"
    strings:
        $typelibguid0lo = "612c7c82-d501-417a-b8db-73204fdfda06" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SafetyKatz
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SafetyKatz {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/GhostPack/SafetyKatz"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "5f6d7432-0bb5-5782-98ec-2c2168f2fc1f"
    strings:
        $typelibguid0lo = "8347e81b-89fc-42a9-b22c-f59a6a572dec" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Salsa_tools
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Salsa_tools {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/Hackplayers/Salsa-tools"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "50db578e-6ddb-54d1-a978-e3630a3548c3"
    strings:
        $typelibguid0lo = "276004bb-5200-4381-843c-934e4c385b66" ascii wide
        $typelibguid1lo = "cfcbf7b6-1c69-4b1f-8651-6bdb4b55f6b9" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SauronEye
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
view YARA rule
rule HKTL_NET_GUID_SauronEye {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/vivami/SauronEye"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "3b624dde-a63e-58ac-a4db-af931f1d8553"
    strings:
        $typelibguid0lo = "0f43043d-8957-4ade-a0f4-25c1122e8118" ascii wide
        $typelibguid1lo = "086bf0ca-f1e4-4e8f-9040-a8c37a49fa26" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ShadowSpray
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_ShadowSpray {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/Dec0ne/ShadowSpray"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-22"
        modified = "2025-08-15"
        id = "91dd52ef-07a1-5ffd-b5c3-59bca18d4c7c"
    strings:
        $typelibguid0lo = "7e47d586-ddc6-4382-848c-5cf0798084e1" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharPermission
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharPermission {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/mitchmoser/SharPermission"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "d5027f51-f3ca-53cd-96d7-c355b5c2e6fa"
    strings:
        $typelibguid0lo = "84d2b661-3267-49c8-9f51-8f72f21aea47" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharPersist
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharPersist {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/fireeye/SharPersist"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "0c181186-7bb4-502b-8937-60cfd88ce689"
    strings:
        $typelibguid0lo = "9d1b853e-58f1-4ba5-aefc-5c221ca30e48" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpAdidnsdump
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpAdidnsdump {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/b4rtik/SharpAdidnsdump"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "51d50b22-4e73-5378-9e0d-ad7730987293"
    strings:
        $typelibguid0lo = "cdb02bc2-5f62-4c8a-af69-acc3ab82e741" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpAllowedToAct
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpAllowedToAct {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/pkb1s/SharpAllowedToAct"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "13b7f5e0-4d34-533d-a182-b3fe7c93ca43"
    strings:
        $typelibguid0lo = "dac5448a-4ad1-490a-846a-18e4e3e0cf9a" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpAttack
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpAttack {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/jaredhaight/SharpAttack"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "1eb911ab-3fb9-54b7-8afb-66328f30d563"
    strings:
        $typelibguid0lo = "5f0ceca3-5997-406c-adf5-6c7fbb6cba17" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin