
YARA rules

5,941 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. The rules below come from multiple open repositories. Each entry gives the rule name, description, source and author, followed by the raw signature.

Rules

HKTL_NET_GUID_SharpBlock
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpBlock {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/CCob/SharpBlock"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "b84538da-1b0e-50c7-abfa-e93d6de5a49b"
    strings:
        $typelibguid0lo = "3cf25e04-27e4-4d19-945e-dadc37c81152" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpBox
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpBox {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/P1CKLES/SharpBox"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "fda1a67f-d746-5ddb-a33f-97d608b13bc9"
    strings:
        $typelibguid0lo = "616c1afb-2944-42ed-9951-bf435cadb600" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpByeBear
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpByeBear {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/S3cur3Th1sSh1t/SharpByeBear"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "4a7f2514-2519-5fd5-9d17-110a67f829e7"
    strings:
        $typelibguid0lo = "a6b84e35-2112-4df2-a31b-50fde4458c5e" ascii wide
        $typelibguid1lo = "3e82f538-6336-4fff-aeec-e774676205da" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpBypassUAC
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpBypassUAC {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/FatRodzianko/SharpBypassUAC"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "474d40aa-4bcc-58b5-a129-40bbd3a89e99"
    strings:
        $typelibguid0lo = "0d588c86-c680-4b0d-9aed-418f1bb94255" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpC2
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpC2 {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/SharpC2/SharpC2"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "2ed6d74e-2b95-5c70-807a-4da5e62f5853"
    strings:
        $typelibguid0lo = "62b9ee4f-1436-4098-9bc1-dd61b42d8b81" ascii wide
        $typelibguid1lo = "d2f17a91-eb2d-4373-90bf-a26e46c68f76" ascii wide
        $typelibguid2lo = "a9db9fcc-7502-42cd-81ec-3cd66f511346" ascii wide
        $typelibguid3lo = "ca6cc2ee-75fd-4f00-b687-917fa55a4fae" ascii wide
        $typelibguid4lo = "a1167b68-446b-4c0c-a8b8-2a7278b67511" ascii wide
        $typelibguid5lo = "4d8c2a88-1da5-4abe-8995-6606473d7cf1" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpCOM
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpCOM {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/rvrsh3ll/SharpCOM"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "94da3da4-a8aa-5735-9a04-1f2447a330aa"
    strings:
        $typelibguid0lo = "51960f7d-76fe-499f-afbd-acabd7ba50d1" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpCall
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpCall {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/jhalon/SharpCall"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "172415b6-0383-5da4-a88f-8ebe5daf9294"
    strings:
        $typelibguid0lo = "c1b0a923-0f17-4bc8-ba0f-c87aff43e799" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpChisel
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpChisel {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/shantanu561993/SharpChisel"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "3b7e6703-ebe8-5a98-839f-7d0349ab483f"
    strings:
        $typelibguid0lo = "f5f21e2d-eb7e-4146-a7e1-371fd08d6762" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpChromium
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpChromium {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/djhohnstein/SharpChromium"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-22"
        modified = "2025-08-15"
        id = "5364956a-e199-556a-8055-0e7b9a7b14c8"
    strings:
        $typelibguid0lo = "2133c634-4139-466e-8983-9a23ec99e01b" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpClipHistory
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpClipHistory {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/FSecureLABS/SharpClipHistory"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-21"
        modified = "2025-08-15"
        id = "89ca4717-a4ec-5371-8dc3-bdb9933384af"
    strings:
        $typelibguid0lo = "1126d5b4-efc7-4b33-a594-b963f107fe82" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpClipboard
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpClipboard {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/slyd0g/SharpClipboard"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "fd1b7786-8853-5858-ab03-da350e44f738"
    strings:
        $typelibguid0lo = "97484211-4726-4129-86aa-ae01d17690be" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpCloud
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpCloud {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/chrismaddalena/SharpCloud"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-22"
        modified = "2025-08-15"
        id = "048b0239-ea13-58ff-af35-fd505b4c977a"
    strings:
        $typelibguid0lo = "ca4e257e-69c1-45c5-9375-ba7874371892" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpCompile
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpCompile {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/SpiderLabs/SharpCompile"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "c5e053c4-1c90-581a-a6c3-087b252254b2"
    strings:
        $typelibguid0lo = "63f81b73-ff18-4a36-b095-fdcb4776da4c" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpCookieMonster
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpCookieMonster {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/m0rv4i/SharpCookieMonster"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "87be6949-f4f5-5a5a-b804-c627ed0f4355"
    strings:
        $typelibguid0lo = "566c5556-1204-4db9-9dc8-a24091baaa8e" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpCradle
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpCradle {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/anthemtotheego/SharpCradle"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "e2123a73-2609-559d-a122-923ebf8fd668"
    strings:
        $typelibguid0lo = "f70d2b71-4aae-4b24-9dae-55bc819c78bb" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpCrashEventLog
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpCrashEventLog {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/slyd0g/SharpCrashEventLog"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "85d31989-ad96-5005-a747-8a19a67fdd80"
    strings:
        $typelibguid0lo = "98cb495f-4d47-4722-b08f-cefab2282b18" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpDPAPI
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpDPAPI {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/GhostPack/SharpDPAPI"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "1394323f-b336-548f-925c-c276d439e9eb"
    strings:
        $typelibguid0lo = "5f026c27-f8e6-4052-b231-8451c6a73838" ascii wide
        $typelibguid1lo = "2f00a05b-263d-4fcc-846b-da82bd684603" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpDir
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpDir {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/jnqpblc/SharpDir"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "f64ed564-d198-59e8-9abe-b2814b95c85f"
    strings:
        $typelibguid0lo = "c7a07532-12a3-4f6a-a342-161bb060b789" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpDomainSpray
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpDomainSpray {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/HunnicCyber/SharpDomainSpray"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "cffd3350-4a86-5035-ab15-adbc3ac2a0e9"
    strings:
        $typelibguid0lo = "76ffa92b-429b-4865-970d-4e7678ac34ea" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpDump
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpDump {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/GhostPack/SharpDump"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "b613092f-9006-5405-b07e-59737410ac1e"
    strings:
        $typelibguid0lo = "79c9bba3-a0ea-431c-866c-77004802d8a0" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpEDRChecker
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpEDRChecker {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/PwnDexter/SharpEDRChecker"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-18"
        modified = "2025-08-15"
        id = "f7ff344e-f8ee-5c3a-bdd1-de3cae8e7dfb"
    strings:
        $typelibguid0lo = "bdfee233-3fed-42e5-aa64-492eb2ac7047" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpExcel4_DCOM
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpExcel4_DCOM {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/rvrsh3ll/SharpExcel4-DCOM"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "12d3f26b-40ca-5034-a7c2-9be9c8a7599b"
    strings:
        $typelibguid0lo = "68b83ce5-bbd9-4ee3-b1cc-5e9223fab52b" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpExec
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpExec {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/anthemtotheego/SharpExec"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "5faff0aa-9ffe-5ac0-b9e0-ca9f79350036"
    strings:
        $typelibguid0lo = "7fbad126-e21c-4c4e-a9f0-613fcf585a71" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpFruit
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpFruit {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/rvrsh3ll/SharpFruit"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "bf318530-b17d-5275-84b2-c284528bdae6"
    strings:
        $typelibguid0lo = "3da2f6de-75be-4c9d-8070-08da45e79761" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpGPOAbuse
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpGPOAbuse {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/FSecureLABS/SharpGPOAbuse"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-21"
        modified = "2025-08-15"
        id = "ea27044f-69be-5db7-8d77-28dafb18c7e5"
    strings:
        $typelibguid0lo = "4f495784-b443-4838-9fa6-9149293af785" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpGPO_RemoteAccessPolicies
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpGPO_RemoteAccessPolicies {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/FSecureLABS/SharpGPO-RemoteAccessPolicies"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-21"
        modified = "2025-08-15"
        id = "642c2672-2327-5a4a-af91-6e0559996908"
    strings:
        $typelibguid0lo = "fbb1abcf-2b06-47a0-9311-17ba3d0f2a50" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpHandler
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpHandler {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/jfmaes/SharpHandler"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "b71198a9-4d00-5d75-bc36-7c40655c84a3"
    strings:
        $typelibguid0lo = "46e39aed-0cff-47c6-8a63-6826f147d7bd" ascii wide
        $typelibguid1lo = "11dc83c6-8186-4887-b228-9dc4fd281a23" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpHide
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpHide {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/outflanknl/SharpHide"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "928e00c1-549a-58f5-9e7e-982a4319691a"
    strings:
        $typelibguid0lo = "443d8cbf-899c-4c22-b4f6-b7ac202d4e37" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpHound3
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpHound3 {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/BloodHoundAD/SharpHound3"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-29"
        modified = "2025-08-15"
        id = "58001912-88a1-527d-9d3e-d7c376a1fce4"
    strings:
        $typelibguid0lo = "a517a8de-5834-411d-abda-2d0e1766539c" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpImpersonation
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpImpersonation {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/S3cur3Th1sSh1t/SharpImpersonation"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-22"
        modified = "2025-08-15"
        id = "5815c5bd-e3e8-5f2f-b03e-8a05fb4f6e91"
    strings:
        $typelibguid0lo = "27a85262-8c87-4147-a908-46728ab7fc73" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpKatz
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpKatz {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/b4rtik/SharpKatz"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "ff084b4c-4b00-5504-85ee-d6d17b5be504"
    strings:
        $typelibguid0lo = "8568b4c1-2940-4f6c-bf4e-4383ef268be9" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpLdapRelayScan
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpLdapRelayScan {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/klezVirus/SharpLdapRelayScan"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-15"
        modified = "2025-08-15"
        id = "554a5487-ac53-512f-8f6f-ad8186144715"
    strings:
        $typelibguid0lo = "a93ee706-a71c-4cc1-bf37-f26c27825b68" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpLocker
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpLocker {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/Pickfordmatt/SharpLocker"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "9525422a-d670-5475-abdc-b7ecd1ab9943"
    strings:
        $typelibguid0lo = "a6f8500f-68bc-4efc-962a-6c6e68d893af" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpLogger
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpLogger {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/djhohnstein/SharpLogger"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "5cce395b-4f6f-5015-b45e-7eb79853296a"
    strings:
        $typelibguid0lo = "36e00152-e073-4da8-aa0c-375b6dd680c4" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpLoginPrompt
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpLoginPrompt {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/shantanu561993/SharpLoginPrompt"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "e9a493d9-21b6-5ff1-9e5e-e8fbacc34c0c"
    strings:
        $typelibguid0lo = "c12e69cd-78a0-4960-af7e-88cbd794af97" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpMapExec
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpMapExec {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/cube0x0/SharpMapExec"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-29"
        modified = "2025-08-15"
        id = "b4922734-a486-5c4d-9bd7-5146cfecbf01"
    strings:
        $typelibguid0lo = "bd5220f7-e1fb-41d2-91ec-e4c50c6e9b9f" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpMiniDump
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpMiniDump {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/b4rtik/SharpMiniDump"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "e91e6711-d992-5a8a-97e6-1ed7847f38a4"
    strings:
        $typelibguid0lo = "6ffccf81-6c3c-4d3f-b15f-35a86d0b497f" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpMove
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpMove {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/0xthirteen/SharpMove"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "e52392f9-614c-596e-8efd-aa0a2fa44e60"
    strings:
        $typelibguid0lo = "8bf82bbe-909c-4777-a2fc-ea7c070ff43e" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpNamedPipePTH
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpNamedPipePTH {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/S3cur3Th1sSh1t/SharpNamedPipePTH"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-11-30"
        id = "561b95a5-f32b-5fe8-9e67-3f702306be93"
    strings:
        $typelibguid0 = "344ee55a-4e32-46f2-a003-69ad52b55945" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpOxidResolver
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpOxidResolver {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/S3cur3Th1sSh1t/SharpOxidResolver"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-22"
        modified = "2025-08-15"
        id = "e8a957bc-3319-51c2-8289-01bd0b8a632a"
    strings:
        $typelibguid0lo = "ce59f8ff-0ecf-41e9-a1fd-1776ca0b703d" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpPack
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpPack {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/Lexus89/SharpPack"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "633d074a-b8c2-5148-ad80-6226b99be818"
    strings:
        $typelibguid1lo = "b59c7741-d522-4a41-bf4d-9badddebb84a" ascii wide
        $typelibguid2lo = "fd6bdf7a-fef4-4b28-9027-5bf750f08048" ascii wide
        $typelibguid3lo = "6dd22880-dac5-4b4d-9c91-8c35cc7b8180" ascii wide
        $typelibguid5lo = "f3037587-1a3b-41f1-aa71-b026efdb2a82" ascii wide
        $typelibguid6lo = "41a90a6a-f9ed-4a2f-8448-d544ec1fd753" ascii wide
        $typelibguid7lo = "3787435b-8352-4bd8-a1c6-e5a1b73921f4" ascii wide
        $typelibguid8lo = "fdd654f5-5c54-4d93-bf8e-faf11b00e3e9" ascii wide
        $typelibguid9lo = "aec32155-d589-4150-8fe7-2900df4554c8" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpPrinter
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpPrinter {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/rvrsh3ll/SharpPrinter"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "10270351-ad80-5330-971b-bc8f635f05f4"
    strings:
        $typelibguid0lo = "41b2d1e5-4c5d-444c-aa47-629955401ed9" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpRDP
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpRDP {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/0xthirteen/SharpRDP"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "d316ec0b-0313-52bb-923d-512fa08112f9"
    strings:
        $typelibguid0lo = "f1df1d0f-ff86-4106-97a8-f95aaf525c54" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpRODC
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpRODC {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/wh0amitz/SharpRODC"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-12-06"
        id = "60779e7a-048f-5095-b853-fd90c4f7449e"
    strings:
        $typelibguid0 = "d305f8a3-019a-4cdf-909c-069d5b483613" ascii nocase wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpReg
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpReg {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/jnqpblc/SharpReg"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "d89b07b0-bb29-5c77-888b-322e439b4c82"
    strings:
        $typelibguid0lo = "8ef25b00-ed6a-4464-bdec-17281a4aa52f" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpSCCM
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpSCCM {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/Mayyhem/SharpSCCM"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-15"
        modified = "2025-08-15"
        id = "276269b1-e3b3-5774-a86a-1c3a8bca8209"
    strings:
        $typelibguid0lo = "03652836-898e-4a9f-b781-b7d86e750f60" ascii wide
        $typelibguid1lo = "e4d9ef39-0fce-4573-978b-abf8df6aec23" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpSQLPwn
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpSQLPwn {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/lefayjey/SharpSQLPwn.git"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2022-11-21"
        modified = "2025-08-15"
        id = "b533d61a-8693-5c3c-8b31-2117262cad4e"
    strings:
        $typelibguid0lo = "c442ea6a-9aa1-4d9c-9c9d-7560a327089c" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpSSDP
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpSSDP {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/rvrsh3ll/SharpSSDP"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-22"
        modified = "2025-08-15"
        id = "8441e940-ab7c-5467-9db8-35f71bd57580"
    strings:
        $typelibguid0lo = "6e383de4-de89-4247-a41a-79db1dc03aaa" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpScribbles
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpScribbles {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/V1V1/SharpScribbles"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "47125b76-9388-5372-8810-d198f623367a"
    strings:
        $typelibguid0lo = "aa61a166-31ef-429d-a971-ca654cd18c3b" ascii wide
        $typelibguid1lo = "0dc1b824-c6e7-4881-8788-35aecb34d227" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_SharpSearch
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_SharpSearch {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/djhohnstein/SharpSearch"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "459d8a34-f311-5459-8257-e7aa519174b5"
    strings:
        $typelibguid0lo = "98fee742-8410-4f20-8b2d-d7d789ab003d" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
Showing 551-600 of 5,941
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin