
YARA rules

5,941 rules indexed · pattern-based malware identification
YARA rules identify and classify malware families through binary patterns, strings, and metadata. The rules below come from multiple open repositories; each entry is listed together with its raw signature.

Rules

CN_disclosed_20180208_Mal5
Detects malware from disclosed CN malware set
source signature-base author Florian Roth (Nextron Systems)
rule CN_disclosed_20180208_Mal5 {
   meta:
      description = "Detects malware from disclosed CN malware set"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details"
      date = "2018-02-08"
      hash1 = "24c05cd8a1175fbd9aca315ec67fb621448d96bd186e8d5e98cb4f3a19482af4"
      hash2 = "05696db46144dab3355dcefe0408f906a6d43fced04cb68334df31c6dfd12720"
      id = "b1933610-9e6d-5eed-ba30-ccdd0d3a6124"
   strings:
      $s1 = "4System.Web.Services.Protocols.SoapHttpClientProtocol" fullword ascii
      $s2 = "Server.exe" fullword ascii
      $s3 = "System.Windows.Forms.Form" fullword ascii
      $s4 = "Stub.Resources.resources" fullword ascii
      $s5 = "My.Computer" fullword ascii
      $s6 = "MyTemplate" fullword ascii
      $s7 = "Stub.My.Resources" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 300KB and all of them
}
CN_disclosed_20180208_System3
Detects malware from disclosed CN malware set
source signature-base author Florian Roth (Nextron Systems)
rule CN_disclosed_20180208_System3 {
   meta:
      description = "Detects malware from disclosed CN malware set"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/cyberintproject/status/961714165550342146"
      date = "2018-02-08"
      hash1 = "73fa84cff51d384c2d22d9e53fc5d42cb642172447b07e796c81dd403fb010c2"
      id = "097f4506-295d-5066-8895-2148436731c1"
   strings:
      $a1 = "WmiPrvSE.exe" fullword wide

      $s1 = "C:\\Users\\sgl\\AppData\\Local\\" ascii
      $s2 = "Temporary Projects\\WmiPrvSE\\" ascii
      $s3 = "$15a32a5d-4906-458a-8f57-402311afc1c1" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 200KB and $a1 and 1 of ($s*)
}
CN_disclosed_20180208_c
Detects malware from disclosed CN malware set
source signature-base author Florian Roth (Nextron Systems)
rule CN_disclosed_20180208_c {
   meta:
      description = "Detects malware from disclosed CN malware set"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/cyberintproject/status/961714165550342146"
      date = "2018-02-08"
      hash1 = "17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7"
      id = "cb0bcdc4-7eca-59b7-a947-85c232d4e599"
   strings:
      $x1 = "cmd.exe /c ping 0 -n 2 & del \"" fullword wide
      $x2 = "schtasks /create /sc minute /mo 1 /tn Server /tr " fullword wide
      $x3 = "www.upload.ee/image/" wide

      $s1 = "winmgmts:\\\\.\\root\\SecurityCenter2" fullword wide
      $s2 = "/Server.exe" fullword wide
      $s3 = "Executed As " fullword wide
      $s4 = "WmiPrvSE.exe" fullword wide
      $s5 = "Stub.exe" fullword ascii
      $s6 = "Download ERROR" fullword wide
      $s7 = "shutdown -r -t 00" fullword wide
      $s8 = "Select * From AntiVirusProduct" fullword wide
   condition:
      uint16(0) == 0x5a4d and filesize < 100KB and (
        1 of ($x*) or
        4 of them
      )
}
CN_disclosed_20180208_lsls
Detects malware from disclosed CN malware set
source signature-base author Florian Roth (Nextron Systems)
rule CN_disclosed_20180208_lsls {
   meta:
      description = "Detects malware from disclosed CN malware set"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://twitter.com/cyberintproject/status/961714165550342146"
      date = "2018-02-08"
      hash1 = "94c6a92984df9ed255f4c644261b01c4e255acbe32ddfd0debe38b558f29a6c9"
      id = "c6c4aa72-1a84-552f-bea0-38b332a74233"
   strings:
      $x1 = "User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" fullword ascii
   condition:
      uint16(0) == 0x457f and filesize < 3000KB and $x1
}
DK_Brute
PoS Scammer Toolbox - http://goo.gl/xiIphp - file DK Brute.exe
source signature-base author Florian Roth (Nextron Systems)
rule DK_Brute {
   meta:
      description = "PoS Scammer Toolbox - http://goo.gl/xiIphp - file DK Brute.exe"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      date = "22.11.14"
      score = 70
      reference = "http://goo.gl/xiIphp"
      hash = "93b7c3a01c41baecfbe42461cb455265f33fbc3d"
      id = "c9ea0dcf-10f3-5161-aebc-2db04c24b0a5"
   strings:
      $s6 = "get_CrackedCredentials" fullword ascii
      $s13 = "Same port used for two different protocols:" fullword wide
      $s18 = "coded by fLaSh" fullword ascii
      $s19 = "get_grbToolsScaningCracking" fullword ascii
   condition:
      all of them
}
Dx_php_php
Semi-Auto-generated - file Dx.php.php.txt
source signature-base author Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
rule Dx_php_php {
	meta:
		description = "Semi-Auto-generated  - file Dx.php.php.txt"
		author = "Neo23x0 Yara BRG + customization by Stefan -dfate- Molls"
		hash = "9cfe372d49fe8bf2fac8e1c534153d9b"
		id = "67d0bccb-d39a-5e30-bdc0-801525ebddd7"
	strings:
		$s0 = "print \"\\n\".'Tip: to view the file \"as is\" - open the page in <a href=\"'.Dx"
		$s2 = "$DEF_PORTS=array (1=>'tcpmux (TCP Port Service Multiplexer)',2=>'Management Util"
		$s3 = "$ra44  = rand(1,99999);$sj98 = \"sh-$ra44\";$ml = \"$sd98\";$a5 = $_SERVER['HTTP"
	condition:
		1 of them
}
EXPL_SUSP_JS_Exploitation_Payloads_Dec25
Detects RCE indicators related to the exploitation attempts of the React Server Remote Code Execution Vulnerability (CVE-2025-55182) as observed in the wild
source signature-base author Florian Roth
rule EXPL_SUSP_JS_Exploitation_Payloads_Dec25 {
   meta:
      description = "Detects RCE indicators related to the exploitation attempts of the React Server Remote Code Execution Vulnerability (CVE-2025-55182) as observed in the wild"
      author = "Florian Roth"
      reference = "https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far"
      date = "2025-12-06"
      score = 70
   strings:
      $a1 = "process.mainModule.require('child_process')"

      $x1 = ".execSync('powershell -enc SQBFAFgAIAA"

      $sa1 = ".execSync('powershell"
      $sa2 = ".execSync('curl "
      $sa3 = ".execSync('wget "

      $sb01 = " -e "
      $sb02 = " -ec "
      $sb03 = " -en "
      $sb04 = " -enc "
      $sb05 = " -enco "
      $sb06 = " -encodedcommand "
      $sb07 = " | bash"
      $sb08 = " | sh"
      $sb09 = "|bash"
      $sb10 = "|sh"

      $sc1 = ").DownloadString(" ascii wide base64
      $sc2 = "IEX (New-Object " ascii wide base64
   condition:
      $a1
      and (
         1 of ($x*)
         or (
            1 of ($sa*)
            and 1 of ($sb*)
         )
         or 1 of ($sc*)
      )
}
EXPL_SUSP_JS_POC_RSC_Detector_Payloads_Dec25
Detects RCE indicators related to the proof-of-concept code for the React Server Remote Code Execution Vulnerability (CVE-2025-55182) as used in the RSC Detector browser extension but could be used in other JavaScript based PoC code as well
source signature-base author Florian Roth
rule EXPL_SUSP_JS_POC_RSC_Detector_Payloads_Dec25 {
   meta:
      description = "Detects RCE indicators related to the proof-of-concept code for the React Server Remote Code Execution Vulnerability (CVE-2025-55182) as used in the RSC Detector browser extension but could be used in other JavaScript based PoC code as well"
      author = "Florian Roth"
      reference = "https://github.com/mrknow001/RSC_Detector"
      date = "2025-12-06"
      score = 70
   strings:
      $s1 = "process.mainModule.require('child_process').execSync("
      $s2 = ").toString('base64');"

      // harmless test cases - we only want to match real command execution attempts
      $f1 = "echo vulnerability_test"
   condition:
      all of ($s*)
      and not 1 of ($f*)
}
FE_APT_Backdoor_Linux32_SLOWPULSE_1
Detects samples mentioned in PulseSecure report
source signature-base author Mandiant
rule FE_APT_Backdoor_Linux32_SLOWPULSE_1 
{ 
    meta: 
        author = "Mandiant" 
        date = "2021-04-16"
        sha256 = "cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68"
        description = "Detects samples mentioned in PulseSecure report"
        reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"        
        id = "dd35257f-5b6f-55a6-a709-873ded1f4b72"
    strings: 
        $sb1 = {FC b9 [4] e8 00 00 00 00 5? 8d b? [4] 8b} 
        $sb2 = {f3 a6 0f 85 [4] b8 03 00 00 00 5? 5? 5?} 
        $sb3 = {9c 60 e8 00 00 00 00 5? 8d [5] 85 ?? 0f 8?} 
        $sb4 = {89 13 8b 51 04 89 53 04 8b 51 08 89 53 08} 
        $sb5 = {8d [5] b9 [4] f3 a6 0f 8?} 
    condition: 
        ((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and all of them 
}
FE_APT_Backdoor_Linux32_SLOWPULSE_2
Detects samples mentioned in PulseSecure report
source signature-base author Strozfriedberg
rule FE_APT_Backdoor_Linux32_SLOWPULSE_2
{ 
    meta: 
        author = "Strozfriedberg" 
        date = "2021-04-16"
        sha256 = "cd09ec795a8f4b6ced003500a44d810f49943514e2f92c81ab96c33e1c0fbd68"
        description = "Detects samples mentioned in PulseSecure report"
        reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"        
    strings: 
        $sig = /[\x20-\x7F]{16}([\x20-\x7F\x00]+)\x00.{1,32}\xE9.{3}\xFF\x00+[\x20-\x7F][\x20-\x7F\x00]{16}/ 

        // TOI_MAGIC_STRING 
        $exc1 = /\xED\xC3\x02\xE9\x98\x56\xE5\x0C/ 
    condition:
        uint32(0) == 0x464C457F and (1 of ($sig*)) and (not (1 of ($exc*)))
}
FE_APT_Trojan_Linux32_LOCKPICK_1
Detects samples mentioned in PulseSecure report
source signature-base author Mandiant
rule FE_APT_Trojan_Linux32_LOCKPICK_1
{
    meta:
        author = "Mandiant"
        date = "2021-04-16"
        hash = "e8bfd3f5a2806104316902bbe1195ee8"
        description = "Detects samples mentioned in PulseSecure report"
        reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
        id = "00c09378-25a0-55f1-8d93-7b22d98bd8c2"
    strings:
        $sb1 = { 83 ?? 63 0F 84 [4] 8B 45 ?? 83 ?? 01 89 ?? 24 89 44 24 04 E8 [4] 85 C0 }
        $sb2 = { 83 [2] 63 74 ?? 89 ?? 24 04 89 ?? 24 E8 [4] 83 [2] 01 85 C0 0F [5] EB 00 8B ?? 04 83 F8 02 7? ?? 83 E8 01 C1 E0 02 83 C0 00 89 44 24 08 8D 83 [4] 89 44 24 04 8B ?? 89 04 24 E8 }
    condition:
        ((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and (@sb1[1] < @sb2[1])
}
FE_APT_Trojan_Linux32_PACEMAKER
Detects samples mentioned in PulseSecure report
source signature-base author Mandiant
rule FE_APT_Trojan_Linux32_PACEMAKER 
{ 
    meta: 
        author = "Mandiant"  
        date = "2021-04-16"   
        hash = "d7881c4de4d57828f7e1cab15687274b"
        description = "Detects samples mentioned in PulseSecure report"
        reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
        id = "459e26f1-4ea9-56dd-ad71-0ed2c7499aea"
    strings: 
        $s1 = "\x00/proc/%d/mem\x00" 
        $s2 = "\x00/proc/%s/maps\x00" 
        $s3 = "\x00/proc/%s/cmdline\x00" 
        $sb1 = { C7 44 24 08 10 00 00 00 C7 44 24 04 00 00 00 00 8D 45 E0 89 04 24 E8 [4] 8B 45 F4 83 C0 0B C7 44 24 08 10 00 00 00 89 44 24 04 8D 45 E0 89 04 24 E8 [4] 8D 45 E0 89 04 24 E8 [4] 85 C0 74 ?? 8D 45 E0 89 04 24 E8 [4] 85 C0 74 ?? 8D 45 E0 89 04 24 E8 [4] EB } 
        $sb2 = { 8B 95 [4] B8 [4] 8D 8D [4] 89 4C 24 10 8D 8D [4] 89 4C 24 0C 89 54 24 08 89 44 24 04 8D 85 [4] 89 04 24 E8 [4] C7 44 24 08 02 00 00 00 C7 44 24 04 00 00 00 00 8B 45 ?? 89 04 24 E8 [4] 89 45 ?? 8D 85 [4] 89 04 24 E8 [4] 89 44 24 08 8D 85 [4] 89 44 24 04 8B 45 ?? 89 04 24 E8 [4] 8B 45 ?? 89 45 ?? C7 45 ?? 00 00 00 00 [0-16] 83 45 ?? 01 8B 45 ?? 3B 45 0C } 
    condition: 
        ((uint32(0) == 0x464c457f) and (uint8(4) == 1)) and all of them 
}
FE_APT_Trojan_Linux_PACEMAKER
Detects samples mentioned in PulseSecure report
source signature-base author Mandiant
rule FE_APT_Trojan_Linux_PACEMAKER 
{ 
    meta: 
        author = "Mandiant"  
        date = "2021-04-16"     
        hash = "d7881c4de4d57828f7e1cab15687274b"
        description = "Detects samples mentioned in PulseSecure report"
        reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
        id = "5a20260a-5389-57da-956c-97063fed5015"
    strings: 
        $s1 = "\x00Name:%s || Pwd:%s || AuthNum:%s\x0a\x00" 
        $s2 = "\x00/proc/%d/mem\x00" 
        $s3 = "\x00/proc/%s/maps\x00" 
        $s4 = "\x00/proc/%s/cmdline\x00" 
    condition: 
        (uint32(0) == 0x464c457f) and all of them 
}
FE_APT_Trojan_PL_PULSEJUMP_1
Detects samples mentioned in PulseSecure report
source signature-base author Mandiant
rule FE_APT_Trojan_PL_PULSEJUMP_1
{
    meta:
        author = "Mandiant"
        date = "2021-04-16"
        hash = "91ee23ee24e100ba4a943bb4c15adb4c"
        description = "Detects samples mentioned in PulseSecure report"
        reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
        id = "690cc347-e60f-5cac-b65d-367ecee69251"
    strings:
        $s1 = "open("
        $s2 = ">>/tmp/"
        $s3 = "syswrite("
        $s4 = /\}
FE_APT_Trojan_PL_RADIALPULSE_1
Detects samples mentioned in PulseSecure report
source signature-base author Mandiant
rule FE_APT_Trojan_PL_RADIALPULSE_1 
{
    meta: 
        author = "Mandiant" 
        date = "2021-04-16"       
        sha256 = "d72daafedf41d484f7f9816f7f076a9249a6808f1899649b7daa22c0447bb37b"
        description = "Detects samples mentioned in PulseSecure report"
        reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"        
        id = "1fab6d2f-96e8-5def-a93e-2bddd04e7ec8"
    strings: 
        $s1 = "->getRealmInfo()->{name}" 
        $s2 = /open\(\*fd,[\x09\x20]{0,32}[\x22\x27]>>/ 
        $s3 = /syswrite\(\*fd,[\x09\x20]{0,32}[\x22\x27]realm=\$/ 
        $s4 = /syswrite\(\*fd,[\x09\x20]{0,32}[\x22\x27]username=\$/ 
        $s5 = /syswrite\(\*fd,[\x09\x20]{0,32}[\x22\x27]password=\$/ 
    condition: 
        (@s1[1] < @s2[1]) and (@s2[1] < @s3[1]) and $s4 and $s5 
}
FE_APT_Trojan_PL_RADIALPULSE_2
Detects samples mentioned in PulseSecure report
source signature-base author Mandiant
rule FE_APT_Trojan_PL_RADIALPULSE_2 
{ 
    meta: 
        author = "Mandiant"  
        date = "2021-04-16"       
        hash = "4a2a7cbc1c8855199a27a7a7b51d0117"
        description = "Detects samples mentioned in PulseSecure report"
        reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
        id = "dc941935-aec7-54b6-a278-f1453b9785df"
    strings: 
        $s1 = "open(*fd," 
        $s2 = "syswrite(*fd," 
        $s3 = "close(*fd);" 
        $s4 = /open\(\*fd,[\x09\x20]{0,32}[\x22\x27]>>\/tmp\/[\w.]{1,128}[\x22\x27]\);[\x09\x20]{0,32}syswrite\(\*fd,[\x09\x20]{0,32}/ 
        $s5 = /syswrite\(\*fd,[\x09\x20]{0,32}[\x22\x27][\w]{1,128}=\$\w{1,128} ?[\x22\x27],[\x09\x20]{0,32}5000\)/ 
    condition: 
        all of them 
}
FE_APT_Trojan_PL_RADIALPULSE_3
Detects samples mentioned in PulseSecure report
source signature-base author Mandiant
rule FE_APT_Trojan_PL_RADIALPULSE_3 
{ 
    meta: 
        author = "Mandiant"  
        date = "2021-04-16"  
        hash = "4a2a7cbc1c8855199a27a7a7b51d0117"
        description = "Detects samples mentioned in PulseSecure report"
        reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
        id = "8a597521-c873-5bcc-85e6-5a0a061fffb7"
    strings: 
        $s1 = "open(*fd," 
        $s2 = "syswrite(*fd," 
        $s3 = "close(*fd);" 
        $s4 = /open\(\*fd,[\x09\x20]{0,32}[\x22\x27]>>\/tmp\/dsstartssh\.statementcounters[\x22\x27]\);[\x09\x20]{0,32}syswrite\(\*fd,[\x09\x20]{0,32}/ 
        $s5 = /syswrite\(\*fd,[\x09\x20]{0,32}[\x22\x27][\w]{1,128}=\$username ?[\x22\x27],[\x09\x20]{0,32}\d{4}\)/ 
    condition: 
        all of them 
}
FE_APT_Webshell_PL_PULSECHECK_1
Detects samples mentioned in PulseSecure report
source signature-base author Mandiant
rule FE_APT_Webshell_PL_PULSECHECK_1 
{ 
    meta: 
        author = "Mandiant" 
        date = "2021-04-16"  
        sha256 = "a1dcdf62aafc36dd8cf64774dea80d79fb4e24ba2a82adf4d944d9186acd1cc1"
        description = "Detects samples mentioned in PulseSecure report"
        reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
        id = "f375fdd8-567b-569b-85f4-af54a35d2a93"
    strings: 
        $r1 = /while[\x09\x20]{0,32}\(<\w{1,64}>\)[\x09\x20]{0,32}\{\s{1,256}\$\w{1,64}[\x09\x20]{0,32}\.=[\x09\x20]{0,32}\$_;\s{0,256}\}/ 
        $s1 = "use Crypt::RC4;" 
        $s2 = "use MIME::Base64" 
        $s3 = "MIME::Base64::decode(" 
        $s4 = "popen(" 
        $s5 = " .= $_;" 
        $s6 = "print MIME::Base64::encode(RC4(" 
        $s7 = "HTTP_X_" 
    condition: 
        $s1 and $s2 and (@s3[1] < @s4[1]) and (@s4[1] < @s5[1]) and (@s5[1] < @s6[1]) and (#s7 > 2) and $r1 
}
FE_APT_Webshell_PL_STEADYPULSE_1
Detects samples mentioned in PulseSecure report
source signature-base author Mandiant
rule FE_APT_Webshell_PL_STEADYPULSE_1
{  
    meta:  
        author = "Mandiant"  
        date = "2021-04-16"      
        sha256 = "168976797d5af7071df257e91fcc31ce1d6e59c72ca9e2f50c8b5b3177ad83cc"
        description = "Detects samples mentioned in PulseSecure report"
        reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"     
        id = "49457fbb-9288-565f-909d-e8228c21c1e4"
    strings:  
        $s1 = "parse_parameters" 
        $s2 = "s/\\+/ /g"  
        $s3 = "s/%(..)/pack("  
        $s4 = "MIME::Base64::encode($"  
        $s5 = "$|=1;" 
        $s6 = "RC4(" 
        $s7 = "$FORM{'cmd'}" 
    condition:  
        all of them  
}
FE_LEGALSTRIKE_MACRO
This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7.
source signature-base author Ian.Ahl@fireeye.com @TekDefense - modified by Florian Roth
rule FE_LEGALSTRIKE_MACRO {
   meta:
      version=".1"
      filetype="MACRO"
      author="Ian.Ahl@fireeye.com @TekDefense - modified by Florian Roth"
      date="2017-06-02"
      description="This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7."
      id = "eb15e5aa-16e5-5c07-a293-ad15c0c09d8e"
   strings:
      // OBFUSCATION
      $ob1 = "ChrW(114) & ChrW(101) & ChrW(103) & ChrW(115) & ChrW(118) & ChrW(114) & ChrW(51) & ChrW(50) & ChrW(46) & ChrW(101)" ascii wide
      // wscript
      $wsobj1 = "Set Obj = CreateObject(\"WScript.Shell\")" ascii wide
      $wsobj2 = "Obj.Run " ascii wide
   condition:
      all of them
}
FE_LEGALSTRIKE_RTF
Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom
source signature-base author joshua.kim@FireEye. - modified by Florian Roth
rule FE_LEGALSTRIKE_RTF {
   meta:
      version=".1"
      filetype="MACRO"
      author="joshua.kim@FireEye. - modified by Florian Roth"
      date="2017-06-02"
      description="Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom"
      id = "b62ceffa-445f-517e-b86b-56e47876c6c0"
   strings:
      $lnkinfo = "4c0069006e006b0049006e0066006f"
      $encoded1 = "4f4c45324c696e6b"
      $encoded2 = "52006f006f007400200045006e007400720079"
      $encoded3 = "4f0062006a0049006e0066006f"
      $encoded4 = "4f006c0065"
      $datastore = "\\*\\datastore"
   condition:
      uint32be(0) == 0x7B5C7274 and all of them
}
FE_Trojan_SH_ATRIUM_1
Detects samples mentioned in PulseSecure report
source signature-base author Mandiant
rule FE_Trojan_SH_ATRIUM_1
{
    meta:
        author = "Mandiant"
        date = "2021-04-16"
        hash = "a631b7a8a11e6df3fccb21f4d34dbd8a"
        description = "Detects samples mentioned in PulseSecure report"
        reference = "https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html"
        id = "c49441f4-a138-534c-a858-a7462ed865c9"
    strings:
        $s1 = "CGI::param("
        $s2 = "Cache-Control: no-cache"
        $s3 = "system("
        $s4 = /sed -i [^\r\n]{1,128}CGI::param\([^\r\n]{1,128}print[\x20\x09]{1,32}[^\r\n]{1,128}Cache-Control: no-cache[^\r\n]{1,128}print[\x20\x09]{1,32}[^\r\n]{1,128}Content-type: text\/html[^\r\n]{1,128}my [^\r\n]{1,128}=[\x09\x20]{0,32}CGI::param\([^\r\n]{1,128}system\(/
    condition:
        all of them
}
HKTL_CN_Dos_GetPass
Chinese Hacktool Set - file GetPass.exe
source signature-base author Florian Roth (Nextron Systems)
rule HKTL_CN_Dos_GetPass {
	meta:
		description = "Chinese Hacktool Set - file GetPass.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		modified = "2023-01-06"
		old_rule_name = "Dos_GetPass"
		hash = "d18d952b24110b83abd17e042f9deee679de6a1a"
		id = "08635096-474c-5fdf-825e-6c7c8c8d4061"
	strings:
		$s0 = "GetLogonS" ascii
		$s3 = "/showthread.php?t=156643" ascii
		$s8 = "To Run As Administ" ascii
		$s18 = "EnableDebugPrivileg" fullword ascii
		$s19 = "sedebugnameValue" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 890KB and all of them
}
HKTL_CN_Dos_sys
Chinese Hacktool Set - file sys.exe
source signature-base author Florian Roth (Nextron Systems)
rule HKTL_CN_Dos_sys {
	meta:
		description = "Chinese Hacktool Set - file sys.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		modified = "2023-01-06"
		old_rule_name = "Dos_sys"
		hash = "b5837047443f8bc62284a0045982aaae8bab6f18"
		id = "c4b740f2-f4f8-59ff-ad1f-c06718040b50"
	strings:
		$s0 = "'SeDebugPrivilegeOpen " fullword ascii
		$s6 = "Author: Cyg07*2" fullword ascii
		$s12 = "from golds7n[LAG]'J" fullword ascii
		$s14 = "DAMAGE" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 150KB and all of them
}
HKTL_CN_ProcHook_May19_1
Detects hacktool used by Chinese threat groups
source signature-base author Florian Roth (Nextron Systems)
import "pe"

rule HKTL_CN_ProcHook_May19_1 {
   meta:
      description = "Detects hacktool used by Chinese threat groups"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/"
      date = "2019-05-31"
      hash1 = "02ebdc1ff6075c15a44711ccd88be9d6d1b47607fea17bef7e5e17f8da35293e"
      id = "ae4e2613-8254-5ea6-af88-2f08ebe4da33"
   condition:
      uint16(0) == 0x5a4d and filesize < 300KB and
      pe.imphash() == "343d580dd50ee724746a5c28f752b709"
}
HKTL_CN_Project1
Chinese Hacktool Set - file Project1.exe
source signature-base author Florian Roth (Nextron Systems)
rule HKTL_CN_Project1 {
	meta:
		description = "Chinese Hacktool Set - file Project1.exe"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		modified = "2023-01-06"
		old_rule_name = "Project1"
		hash = "d1a5e3b646a16a7fcccf03759bd0f96480111c96"
		id = "12cc7a82-d7a9-58c6-b283-3bb0df477cd8"
	strings:
		$s1 = "EXEC master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'" fullword ascii
		$s2 = "Password.txt" fullword ascii
		$s3 = "LoginPrompt" fullword ascii
	condition:
		uint16(0) == 0x5a4d and filesize < 5000KB and all of them
}
HKTL_CN_dat_xpf
Chinese Hacktool Set - file xpf.sys
source signature-base author Florian Roth (Nextron Systems)
rule HKTL_CN_dat_xpf {
	meta:
		description = "Chinese Hacktool Set - file xpf.sys"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "http://tools.zjqhr.com/"
		date = "2015-06-13"
		modified = "2023-01-06"
		old_rule_name = "dat_xpf"
		hash = "761125ab594f8dc996da4ce8ce50deba49c81846"
		id = "fe2de535-4f86-5c29-b67e-153423a897f7"
	strings:
		$s1 = "UnHook IoGetDeviceObjectPointer ok!" fullword ascii
		$s2 = "\\Device\\XScanPF" wide
		$s3 = "\\DosDevices\\XScanPF" wide
	condition:
		uint16(0) == 0x5a4d and filesize < 25KB and all of them
}
HKTL_CN_update_PcMain
Chinese Hacktool Set - file PcMain.dll
source signature-base author Florian Roth (Nextron Systems)
rule HKTL_CN_update_PcMain {
   meta:
      description = "Chinese Hacktool Set - file PcMain.dll"
      author = "Florian Roth (Nextron Systems)"
      score = 90
      reference = "http://tools.zjqhr.com/"
      date = "2015-06-13"
      modified = "2023-01-06"
      old_rule_name = "update_PcMain"
      hash = "aa68323aaec0269b0f7e697e69cce4d00a949caa"
      id = "24c9ba6f-0772-59c9-8bea-3a8bf7823e4c"
   strings:
      $s0 = "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; .NET CLR 1.1.4322" ascii
      $s1 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost" fullword ascii
      $s2 = "SOFTWARE\\Classes\\HTTP\\shell\\open\\command" fullword ascii
      $s3 = "\\svchost.exe -k " ascii
      $s4 = "SYSTEM\\ControlSet001\\Services\\%s" fullword ascii
      $s9 = "Global\\%s-key-event" fullword ascii
      $s10 = "%d%d.exe" fullword ascii
      $s14 = "%d.exe" fullword ascii
      $s15 = "Global\\%s-key-metux" fullword ascii
      $s18 = "GET / HTTP/1.1" fullword ascii
      $s19 = "\\Services\\" ascii
      $s20 = "qy001id=%d;qy001guid=%s" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 500KB and 4 of them
}
HKTL_EXPL_WIN_PS1_BadSuccessor_May25
Detects PowerShell tool called Get-BadSuccessorOUPermissions.ps1 that helps exploit a vulnerability in Active Directory. Lists every principal that can perform a BadSuccessor attack and the OUs where it holds the required permissions.
source signature-base author Florian Roth
rule HKTL_EXPL_WIN_PS1_BadSuccessor_May25 {
   meta:
      description = "Detects PowerShell tool called Get-BadSuccessorOUPermissions.ps1 that helps exploit a vulnerability in Active Directory. Lists every principal that can perform a BadSuccessor attack and the OUs where it holds the required permissions."
      author = "Florian Roth"
      reference = "https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory"
      date = "2025-05-22"
      score = 75
   strings:
      $x1 = "function Get-BadSuccessorOUPermissions" ascii wide
      $x2 = "\"0feb936f-47b3-49f2-9386-1dedc2c23765\"=\"msDS-DelegatedManagedServiceAccount\"" ascii wide
      $x3 = "CreateChild|GenericAll|WriteDACL|WriteOwner" ascii wide
   condition:
      filesize < 20MB and 1 of them
}
HKTL_NET_AdCollector_Sep22_1
Detects ADCollector Tool - a lightweight tool to quickly extract valuable information from the Active Directory environment for both attacking and defending
source signature-base author Florian Roth (Nextron Systems)
rule HKTL_NET_AdCollector_Sep22_1 {
   meta:
      description = "Detects ADCollector Tool - a lightweight tool to quickly extract valuable information from the Active Directory environment for both attacking and defending"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/dev-2null/ADCollector"
      date = "2022-09-15"
      score = 75
      hash1 = "241390219a0a773463601ca68b77af97453c20af00a66492a7a78c04d481d338"
      hash2 = "cc086eb7316e68661e3d547b414890d5029c5cc460134d8b628f4b0be7f27fb3"
      id = "48b376e4-752b-523e-b34e-65b6944c33fb"
   strings:
      $x1 = "ADCollector.exe --SPNs --Term key --Acls 'CN=Domain Admins,CN=Users,DC=lab,DC=local'" wide fullword
      $s1 = "ADCollector.exe" wide fullword
      $s2 = "ENCRYPTED_TEXT_PASSWORD_ALLOWED" ascii fullword
      $s3 = "\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf" wide
      $s4 = "[-] Password Does Not Expire Accounts:" wide
      $s5 = "  * runAs:       {0}" wide fullword
   condition:
      uint16(0) == 0x5a4d and
      filesize < 300KB and ( 1 of ($x*) or 3 of them )
}
HKTL_NET_Edge_Saved_Passwords_Dumper_May26
Detects a .NET-based tool used to dump saved passwords from Microsoft Edge browser processes
source signature-base author Florian Roth
rule HKTL_NET_Edge_Saved_Passwords_Dumper_May26 {
   meta:
      description = "Detects an .NET based tool used to dump saved passwords from Microsoft Edge browser processes"
      author = "Florian Roth"
      reference = "https://github.com/L1v1ng0ffTh3L4N/Proof-of-Concepts/tree/main/EdgeSavedPasswordsDumper"
      date = "2026-05-05"
      score = 80
   strings:
      $x1 = "SELECT ProcessId, Name, ParentProcessId FROM Win32_Process WHERE Name='msedge.exe'" wide
      $x2 = "Scanning process PID: " wide

      $s1 = "NSC\\t1_" wide
      $s2 = "\\*\\(\\)_\\-\\+=\\{\\}\\[\\]:;<>\\?/~\\s]{6,40})\\x20\\x00" wide
   condition:
      2 of them
}
HKTL_NET_GUID_ADFSDump
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_ADFSDump {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/fireeye/ADFSDump"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "8cb2edcd-3696-5857-90ca-e99b1af54320"
    strings:
        $typelibguid0lo = "9ee27d63-6ac9-4037-860b-44e91bae7f0d" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_ADSearch
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_ADSearch {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/tomcarver16/ADSearch"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "399ea06d-b36a-542b-bccc-8e8f935a35c6"
    strings:
        $typelibguid0lo = "4da5f1b7-8936-4413-91f7-57d6e072b4a7" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AESShellCodeInjector
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_AESShellCodeInjector {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/san3ncrypt3d/AESShellCodeInjector"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-22"
        modified = "2025-08-15"
        id = "6253e30b-7c92-5237-a706-e93403a7c0b6"
    strings:
        $typelibguid0lo = "b016da9e-12a1-4f1d-91a1-d681ae54e92c" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AMSI_Handler
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_AMSI_Handler {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/two06/AMSI_Handler"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "40768acf-fa9e-531a-83fd-187814ddc2d4"
    strings:
        $typelibguid0lo = "d829426c-986c-40a4-8ee2-58d14e090ef2" ascii wide
        $typelibguid1lo = "86652418-5605-43fd-98b5-859828b072be" ascii wide
        $typelibguid2lo = "1043649f-18e1-41c4-ae8d-ac4d9a86c2fc" ascii wide
        $typelibguid3lo = "1d920b03-c537-4659-9a8c-09fb1d615e98" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AVIator
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_AVIator {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/Ch0pin/AVIator"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "52acd520-52aa-5bb9-ab3b-66a940aa5f5a"
    strings:
        $typelibguid0lo = "4885a4a3-4dfa-486c-b378-ae94a221661a" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AV_Evasion_Tool
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_AV_Evasion_Tool {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/1y0n/AV_Evasion_Tool"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "d4257465-38a0-56b9-8402-b92e21b96cb0"
    strings:
        $typelibguid0lo = "1937ee16-57d7-4a5f-88f4-024244f19dc6" ascii wide
        $typelibguid1lo = "7898617d-08d2-4297-adfe-5edd5c1b828b" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Absinthe
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Absinthe {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/cameronhotchkies/Absinthe"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-21"
        modified = "2025-08-15"
        id = "8f25593b-b9d2-5807-b299-b039ecfd43a5"
    strings:
        $typelibguid0lo = "9936ae73-fb4e-4c5e-a5fb-f8aaeb3b9bd6" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Adamantium_Thief
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Adamantium_Thief {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/LimerBoy/Adamantium-Thief"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "82225b2e-ab4a-50b8-a3fd-7ad4947d052e"
    strings:
        $typelibguid0lo = "e6104bc9-fea9-4ee9-b919-28156c1f2ede" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AddReferenceDotRedTeam
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_AddReferenceDotRedTeam {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/ceramicskate0/AddReferenceDotRedTeam"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "59299a72-9b7a-5108-81c2-d8f6d2e99b20"
    strings:
        $typelibguid0lo = "73c79d7e-17d4-46c9-be5a-ecef65b924e4" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AggressorScripts
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_AggressorScripts {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/harleyQu1nn/AggressorScripts"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "d5903db5-010b-5b9d-8a5b-5d61aec52e7a"
    strings:
        $typelibguid0lo = "afd1ff09-2632-4087-a30c-43591f32e4e8" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Aladdin
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Aladdin {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/nettitude/Aladdin"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2023-03-13"
        modified = "2025-08-15"
        id = "3f0a954c-f3b3-5e5d-a71d-11f60b026a48"
    strings:
        $typelibguid0lo = "b2b3adb0-1669-4b94-86cb-6dd682ddbea3" ascii wide
        $typelibguid1lo = "c47e4d64-cc7f-490e-8f09-055e009f33ba" ascii wide
        $typelibguid2lo = "32a91b0f-30cd-4c75-be79-ccbd6345de99" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AllTheThings
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_AllTheThings {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/johnjohnsp1/AllTheThings"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "c35160cb-ad31-5195-a7c6-0af91a58737d"
    strings:
        $typelibguid0lo = "0547ff40-5255-42a2-beb7-2ff0dbf7d3ba" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Altman
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Altman {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/keepwn/Altman"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "21acc8af-9497-5842-90a9-7a9300585d5d"
    strings:
        $typelibguid0lo = "64cdcd2b-7356-4079-af78-e22210e66154" ascii wide
        $typelibguid1lo = "f1dee29d-ca98-46ea-9d13-93ae1fda96e1" ascii wide
        $typelibguid2lo = "33568320-56e8-4abb-83f8-548e8d6adac2" ascii wide
        $typelibguid3lo = "470ec930-70a3-4d71-b4ff-860fcb900e85" ascii wide
        $typelibguid4lo = "9514574d-6819-44f2-affa-6158ac1143b3" ascii wide
        $typelibguid5lo = "0f3a9c4f-0b11-4373-a0a6-3a6de814e891" ascii wide
        $typelibguid6lo = "9624b72e-9702-4d78-995b-164254328151" ascii wide
        $typelibguid7lo = "faae59a8-55fc-48b1-a9b5-b1759c9c1010" ascii wide
        $typelibguid8lo = "37af4988-f6f2-4f0c-aa2b-5b24f7ed3bf3" ascii wide
        $typelibguid9lo = "c82aa2fe-3332-441f-965e-6b653e088abf" ascii wide
        $typelibguid10lo = "6e531f6c-2c89-447f-8464-aaa96dbcdfff" ascii wide
        $typelibguid11lo = "231987a1-ea32-4087-8963-2322338f16f6" ascii wide
        $typelibguid12lo = "7da0d93a-a0ae-41a5-9389-42eff85bb064" ascii wide
        $typelibguid13lo = "a729f9cc-edc2-4785-9a7d-7b81bb12484c" ascii wide
        $typelibguid14lo = "55a1fd43-d23e-4d72-aadb-bbd1340a6913" ascii wide
        $typelibguid15lo = "d43f240d-e7f5-43c5-9b51-d156dc7ea221" ascii wide
        $typelibguid16lo = "c2e6c1a0-93b1-4bbc-98e6-8e2b3145db8e" ascii wide
        $typelibguid17lo = "714ae6f3-0d03-4023-b753-fed6a31d95c7" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AmsiScanBufferBypass
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_AmsiScanBufferBypass {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/rasta-mouse/AmsiScanBufferBypass"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "12a15e61-30fb-50a3-a59b-39f9871444f0"
    strings:
        $typelibguid0lo = "431ef2d9-5cca-41d3-87ba-c7f5e4582dd2" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AntiDebug
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_AntiDebug {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/malcomvetter/AntiDebug"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-28"
        modified = "2025-08-15"
        id = "f381081b-d0cb-593d-ad3d-28816f770b67"
    strings:
        $typelibguid0lo = "997265c1-1342-4d44-aded-67964a32f859" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_Anti_Analysis
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_Anti_Analysis {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/NYAN-x-CAT/Anti-Analysis"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "bd527841-065e-57e9-b70e-c9d232072f1b"
    strings:
        $typelibguid0lo = "3092c8df-e9e4-4b75-b78e-f81a0058a635" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AsyncRAT_C_Sharp
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_AsyncRAT_C_Sharp {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "858a079d-71e8-516e-a2a9-f0969edc758b"
    strings:
        $typelibguid0lo = "619b7612-dfea-442a-a927-d997f99c497b" ascii wide
        $typelibguid1lo = "424b81be-2fac-419f-b4bc-00ccbe38491f" ascii wide
        $typelibguid2lo = "37e20baf-3577-4cd9-bb39-18675854e255" ascii wide
        $typelibguid3lo = "dafe686a-461b-402b-bbd7-2a2f4c87c773" ascii wide
        $typelibguid4lo = "ee03faa9-c9e8-4766-bd4e-5cd54c7f13d3" ascii wide
        $typelibguid5lo = "8bfc8ed2-71cc-49dc-9020-2c8199bc27b6" ascii wide
        $typelibguid6lo = "d640c36b-2c66-449b-a145-eb98322a67c8" ascii wide
        $typelibguid7lo = "8de42da3-be99-4e7e-a3d2-3f65e7c1abce" ascii wide
        $typelibguid8lo = "bee88186-769a-452c-9dd9-d0e0815d92bf" ascii wide
        $typelibguid9lo = "9042b543-13d1-42b3-a5b6-5cc9ad55e150" ascii wide
        $typelibguid10lo = "6aa4e392-aaaf-4408-b550-85863dd4baaf" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AtYourService
Detects .NET red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_AtYourService {
    meta:
        description = "Detects .NET red/black-team tools via typelibguid"
        reference = "https://github.com/mitchmoser/AtYourService"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2021-01-21"
        modified = "2025-08-15"
        id = "3077dd0c-6936-5340-8da9-e8643de4d864"
    strings:
        $typelibguid0lo = "bc72386f-8b4c-44de-99b7-b06a8de3ce3f" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
HKTL_NET_GUID_AzureCLI_Extractor
Detects c# red/black-team tools via typelibguid
source signature-base author Arnim Rupp (https://github.com/ruppde)
rule HKTL_NET_GUID_AzureCLI_Extractor {
    meta:
        description = "Detects c# red/black-team tools via typelibguid"
        reference = "https://github.com/0x09AL/AzureCLI-Extractor"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp (https://github.com/ruppde)"
        date = "2020-12-13"
        modified = "2025-08-15"
        id = "f595545a-a7a6-577c-b3f4-febf7bf1b6c3"
    strings:
        $typelibguid0lo = "a73cad74-f8d6-43e6-9a4c-b87832cdeace" ascii wide
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin