
// low hanging fruits ;)
rule HKTL_NET_NAME_FakeFileMaker {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/DamonMohammadbagher/FakeFileMaker"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "2c87114f-5295-583f-b567-623d478ce0eb"
    strings:
        $name = "FakeFileMaker" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_WMIPersistence {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/mdsecactivebreach/WMIPersistence"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "7a674596-c697-569d-a16c-3cefe4ff752a"
    strings:
        $name = "WMIPersistence" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
/*
rule HKTL_NET_NAME_ADCollector {
meta:
description = "Detects .NET red/black-team tools via name"
reference = "https://github.com/dev-2null/ADCollector"
license = "https://creativecommons.org/licenses/by-nc/4.0/"
hash = "5391239f479c26e699b6f3a1d6a0a8aa1a0cf9a8"
hash = "9dd0f322dd57b906da1e543c44e764954704abae"
author = "Arnim Rupp"
date = "2021-01-22"
modified = "2022-09-15"
strings:
$s_name = "ADCollector" ascii wide
$s_compile = "AssemblyTitle" ascii wide
$fp1 = "Symantec Threat Defense" wide
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of ($s*)
and not 1 of ($fp*)
}
*/
rule HKTL_NET_AdCollector_Sep22_1 {
    // Content-based replacement for the retired name-only ADCollector rule:
    // one strong command-line string ($x1) or three of the weaker strings.
    meta:
        description = "Detects ADCollector Tool - a lightweight tool to quickly extract valuable information from the Active Directory environment for both attacking and defending"
        author = "Florian Roth (Nextron Systems)"
        reference = "https://github.com/dev-2null/ADCollector"
        date = "2022-09-15"
        score = 75
        hash1 = "241390219a0a773463601ca68b77af97453c20af00a66492a7a78c04d481d338"
        hash2 = "cc086eb7316e68661e3d547b414890d5029c5cc460134d8b628f4b0be7f27fb3"
        id = "48b376e4-752b-523e-b34e-65b6944c33fb"
    strings:
        // example invocation from the tool's own help text
        $x1 = "ADCollector.exe --SPNs --Term key --Acls 'CN=Domain Admins,CN=Users,DC=lab,DC=local'" wide fullword
        $s1 = "ADCollector.exe" wide fullword
        $s2 = "ENCRYPTED_TEXT_PASSWORD_ALLOWED" ascii fullword
        // GPO template path; the GUID is the well-known Default Domain Policy
        $s3 = "\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf" wide
        $s4 = "[-] Password Does Not Expire Accounts:" wide
        $s5 = " * runAs: {0}" wide fullword
    condition:
        // only the "MZ" header is checked here (no PE signature), bounded by size
        uint16(0) == 0x5A4D
        and filesize < 300KB
        and ( any of ($x*) or 3 of them )
}
rule HKTL_NET_NAME_MaliciousClickOnceGenerator {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/Mr-Un1k0d3r/MaliciousClickOnceGenerator"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "683af3b4-4c91-5ff3-96bf-d5c1d9c19cc2"
    strings:
        $name = "MaliciousClickOnceGenerator" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_directInjectorPOC {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/badBounty/directInjectorPOC"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "d9a430d7-b062-554b-aff4-cfd98d91e9fe"
    strings:
        $name = "directInjectorPOC" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_AsStrongAsFuck {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/Charterino/AsStrongAsFuck"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "4c63c8a2-5889-5177-9f66-8e5f755025a3"
    strings:
        $name = "AsStrongAsFuck" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_MagentoScanner {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/soufianetahiri/MagentoScanner"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "db3912bd-574c-57e2-a9b6-4b440d144471"
    strings:
        $name = "MagentoScanner" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_RevengeRAT_Stub_CSsharp {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/NYAN-x-CAT/RevengeRAT-Stub-CSsharp"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "06dce4f9-4d7a-5976-a87a-07c539e5dbe8"
    strings:
        $name = "RevengeRAT-Stub-CSsharp" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_SharPyShell {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/antonioCoco/SharPyShell"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "3069c5eb-446e-5bfa-9df0-2e03f229d4d1"
    strings:
        $name = "SharPyShell" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_GhostLoader {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/TheWover/GhostLoader"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "d8d88f3f-f250-55ff-88a6-4623e12ef89d"
    strings:
        $name = "GhostLoader" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_DotNetInject {
    // Name-based indicator with an explicit false-positive list: the project
    // name substring also occurs in unrelated, legitimate software, so known
    // benign markers ($fp*) veto the match and the file size is bounded.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/dtrizna/DotNetInject"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        modified = "2022-06-28"
        id = "468f89c4-5b94-53be-b9e6-ad21de7d98ba"
    strings:
        $name = "DotNetInject" wide ascii
        $compile = "AssemblyTitle" wide ascii
        // benign software that contains the $name substring
        $fp1 = "GetDotNetInjector" ascii /* MS Txt2AI 489044cadaa0175e36d286fcbe5720fd56b6a0c063beac452b2316c2714332b0 */
        $fp2 = "JetBrains.TeamCity.Injector." wide
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d and uint32(uint32(0x3c)) == 0x4550
        and filesize < 20MB
        and all of ($name, $compile)
        and not any of ($fp*)
}
rule HKTL_NET_NAME_ATPMiniDump {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/b4rtik/ATPMiniDump"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "97981569-fe94-5600-8319-946edb4265e7"
    strings:
        $name = "ATPMiniDump" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule SUSP_NET_NAME_ConfuserEx {
    // Suspicious (not hacktool) rule with a reduced score: the ConfuserEx
    // protector name is also used by legitimately obfuscated .NET software.
    meta:
        description = "Detects ConfuserEx packed file"
        reference = "https://github.com/yck1509/ConfuserEx"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        score = 40
        date = "2021-01-22"
        modified = "2021-01-25"
        id = "f1bda14e-c9fe-5341-8962-691a66233eb0"
    strings:
        $name = "ConfuserEx" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_SharpBuster {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/passthehashbrowns/SharpBuster"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "d30c8ee5-88b9-53b5-b209-51f6f3b988cf"
    strings:
        $name = "SharpBuster" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_AmsiBypass {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/0xB455/AmsiBypass"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        hash = "8fa4ba512b34a898c4564a8eac254b6a786d195b"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "26db14d8-1034-5bd1-a719-4756c832901d"
    strings:
        $name = "AmsiBypass" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_Recon_AD {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/outflanknl/Recon-AD"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "097de5cd-0cd4-59cc-a7b7-54cad8e6d230"
    strings:
        $name = "Recon-AD" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_SharpWatchdogs {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/RITRedteam/SharpWatchdogs"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "5343be58-879a-5fe7-9036-ee6a22d85f22"
    strings:
        $name = "SharpWatchdogs" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_SharpCat {
    // Name-based indicator; unlike its siblings both strings carry "fullword",
    // so the short name "SharpCat" only matches at word boundaries.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/Cn33liz/SharpCat"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "a46be8d3-bf7b-5d86-b88b-33e6c8c152d8"
    strings:
        $name = "SharpCat" fullword wide ascii
        $compile = "AssemblyTitle" fullword wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_K8tools {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/k8gege/K8tools"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "b30fc856-073d-542f-b222-a957322732c2"
    strings:
        $name = "K8tools" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_HTTPSBeaconShell {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/limbenjamin/HTTPSBeaconShell"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "3bd7234b-a23e-5818-aed1-52d42023943b"
    strings:
        $name = "HTTPSBeaconShell" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_Ghostpack_CompiledBinaries {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/r3motecontrol/Ghostpack-CompiledBinaries"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "7cc81894-8c01-5a17-a7ed-1cb4cf1e2d53"
    strings:
        $name = "Ghostpack-CompiledBinaries" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_metasploit_sharp {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/VolatileMindsLLC/metasploit-sharp"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "b425f241-4887-5368-b42b-3fbbd3b769c6"
    strings:
        $name = "metasploit-sharp" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_trevorc2 {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/trustedsec/trevorc2"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "d1634a0d-6964-5886-b836-85c3ce6b8a17"
    strings:
        $name = "trevorc2" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_NativePayload_DNS2 {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/DamonMohammadbagher/NativePayload_DNS2"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "0fa01355-de57-573e-9056-0b7a5d24572d"
    strings:
        $name = "NativePayload_DNS2" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_AggressiveProxy {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/EncodeGroup/AggressiveProxy"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "e2d3c4e2-404b-59f8-b3d0-a7cef4dfd0ff"
    strings:
        $name = "AggressiveProxy" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_MSBuildAPICaller {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/rvrsh3ll/MSBuildAPICaller"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "143da57f-b01f-5688-b741-1bc4d06cd7d1"
    strings:
        $name = "MSBuildAPICaller" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_GrayKeylogger {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/DarkSecDevelopers/GrayKeylogger"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "c63875b6-1701-5594-927e-833c25dc5d98"
    strings:
        $name = "GrayKeylogger" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_weevely3 {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    // NOTE(review): the referenced project appears to be a Python web-shell
    // tool rather than a .NET assembly; confirm this rule has a realistic
    // target, otherwise it is dead weight in the rule set.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/epinna/weevely3"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "6bf766b6-d065-5a84-8258-3be448b9cbb8"
    strings:
        $name = "weevely3" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_FudgeC2 {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/Ziconius/FudgeC2"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "a8e70bce-76dd-53dc-9a19-1cc6795fdef3"
    strings:
        $name = "FudgeC2" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_NativePayload_Reverse_tcp {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/DamonMohammadbagher/NativePayload_Reverse_tcp"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "a6b935cc-adb6-5ff4-a832-1043e77292f7"
    strings:
        $name = "NativePayload_Reverse_tcp" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_SharpHose {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/ustayready/SharpHose"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "89b00eb0-f1a2-5c77-a5b0-2329b08aadb7"
    strings:
        $name = "SharpHose" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_RAT_NjRat_0_7d_modded_source_code {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/AliBawazeEer/RAT-NjRat-0.7d-modded-source-code"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "2b7d1f75-0164-561e-8199-32c601cbca98"
    strings:
        $name = "RAT-NjRat-0.7d-modded-source-code" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_RdpThief {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/0x09AL/RdpThief"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "5ad4feec-50db-5ebb-a609-9196e72a24aa"
    strings:
        $name = "RdpThief" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_RunasCs {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/antonioCoco/RunasCs"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "c5fc5b01-1d30-5af5-be99-e629cb23295b"
    strings:
        $name = "RunasCs" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_NativePayload_IP6DNS {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/DamonMohammadbagher/NativePayload_IP6DNS"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "3b32b408-e71a-5f2a-ae6f-72a3d6572b71"
    strings:
        $name = "NativePayload_IP6DNS" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_NativePayload_ARP {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/DamonMohammadbagher/NativePayload_ARP"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "9fac11f8-4e40-5cbc-a990-2ae48df20828"
    strings:
        $name = "NativePayload_ARP" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_C2Bridge {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/cobbr/C2Bridge"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "357051aa-61ea-5454-a996-b4e3a45ac865"
    strings:
        $name = "C2Bridge" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_Infrastructure_Assessment {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    // NOTE(review): the referenced repository looks like a written assessment
    // guide rather than a compiled tool; confirm the rule has a real target.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/NyaMeeEain/Infrastructure-Assessment"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "efacc12b-92b3-5b22-b5bb-cd5a7d7eea0e"
    strings:
        $name = "Infrastructure-Assessment" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_shellcodeTester {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/tophertimzen/shellcodeTester"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "964093a4-e6d7-51b7-928a-b1cd40dc11cc"
    strings:
        $name = "shellcodeTester" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_gray_hat_csharp_code {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/brandonprry/gray_hat_csharp_code"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "0a94cadc-cc7b-5817-8788-bb1e53937fad"
    strings:
        $name = "gray_hat_csharp_code" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_NativePayload_ReverseShell {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/DamonMohammadbagher/NativePayload_ReverseShell"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "eec77c09-02db-5d74-8526-e201d2fe6fc8"
    strings:
        $name = "NativePayload_ReverseShell" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_DotNetAVBypass {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/mandreko/DotNetAVBypass"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "918eba2b-150d-5e69-bed0-0979ae889165"
    strings:
        $name = "DotNetAVBypass" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_HexyRunner {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/bao7uo/HexyRunner"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "67741b4d-7336-5c88-8f2c-e48c10b187b9"
    strings:
        $name = "HexyRunner" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_SharpOffensiveShell {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/darkr4y/SharpOffensiveShell"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "f223fb95-9f16-5504-a6ce-de9d75b38eaa"
    strings:
        $name = "SharpOffensiveShell" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_reconness {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/reconness/reconness"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "a30188e4-d96a-59d0-9f51-d7a7e07b14ba"
    strings:
        $name = "reconness" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_tvasion {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/loadenmb/tvasion"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "324cddc6-36d9-5670-827e-24e80dcc66a9"
    strings:
        $name = "tvasion" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_ibombshell {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    // NOTE(review): the referenced project appears to be PowerShell-based;
    // confirm a compiled .NET component exists, otherwise the rule is inert.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/Telefonica/ibombshell"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "02f3272f-8e75-5df4-9052-a315ae202050"
    strings:
        $name = "ibombshell" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_RemoteProcessInjection {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/Mr-Un1k0d3r/RemoteProcessInjection"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "f1698cf2-211a-551a-8bc4-4faefcc6106f"
    strings:
        $name = "RemoteProcessInjection" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_CACTUSTORCH {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/mdsecactivebreach/CACTUSTORCH"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "7b1e3015-fada-592c-b120-20aa12247d32"
    strings:
        $name = "CACTUSTORCH" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_PandaSniper {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/QAX-A-Team/PandaSniper"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "006400fb-7e6d-563b-ba78-17937983c9ba"
    strings:
        $name = "PandaSniper" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_xbapAppWhitelistBypassPOC {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/jpginc/xbapAppWhitelistBypassPOC"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "b05253ce-cba4-531d-8f39-d8fae71b114d"
    strings:
        $name = "xbapAppWhitelistBypassPOC" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}
rule HKTL_NET_NAME_StageStrike {
    // Name-based indicator: the project name and the "AssemblyTitle" string
    // (the rule's marker for a compiled .NET assembly) must both be present.
    meta:
        description = "Detects .NET red/black-team tools via name"
        reference = "https://github.com/RedXRanger/StageStrike"
        license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
        author = "Arnim Rupp"
        date = "2021-01-22"
        id = "e3f9de04-87f6-5b07-b5b0-a26167937fcc"
    strings:
        $name = "StageStrike" wide ascii
        $compile = "AssemblyTitle" wide ascii
    condition:
        // "MZ" DOS header and a "PE\0\0" signature at the e_lfanew offset (0x3C)
        uint16(0) == 0x5a4d
        and uint32(uint32(0x3c)) == 0x4550
        and $name and $compile
}