// low hanging fruits ;) rule HKTL_NET_NAME_FakeFileMaker { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/DamonMohammadbagher/FakeFileMaker" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "2c87114f-5295-583f-b567-623d478ce0eb" strings: $name = "FakeFileMaker" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_WMIPersistence { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/mdsecactivebreach/WMIPersistence" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "7a674596-c697-569d-a16c-3cefe4ff752a" strings: $name = "WMIPersistence" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } /* rule HKTL_NET_NAME_ADCollector { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/dev-2null/ADCollector" license = "https://creativecommons.org/licenses/by-nc/4.0/" hash = "5391239f479c26e699b6f3a1d6a0a8aa1a0cf9a8" hash = "9dd0f322dd57b906da1e543c44e764954704abae" author = "Arnim Rupp" date = "2021-01-22" modified = "2022-09-15" strings: $s_name = "ADCollector" ascii wide $s_compile = "AssemblyTitle" ascii wide $fp1 = "Symantec Threat Defense" wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of ($s*) and not 1 of ($fp*) } */ rule HKTL_NET_AdCollector_Sep22_1 { meta: description = "Detects ADCollector Tool - a lightweight tool to quickly extract valuable information from the Active Directory environment for both attacking and defending" author = "Florian Roth (Nextron Systems)" reference = "https://github.com/dev-2null/ADCollector" date = "2022-09-15" score = 75 hash1 = "241390219a0a773463601ca68b77af97453c20af00a66492a7a78c04d481d338" hash2 = "cc086eb7316e68661e3d547b414890d5029c5cc460134d8b628f4b0be7f27fb3" id = "48b376e4-752b-523e-b34e-65b6944c33fb" strings: $x1 = "ADCollector.exe --SPNs --Term key --Acls 'CN=Domain Admins,CN=Users,DC=lab,DC=local'" wide fullword $s1 = "ADCollector.exe" wide fullword $s2 = "ENCRYPTED_TEXT_PASSWORD_ALLOWED" ascii fullword $s3 = "\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf" wide $s4 = "[-] Password Does Not Expire Accounts:" wide $s5 = " * runAs: {0}" wide fullword condition: uint16(0) == 0x5a4d and filesize < 300KB and ( 1 of ($x*) or 3 of them ) } rule HKTL_NET_NAME_MaliciousClickOnceGenerator { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/Mr-Un1k0d3r/MaliciousClickOnceGenerator" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "683af3b4-4c91-5ff3-96bf-d5c1d9c19cc2" strings: $name = "MaliciousClickOnceGenerator" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_directInjectorPOC { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/badBounty/directInjectorPOC" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "d9a430d7-b062-554b-aff4-cfd98d91e9fe" strings: $name = "directInjectorPOC" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_AsStrongAsFuck { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/Charterino/AsStrongAsFuck" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "4c63c8a2-5889-5177-9f66-8e5f755025a3" strings: $name = "AsStrongAsFuck" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_MagentoScanner { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/soufianetahiri/MagentoScanner" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "db3912bd-574c-57e2-a9b6-4b440d144471" strings: $name = "MagentoScanner" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_RevengeRAT_Stub_CSsharp { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/NYAN-x-CAT/RevengeRAT-Stub-CSsharp" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "06dce4f9-4d7a-5976-a87a-07c539e5dbe8" strings: $name = "RevengeRAT-Stub-CSsharp" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_SharPyShell { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/antonioCoco/SharPyShell" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "3069c5eb-446e-5bfa-9df0-2e03f229d4d1" strings: $name = "SharPyShell" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_GhostLoader { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/TheWover/GhostLoader" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "d8d88f3f-f250-55ff-88a6-4623e12ef89d" strings: $name = "GhostLoader" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_DotNetInject { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/dtrizna/DotNetInject" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" modified = "2022-06-28" id = "468f89c4-5b94-53be-b9e6-ad21de7d98ba" strings: $name = "DotNetInject" ascii wide $compile = "AssemblyTitle" ascii wide $fp1 = "GetDotNetInjector" ascii /* MS Txt2AI 489044cadaa0175e36d286fcbe5720fd56b6a0c063beac452b2316c2714332b0 */ $fp2 = "JetBrains.TeamCity.Injector." wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 20MB and $name and $compile and not 1 of ($fp*) } rule HKTL_NET_NAME_ATPMiniDump { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/b4rtik/ATPMiniDump" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "97981569-fe94-5600-8319-946edb4265e7" strings: $name = "ATPMiniDump" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule SUSP_NET_NAME_ConfuserEx { meta: description = "Detects ConfuserEx packed file" reference = "https://github.com/yck1509/ConfuserEx" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" score = 40 date = "2021-01-22" modified = "2021-01-25" id = "f1bda14e-c9fe-5341-8962-691a66233eb0" strings: $name = "ConfuserEx" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_SharpBuster { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/passthehashbrowns/SharpBuster" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "d30c8ee5-88b9-53b5-b209-51f6f3b988cf" strings: $name = "SharpBuster" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_AmsiBypass { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/0xB455/AmsiBypass" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" hash = "8fa4ba512b34a898c4564a8eac254b6a786d195b" author = "Arnim Rupp" date = "2021-01-22" id = "26db14d8-1034-5bd1-a719-4756c832901d" strings: $name = "AmsiBypass" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_Recon_AD { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/outflanknl/Recon-AD" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "097de5cd-0cd4-59cc-a7b7-54cad8e6d230" strings: $name = "Recon-AD" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_SharpWatchdogs { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/RITRedteam/SharpWatchdogs" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "5343be58-879a-5fe7-9036-ee6a22d85f22" strings: $name = "SharpWatchdogs" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_SharpCat { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/Cn33liz/SharpCat" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "a46be8d3-bf7b-5d86-b88b-33e6c8c152d8" strings: $name = "SharpCat" ascii wide fullword $compile = "AssemblyTitle" ascii wide fullword condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_K8tools { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/k8gege/K8tools" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "b30fc856-073d-542f-b222-a957322732c2" strings: $name = "K8tools" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_HTTPSBeaconShell { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/limbenjamin/HTTPSBeaconShell" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "3bd7234b-a23e-5818-aed1-52d42023943b" strings: $name = "HTTPSBeaconShell" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_Ghostpack_CompiledBinaries { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/r3motecontrol/Ghostpack-CompiledBinaries" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "7cc81894-8c01-5a17-a7ed-1cb4cf1e2d53" strings: $name = "Ghostpack-CompiledBinaries" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_metasploit_sharp { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/VolatileMindsLLC/metasploit-sharp" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "b425f241-4887-5368-b42b-3fbbd3b769c6" strings: $name = "metasploit-sharp" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_trevorc2 { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/trustedsec/trevorc2" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "d1634a0d-6964-5886-b836-85c3ce6b8a17" strings: $name = "trevorc2" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_NativePayload_DNS2 { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/DamonMohammadbagher/NativePayload_DNS2" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "0fa01355-de57-573e-9056-0b7a5d24572d" strings: $name = "NativePayload_DNS2" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_AggressiveProxy { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/EncodeGroup/AggressiveProxy" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "e2d3c4e2-404b-59f8-b3d0-a7cef4dfd0ff" strings: $name = "AggressiveProxy" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_MSBuildAPICaller { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/rvrsh3ll/MSBuildAPICaller" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "143da57f-b01f-5688-b741-1bc4d06cd7d1" strings: $name = "MSBuildAPICaller" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_GrayKeylogger { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/DarkSecDevelopers/GrayKeylogger" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "c63875b6-1701-5594-927e-833c25dc5d98" strings: $name = "GrayKeylogger" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_weevely3 { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/epinna/weevely3" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "6bf766b6-d065-5a84-8258-3be448b9cbb8" strings: $name = "weevely3" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_FudgeC2 { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/Ziconius/FudgeC2" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "a8e70bce-76dd-53dc-9a19-1cc6795fdef3" strings: $name = "FudgeC2" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_NativePayload_Reverse_tcp { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/DamonMohammadbagher/NativePayload_Reverse_tcp" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "a6b935cc-adb6-5ff4-a832-1043e77292f7" strings: $name = "NativePayload_Reverse_tcp" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_SharpHose { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/ustayready/SharpHose" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "89b00eb0-f1a2-5c77-a5b0-2329b08aadb7" strings: $name = "SharpHose" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_RAT_NjRat_0_7d_modded_source_code { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/AliBawazeEer/RAT-NjRat-0.7d-modded-source-code" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "2b7d1f75-0164-561e-8199-32c601cbca98" strings: $name = "RAT-NjRat-0.7d-modded-source-code" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_RdpThief { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/0x09AL/RdpThief" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "5ad4feec-50db-5ebb-a609-9196e72a24aa" strings: $name = "RdpThief" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_RunasCs { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/antonioCoco/RunasCs" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "c5fc5b01-1d30-5af5-be99-e629cb23295b" strings: $name = "RunasCs" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_NativePayload_IP6DNS { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/DamonMohammadbagher/NativePayload_IP6DNS" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "3b32b408-e71a-5f2a-ae6f-72a3d6572b71" strings: $name = "NativePayload_IP6DNS" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_NativePayload_ARP { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/DamonMohammadbagher/NativePayload_ARP" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "9fac11f8-4e40-5cbc-a990-2ae48df20828" strings: $name = "NativePayload_ARP" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_C2Bridge { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/cobbr/C2Bridge" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "357051aa-61ea-5454-a996-b4e3a45ac865" strings: $name = "C2Bridge" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_Infrastructure_Assessment { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/NyaMeeEain/Infrastructure-Assessment" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "efacc12b-92b3-5b22-b5bb-cd5a7d7eea0e" strings: $name = "Infrastructure-Assessment" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_shellcodeTester { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/tophertimzen/shellcodeTester" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "964093a4-e6d7-51b7-928a-b1cd40dc11cc" strings: $name = "shellcodeTester" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_gray_hat_csharp_code { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/brandonprry/gray_hat_csharp_code" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "0a94cadc-cc7b-5817-8788-bb1e53937fad" strings: $name = "gray_hat_csharp_code" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_NativePayload_ReverseShell { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/DamonMohammadbagher/NativePayload_ReverseShell" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "eec77c09-02db-5d74-8526-e201d2fe6fc8" strings: $name = "NativePayload_ReverseShell" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_DotNetAVBypass { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/mandreko/DotNetAVBypass" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "918eba2b-150d-5e69-bed0-0979ae889165" strings: $name = "DotNetAVBypass" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_HexyRunner { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/bao7uo/HexyRunner" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "67741b4d-7336-5c88-8f2c-e48c10b187b9" strings: $name = "HexyRunner" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_SharpOffensiveShell { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/darkr4y/SharpOffensiveShell" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "f223fb95-9f16-5504-a6ce-de9d75b38eaa" strings: $name = "SharpOffensiveShell" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_reconness { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/reconness/reconness" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "a30188e4-d96a-59d0-9f51-d7a7e07b14ba" strings: $name = "reconness" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_tvasion { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/loadenmb/tvasion" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "324cddc6-36d9-5670-827e-24e80dcc66a9" strings: $name = "tvasion" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_ibombshell { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/Telefonica/ibombshell" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "02f3272f-8e75-5df4-9052-a315ae202050" strings: $name = "ibombshell" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_RemoteProcessInjection { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/Mr-Un1k0d3r/RemoteProcessInjection" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "f1698cf2-211a-551a-8bc4-4faefcc6106f" strings: $name = "RemoteProcessInjection" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_CACTUSTORCH { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/mdsecactivebreach/CACTUSTORCH" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "7b1e3015-fada-592c-b120-20aa12247d32" strings: $name = "CACTUSTORCH" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_PandaSniper { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/QAX-A-Team/PandaSniper" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "006400fb-7e6d-563b-ba78-17937983c9ba" strings: $name = "PandaSniper" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_xbapAppWhitelistBypassPOC { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/jpginc/xbapAppWhitelistBypassPOC" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "b05253ce-cba4-531d-8f39-d8fae71b114d" strings: $name = "xbapAppWhitelistBypassPOC" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them } rule HKTL_NET_NAME_StageStrike { meta: description = "Detects .NET red/black-team tools via name" reference = "https://github.com/RedXRanger/StageStrike" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Arnim Rupp" date = "2021-01-22" id = "e3f9de04-87f6-5b07-b5b0-a26167937fcc" strings: $name = "StageStrike" ascii wide $compile = "AssemblyTitle" ascii wide condition: (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and all of them }