mirror of
https://github.com/valitydev/signature-base.git
synced 2024-11-06 10:05:18 +00:00
492 KiB
# | Rule | Description | Reference | Date | Score | Author | Tags |
---|---|---|---|---|---|---|---|
1 | ACE_Containing_EXE | Looks for ACE Archives containing an exe/scr file | - | 2015-09-09 00:00:00 | 50 | Florian Roth - based on Nick Hoffman's rule - Morphick Inc | FILE |
2 | ALFA_SHELL | Detects web shell often used by Iranian APT groups | Internal Research - APT33 | 2017-09-21 00:00:00 | 70 | Florian Roth | APT,WEBSHELL |
3 | APT10_Malware_Sample_Gen | APT 10 / Cloud Hopper malware campaign | https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html | 2017-04-06 00:00:00 | 80 | Florian Roth | APT,MAL |
4 | APT12_Malware_Aug17 | Detects APT 12 Malware | http://blog.macnica.net/blog/2017/08/post-fb81.html | 2017-08-30 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
5 | APT15_Malware_Mar18_BS2005 | Detects malware from APT 15 report by NCC Group | https://goo.gl/HZ5XMN | 2018-03-10 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
6 | APT15_Malware_Mar18_MSExchangeTool | Detects malware from APT 15 report by NCC Group | https://goo.gl/HZ5XMN | 2018-03-10 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
7 | APT15_Malware_Mar18_RoyalCli | Detects malware from APT 15 report by NCC Group | https://goo.gl/HZ5XMN | 2018-03-10 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
8 | APT15_Malware_Mar18_RoyalDNS | Detects malware from APT 15 report by NCC Group | https://goo.gl/HZ5XMN | 2018-03-10 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
9 | APT17_Malware_Oct17_1 | Detects APT17 malware | https://goo.gl/puVc9q | 2017-10-03 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
10 | APT17_Malware_Oct17_2 | Detects APT17 malware | https://goo.gl/puVc9q | 2017-10-03 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
11 | APT17_Malware_Oct17_Gen | Detects APT17 malware | https://goo.gl/puVc9q | 2017-10-03 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
12 | APT17_Sample_FXSST_DLL | Detects Samples related to APT17 activity - file FXSST.DLL | https://goo.gl/ZiJyQv | 2015-05-14 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
13 | APT17_Unsigned_Symantec_Binary_EFA | Detects APT17 malware | https://goo.gl/puVc9q | 2017-10-03 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
14 | APT28_CHOPSTICK | Detects a malware that behaves like CHOPSTICK mentioned in APT28 report | https://goo.gl/v3ebal | 2015-06-02 00:00:00 | 60 | Florian Roth | APT,EXE,FILE,RUSSIA |
15 | APT28_HospitalityMalware_document | Yara Rule for APT28_Hospitality_Malware document identification | http://csecybsec.com/download/zlab/APT28_Hospitality_Malware_report.pdf | 1970-01-01 01:00:00 | 70 | CSE CybSec Enterprise - Z-Lab | APT,MAL,RUSSIA |
16 | APT28_HospitalityMalware_mvtband_file | Yara Rule for mvtband.dll malware | http://csecybsec.com/download/zlab/APT28_Hospitality_Malware_report.pdf | 1970-01-01 01:00:00 | 70 | CSE CybSec Enterprise - Z-Lab | EXTVAR |
17 | APT28_SourFace_Malware1 | Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server. | https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html | 2015-06-01 00:00:00 | 60 | Florian Roth | APT,EXE,FILE,MAL,RUSSIA |
18 | APT28_SourFace_Malware2 | Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server. | https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html | 2015-06-01 00:00:00 | 60 | Florian Roth | APT,EXE,FILE,MAL,RUSSIA |
19 | APT28_SourFace_Malware3 | Detects Malware from APT28 incident - SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server. | https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html | 2015-06-01 00:00:00 | 60 | Florian Roth | APT,EXE,FILE,MAL,RUSSIA |
20 | APT30_Generic_1 | FireEye APT30 Report Sample | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE,GEN |
21 | APT30_Generic_2 | FireEye APT30 Report Sample - from many files | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE,GEN |
22 | APT30_Generic_3 | FireEye APT30 Report Sample | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE,GEN |
23 | APT30_Generic_4 | FireEye APT30 Report Sample | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE,GEN |
24 | APT30_Generic_5 | FireEye APT30 Report Sample | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE,GEN |
25 | APT30_Generic_6 | FireEye APT30 Report Sample | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE,GEN |
26 | APT30_Generic_7 | FireEye APT30 Report Sample | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE,GEN |
27 | APT30_Generic_8 | FireEye APT30 Report Sample | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE,GEN |
28 | APT30_Generic_9 | FireEye APT30 Report Sample | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE,GEN |
29 | APT30_Generic_A | FireEye APT30 Report Sample - file af1c1c5d8031c4942630b6a10270d8f4 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE,GEN |
30 | APT30_Generic_B | FireEye APT30 Report Sample - file 29395c528693b69233c1c12bef8a64b3 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE,GEN |
31 | APT30_Generic_C | FireEye APT30 Report Sample - file 0c4fcef3b583d0ffffc2b14b9297d3a4 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE,GEN |
32 | APT30_Generic_D | FireEye APT30 Report Sample - file 597805832d45d522c4882f21db800ecf | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE,GEN |
33 | APT30_Generic_E | FireEye APT30 Report Sample - file 8ff473bedbcc77df2c49a91167b1abeb | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE,GEN |
34 | APT30_Generic_E_v2 | FireEye APT30 Report Sample - file 71f25831681c19ea17b2f2a84a41bbfb | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE,GEN |
35 | APT30_Generic_F | FireEye APT30 Report Sample - file 4c10a1efed25b828e4785d9526507fbc | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE,GEN |
36 | APT30_Generic_G | FireEye APT30 Report Sample - file 53f1358cbc298da96ec56e9a08851b4b | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE,GEN |
37 | APT30_Generic_H | FireEye APT30 Report Sample - file db3e5c2f2ce07c2d3fa38d6fc1ceb854 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE,GEN |
38 | APT30_Generic_I | FireEye APT30 Report Sample - file fe211c7a081c1dac46e3935f7c614549 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE,GEN |
39 | APT30_Generic_J | FireEye APT30 Report Sample - file baff5262ae01a9217b10fcd5dad9d1d5 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE,GEN |
40 | APT30_Generic_K | FireEye APT30 Report Sample - file b5a343d11e1f7340de99118ce9fc1bbb | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE,GEN |
41 | APT30_Microfost | FireEye APT30 Report Sample - file 310a4a62ba3765cbf8e8bbb9f324c503 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
42 | APT30_Sample_10 | FireEye APT30 Report Sample - file 8c713117af4ca6bbd69292a78069e75b | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
43 | APT30_Sample_11 | FireEye APT30 Report Sample - file d97aace631d6f089595f5ce177f54a39 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
44 | APT30_Sample_12 | FireEye APT30 Report Sample - file c95cd106c1fecbd500f4b97566d8dc96 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
45 | APT30_Sample_13 | FireEye APT30 Report Sample - file 95bb314fe8fdbe4df31a6d23b0d378bc | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
46 | APT30_Sample_14 | FireEye APT30 Report Sample - file 6f931c15789d234881be8ae8ccfe33f4 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
47 | APT30_Sample_15 | FireEye APT30 Report Sample - file e26a2afaaddfb09d9ede505c6f1cc4e3 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
48 | APT30_Sample_16 | FireEye APT30 Report Sample - file 37e568bed4ae057e548439dc811b4d3a | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
49 | APT30_Sample_17 | FireEye APT30 Report Sample - file 23813c5bf6a7af322b40bd2fd94bd42e | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
50 | APT30_Sample_18 | FireEye APT30 Report Sample - file b2138a57f723326eda5a26d2dec56851 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
51 | APT30_Sample_19 | FireEye APT30 Report Sample - file 5d4f2871fd1818527ebd65b0ff930a77 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
52 | APT30_Sample_1 | FireEye APT30 Report Sample - file 4c6b21e98ca03e0ef0910e07cef45dac | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
53 | APT30_Sample_20 | FireEye APT30 Report Sample - file 5ae51243647b7d03a5cb20dccbc0d561 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
54 | APT30_Sample_21 | FireEye APT30 Report Sample - file 78c4fcee5b7fdbabf3b9941225d95166 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
55 | APT30_Sample_22 | FireEye APT30 Report Sample - file fad06d7b4450c4631302264486611ec3 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
56 | APT30_Sample_23 | FireEye APT30 Report Sample - file a5ca2c5b4d8c0c1bc93570ed13dcab1a | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
57 | APT30_Sample_24 | FireEye APT30 Report Sample - file 062fe1336459a851bd0ea271bb2afe35 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
58 | APT30_Sample_25 | FireEye APT30 Report Sample - file c4c068200ad8033a0f0cf28507b51842 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
59 | APT30_Sample_26 | FireEye APT30 Report Sample - file 428fc53c84e921ac518e54a5d055f54a | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
60 | APT30_Sample_27 | FireEye APT30 Report Sample - file d38e02eac7e3b299b46ff2607dd0f288 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
61 | APT30_Sample_28 | FireEye APT30 Report Sample - file e62a63307deead5c9fcca6b9a2d51fb0 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
62 | APT30_Sample_29 | FireEye APT30 Report Sample - file 1b81b80ff0edf57da2440456d516cc90 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
63 | APT30_Sample_2 | FireEye APT30 Report Sample - file c4dec6d69d8035d481e4f2c86f580e81 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
64 | APT30_Sample_30 | FireEye APT30 Report Sample - file bf8616bbed6d804a3dea09b230c2ab0c | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
65 | APT30_Sample_31 | FireEye APT30 Report Sample - file d8e68db503f4155ed1aeba95d1f5e3e4 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
66 | APT30_Sample_33 | FireEye APT30 Report Sample - file 5eaf3deaaf2efac92c73ada82a651afe | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
67 | APT30_Sample_34 | FireEye APT30 Report Sample - file a9e8e402a7ee459e4896d0ba83543684 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
68 | APT30_Sample_35 | FireEye APT30 Report Sample - file 414854a9b40f7757ed7bfc6a1b01250f | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
69 | APT30_Sample_3 | FireEye APT30 Report Sample - file 59e055cee87d8faf6f701293e5830b5a | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
70 | APT30_Sample_4 | FireEye APT30 Report Sample - file 6ba315275561d99b1eb8fc614ff0b2b3 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
71 | APT30_Sample_5 | FireEye APT30 Report Sample - file ebf42e8b532e2f3b19046b028b5dfb23 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
72 | APT30_Sample_6 | FireEye APT30 Report Sample - file ee1b23c97f809151805792f8778ead74 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
73 | APT30_Sample_7 | FireEye APT30 Report Sample - file 74b87086887e0c67ffb035069b195ac7 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
74 | APT30_Sample_8 | FireEye APT30 Report Sample - file 44b98f22155f420af4528d17bb4a5ec8 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
75 | APT30_Sample_9 | FireEye APT30 Report Sample - file e3ae3cbc024e39121c87d73e87bb2210 | https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf | 2015-04-13 00:00:00 | 70 | Florian Roth | APT,FILE |
76 | APT34_Malware_Exeruner | Detects APT 34 malware | https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html | 2017-12-07 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
77 | APT34_Malware_HTA | Detects APT 34 malware | https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html | 2017-12-07 00:00:00 | 70 | Florian Roth | APT,MAL |
78 | APT6_Malware_Sample_Gen | Rule written for 2 malware samples that communicated to APT6 C2 servers | https://otx.alienvault.com/pulse/56c4d1664637f26ad04e5b73/ | 2016-04-09 00:00:00 | 80 | Florian Roth | APT,EXE,FILE,MAL |
79 | APTGroupX_PlugXTrojanLoader_StringDecode | Rule to detect PlugX Malware | https://t.co/4xQ8G2mNap | 1970-01-01 01:00:00 | 80 | Jay DiMartino | MAL |
80 | APT_APT10_Malware_Imphash_Dec18_1 | Detects APT10 malware based on ImpHashes | AlienVault OTX IOCs - statistical sample analysis | 2018-12-28 00:00:00 | 70 | Florian Roth | APT,CHINA,EXE,FILE,MAL |
81 | APT_APT28_Cannon_Trojan_Nov18_1 | Detects Cannon Trojan used by Sofacy | https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/ | 2018-11-20 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL,RUSSIA |
82 | APT_Area1_SSF_GoogleSend_Strings | Detects send tool used in phishing campaign reported by Area 1 in December 2018 | https://cdn.area1security.com/reports/Area-1-Security-PhishingDiplomacy.pdf | 2018-12-19 00:00:00 | 70 | Area 1 (modified by Florian Roth) | EXE,FILE |
83 | APT_Area1_SSF_PlugX | Detects send tool used in phishing campaign reported by Area 1 in December 2018 | https://cdn.area1security.com/reports/Area-1-Security-PhishingDiplomacy.pdf | 2018-12-19 00:00:00 | 70 | Area 1 | |
84 | APT_Cloaked_PsExec | Looks like a cloaked PsExec. May be APT group activity. | - | 2014-07-18 00:00:00 | 60 | Florian Roth | APT,EXE,EXTVAR,FILE |
85 | APT_Cloaked_ScanLine | Looks like a cloaked ScanLine Port Scanner. May be APT group activity. | - | 2014-07-18 00:00:00 | 50 | Florian Roth | APT,EXTVAR,HKTL |
86 | APT_Cloaked_SuperScan | Looks like a cloaked SuperScan Port Scanner. May be APT group activity. | - | 2014-07-18 00:00:00 | 50 | Florian Roth | APT,EXTVAR,HKTL |
87 | APT_CobaltStrike_Beacon_Indicator | Detects CobaltStrike beacons | https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py | 2018-11-09 00:00:00 | 70 | JPCERT | EXE,FILE |
88 | APT_DarkHydrus_Jul18_1 | Detects strings found in malware samples in APT report in DarkHydrus | https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/ | 2018-07-28 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MIDDLE_EAST |
89 | APT_DarkHydrus_Jul18_2 | Detects strings found in malware samples in APT report in DarkHydrus | https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/ | 2018-07-28 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MIDDLE_EAST |
90 | APT_DarkHydrus_Jul18_3 | Detects strings found in malware samples in APT report in DarkHydrus | https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/ | 2018-07-28 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MIDDLE_EAST |
91 | APT_DarkHydrus_Jul18_4 | Detects strings found in malware samples in APT report in DarkHydrus | https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/ | 2018-07-28 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MIDDLE_EAST |
92 | APT_DarkHydrus_Jul18_5 | Detects strings found in malware samples in APT report in DarkHydrus | https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/ | 2018-07-28 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MIDDLE_EAST |
93 | APT_DonotTeam_YTYframework | Modular malware framework with similarities to EHDevel | arbornetworks.com/blog/asert/don | 2018-08-03 00:00:00 | 70 | James E.C, ProofPoint | FILE |
94 | APT_FIN7_EXE_Sample_Aug18_10 | Detects sample from FIN7 report in August 2018 | https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html | 2018-08-01 00:00:00 | 70 | Florian Roth | EXE,FILE,RUSSIA |
95 | APT_FIN7_EXE_Sample_Aug18_1 | Detects sample from FIN7 report in August 2018 | https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html | 2018-08-01 00:00:00 | 70 | Florian Roth | EXE,FILE,RUSSIA |
96 | APT_FIN7_EXE_Sample_Aug18_2 | Detects sample from FIN7 report in August 2018 | https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html | 2018-08-01 00:00:00 | 70 | Florian Roth | EXE,FILE,RUSSIA |
97 | APT_FIN7_EXE_Sample_Aug18_3 | Detects sample from FIN7 report in August 2018 | https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html | 2018-08-01 00:00:00 | 70 | Florian Roth | EXE,FILE,RUSSIA |
98 | APT_FIN7_EXE_Sample_Aug18_4 | Detects sample from FIN7 report in August 2018 | https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html | 2018-08-01 00:00:00 | 70 | Florian Roth | EXE,FILE,RUSSIA |
99 | APT_FIN7_EXE_Sample_Aug18_5 | Detects sample from FIN7 report in August 2018 | https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html | 2018-08-01 00:00:00 | 70 | Florian Roth | EXE,FILE,RUSSIA |
100 | APT_FIN7_EXE_Sample_Aug18_6 | Detects sample from FIN7 report in August 2018 | https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html | 2018-08-01 00:00:00 | 70 | Florian Roth | EXE,FILE,RUSSIA |
101 | APT_FIN7_EXE_Sample_Aug18_7 | Detects sample from FIN7 report in August 2018 | https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html | 2018-08-01 00:00:00 | 70 | Florian Roth | EXE,FILE,RUSSIA |
102 | APT_FIN7_EXE_Sample_Aug18_8 | Detects sample from FIN7 report in August 2018 | https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html | 2018-08-01 00:00:00 | 70 | Florian Roth | EXE,FILE,RUSSIA |
103 | APT_FIN7_MalDoc_Aug18_1 | Detects malicious Doc from FIN7 campaign | https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html | 2018-08-01 00:00:00 | 70 | Florian Roth | RUSSIA |
104 | APT_FIN7_Sample_Aug18_1 | Detects FIN7 samples mentioned in FireEye report | https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html | 2018-08-01 00:00:00 | 70 | Florian Roth | FILE,RUSSIA |
105 | APT_FIN7_Sample_Aug18_2 | Detects FIN7 malware sample | https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html | 2018-08-01 00:00:00 | 70 | Florian Roth | FILE,RUSSIA |
106 | APT_FIN7_Sample_EXE_Aug18_1 | Detects FIN7 Sample | https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html | 2018-08-01 00:00:00 | 70 | Florian Roth | EXE,FILE,RUSSIA |
107 | APT_FIN7_Strings_Aug18_1 | Detects strings from FIN7 report in August 2018 | https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html | 2018-08-01 00:00:00 | 70 | Florian Roth | RUSSIA |
108 | APT_FallChill_RC4_Keys | Detects FallChill RC4 keys | https://securelist.com/operation-applejeus/87553/ | 2018-08-21 00:00:00 | 70 | Florian Roth | EXE,FILE |
109 | APT_GreyEnergy_Malware_Oct18_1 | Detects samples from Grey Energy report | https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/ | 2018-10-17 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
110 | APT_GreyEnergy_Malware_Oct18_2 | Detects samples from Grey Energy report | https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/ | 2018-10-17 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
111 | APT_GreyEnergy_Malware_Oct18_3 | Detects samples from Grey Energy report | https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/ | 2018-10-17 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
112 | APT_GreyEnergy_Malware_Oct18_4 | Detects samples from Grey Energy report | https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/ | 2018-10-17 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
113 | APT_GreyEnergy_Malware_Oct18_5 | Detects samples from Grey Energy report | https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/ | 2018-10-17 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
114 | APT_HiddenCobra_GhostSecret_1 | Detects Hidden Cobra Sample | https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/ | 2018-08-11 00:00:00 | 70 | Florian Roth | EXE,FILE,NK |
115 | APT_HiddenCobra_GhostSecret_2 | Detects Hidden Cobra Sample | https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/ | 2018-08-11 00:00:00 | 70 | Florian Roth | EXE,FILE,NK |
116 | APT_HiddenCobra_enc_PK_header | Hidden Cobra - Detects trojan with encrypted header | https://www.us-cert.gov/ncas/analysis-reports/AR18-165A | 2018-04-12 00:00:00 | 70 | NCCIC trusted 3rd party - Edit: Tobias Michalski | FILE,NK |
117 | APT_HiddenCobra_import_obfuscation_2 | Hidden Cobra - Detects remote access trojan | https://www.us-cert.gov/ncas/analysis-reports/AR18-165A | 2018-04-12 00:00:00 | 70 | NCCIC trusted 3rd party - Edit: Tobias Michalski | FILE,NK,OBFUS |
118 | APT_Kaspersky_Duqu2_SamsungPrint | Kaspersky APT Report - Duqu2 Sample - file 2a9a5afc342cde12c6eb9a91ad29f7afdfd8f0fb17b983dcfddceccfbc17af69 | https://goo.gl/7yKyOj | 2015-06-10 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
119 | APT_Kaspersky_Duqu2_msi3_32 | Kaspersky APT Report - Duqu2 Sample - file d8a849654ab97debaf28ae5b749c3b1ff1812ea49978713853333db48c3972c3 | https://goo.gl/7yKyOj | 2015-06-10 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
120 | APT_Kaspersky_Duqu2_procexp | Kaspersky APT Report - Duqu2 Sample - Malicious MSI | https://goo.gl/7yKyOj | 2015-06-10 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
121 | APT_Lazarus_Aug18_1 | Detects Lazarus Group Malware | https://securelist.com/operation-applejeus/87553/ | 2018-08-24 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL,NK |
122 | APT_Lazarus_Aug18_2 | Detects Lazarus Group Malware | https://securelist.com/operation-applejeus/87553/ | 2018-08-24 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL,NK |
123 | APT_Lazarus_Aug18_Downloader_1 | Detects Lazarus Group Malware Downloader | https://securelist.com/operation-applejeus/87553/ | 2018-08-24 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL,NK |
124 | APT_Lazarus_Dropper_Jun18_1 | Detects Lazarus Group Dropper | https://twitter.com/DrunkBinary/status/1002587521073721346 | 2018-06-01 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL,NK |
125 | APT_Lazarus_RAT_Jun18_1 | Detects Lazarus Group RAT | https://twitter.com/DrunkBinary/status/1002587521073721346 | 2018-06-01 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL,NK |
126 | APT_Lazarus_RAT_Jun18_2 | Detects Lazarus Group RAT | https://twitter.com/DrunkBinary/status/1002587521073721346 | 2018-06-01 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL,NK |
127 | APT_Liudoor | Detects Liudoor daemon backdoor | - | 2015-07-23 00:00:00 | 70 | RSA FirstWatch | MAL |
128 | APT_MAL_DNS_Hijacking_Campaign_AA19_024A | Detects malware used in DNS Hijacking campaign | https://www.us-cert.gov/ncas/alerts/AA19-024A | 2019-01-25 00:00:00 | 70 | Florian Roth | EXE,FILE |
129 | APT_ME_BigBang_Gen_Jul18_1 | Detects malware from Big Bang campaign against Palestinian authorities | https://research.checkpoint.com/apt-attack-middle-east-big-bang/ | 2018-07-09 00:00:00 | 70 | Florian Roth | EXE,FILE,GEN |
130 | APT_ME_BigBang_Mal_Jul18_1 | Detects malware from Big Bang report | https://research.checkpoint.com/apt-attack-middle-east-big-bang/ | 2018-07-09 00:00:00 | 70 | Florian Roth | EXE,FILE |
131 | APT_MagicHound_MalMacro | Detects malicious macro / powershell in Office document | https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations | 2017-02-17 00:00:00 | 70 | Florian Roth | FILE,OFFICE |
132 | APT_Malware_CommentCrew_MiniASP | CommentCrew Malware MiniASP APT | VT Analysis | 2015-06-03 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
133 | APT_Malware_PutterPanda_Gen1 | Detects a malware | not set | 2015-06-03 00:00:00 | 70 | YarGen Rule Generator | EXE,FILE,MAL |
134 | APT_Malware_PutterPanda_Gen4 | Detects Malware related to PutterPanda | VT Analysis | 2015-06-03 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,MAL |
135 | APT_Malware_PutterPanda_MsUpdater_1 | Detects Malware related to PutterPanda - MSUpdater | VT Analysis | 2015-06-03 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,MAL |
136 | APT_Malware_PutterPanda_MsUpdater_2 | Detects Malware related to PutterPanda - MSUpdater | VT Analysis | 2015-06-03 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,MAL |
137 | APT_Malware_PutterPanda_MsUpdater_3 | Detects Malware related to PutterPanda - MSUpdater | VT Analysis | 2015-06-03 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,MAL |
138 | APT_Malware_PutterPanda_PSAPI | Detects a malware related to Putter Panda | VT Analysis | 2015-06-03 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,MAL |
139 | APT_Malware_PutterPanda_Rel | Detects an APT malware related to PutterPanda | VT Analysis | 2015-06-03 00:00:00 | 70 | Florian Roth | APT,CHINA,EXE,FILE,MAL |
140 | APT_Malware_PutterPanda_Rel_2 | APT Malware related to PutterPanda Group | VT Analysis | 2015-06-03 00:00:00 | 70 | Florian Roth | APT,CHINA,EXE,FILE,MAL |
141 | APT_Malware_PutterPanda_WUAUCLT | Detects a malware related to Putter Panda | VT Analysis | 2015-06-03 00:00:00 | 70 | Florian Roth | CHINA,MAL |
142 | APT_NK_AR18_165A_1 | Detects APT malware from AR18-165A report by US CERT | https://www.us-cert.gov/ncas/analysis-reports/AR18-165A | 2018-06-15 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
143 | APT_NK_AR18_165A_HiddenCobra_import_deob | Hidden Cobra - Detects installed proxy module as a service | https://www.us-cert.gov/ncas/analysis-reports/AR18-165A | 2018-04-12 00:00:00 | 70 | NCCIC trusted 3rd party - Edit: Tobias Michalski | FILE,NK |
144 | APT_Project_Sauron_Custom_M1 | Detects malware from Project Sauron APT | https://goo.gl/eFoP4A | 2016-08-09 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
145 | APT_Project_Sauron_Custom_M2 | Detects malware from Project Sauron APT | https://goo.gl/eFoP4A | 2016-08-09 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
146 | APT_Project_Sauron_Custom_M3 | Detects malware from Project Sauron APT | https://goo.gl/eFoP4A | 2016-08-09 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
147 | APT_Project_Sauron_Custom_M4 | Detects malware from Project Sauron APT | https://goo.gl/eFoP4A | 2016-08-09 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
148 | APT_Project_Sauron_Custom_M6 | Detects malware from Project Sauron APT | https://goo.gl/eFoP4A | 2016-08-09 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
149 | APT_Project_Sauron_Custom_M7 | Detects malware from Project Sauron APT | https://goo.gl/eFoP4A | 2016-08-09 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
150 | APT_Project_Sauron_Scripts | Detects scripts (mostly LUA) from Project Sauron report by Kaspersky | https://goo.gl/eFoP4A | 2016-08-08 00:00:00 | 70 | Florian Roth | |
151 | APT_Project_Sauron_arping_module | Detects strings from arping module - Project Sauron report by Kaspersky | https://goo.gl/eFoP4A | 2016-08-08 00:00:00 | 70 | Florian Roth | |
152 | APT_Project_Sauron_basex_module | Detects strings from basex module - Project Sauron report by Kaspersky | https://goo.gl/eFoP4A | 2016-08-08 00:00:00 | 70 | Florian Roth | |
153 | APT_Project_Sauron_dext_module | Detects strings from dext module - Project Sauron report by Kaspersky | https://goo.gl/eFoP4A | 2016-08-08 00:00:00 | 70 | Florian Roth | |
154 | APT_Project_Sauron_kblogi_module | Detects strings from kblogi module - Project Sauron report by Kaspersky | https://goo.gl/eFoP4A | 2016-08-08 00:00:00 | 70 | Florian Roth | |
155 | APT_Proxy_Malware_Packed_dev | APT Malware - Proxy | - | 2014-11-10 00:00:00 | 50 | FRoth | APT,HKTL,MAL |
156 | APT_PupyRAT_PY | Detects Pupy RAT | https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations | 2017-02-17 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
157 | APT_RANCOR_DDKONG_Malware_Exports | Detects DDKONG malware | https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/ | 2018-06-26 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
158 | APT_RANCOR_JS_Malware | Rancor Malware | https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/ | 2018-06-26 00:00:00 | 70 | Florian Roth | FILE,MAL |
159 | APT_RANCOR_PLAINTEE_Malware_Exports | Detects PLAINTEE malware | https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/ | 2018-06-26 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
160 | APT_RANCOR_PLAINTEE_Variant | Detects PLAINTEE malware | https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/ | 2018-06-26 00:00:00 | 70 | Florian Roth | EXE,FILE |
161 | APT_TA18_149A_Joanap_Sample1 | Detects malware from TA18-149A report by US-CERT | https://www.us-cert.gov/ncas/alerts/TA18-149A | 2018-05-30 00:00:00 | 70 | Florian Roth | EXE,FILE |
162 | APT_TA18_149A_Joanap_Sample2 | Detects malware from TA18-149A report by US-CERT | https://www.us-cert.gov/ncas/alerts/TA18-149A | 2018-05-30 00:00:00 | 70 | Florian Roth | EXE,FILE |
163 | APT_TA18_149A_Joanap_Sample3 | Detects malware from TA18-149A report by US-CERT | https://www.us-cert.gov/ncas/alerts/TA18-149A | 2018-05-30 00:00:00 | 70 | Florian Roth | EXE,FILE |
164 | APT_Thrip_Sample_Jun18_10 | Detects sample found in Thrip report by Symantec | https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets | 2018-06-21 00:00:00 | 70 | Florian Roth | EXE,FILE |
165 | APT_Thrip_Sample_Jun18_11 | Detects sample found in Thrip report by Symantec | https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets | 2018-06-21 00:00:00 | 70 | Florian Roth | EXE,FILE |
166 | APT_Thrip_Sample_Jun18_12 | Detects sample found in Thrip report by Symantec | https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets | 2018-06-21 00:00:00 | 70 | Florian Roth | EXE,FILE |
167 | APT_Thrip_Sample_Jun18_13 | Detects sample found in Thrip report by Symantec | https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets | 2018-06-21 00:00:00 | 70 | Florian Roth | EXE,FILE |
168 | APT_Thrip_Sample_Jun18_14 | Detects sample found in Thrip report by Symantec | https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets | 2018-06-21 00:00:00 | 70 | Florian Roth | EXE,FILE |
169 | APT_Thrip_Sample_Jun18_15 | Detects sample found in Thrip report by Symantec | https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets | 2018-06-21 00:00:00 | 70 | Florian Roth | EXE,FILE |
170 | APT_Thrip_Sample_Jun18_16 | Detects sample found in Thrip report by Symantec | https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets | 2018-06-21 00:00:00 | 70 | Florian Roth | EXE,FILE |
171 | APT_Thrip_Sample_Jun18_17 | Detects sample found in Thrip report by Symantec | https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets | 2018-06-21 00:00:00 | 70 | Florian Roth | EXE,FILE |
172 | APT_Thrip_Sample_Jun18_18 | Detects sample found in Thrip report by Symantec | https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets | 2018-06-21 00:00:00 | 70 | Florian Roth | EXE,FILE |
173 | APT_Thrip_Sample_Jun18_1 | Detects sample found in Thrip report by Symantec | https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets | 2018-06-21 00:00:00 | 70 | Florian Roth | EXE,FILE |
174 | APT_Thrip_Sample_Jun18_2 | Detects sample found in Thrip report by Symantec | https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets | 2018-06-21 00:00:00 | 70 | Florian Roth | EXE,FILE |
175 | APT_Thrip_Sample_Jun18_3 | Detects sample found in Thrip report by Symantec | https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets | 2018-06-21 00:00:00 | 70 | Florian Roth | EXE,FILE |
176 | APT_Thrip_Sample_Jun18_4 | Detects sample found in Thrip report by Symantec | https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets | 2018-06-21 00:00:00 | 70 | Florian Roth | EXE,FILE |
177 | APT_Thrip_Sample_Jun18_5 | Detects sample found in Thrip report by Symantec | https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets | 2018-06-21 00:00:00 | 70 | Florian Roth | EXE,FILE |
178 | APT_Thrip_Sample_Jun18_6 | Detects sample found in Thrip report by Symantec | https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets | 2018-06-21 00:00:00 | 70 | Florian Roth | EXE,FILE |
179 | APT_Thrip_Sample_Jun18_7 | Detects sample found in Thrip report by Symantec | https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets | 2018-06-21 00:00:00 | 70 | Florian Roth | EXE,FILE |
180 | APT_Thrip_Sample_Jun18_8 | Detects sample found in Thrip report by Symantec | https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets | 2018-06-21 00:00:00 | 70 | Florian Roth | |
181 | APT_Thrip_Sample_Jun18_9 | Detects sample found in Thrip report by Symantec | https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets | 2018-06-21 00:00:00 | 70 | Florian Roth | EXE,FILE |
182 | APT_Tick_HomamDownloader_Jun18 | Detects HomamDownloader from Tick group incident - Weaponized USB | https://researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/ | 2018-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
183 | APT_Tick_Sysmon_Loader_Jun18 | Detects Sysmon Loader from Tick group incident - Weaponized USB | https://researchcenter.paloaltonetworks.com/2018/06/unit42-tick-group-weaponized-secure-usb-drives-target-air-gapped-critical-systems/ | 2018-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
184 | APT_Turla_Agent_BTZ_Gen_1 | Detects Turla Agent.BTZ | Internal Research | 2018-06-16 00:00:00 | 80 | Florian Roth | EXE,FILE,GEN,RUSSIA |
185 | ASPXspy2 | Web shell - file ASPXspy2.aspx | not set | 2015-01-24 00:00:00 | 70 | Florian Roth | WEBSHELL |
186 | ASP_CmdAsp | Webshells Auto-generated - file CmdAsp.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
187 | ASPack_ASPACK | Disclosed hacktool set (old stuff) - file ASPACK.EXE | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
188 | ASPack_Chinese | Disclosed hacktool set (old stuff) - file ASPack Chinese.ini | - | 2014-11-23 00:00:00 | 60 | Florian Roth | CHINA,HKTL |
189 | Acrotray_Anomaly | Detects an acrotray.exe that does not contain the usual strings | - | 1970-01-01 01:00:00 | 75 | Florian Roth | EXE,EXTVAR,FILE |
190 | Agent_BTZ_Aug17 | Detects Agent.BTZ | http://www.intezer.com/new-variants-of-agent-btz-comrat-found/ | 2017-08-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
191 | Agent_BTZ_Proxy_DLL_1 | Detects Agent-BTZ Proxy DLL - activeds.dll | http://www.intezer.com/new-variants-of-agent-btz-comrat-found/ | 2017-08-07 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
192 | Agent_BTZ_Proxy_DLL_2 | Detects Agent-BTZ Proxy DLL - activeds.dll | http://www.intezer.com/new-variants-of-agent-btz-comrat-found/ | 2017-08-07 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
193 | Ajan_asp | Semi-Auto-generated - file Ajan.asp.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
194 | Ajax_PHP_Command_Shell_php | Semi-Auto-generated - file Ajax_PHP Command Shell.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
195 | AllTheThings | Detects AllTheThings | https://github.com/subTee/AllTheThings | 2017-07-27 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
196 | Ammyy_Admin_AA_v3 | Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe | http://goo.gl/gkAg2E | 2014-12-22 00:00:00 | 55 | Florian Roth | APT,HKTL |
197 | Amplia_Security_Tool | Amplia Security Tool | - | 1970-01-01 01:00:00 | 60 | - | HKTL |
198 | Andromeda_MalBot_Jun_1A | Detects a malicious Worm Andromeda / RETADUP | http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/ | 2017-06-30 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
199 | Angry_IP_Scanner_v2_08_ipscan | Auto-generated rule on file ipscan.exe | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator by Florian Roth | HKTL |
200 | Antichat_Shell_v1_3_php | Semi-Auto-generated - file Antichat Shell v1.3.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
201 | Antichat_Socks5_Server_php_php | Semi-Auto-generated - file Antichat Socks5 Server.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
202 | Antiy_Ports_1_21 | Disclosed hacktool set (old stuff) - file Antiy Ports 1.21.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
203 | Apolmy_Privesc_Trojan | Apolmy Privilege Escalation Trojan used in APT Terracotta | https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/ | 2015-08-04 00:00:00 | 80 | Florian Roth | APT,EXE,FILE,MAL |
204 | AppInitHook | AppInitGlobalHooks-Mimikatz - Hide Mimikatz From Process Lists - file AppInitHook.dll | https://goo.gl/Z292v6 | 2015-07-15 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
205 | Armitage_MeterpreterSession_Strings | Detects Armitage component | Internal Research | 2017-12-24 00:00:00 | 70 | Florian Roth | |
206 | Armitage_OSX | Detects Armitage component | Internal Research | 2017-12-24 00:00:00 | 70 | Florian Roth | |
207 | Armitage_msfconsole | Detects Armitage component | Internal Research | 2017-12-24 00:00:00 | 70 | Florian Roth | FILE |
208 | Arp_EMP_v1_0 | Chinese Hacktool Set - file Arp EMP v1.0.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
209 | ArtTrayHookDll | Disclosed hacktool set (old stuff) - file ArtTrayHookDll.dll | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
210 | ArtTray_zip_Folder_ArtTray | Disclosed hacktool set (old stuff) - file ArtTray.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
211 | Asmodeus_v0_1_pl | Semi-Auto-generated - file Asmodeus v0.1.pl.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
212 | Ayyildiz_Tim___AYT__Shell_v_2_1_Biz_html | Semi-Auto-generated - file Ayyildiz Tim -AYT- Shell v 2.1 Biz.html.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
213 | BIN_Client | Webshells Auto-generated - file Client.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
214 | BIN_Server | Webshells Auto-generated - file Server.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
215 | BKDR_Snarasite_Oct17 | Auto-generated rule - file 36ba92cba23971ca9d16a0b4f45c853fd5b3108076464d5f2027b0f56054fd62 | Internal Research | 2017-10-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
216 | BTC_Miner_lsass1_chrome_2 | Detects a Bitcoin Miner | Internal Research - CN Actor | 2017-06-22 00:00:00 | 60 | Florian Roth | EXE,FILE |
217 | BackDooR__fr_ | Webshells Auto-generated - file BackDooR (fr).php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
218 | Backdoor_Naikon_APT_Sample1 | Detects backdoors related to the Naikon APT | https://goo.gl/7vHyvh | 2015-05-14 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
219 | Backdoor_Nitol_Jun17 | Detects malware backdoor Nitol - file wyawou.exe - Attention: this rule also matches on Upatre Downloader | https://goo.gl/OOB3mH | 2017-06-04 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
220 | Backdoor_Redosdru_Jun17 | Detects malware Redosdru - file systemHome.exe | https://goo.gl/OOB3mH | 2017-06-04 00:00:00 | 70 | Florian Roth | EXE,FILE |
221 | BadRabbit_Gen | Detects BadRabbit Ransomware | https://pastebin.com/Y7pJv3tK | 2017-10-25 00:00:00 | 70 | Florian Roth | CRIME,EXE,FILE,MAL,RANSOM |
222 | BadRabbit_Mimikatz_Comp | Auto-generated rule - file 2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 | https://pastebin.com/Y7pJv3tK | 2017-10-25 00:00:00 | 70 | Florian Roth | EXE,FILE |
223 | Base64_PS1_Shellcode | Detects Base64 encoded PS1 Shellcode | https://twitter.com/ItsReallyNick/status/1062601684566843392 | 2018-11-14 00:00:00 | 65 | Nick Carr, David Ledbetter | |
224 | Base64_encoded_Executable | Detects a base64 encoded executable (often embedded) | - | 2015-05-28 00:00:00 | 40 | Florian Roth | EXE,EXTVAR,FILE |
225 | Batch_Powershell_Invoke_Inveigh | Detects malicious batch file from NCSC report | https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control | 2018-04-06 00:00:00 | 70 | NCSC | |
226 | Batch_Script_To_Run_PsExec | Detects malicious batch file from NCSC report | https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control | 2018-04-06 00:00:00 | 70 | NCSC | |
227 | Beacon_K5om | Detects Meterpreter Beacon - file K5om.dll | https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html | 2017-06-07 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL,METASPLOIT |
228 | Beastdoor_Backdoor | Detects the backdoor Beastdoor | - | 1970-01-01 01:00:00 | 55 | Florian Roth | HKTL,MAL |
229 | BeepService_Hacktool | Detects BeepService Hacktool used by Chinese APT groups | https://goo.gl/p32Ozf | 2016-05-12 00:00:00 | 85 | Florian Roth | APT,CHINA,EXE,FILE,HKTL |
230 | BergSilva_Malware | Detects a malware from the same author as the Indetectables RAT | - | 2015-10-01 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
231 | BernhardPOS | BernhardPOS Credit Card dumping tool | http://morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morphick | 1970-01-01 01:00:00 | 70 | Nick Hoffman / Jeremy Humble | |
232 | BeyondExec_RemoteAccess_Tool | Detects BeyondExec Remote Access Tool - file rexesvr.exe | https://goo.gl/BvYurS | 2017-03-17 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
233 | Binary_Drop_Certutil | Drop binary as base64 encoded cert trick | https://goo.gl/9DNn8q | 2015-07-15 00:00:00 | 70 | Florian Roth | |
234 | BlackEnergy_BE_2 | Detects BlackEnergy 2 Malware | http://goo.gl/DThzLz | 2015-02-19 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
235 | BlackEnergy_BackdoorPass_DropBear_SSH | Detects the password of the backdoored DropBear SSH Server - BlackEnergy | http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/ | 2016-01-03 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL,RUSSIA |
236 | BlackEnergy_Driver_AMDIDE | Black Energy Malware | http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/ | 2016-01-04 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
237 | BlackEnergy_Driver_USBMDM | Black Energy Driver | http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/ | 2016-01-04 00:00:00 | 70 | Florian Roth | EXE,FILE |
238 | BlackEnergy_KillDisk_1 | Detects KillDisk malware from BlackEnergy | http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/ | 2016-01-03 00:00:00 | 80 | Florian Roth | EXE,FILE |
239 | BlackEnergy_KillDisk_2 | Detects KillDisk malware from BlackEnergy | http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/ | 2016-01-03 00:00:00 | 80 | Florian Roth | EXE,FILE |
240 | BlackEnergy_VBS_Agent | Detects VBS Agent from BlackEnergy Report - file Dropbearrun.vbs | http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/ | 2016-01-03 00:00:00 | 70 | Florian Roth | SCRIPT |
241 | Bladabindi_Malware_B64 | Detects Bladabindi Malware using Base64 encoded strings | Internal Research | 2016-10-08 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
242 | BluenoroffPoS_DLL | Bluenoroff POS malware - hkp.dll | http://blog.trex.re.kr/3?category=737685 | 2018-06-07 00:00:00 | 70 | http://blog.trex.re.kr/ | |
243 | BluesPortScan | Auto-generated rule on file BluesPortScan.exe | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator by Florian Roth | HKTL |
244 | BronzeButler_DGet_1 | Detects malware / hacktool sample from Bronze Butler incident | https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses | 2017-10-14 00:00:00 | 70 | Florian Roth | EXE,FILE |
245 | BronzeButler_Daserf_C_1 | Detects malware / hacktool sample from Bronze Butler incident | https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses | 2017-10-14 00:00:00 | 70 | Florian Roth | EXE,FILE |
246 | BronzeButler_Daserf_Delphi_1 | Detects malware / hacktool sample from Bronze Butler incident | https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses | 2017-10-14 00:00:00 | 70 | Florian Roth | EXE,FILE |
247 | BronzeButler_RarStar_1 | Detects malware / hacktool sample from Bronze Butler incident | https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses | 2017-10-14 00:00:00 | 70 | Florian Roth | EXE,FILE |
248 | BronzeButler_UACBypass_1 | Detects malware / hacktool sample from Bronze Butler incident | https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses | 2017-10-14 00:00:00 | 70 | Florian Roth | EXE,FILE |
249 | BronzeButler_xxmm_1 | Detects malware / hacktool sample from Bronze Butler incident | https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses | 2017-10-14 00:00:00 | 70 | Florian Roth | EXE,FILE |
250 | Buckeye_Osinfo | Detects OSinfo tool used by the Buckeye APT group | http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong | 2016-09-05 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
251 | ByPassFireWall_zip_Folder_Ie | Disclosed hacktool set (old stuff) - file Ie.dll | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
252 | ByPassFireWall_zip_Folder_Inject | Disclosed hacktool set (old stuff) - file Inject.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
253 | BypassUac2 | Auto-generated rule - file BypassUac2.zip | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator | HKTL |
254 | BypassUacDll_6 | Auto-generated rule - file BypassUacDll.aps | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator | HKTL |
255 | BypassUac_3 | Auto-generated rule - file BypassUacDll.dll | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator | HKTL |
256 | BypassUac_9 | Auto-generated rule - file BypassUac.zip | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator | HKTL |
257 | BypassUac_EXE | Auto-generated rule - file BypassUacDll.aps | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator | HKTL |
258 | Bytes_used_in_AES_key_generation | Detects Backdoor.goodor | https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control | 2018-04-06 00:00:00 | 70 | NCSC | EXE,FILE,MAL |
259 | CACTUSTORCH | Detects CactusTorch Hacktool | https://github.com/mdsecactivebreach/CACTUSTORCH | 2017-07-31 00:00:00 | 70 | Florian Roth | HKTL |
260 | CGISscan_CGIScan | Auto-generated rule on file CGIScan.exe | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator by Florian Roth | HKTL |
261 | CHAOS_Payload | Detects a CHAOS back connect payload | https://github.com/tiagorlampert/CHAOS | 2017-07-15 00:00:00 | 80 | Florian Roth | EXE,FILE |
262 | CMStar_Malware_Sep17 | Detects CMStar Malware | https://goo.gl/pTffPA | 2017-10-03 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
263 | CN_APT_ZeroT_extracted_Go | Chinese APT by Proofpoint ZeroT RAT - file Go.exe | https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx | 2017-02-04 00:00:00 | 70 | Florian Roth | APT,CHINA,EXE,FILE,MAL |
264 | CN_APT_ZeroT_extracted_Mcutil | Chinese APT by Proofpoint ZeroT RAT - file Mcutil.dll | https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx | 2017-02-04 00:00:00 | 70 | Florian Roth | APT,CHINA,EXE,FILE,MAL |
265 | CN_APT_ZeroT_extracted_Zlh | Chinese APT by Proofpoint ZeroT RAT - file Zlh.exe | https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx | 2017-02-04 00:00:00 | 70 | Florian Roth | APT,CHINA,EXE,FILE,MAL |
266 | CN_APT_ZeroT_nflogger | Chinese APT by Proofpoint ZeroT RAT - file nflogger.dll | https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx | 2017-02-04 00:00:00 | 70 | Florian Roth | APT,CHINA,EXE,FILE,HKTL,MAL |
267 | CN_Actor_AmmyyAdmin | Detects Ammyy Admin Downloader | Internal Research - CN Actor | 2017-06-22 00:00:00 | 60 | Florian Roth | EXE,FILE |
268 | CN_Actor_RA_Tool_Ammyy_mscorsvw | Detects Ammyy remote access tool | Internal Research - CN Actor | 2017-06-22 00:00:00 | 70 | Florian Roth | EXE,FILE |
269 | CN_GUI_Scanner | Detects an unknown GUI scanner tool - CN background | - | 2014-04-10 00:00:00 | 65 | Florian Roth | HKTL |
270 | CN_Hacktool_1433_Scanner | Detects a Chinese MSSQL scanner | - | 2014-12-10 00:00:00 | 40 | Florian Roth | HKTL |
271 | CN_Hacktool_1433_Scanner_Comp2 | Detects a Chinese MSSQL scanner - component 2 | - | 2014-12-10 00:00:00 | 40 | Florian Roth | HKTL |
272 | CN_Hacktool_BAT_PortsOpen | Detects a Chinese BAT hacktool for local port evaluation | - | 2014-12-10 00:00:00 | 60 | Florian Roth | HKTL |
273 | CN_Hacktool_MilkT_BAT | Detects a Chinese Portscanner named MilkT - shipped BAT | - | 2014-12-10 00:00:00 | 70 | Florian Roth | HKTL |
274 | CN_Hacktool_MilkT_Scanner | Detects a Chinese Portscanner named MilkT | - | 2014-12-10 00:00:00 | 60 | Florian Roth | HKTL |
275 | CN_Hacktool_SSPort_Portscanner | Detects a Chinese Portscanner named SSPort | - | 2014-12-10 00:00:00 | 70 | Florian Roth | HKTL |
276 | CN_Hacktool_S_EXE_Portscanner | Detects a Chinese Portscanner named s.exe | - | 2014-12-10 00:00:00 | 70 | Florian Roth | HKTL |
277 | CN_Hacktool_ScanPort_Portscanner | Detects a Chinese Portscanner named ScanPort | - | 2014-12-10 00:00:00 | 70 | Florian Roth | HKTL |
278 | CN_Honker_ACCESS_brute | Sample from CN Honker Pentest Toolset - file ACCESS_brute.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
279 | CN_Honker_ASP_wshell | Sample from CN Honker Pentest Toolset - file wshell.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | FILE |
280 | CN_Honker_Acunetix_Web_Vulnerability_Scanner_8_x_Enterprise_Edition_KeyGen | Sample from CN Honker Pentest Toolset - file Acunetix_Web_Vulnerability_Scanner_8.x_Enterprise_Edition_KeyGen.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE,GEN,HKTL |
281 | CN_Honker_Alien_D | Script from disclosed CN Honker Pentest Toolset - file D.ASP | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | SCRIPTS |
282 | CN_Honker_Alien_command | Script from disclosed CN Honker Pentest Toolset - file command.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | SCRIPTS |
283 | CN_Honker_Alien_ee | Sample from CN Honker Pentest Toolset - file ee.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
284 | CN_Honker_Alien_iispwd | Sample from CN Honker Pentest Toolset - file iispwd.vbs | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | |
285 | CN_Honker_Arp_EMP_v1_0 | Sample from CN Honker Pentest Toolset - file Arp EMP v1.0.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
286 | CN_Honker_AspxClient | Sample from CN Honker Pentest Toolset - file AspxClient.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
287 | CN_Honker_Baidu_Extractor_Ver1_0 | Sample from CN Honker Pentest Toolset - file Baidu_Extractor_Ver1.0.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
288 | CN_Honker_COOKIE_CooKie | Sample from CN Honker Pentest Toolset - file CooKie.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
289 | CN_Honker_ChinaChopper | Sample from CN Honker Pentest Toolset - file ChinaChopper.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE |
290 | CN_Honker_ChinaChopper_db | Script from disclosed CN Honker Pentest Toolset - file db.mdb | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | SCRIPTS |
291 | CN_Honker_Churrasco | Sample from CN Honker Pentest Toolset - file Churrasco.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
292 | CN_Honker_CleanIISLog | Sample from CN Honker Pentest Toolset - file CleanIISLog.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
293 | CN_Honker_CnCerT_CCdoor_CMD | Sample from CN Honker Pentest Toolset - file CnCerT.CCdoor.CMD.dll | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
294 | CN_Honker_CnCerT_CCdoor_CMD_2 | Sample from CN Honker Pentest Toolset - file CnCerT.CCdoor.CMD.dll2 | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
295 | CN_Honker_Codeeer_Explorer | Sample from CN Honker Pentest Toolset - file Codeeer Explorer.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
296 | CN_Honker_CookiesView | Sample from CN Honker Pentest Toolset - file CookiesView.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
297 | CN_Honker_CoolScan_scan | Sample from CN Honker Pentest Toolset - file scan.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
298 | CN_Honker_Cracker_SHELL | Sample from CN Honker Pentest Toolset - file SHELL.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
299 | CN_Honker_DLL_passive_privilege_escalation_ws2help | Sample from CN Honker Pentest Toolset - file ws2help.dll | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
300 | CN_Honker_D_injection_V2_32 | Sample from CN Honker Pentest Toolset - file D_injection_V2.32.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
301 | CN_Honker_DictionaryGenerator | Sample from CN Honker Pentest Toolset - file DictionaryGenerator.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE,GEN |
302 | CN_Honker_F4ck_Team_F4ck_3 | Sample from CN Honker Pentest Toolset - file F4ck_3.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
303 | CN_Honker_F4ck_Team_f4ck | Script from disclosed CN Honker Pentest Toolset - file f4ck.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | SCRIPTS |
304 | CN_Honker_F4ck_Team_f4ck_2 | Sample from CN Honker Pentest Toolset - file f4ck_2.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
305 | CN_Honker_F4ck_Team_f4ck_3 | Sample from CN Honker Pentest Toolset - file f4ck.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
306 | CN_Honker_FTP_scanning | Sample from CN Honker Pentest Toolset - file FTP_scanning.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
307 | CN_Honker_Fckeditor | Sample from CN Honker Pentest Toolset - file Fckeditor.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
308 | CN_Honker_Fpipe_FPipe | Sample from CN Honker Pentest Toolset - file FPipe.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 50 | Florian Roth | EXE,FILE |
309 | CN_Honker_GetHashes | Sample from CN Honker Pentest Toolset - file GetHashes.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
310 | CN_Honker_GetHashes_2 | Sample from CN Honker Pentest Toolset - file GetHashes.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
311 | CN_Honker_GetPass_GetPass | Sample from CN Honker Pentest Toolset - file GetPass.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
312 | CN_Honker_GetSyskey | Sample from CN Honker Pentest Toolset - file GetSyskey.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
313 | CN_Honker_GetWebShell | Sample from CN Honker Pentest Toolset - file GetWebShell.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
314 | CN_Honker_GroupPolicyRemover | Sample from CN Honker Pentest Toolset - file GroupPolicyRemover.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
315 | CN_Honker_HASH_32 | Sample from CN Honker Pentest Toolset - file 32.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
316 | CN_Honker_HASH_PwDump7 | Sample from CN Honker Pentest Toolset - file PwDump7.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
317 | CN_Honker_HASH_pwhash | Sample from CN Honker Pentest Toolset - file pwhash.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
318 | CN_Honker_HTran2_4 | Sample from CN Honker Pentest Toolset - file HTran2.4.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
319 | CN_Honker_Happy_Happy | Sample from CN Honker Pentest Toolset - file Happy.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
320 | CN_Honker_Havij_Havij | Sample from CN Honker Pentest Toolset - file Havij.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
321 | CN_Honker_HconSTFportable | Sample from CN Honker Pentest Toolset - file HconSTFportable.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
322 | CN_Honker_Hookmsgina | Sample from CN Honker Pentest Toolset - file Hookmsgina.dll | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
323 | CN_Honker_Htran_V2_40_htran20 | Sample from CN Honker Pentest Toolset - file htran20.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
324 | CN_Honker_IIS6_iis6 | Sample from CN Honker Pentest Toolset - file iis6.com | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
325 | CN_Honker_IIS_logcleaner1_0_readme | Script from disclosed CN Honker Pentest Toolset - file readme.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | SCRIPTS |
326 | CN_Honker_Injection | Sample from CN Honker Pentest Toolset - file Injection.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
327 | CN_Honker_Injection_Transit_jmCook | Script from disclosed CN Honker Pentest Toolset - file jmCook.asp | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | SCRIPTS |
328 | CN_Honker_Injection_transit | Sample from CN Honker Pentest Toolset - file Injection_transit.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
329 | CN_Honker_Interception3389_setup | Sample from CN Honker Pentest Toolset - file setup.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
330 | CN_Honker_Interception | Sample from CN Honker Pentest Toolset - file Interception.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
331 | CN_Honker_Intersect2_Beta | Script from disclosed CN Honker Pentest Toolset - file Intersect2-Beta.py | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | FILE,SCRIPTS |
332 | CN_Honker_InvasionErasor | Sample from CN Honker Pentest Toolset - file InvasionErasor.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
333 | CN_Honker_LPK2_0_LPK | Sample from CN Honker Pentest Toolset - file LPK.DAT | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
334 | CN_Honker_Layer_Layer | Sample from CN Honker Pentest Toolset - file Layer.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
335 | CN_Honker_LogCleaner | Sample from CN Honker Pentest Toolset - file LogCleaner.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
336 | CN_Honker_MAC_IPMAC | Sample from CN Honker Pentest Toolset - file IPMAC.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
337 | CN_Honker_MSTSC_can_direct_copy | Sample from CN Honker Pentest Toolset - file MSTSC_can_direct_copy.EXE | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
338 | CN_Honker_ManualInjection | Sample from CN Honker Pentest Toolset - file ManualInjection.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
339 | CN_Honker_Master_beta_1_7 | Sample from CN Honker Pentest Toolset - file Master_beta_1.7.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
340 | CN_Honker_MatriXay1073 | Sample from CN Honker Pentest Toolset - file MatriXay1073.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
341 | CN_Honker_Md5CrackTools | Sample from CN Honker Pentest Toolset - file Md5CrackTools.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
342 | CN_Honker_NBSI_3_0 | Sample from CN Honker Pentest Toolset - file NBSI 3.0.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
343 | CN_Honker_NetFuke_NetFuke | Sample from CN Honker Pentest Toolset - file NetFuke.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
344 | CN_Honker_Oracle_v1_0_Oracle | Sample from CN Honker Pentest Toolset - file Oracle.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
345 | CN_Honker_PHP_php11 | Sample from CN Honker Pentest Toolset - file php11.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | |
346 | CN_Honker_Perl_serv_U | Script from disclosed CN Honker Pentest Toolset - file Perl-serv-U.pl | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | SCRIPTS |
347 | CN_Honker_Pk_Pker | Sample from CN Honker Pentest Toolset - file Pker.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
348 | CN_Honker_PostgreSQL | Sample from CN Honker Pentest Toolset - file PostgreSQL.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
349 | CN_Honker_Pwdump7_Pwdump7 | Script from disclosed CN Honker Pentest Toolset - file Pwdump7.bat | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | SCRIPTS |
350 | CN_Honker_SAMInside | Sample from CN Honker Pentest Toolset - file SAMInside.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
351 | CN_Honker_SQLServer_inject_Creaked | Sample from CN Honker Pentest Toolset - file SQLServer_inject_Creaked.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
352 | CN_Honker_Safe3WVS | Sample from CN Honker Pentest Toolset - file Safe3WVS.EXE | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
353 | CN_Honker_ScanHistory | Sample from CN Honker Pentest Toolset - file ScanHistory.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
354 | CN_Honker_SegmentWeapon | Sample from CN Honker Pentest Toolset - file SegmentWeapon.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
355 | CN_Honker_ShiftBackdoor_Server | Sample from CN Honker Pentest Toolset - file Server.dat | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
356 | CN_Honker_SkinHRootkit_SkinH | Sample from CN Honker Pentest Toolset - file SkinH.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
357 | CN_Honker_SqlMap_Python_Run | Sample from CN Honker Pentest Toolset - file Run.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE,SCRIPT |
358 | CN_Honker_Sword1_5 | Sample from CN Honker Pentest Toolset - file Sword1.5.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
359 | CN_Honker_SwordCollEdition | Sample from CN Honker Pentest Toolset - file SwordCollEdition.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
360 | CN_Honker_SwordHonkerEdition | Sample from CN Honker Pentest Toolset - file SwordHonkerEdition.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
361 | CN_Honker_T00ls_Lpk_Sethc_v2 | Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v2.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
362 | CN_Honker_T00ls_Lpk_Sethc_v3_0 | Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v3.0.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
363 | CN_Honker_T00ls_Lpk_Sethc_v3_LPK | Sample from CN Honker Pentest Toolset - file LPK.DAT | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
364 | CN_Honker_T00ls_Lpk_Sethc_v4_0 | Sample from CN Honker Pentest Toolset - file T00ls Lpk Sethc v4.0.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
365 | CN_Honker_T00ls_Lpk_Sethc_v4_LPK | Sample from CN Honker Pentest Toolset - file LPK.DAT | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
366 | CN_Honker_T00ls_scanner | Sample from CN Honker Pentest Toolset - file T00ls_scanner.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
367 | CN_Honker_Tuoku_script_MSSQL_ | Script from disclosed CN Honker Pentest Toolset - file MSSQL_.asp | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | SCRIPTS |
368 | CN_Honker_Tuoku_script_oracle_2 | Sample from CN Honker Pentest Toolset - file oracle.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | |
369 | CN_Honker_WebCruiserWVS | Sample from CN Honker Pentest Toolset - file WebCruiserWVS.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
370 | CN_Honker_WebRobot | Sample from CN Honker Pentest Toolset - file WebRobot.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
371 | CN_Honker_WebScan_WebScan | Sample from CN Honker Pentest Toolset - file WebScan.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
372 | CN_Honker_WebScan_wwwscan | Sample from CN Honker Pentest Toolset - file wwwscan.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
373 | CN_Honker_Webshell | Sample from CN Honker Pentest Toolset - file Webshell.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE,WEBSHELL |
374 | CN_Honker_Webshell_ASPX_aspx2 | Webshell from CN Honker Pentest Toolset - file aspx2.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | FILE,WEBSHELL |
375 | CN_Honker_Webshell_ASPX_aspx3 | Webshell from CN Honker Pentest Toolset - file aspx3.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
376 | CN_Honker_Webshell_ASPX_aspx4 | Webshell from CN Honker Pentest Toolset - file aspx4.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
377 | CN_Honker_Webshell_ASPX_aspx | Webshell from CN Honker Pentest Toolset - file aspx.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
378 | CN_Honker_Webshell_ASPX_shell_shell | Webshell from CN Honker Pentest Toolset - file shell.aspx | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
379 | CN_Honker_Webshell_ASPX_sniff | Webshell from CN Honker Pentest Toolset - file sniff.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
380 | CN_Honker_Webshell_ASP_asp1 | Webshell from CN Honker Pentest Toolset - file asp1.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
381 | CN_Honker_Webshell_ASP_asp2 | Webshell from CN Honker Pentest Toolset - file asp2.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
382 | CN_Honker_Webshell_ASP_asp3 | Webshell from CN Honker Pentest Toolset - file asp3.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
383 | CN_Honker_Webshell_ASP_asp404 | Webshell from CN Honker Pentest Toolset - file asp404.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
384 | CN_Honker_Webshell_ASP_asp4 | Webshell from CN Honker Pentest Toolset - file asp4.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
385 | CN_Honker_Webshell_ASP_hy2006a | Webshell from CN Honker Pentest Toolset - file hy2006a.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
386 | CN_Honker_Webshell_ASP_rootkit | Webshell from CN Honker Pentest Toolset - file rootkit.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
387 | CN_Honker_Webshell_ASP_shell | Webshell from CN Honker Pentest Toolset - file shell.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
388 | CN_Honker_Webshell_ASP_web_asp | Webshell from CN Honker Pentest Toolset - file web.asp.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
389 | CN_Honker_Webshell_FTP_MYSQL_MSSQL_SSH | Webshell from CN Honker Pentest Toolset - file FTP MYSQL MSSQL SSH.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
390 | CN_Honker_Webshell_Injection_Transit_jmPost | Webshell from CN Honker Pentest Toolset - file jmPost.asp | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
391 | CN_Honker_Webshell_Interception3389_get | Webshell from CN Honker Pentest Toolset - file get.asp | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
392 | CN_Honker_Webshell_JSPMSSQL | Webshell from CN Honker Pentest Toolset - file JSPMSSQL.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
393 | CN_Honker_Webshell_JSP_jsp | Webshell from CN Honker Pentest Toolset - file jsp.html | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
394 | CN_Honker_Webshell_Linux_2_6_Exploit | Webshell from CN Honker Pentest Toolset - file 2.6.9 | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | LINUX,WEBSHELL |
395 | CN_Honker_Webshell_PHP_BlackSky | Webshell from CN Honker Pentest Toolset - file php6.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
396 | CN_Honker_Webshell_PHP_linux | Webshell from CN Honker Pentest Toolset - file linux.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | FILE,WEBSHELL |
397 | CN_Honker_Webshell_PHP_php10 | Webshell from CN Honker Pentest Toolset - file php10.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
398 | CN_Honker_Webshell_PHP_php1 | Webshell from CN Honker Pentest Toolset - file php1.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
399 | CN_Honker_Webshell_PHP_php2 | Webshell from CN Honker Pentest Toolset - file php2.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
400 | CN_Honker_Webshell_PHP_php3 | Webshell from CN Honker Pentest Toolset - file php3.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
401 | CN_Honker_Webshell_PHP_php4 | Webshell from CN Honker Pentest Toolset - file php4.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | FILE,WEBSHELL |
402 | CN_Honker_Webshell_PHP_php5 | Webshell from CN Honker Pentest Toolset - file php5.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | FILE,WEBSHELL |
403 | CN_Honker_Webshell_PHP_php7 | Webshell from CN Honker Pentest Toolset - file php7.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
404 | CN_Honker_Webshell_PHP_php8 | Webshell from CN Honker Pentest Toolset - file php8.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
405 | CN_Honker_Webshell_PHP_php9 | Webshell from CN Honker Pentest Toolset - file php9.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
406 | CN_Honker_Webshell_Serv_U_2_admin_by_lake2 | Webshell from CN Honker Pentest Toolset - file Serv-U 2 admin by lake2.asp | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
407 | CN_Honker_Webshell_Serv_U_asp | Webshell from CN Honker Pentest Toolset - file Serv-U asp.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
408 | CN_Honker_Webshell_Serv_U_by_Goldsun | Webshell from CN Honker Pentest Toolset - file Serv-U_by_Goldsun.asp | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
409 | CN_Honker_Webshell_Serv_U_serv_u | Webshell from CN Honker Pentest Toolset - file serv-u.php | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
410 | CN_Honker_Webshell_Serv_U_servu | Webshell from CN Honker Pentest Toolset - file servu.php | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
411 | CN_Honker_Webshell_T00ls_Lpk_Sethc_v4_mail | Webshell from CN Honker Pentest Toolset - file mail.php | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
412 | CN_Honker_Webshell_Tuoku_script_mssql_2 | Webshell from CN Honker Pentest Toolset - file mssql.asp | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
413 | CN_Honker_Webshell_Tuoku_script_mysql | Webshell from CN Honker Pentest Toolset - file mysql.aspx | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
414 | CN_Honker_Webshell_Tuoku_script_oracle | Webshell from CN Honker Pentest Toolset - file oracle.jsp | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
415 | CN_Honker_Webshell_Tuoku_script_xx | Webshell from CN Honker Pentest Toolset - file xx.php | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
416 | CN_Honker_Webshell_WebShell | Webshell from CN Honker Pentest Toolset - file WebShell.cgi | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
417 | CN_Honker_Webshell__Injection_jmCook_jmPost_ManualInjection | Webshell from CN Honker Pentest Toolset - from files Injection.exe, jmCook.asp, jmPost.asp, ManualInjection.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | HKTL,WEBSHELL |
418 | CN_Honker_Webshell__Serv_U_by_Goldsun_asp3_Serv_U_asp | Webshell from CN Honker Pentest Toolset - from files Serv-U_by_Goldsun.asp, asp3.txt, Serv-U asp.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
419 | CN_Honker_Webshell__asp4_asp4_MSSQL__MSSQL_ | Webshell from CN Honker Pentest Toolset - from files asp4.txt, asp4.txt, MSSQL_.asp, MSSQL_.asp | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
420 | CN_Honker_Webshell__php1_php7_php9 | Webshell from CN Honker Pentest Toolset - from files php1.txt, php7.txt, php9.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
421 | CN_Honker_Webshell_assembly | Webshell from CN Honker Pentest Toolset - file assembly.asp | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
422 | CN_Honker_Webshell_cfmShell | Webshell from CN Honker Pentest Toolset - file cfmShell.cfm | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
423 | CN_Honker_Webshell_cfm_list | Webshell from CN Honker Pentest Toolset - file list.cfm | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
424 | CN_Honker_Webshell_cfm_xl | Webshell from CN Honker Pentest Toolset - file xl.cfm | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | FILE,WEBSHELL |
425 | CN_Honker_Webshell_cmfshell | Webshell from CN Honker Pentest Toolset - file cmfshell.cmf | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
426 | CN_Honker_Webshell_dz_phpcms_phpbb | Webshell from CN Honker Pentest Toolset - file dz_phpcms_phpbb.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
427 | CN_Honker_Webshell_jspshell2 | Webshell from CN Honker Pentest Toolset - file jspshell2.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
428 | CN_Honker_Webshell_jspshell | Webshell from CN Honker Pentest Toolset - file jspshell.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
429 | CN_Honker_Webshell_mycode12 | Webshell from CN Honker Pentest Toolset - file mycode12.cfm | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
430 | CN_Honker_Webshell_nc_1 | Webshell from CN Honker Pentest Toolset - file 1.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
431 | CN_Honker_Webshell_offlibrary | Webshell from CN Honker Pentest Toolset - file offlibrary.php | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
432 | CN_Honker_Webshell_phpwebbackup | Webshell from CN Honker Pentest Toolset - file phpwebbackup.php | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | FILE,WEBSHELL |
433 | CN_Honker_Webshell_picloaked_1 | Webshell from CN Honker Pentest Toolset - file 1.gif | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
434 | CN_Honker_Webshell_portRecall_jsp2 | Webshell from CN Honker Pentest Toolset - file jsp2.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
435 | CN_Honker_Webshell_portRecall_jsp | Webshell from CN Honker Pentest Toolset - file jsp.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
436 | CN_Honker_Webshell_su7_x_9_x | Webshell from CN Honker Pentest Toolset - file su7.x-9.x.asp | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
437 | CN_Honker_Webshell_test3693 | Webshell from CN Honker Pentest Toolset - file test3693.war | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | FILE,WEBSHELL |
438 | CN_Honker_Webshell_udf_udf | Webshell from CN Honker Pentest Toolset - file udf.php | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
439 | CN_Honker_Webshell_wshell_asp | Webshell from CN Honker Pentest Toolset - file wshell-asp.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | WEBSHELL |
440 | CN_Honker_Without_a_trace_Wywz | Sample from CN Honker Pentest Toolset - file Wywz.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
441 | CN_Honker_WordpressScanner | Sample from CN Honker Pentest Toolset - file WordpressScanner.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL,OFFICE |
442 | CN_Honker_Xiaokui_conversion_tool | Sample from CN Honker Pentest Toolset - file Xiaokui_conversion_tool.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
443 | CN_Honker__D_injection_V2_32_D_injection_V2_32_D_injection_V2_32 | Sample from CN Honker Pentest Toolset - from files D_injection_V2.32.exe, D_injection_V2.32.exe, D_injection_V2.32.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
444 | CN_Honker__LPK_LPK_LPK | Sample from CN Honker Pentest Toolset - from files LPK.DAT, LPK.DAT, LPK.DAT | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
445 | CN_Honker__PostgreSQL_mysql_injectV1_1_Creak_Oracle_SQLServer_inject_Creaked | Sample from CN Honker Pentest Toolset | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
446 | CN_Honker__builder_shift_SkinH | Sample from CN Honker Pentest Toolset - from files builder.exe, shift.exe, SkinH.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
447 | CN_Honker__lcx_HTran2_4_htran20 | Sample from CN Honker Pentest Toolset - from files lcx.exe, HTran2.4.exe, htran20.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
448 | CN_Honker__wwwscan_wwwscan_wwwscan_gui | Sample from CN Honker Pentest Toolset - from files wwwscan.exe, wwwscan.exe, wwwscan_gui.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
449 | CN_Honker_arp3_7_arp3_7 | Sample from CN Honker Pentest Toolset - file arp3.7.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
450 | CN_Honker_cleaner_cl_2 | Sample from CN Honker Pentest Toolset - file cl.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
451 | CN_Honker_cleaniis | Sample from CN Honker Pentest Toolset - file cleaniis.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
452 | CN_Honker_clearlogs | Sample from CN Honker Pentest Toolset - file clearlogs.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
453 | CN_Honker_dedecms5_7 | Sample from CN Honker Pentest Toolset - file dedecms5.7.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
454 | CN_Honker_dirdown_dirdown | Sample from CN Honker Pentest Toolset - file dirdown.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
455 | CN_Honker_exp_iis7 | Sample from CN Honker Pentest Toolset - file iis7.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
456 | CN_Honker_exp_ms11011 | Sample from CN Honker Pentest Toolset - file ms11011.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
457 | CN_Honker_exp_ms11046 | Sample from CN Honker Pentest Toolset - file ms11046.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
458 | CN_Honker_exp_ms11080 | Sample from CN Honker Pentest Toolset - file ms11080.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
459 | CN_Honker_exp_win2003 | Sample from CN Honker Pentest Toolset - file win2003.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
460 | CN_Honker_getlsasrvaddr | Sample from CN Honker Pentest Toolset - file getlsasrvaddr.exe - WCE Amplia Security | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
461 | CN_Honker_hashq_Hashq | Sample from CN Honker Pentest Toolset - file Hashq.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
462 | CN_Honker_hkmjjiis6 | Sample from CN Honker Pentest Toolset - file hkmjjiis6.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
463 | CN_Honker_hxdef100 | Sample from CN Honker Pentest Toolset - file hxdef100.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
464 | CN_Honker_lcx_lcx | Sample from CN Honker Pentest Toolset - HTRAN - file lcx.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
465 | CN_Honker_linux_bin | Script from disclosed CN Honker Pentest Toolset - file linux_bin | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | SCRIPTS |
466 | CN_Honker_mafix_root | Script from disclosed CN Honker Pentest Toolset - file root | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | SCRIPTS |
467 | CN_Honker_mempodipper2_6 | Sample from CN Honker Pentest Toolset - file mempodipper2.6.39 | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | |
468 | CN_Honker_ms10048_x64 | Sample from CN Honker Pentest Toolset - file ms10048-x64.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
469 | CN_Honker_ms10048_x86 | Sample from CN Honker Pentest Toolset - file ms10048-x86.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
470 | CN_Honker_ms11080_withcmd | Sample from CN Honker Pentest Toolset - file ms11080_withcmd.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
471 | CN_Honker_mssqlpw_scan | Script from disclosed CN Honker Pentest Toolset - file mssqlpw scan.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | SCRIPTS |
472 | CN_Honker_mysql_injectV1_1_Creak | Sample from CN Honker Pentest Toolset - file mysql_injectV1.1_Creak.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
473 | CN_Honker_nc_MOVE | Script from disclosed CN Honker Pentest Toolset - file MOVE.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | SCRIPTS |
474 | CN_Honker_net_packet_capt | Sample from CN Honker Pentest Toolset - file net_packet_capt.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
475 | CN_Honker_net_priv_esc2 | Sample from CN Honker Pentest Toolset - file net-priv-esc2.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
476 | CN_Honker_no_net_priv_esc_AddUser | Sample from CN Honker Pentest Toolset - file AddUser.dll | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
477 | CN_Honker_passwd_dict_3389 | Script from disclosed CN Honker Pentest Toolset - file 3389.txt | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | SCRIPTS |
478 | CN_Honker_portRecall_bc | Script from disclosed CN Honker Pentest Toolset - file bc.pl | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | SCRIPTS |
479 | CN_Honker_portRecall_pr | Script from disclosed CN Honker Pentest Toolset - file pr | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | SCRIPTS |
480 | CN_Honker_pr_debug | Sample from CN Honker Pentest Toolset - file debug.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
481 | CN_Honker_safe3wvs_cgiscan | Sample from CN Honker Pentest Toolset - file cgiscan.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
482 | CN_Honker_shell_brute_tool | Sample from CN Honker Pentest Toolset - file shell_brute_tool.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
483 | CN_Honker_sig_3389_2_3389 | Sample from CN Honker Pentest Toolset - file 3389.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
484 | CN_Honker_sig_3389_3389 | Script from disclosed CN Honker Pentest Toolset - file 3389.vbs | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | SCRIPTS |
485 | CN_Honker_sig_3389_3389_2 | Script from disclosed CN Honker Pentest Toolset - file 3389.bat | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | SCRIPTS |
486 | CN_Honker_sig_3389_3389_3 | Script from disclosed CN Honker Pentest Toolset - file 3389.bat | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | SCRIPTS |
487 | CN_Honker_sig_3389_80_AntiFW | Sample from CN Honker Pentest Toolset - file AntiFW.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
488 | CN_Honker_sig_3389_DUBrute_v3_0_RC3_2_0 | Sample from CN Honker Pentest Toolset - file 2.0.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
489 | CN_Honker_sig_3389_DUBrute_v3_0_RC3_3_0 | Sample from CN Honker Pentest Toolset - file 3.0.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
490 | CN_Honker_sig_3389_mstsc_MSTSCAX | Sample from CN Honker Pentest Toolset - file MSTSCAX.DLL | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
491 | CN_Honker_sig_3389_xp3389 | Sample from CN Honker Pentest Toolset - file xp3389.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
492 | CN_Honker_smsniff_smsniff | Sample from CN Honker Pentest Toolset - file smsniff.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
493 | CN_Honker_struts2_catbox | Sample from CN Honker Pentest Toolset - file catbox.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
494 | CN_Honker_super_Injection1 | Sample from CN Honker Pentest Toolset - file super Injection1.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
495 | CN_Honker_syconfig | Script from disclosed CN Honker Pentest Toolset - file syconfig.dll | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | FILE,SCRIPTS |
496 | CN_Honker_termsrvhack | Sample from CN Honker Pentest Toolset - file termsrvhack.dll | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
497 | CN_Honker_windows_exp | Sample from CN Honker Pentest Toolset - file exp.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
498 | CN_Honker_windows_mstsc_enhanced_RMDSTC | Sample from CN Honker Pentest Toolset - file RMDSTC.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
499 | CN_Honker_wwwscan_1_wwwscan | Sample from CN Honker Pentest Toolset - file wwwscan.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
500 | CN_Honker_wwwscan_gui | Sample from CN Honker Pentest Toolset - file wwwscan_gui.exe | Disclosed CN Honker Pentest Toolset | 2015-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
501 | CN_Packed_Scanner | Suspiciously packed executable | - | 2014-06-10 00:00:00 | 40 | Florian Roth | HKTL |
502 | CN_Portscan | CN Port Scanner | - | 1970-01-01 01:00:00 | 70 | Florian Roth | FILE,HKTL |
503 | CN_Tools_MyUPnP | Chinese Hacktool Set - file MyUPnP.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
504 | CN_Tools_PcShare | Chinese Hacktool Set - file PcShare.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
505 | CN_Tools_Shiell | Chinese Hacktool Set - file Shiell.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
506 | CN_Tools_Temp | Chinese Hacktool Set - file Temp.war | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,FILE,HKTL,SCRIPTS |
507 | CN_Tools_VNCLink | Chinese Hacktool Set - file VNCLink.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
508 | CN_Tools_Vscan | Chinese Hacktool Set - file Vscan.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
509 | CN_Tools_hscan | Chinese Hacktool Set - file hscan.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
510 | CN_Tools_item | Chinese Hacktool Set - file item.php | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
511 | CN_Tools_old | Chinese Hacktool Set - file old.php | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
512 | CN_Tools_pc | Chinese Hacktool Set - file pc.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
513 | CN_Tools_srss | Chinese Hacktool Set - file srss.bat | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,SCRIPTS |
514 | CN_Tools_srss_2 | Chinese Hacktool Set - file srss.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
515 | CN_Tools_xbat | Chinese Hacktool Set - file xbat.vbs | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,FILE,HKTL,SCRIPTS |
516 | CN_Tools_xsniff | Chinese Hacktool Set - file xsniff.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
517 | CN_Toolset_LScanPortss_2 | Detects a Chinese hacktool from a disclosed toolset - file LScanPortss.exe | http://qiannao.com/ls/905300366/33834c0c/ | 2015-03-30 00:00:00 | 70 | Florian Roth | CHINA,HKTL |
518 | CN_Toolset_NTscan_PipeCmd | Detects a Chinese hacktool from a disclosed toolset - file PipeCmd.exe | http://qiannao.com/ls/905300366/33834c0c/ | 2015-03-30 00:00:00 | 70 | Florian Roth | CHINA,HKTL |
519 | CN_Toolset__XScanLib_XScanLib_XScanLib | Detects a Chinese hacktool from a disclosed toolset - from files XScanLib.dll, XScanLib.dll, XScanLib.dll | http://qiannao.com/ls/905300366/33834c0c/ | 2015-03-30 00:00:00 | 70 | Florian Roth | CHINA,HKTL |
520 | CN_Toolset_sig_1433_135_sqlr | Detects a Chinese hacktool from a disclosed toolset - file sqlr.exe | http://qiannao.com/ls/905300366/33834c0c/ | 2015-03-30 00:00:00 | 70 | Florian Roth | CHINA,HKTL |
521 | CN_disclosed_20180208_KeyLogger_1 | Detects malware from disclosed CN malware set | https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details | 2018-02-08 00:00:00 | 70 | Florian Roth | EXE,FILE |
522 | CN_disclosed_20180208_Mal1 | Detects malware from disclosed CN malware set | https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details | 2018-02-08 00:00:00 | 70 | Florian Roth | EXE,FILE |
523 | CN_disclosed_20180208_Mal4 | Detects malware from disclosed CN malware set | https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details | 2018-02-08 00:00:00 | 70 | Florian Roth | EXE,FILE |
524 | CN_disclosed_20180208_Mal5 | Detects malware from disclosed CN malware set | https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details | 2018-02-08 00:00:00 | 70 | Florian Roth | EXE,FILE |
525 | CN_disclosed_20180208_System3 | Detects malware from disclosed CN malware set | https://twitter.com/cyberintproject/status/961714165550342146 | 2018-02-08 00:00:00 | 70 | Florian Roth | EXE,FILE |
526 | CN_disclosed_20180208_c | Detects malware from disclosed CN malware set | https://twitter.com/cyberintproject/status/961714165550342146 | 2018-02-08 00:00:00 | 70 | Florian Roth | EXE,FILE |
527 | CN_disclosed_20180208_lsls | Detects malware from disclosed CN malware set | https://twitter.com/cyberintproject/status/961714165550342146 | 2018-02-08 00:00:00 | 70 | Florian Roth | FILE |
528 | COZY_FANCY_BEAR_Hunt | Detects Cozy Bear / Fancy Bear C2 Server IPs | https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ | 2016-06-14 00:00:00 | 70 | Florian Roth | EXE,FILE,RUSSIA |
529 | COZY_FANCY_BEAR_modified_VmUpgradeHelper | Detects a malicious VmUpgradeHelper.exe as mentioned in the CrowdStrike report | https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ | 2016-06-14 00:00:00 | 70 | Florian Roth | EXE,EXTVAR,FILE,RUSSIA |
530 | COZY_FANCY_BEAR_pagemgr_Hunt | Detects a pagemgr.exe as mentioned in the CrowdStrike report | https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ | 2016-06-14 00:00:00 | 70 | Florian Roth | EXE,FILE,RUSSIA |
531 | CVE_2014_4076_Exploitcode | Detects an exploit code for CVE-2014-4076 | https://github.com/Neo23x0/yarGen | 2018-04-04 00:00:00 | 70 | Florian Roth | EXE,EXPLOIT,FILE |
532 | CVE_2015_1674_CNGSYS | Detects exploits for CVE-2015-1674 | http://www.binvul.com/viewthread.php?tid=508 | 2015-05-14 00:00:00 | 70 | Florian Roth | EXE,EXPLOIT,FILE |
533 | CVE_2015_1701_Taihou | CVE-2015-1701 compiled exploit code | http://goo.gl/W4nU0q | 2015-05-13 00:00:00 | 70 | Florian Roth | EXE,EXPLOIT,FILE |
534 | CVE_2017_11882_RTF | Detects suspicious Microsoft Equation OLE contents as used in CVE-2017-11882 | Internal Research | 2018-02-13 00:00:00 | 60 | Florian Roth | EXPLOIT,FILE |
535 | CVE_2017_8759_Mal_Doc | Detects malicious files related to CVE-2017-8759 - file Doc1.doc | https://github.com/Voulnet/CVE-2017-8759-Exploit-sample | 2017-09-14 00:00:00 | 70 | Florian Roth | EXPLOIT,FILE |
536 | CVE_2017_8759_Mal_HTA | Detects malicious files related to CVE-2017-8759 - file cmd.hta | https://github.com/Voulnet/CVE-2017-8759-Exploit-sample | 2017-09-14 00:00:00 | 70 | Florian Roth | EXPLOIT,FILE |
537 | CVE_2017_8759_SOAP_Excel | Detects malicious files related to CVE-2017-8759 | https://twitter.com/buffaloverflow/status/908455053345869825 | 2017-09-15 00:00:00 | 60 | Florian Roth | EXPLOIT |
538 | CVE_2017_8759_SOAP_txt | Detects malicious file in relation to CVE-2017-8759 - file exploit.txt | https://github.com/Voulnet/CVE-2017-8759-Exploit-sample | 2017-09-14 00:00:00 | 70 | Florian Roth | EXPLOIT |
539 | CVE_2017_8759_SOAP_via_JS | Detects SOAP WSDL Download via JavaScript | https://twitter.com/buffaloverflow/status/907728364278087680 | 2017-09-14 00:00:00 | 60 | Florian Roth | |
540 | CVE_2017_8759_WSDL_in_RTF | Detects malicious RTF file related to CVE-2017-8759 | https://twitter.com/xdxdxdxdoa/status/908665278199996416 | 2017-09-15 00:00:00 | 70 | Security Doggo @xdxdxdxdoa | EXPLOIT,EXTVAR |
541 | Casper_Backdoor_x86 | Casper French Espionage Malware - Win32/ProxyBot.B - x86 Payload http://goo.gl/VRJNLo | http://goo.gl/VRJNLo | 2015-03-05 00:00:00 | 80 | Florian Roth | HKTL,MAL |
542 | Casper_EXE_Dropper | Casper French Espionage Malware - Win32/ProxyBot.B - Dropper http://goo.gl/VRJNLo | http://goo.gl/VRJNLo | 2015-03-05 00:00:00 | 80 | Florian Roth | HKTL,MAL |
543 | Casper_Included_Strings | Casper French Espionage Malware - String Match in File - http://goo.gl/VRJNLo | http://goo.gl/VRJNLo | 2015-03-06 00:00:00 | 50 | Florian Roth | MAL |
544 | Casper_SystemInformation_Output | Casper French Espionage Malware - System Info Output - http://goo.gl/VRJNLo | http://goo.gl/VRJNLo | 2015-03-06 00:00:00 | 70 | Florian Roth | MAL |
545 | Casus15_php_php | Semi-Auto-generated - file Casus15.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
546 | Certutil_Decode_OR_Download | Certutil Decode | Internal Research | 2017-08-29 00:00:00 | 40 | Florian Roth | EXTVAR,SCRIPTS |
547 | Chafer_Exploit_Copyright_2017 | Detects Oilrig Internet Server Extension with Copyright (C) 2017 Exploit | https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf | 2018-03-22 00:00:00 | 70 | Markus Neis | EXE,FILE |
548 | Chafer_Mimikatz_Custom | Detects Custom Mimikatz Version | https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf | 2018-03-22 00:00:00 | 70 | Florian Roth / Markus Neis | EXE,FILE |
549 | Chafer_Packed_Mimikatz | Detects Oilrig Packed Mimikatz also detected as Chafer_WSC_x64 by FR | https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf | 2018-03-22 00:00:00 | 70 | Florian Roth / Markus Neis | EXE,FILE,MIDDLE_EAST |
550 | Chafer_Portscanner | Detects Custom Portscanner used by Oilrig | https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf | 2018-03-22 00:00:00 | 70 | Markus Neis | EXE,FILE |
551 | CheshireCat_Gen1 | Auto-generated rule - file ec41b029c3ff4147b6a5252cb8b659f851f4538d4af0a574f7e16bc1cd14a300 | https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/ | 2015-08-08 00:00:00 | 90 | Florian Roth | EXE,FILE |
552 | CheshireCat_Gen2 | Cheshire Cat Malware | https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/ | 2015-08-08 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
553 | CheshireCat_Sample2 | Auto-generated rule - file dc18850d065ff6a8364421a9c8f9dd5fcce6c7567f4881466cee00e5cd0c7aa8 | https://malware-research.org/prepare-father-of-stuxnet-news-are-coming/ | 2015-08-08 00:00:00 | 70 | Florian Roth | EXE,FILE |
554 | ChinaChopper_Generic | China Chopper Webshells - PHP and ASPX | https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf | 2015-03-10 00:00:00 | 70 | Florian Roth | CHINA,WEBSHELL |
555 | ChinaChopper_caidao | Chinese Hacktool Set - file caidao.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
556 | ChinaChopper_one | Chinese Hacktool Set - file one.asp | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
557 | ChinaChopper_temp | Chinese Hacktool Set - file temp.asp | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
558 | ChinaChopper_temp_2 | Chinese Hacktool Set - file temp.php | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
559 | ChinaChopper_temp_3 | Chinese Hacktool Set - file temp.aspx | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,FILE,HKTL,WEBSHELL |
560 | Chinese_Hacktool_1014 | Detects a Chinese hacktool with unknown use | - | 2014-10-10 00:00:00 | 60 | Florian Roth | HKTL |
561 | ChromePass | Detects a tool used by APT groups - file ChromePass.exe | http://goo.gl/igxLyF | 2016-09-08 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
562 | CleanIISLog | Disclosed hacktool set (old stuff) - file CleanIISLog.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
563 | Cloaked_RAR_File | RAR file cloaked by a different extension | - | 1970-01-01 01:00:00 | 70 | Florian Roth | EXTVAR,FILE |
564 | Cloaked_as_JPG | Detects a cloaked file as JPG | - | 2015-02-28 00:00:00 | 40 | Florian Roth (eval section from Didier Stevens) | EXTVAR,FILE |
565 | CloudDuke_Malware | Detects CloudDuke Malware | https://www.f-secure.com/weblog/archives/00002822.html | 2015-07-22 00:00:00 | 60 | Florian Roth | EXE,FILE,MAL,RUSSIA |
566 | CmdAsp_asp | Semi-Auto-generated - file CmdAsp.asp.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
567 | CmdShell64 | Chinese Hacktool Set - file CmdShell64.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
568 | Cmdshell32 | Chinese Hacktool Set - file Cmdshell32.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
569 | CobaltGang_Malware_Aug17_1 | Detects a Cobalt Gang malware | https://sslbl.abuse.ch/intel/6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c | 2017-08-09 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
570 | CobaltGang_Malware_Aug17_2 | Detects a Cobalt Gang malware | https://sslbl.abuse.ch/intel/6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c | 2017-08-09 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
571 | CobaltStrike_CN_Group_BeaconDropper_Aug17 | Detects Script Dropper of Cobalt Gang used in August 2017 | Internal Research | 2017-08-09 00:00:00 | 70 | Florian Roth | MAL |
572 | Cobaltgang_PDF_Metadata_Rev_A | Find documents saved from the same potential Cobalt Gang PDF template | https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/ | 2018-10-25 00:00:00 | 70 | Palo Alto Networks Unit 42 | |
573 | Codoso_CustomTCP | Codoso CustomTCP Malware | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks | 2016-01-30 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
574 | Codoso_CustomTCP_2 | Detects Codoso APT CustomTCP Malware | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks | 2016-01-30 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
575 | Codoso_CustomTCP_3 | Detects Codoso APT CustomTCP Malware | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks | 2016-01-30 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
576 | Codoso_CustomTCP_4 | Detects Codoso APT CustomTCP Malware | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks | 2016-01-30 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
577 | Codoso_Gh0st_1 | Detects Codoso APT Gh0st Malware | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks | 2016-01-30 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
578 | Codoso_Gh0st_2 | Detects Codoso APT Gh0st Malware | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks | 2016-01-30 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
579 | Codoso_Gh0st_3 | Detects Codoso APT Gh0st Malware | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks | 2016-01-30 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
580 | Codoso_PGV_PVID_1 | Detects Codoso APT PGV PVID Malware | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks | 2016-01-30 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
581 | Codoso_PGV_PVID_2 | Detects Codoso APT PGV PVID Malware | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks | 2016-01-30 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
582 | Codoso_PGV_PVID_3 | Detects Codoso APT PGV PVID Malware | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks | 2016-01-30 00:00:00 | 70 | Florian Roth | APT,MAL |
583 | Codoso_PGV_PVID_4 | Detects Codoso APT PlugX Malware | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks | 2016-01-30 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
584 | Codoso_PGV_PVID_5 | Detects Codoso APT PGV PVID Malware | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks | 2016-01-30 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
585 | Codoso_PGV_PVID_6 | Detects Codoso APT PGV_PVID Malware | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks | 2016-01-30 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
586 | Codoso_PlugX_1 | Detects Codoso APT PlugX Malware | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks | 2016-01-30 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
587 | Codoso_PlugX_2 | Detects Codoso APT PlugX Malware | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks | 2016-01-30 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
588 | Codoso_PlugX_3 | Detects Codoso APT PlugX Malware | https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks | 2016-01-30 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
589 | CoinHive_Javascript_MoneroMiner | Detects CoinHive - JavaScript Crypto Miner | https://coinhive.com/documentation/miner | 2018-01-04 00:00:00 | 50 | Florian Roth | |
590 | CoinMiner_Strings | Detects mining pool protocol string in Executable | https://minergate.com/faq/what-pool-address | 2018-01-04 00:00:00 | 50 | Florian Roth | |
591 | CookieTools2 | Chinese Hacktool Set - file CookieTools2.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
592 | CookieTools | Chinese Hacktool Set - file CookieTools.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
593 | CoreImpact_sysdll_exe | Detects a malware sysdll.exe from the Rocket Kitten APT | - | 2014-12-27 00:00:00 | 70 | Florian Roth | APT,MIDDLE_EAST |
594 | CorkowDLL | Rule to detect the Corkow DLL files | - | 2016-02-07 00:00:00 | 70 | Group IB | EXE,FILE |
595 | Crackmapexec_EXE | Detects CrackMapExec hack tool | Internal Research | 2018-04-06 00:00:00 | 85 | Florian Roth | EXE,FILE,HKTL |
596 | CredentialStealer_Generic_Backdoor | Detects credential stealer based on many strings that indicate password store access | Internal Research | 2017-06-07 00:00:00 | 70 | Florian Roth | EXE,FILE,GEN |
597 | CrimsonRAT_Mar18_1 | Detects CrimsonRAT malware | Internal Research | 2018-03-06 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
598 | CrowdStrike_Shamoon_DroppedFile | Rule to detect Shamoon malware http://goo.gl/QTxohN | http://www.rsaconference.com/writable/presentations/file_upload/exp-w01-hacking-exposed-day-of-destruction.pdf | 1970-01-01 01:00:00 | 70 | - | MIDDLE_EAST |
599 | CrunchRAT | Detects CrunchRAT - file CrunchRAT.exe | https://github.com/t3ntman/CrunchRAT | 2017-11-03 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
600 | Customize | Chinese Hacktool Set - file Customize.aspx | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
601 | Customize_2 | Chinese Hacktool Set - file Customize.jsp | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
602 | DKShell_f0772be3c95802a2d1e7a4a3f5a45dcdef6997f3 | Detects a web shell | https://github.com/bartblaze/PHP-backdoors | 2016-09-10 00:00:00 | 70 | Florian Roth | FILE,WEBSHELL |
603 | DK_Brute | PoS Scammer Toolbox - http://goo.gl/xiIphp - file DK Brute.exe | http://goo.gl/xiIphp | 2014-11-22 00:00:00 | 70 | Florian Roth | HKTL |
604 | DLL_Injector_Lynx | Detects Lynx DLL Injector | Internal Research | 2017-08-20 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
605 | DTool_Pro_php | Semi-Auto-generated - file DTool Pro.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
606 | DTools2_02_DTools | Chinese Hacktool Set - file DTools.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
607 | DUBrute_DUBrute | Chinese Hacktool Set - file DUBrute.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
608 | DarkComet_Keylogger_File | Looks like a keylogger file created by DarkComet Malware | - | 2014-07-25 00:00:00 | 50 | Florian Roth | FILE,HKTL,MAL |
609 | DarkEYEv3_Cryptor | Rule to detect DarkEYEv3 encrypted executables (often malware) | http://darkeyev3.blogspot.fi/ | 2015-05-24 00:00:00 | 55 | Florian Roth | EXE,FILE |
610 | DarkSecurityTeam_Webshell | Dark Security Team Webshell | - | 1970-01-01 01:00:00 | 50 | Florian Roth | WEBSHELL |
611 | DarkSpy105 | Webshells Auto-generated - file DarkSpy105.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
612 | Daserf_Nov1_BronzeButler | Detects Daserf malware used by Bronze Butler | https://goo.gl/ffeCfd | 2017-11-08 00:00:00 | 70 | Florian Roth | EXE,FILE |
613 | Datper_Backdoor | Detects Datper Malware | http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html | 2017-08-21 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
614 | Debug_BDoor | Webshells Auto-generated - file BDoor.dll | - | 1970-01-01 01:00:00 | 70 | Florian Roth | MAL,WEBSHELL |
615 | Debug_cress | Webshells Auto-generated - file cress.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
616 | Debug_dllTest_2 | Webshells Auto-generated - file dllTest.dll | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
617 | DeepPanda_Trojan_Kakfum | Hack Deep Panda - Trojan.Kakfum sqlsrv32.dll | - | 2015-02-08 00:00:00 | 70 | Florian Roth | CHINA,MAL |
618 | DeepPanda_htran_exe | Hack Deep Panda - htran-exe | - | 2015-02-08 00:00:00 | 70 | Florian Roth | CHINA |
619 | DeepPanda_lot1 | Hack Deep Panda - lot1.tmp-pwdump | - | 2015-02-08 00:00:00 | 70 | Florian Roth | CHINA |
620 | DeepPanda_sl_txt_packed | Hack Deep Panda - ScanLine sl-txt-packed | - | 2015-02-08 00:00:00 | 70 | Florian Roth | CHINA |
621 | DefaceKeeper_0_2_php | Semi-Auto-generated - file DefaceKeeper_0.2.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
622 | Derusbi_Backdoor_Mar17_1 | Detects a variant of the Derusbi backdoor | Internal Research | 2017-03-03 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
623 | Derusbi_Code_Signing_Cert | Detects an executable signed with a certificate also used for Derusbi Trojan - suspicious | http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family | 2015-12-15 00:00:00 | 60 | Florian Roth | EXE,FILE,MAL |
624 | Derusbi_Kernel_Driver_WD_UDFS | Detects Derusbi Kernel Driver | http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family | 2015-12-15 00:00:00 | 80 | Florian Roth | EXE,FILE |
625 | Destructive_Ransomware_Gen1 | Detects destructive malware | http://blog.talosintelligence.com/2018/02/olympic-destroyer.html | 2018-02-12 00:00:00 | 70 | Florian Roth | CRIME,EXE,FILE |
626 | DeviceGuard_WDS_Evasion | Detects WDS file used to circumvent Device Guard | http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html | 1970-01-01 01:00:00 | 80 | Florian Roth | |
627 | Dexter_Malware | Detects the Dexter Trojan/Agent http://goo.gl/oBvy8b | http://goo.gl/oBvy8b | 2015-02-10 00:00:00 | 70 | Florian Roth | MAL |
628 | Disclosed_0day_POCs_InjectDll | Detects POC code from disclosed 0day hacktool set | Disclosed 0day Repos | 2017-07-07 00:00:00 | 70 | Florian Roth | EXE,EXPLOIT,FILE,HKTL |
629 | Disclosed_0day_POCs_exploit | Detects POC code from disclosed 0day hacktool set | Disclosed 0day Repos | 2017-07-07 00:00:00 | 70 | Florian Roth | EXE,EXPLOIT,FILE,HKTL |
630 | Disclosed_0day_POCs_injector | Detects POC code from disclosed 0day hacktool set | Disclosed 0day Repos | 2017-07-07 00:00:00 | 70 | Florian Roth | EXE,EXPLOIT,FILE,HKTL |
631 | Disclosed_0day_POCs_lpe | Detects POC code from disclosed 0day hacktool set | Disclosed 0day Repos | 2017-07-07 00:00:00 | 70 | Florian Roth | EXE,EXPLOIT,FILE,HKTL |
632 | Disclosed_0day_POCs_lpe_2 | Detects POC code from disclosed 0day hacktool set | Disclosed 0day Repos | 2017-07-07 00:00:00 | 70 | Florian Roth | EXE,EXPLOIT,FILE,HKTL |
633 | Disclosed_0day_POCs_payload_MSI | Detects POC code from disclosed 0day hacktool set | Disclosed 0day Repos | 2017-07-07 00:00:00 | 70 | Florian Roth | EXPLOIT,FILE,HKTL |
634 | Disclosed_0day_POCs_shellcodegenerator | Detects POC code from disclosed 0day hacktool set | Disclosed 0day Repos | 2017-07-07 00:00:00 | 70 | Florian Roth | EXE,EXPLOIT,FILE,HKTL |
635 | Dive_Shell_1_0___Emperor_Hacking_Team_php | Semi-Auto-generated - file Dive Shell 1.0 - Emperor Hacking Team.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
636 | DkShell_4000bd83451f0d8501a9dfad60dce39e55ae167d | Detects a web shell | https://github.com/bartblaze/PHP-backdoors | 2016-09-10 00:00:00 | 70 | Florian Roth | FILE,WEBSHELL |
637 | DllInjection | Webshells Auto-generated - file DllInjection.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | HKTL,WEBSHELL |
638 | Dll_LoadEx | Chinese Hacktool Set - file Dll_LoadEx.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
639 | Docm_in_PDF | Detects an embedded DOCM in PDF combined with OpenAction | Internal Research | 2017-05-15 00:00:00 | 70 | Florian Roth | FILE |
640 | DomainScanV1_0 | Auto-generated rule on file DomainScanV1_0.exe | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator by Florian Roth | HKTL |
641 | Dorkbot_Injector_Malware | Detects Darkbot Injector | Internal Research | 2016-10-08 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL,MAL |
642 | Dos_1 | Chinese Hacktool Set - file 1.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
643 | Dos_Down32 | Chinese Hacktool Set - file Down32.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
644 | Dos_Down64 | Chinese Hacktool Set - file Down64.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
645 | Dos_GetPass | Chinese Hacktool Set - file GetPass.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
646 | Dos_NtGod | Chinese Hacktool Set - file NtGod.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
647 | Dos_c | Chinese Hacktool Set - file c.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
648 | Dos_ch | Chinese Hacktool Set - file ch.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
649 | Dos_fp | Chinese Hacktool Set - file fp.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
650 | Dos_iis7 | Chinese Hacktool Set - file iis7.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
651 | Dos_iis | Chinese Hacktool Set - file iis.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
652 | Dos_lcx | Chinese Hacktool Set - file lcx.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
653 | Dos_look | Chinese Hacktool Set - file look.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
654 | Dos_netstat | Chinese Hacktool Set - file netstat.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
655 | Dos_sys | Chinese Hacktool Set - file sys.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
656 | DragonFly_APT_Sep17_1 | Detects malware from DragonFly APT report | https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group | 2017-09-12 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
657 | DragonFly_APT_Sep17_2 | Detects malware from DragonFly APT report | https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group | 2017-09-12 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
658 | DragonFly_APT_Sep17_3 | Detects malware from DragonFly APT report | https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group | 2017-09-12 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
659 | DragonFly_APT_Sep17_4 | Detects malware from DragonFly APT report | https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group | 2017-09-12 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
660 | Dridex_Trojan_XML | Dridex Malware in XML Document | https://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503 | 2015-03-08 00:00:00 | 70 | Florian Roth @4nc4p | MAL |
661 | DropBear_SSH_Server | Detects DropBear SSH Server (not a threat but used to maintain access) | http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/ | 2016-01-03 00:00:00 | 50 | Florian Roth | EXE,FILE,RUSSIA |
662 | Dropper_DeploysMalwareViaSideLoading | Detects a dropper used to deploy an implant via side loading. This dropper has specifically been observed deploying REDLEAVES & PlugX | https://www.us-cert.gov/ncas/alerts/TA17-117A | 1970-01-01 01:00:00 | 70 | USG | |
663 | Dubnium_Sample_1 | Detects sample mentioned in the Dubnium Report | https://goo.gl/AW9Cuu | 2016-06-10 00:00:00 | 70 | Florian Roth | EXE,FILE |
664 | Dubnium_Sample_2 | Detects sample mentioned in the Dubnium Report | https://goo.gl/AW9Cuu | 2016-06-10 00:00:00 | 70 | Florian Roth | EXE,FILE |
665 | Dubnium_Sample_3 | Detects sample mentioned in the Dubnium Report | https://goo.gl/AW9Cuu | 2016-06-10 00:00:00 | 70 | Florian Roth | EXE,FILE |
666 | Dubnium_Sample_5 | Detects sample mentioned in the Dubnium Report | https://goo.gl/AW9Cuu | 2016-06-10 00:00:00 | 70 | Florian Roth | EXE,FILE |
667 | Dubnium_Sample_6 | Detects sample mentioned in the Dubnium Report | https://goo.gl/AW9Cuu | 2016-06-10 00:00:00 | 70 | Florian Roth | EXE,FILE |
668 | Dubnium_Sample_7 | Detects sample mentioned in the Dubnium Report | https://goo.gl/AW9Cuu | 2016-06-10 00:00:00 | 70 | Florian Roth | EXE,FILE |
669 | Dubnium_Sample_SSHOpenSSL | Detects sample mentioned in the Dubnium Report | https://goo.gl/AW9Cuu | 2016-06-10 00:00:00 | 70 | Florian Roth | EXE,FILE |
670 | Duqu2_Generic1 | Kaspersky APT Report - Duqu2 Sample - Generic Rule | https://goo.gl/7yKyOj | 2015-06-10 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,GEN |
671 | Duqu2_Sample1 | Detects malware - Duqu2 (cross-matches with IronTiger malware and Derusbi) | https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/ | 2016-07-02 00:00:00 | 80 | Florian Roth | EXE,FILE,INDIA |
672 | Duqu2_Sample2 | Detects Duqu2 Malware | https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/ | 2016-07-02 00:00:00 | 80 | Florian Roth | EXE,FILE,MAL |
673 | Duqu2_Sample3 | Detects Duqu2 Malware | https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/ | 2016-07-02 00:00:00 | 80 | Florian Roth | EXE,FILE,MAL |
674 | Duqu2_Sample4 | Detects Duqu2 Malware | https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/ | 2016-07-02 00:00:00 | 80 | Florian Roth | EXE,FILE,MAL |
675 | Duqu2_UAs | Detects Duqu2 Executable based on the specific UAs in the file | https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/ | 2016-07-02 00:00:00 | 80 | Florian Roth | EXE,FILE |
676 | DxShell_php_php | Semi-Auto-generated - file DxShell.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
677 | Dx_php_php | Semi-Auto-generated - file Dx.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
678 | EFSO_2_asp | Semi-Auto-generated - file EFSO_2.asp.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
679 | EQGRP_1212 | Detects tool from EQGRP toolset - file 1212.pl | Research | 2016-08-15 00:00:00 | 75 | Florian Roth | |
680 | EQGRP_1212_dehex | Detects tool from EQGRP toolset - from files 1212.pl, dehex.pl | Research | 2016-08-15 00:00:00 | 75 | Florian Roth | FILE |
681 | EQGRP_BARPUNCH_BPICKER | EQGRP Toolset Firewall - from files BARPUNCH-3110, BPICKER-3100 | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
682 | EQGRP_BBALL | EQGRP Toolset Firewall - file BBALL_E28F6-2201.exe | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
683 | EQGRP_BBALL_M50FW08_2201 | EQGRP Toolset Firewall - file BBALL_M50FW08-2201.exe | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
684 | EQGRP_BBANJO | EQGRP Toolset Firewall - file BBANJO-3011.exe | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
685 | EQGRP_BFLEA_2201 | EQGRP Toolset Firewall - file BFLEA-2201.exe | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
686 | EQGRP_BICECREAM | EQGRP Toolset Firewall - file BICECREAM-2140 | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
687 | EQGRP_BLIAR_BLIQUER | EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230 | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
688 | EQGRP_BPATROL_2201 | EQGRP Toolset Firewall - file BPATROL-2201.exe | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
689 | EQGRP_BPIE | EQGRP Toolset Firewall - file BPIE-2201.exe | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
690 | EQGRP_BUSURPER_2211_724 | EQGRP Toolset Firewall - file BUSURPER-2211-724.exe | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
691 | EQGRP_BUSURPER_3001_724 | EQGRP Toolset Firewall - file BUSURPER-3001-724.exe | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
692 | EQGRP_BananaAid | EQGRP Toolset Firewall - file BananaAid | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
693 | EQGRP_BananaUsurper_writeJetPlow | EQGRP Toolset Firewall - from files BananaUsurper-2120, writeJetPlow-2130 | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
694 | EQGRP_BpfCreator_RHEL4 | EQGRP Toolset Firewall - file BpfCreator-RHEL4 | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
695 | EQGRP_EPBA | EQGRP Toolset Firewall - file EPBA.script | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
696 | EQGRP_Extrabacon_Output | EQGRP Toolset Firewall - Extrabacon exploit output | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
697 | EQGRP_Implants_Gen1 | EQGRP Toolset Firewall | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
698 | EQGRP_Implants_Gen2 | EQGRP Toolset Firewall | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
699 | EQGRP_Implants_Gen3 | EQGRP Toolset Firewall | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
700 | EQGRP_Implants_Gen4 | EQGRP Toolset Firewall - from files BLIAR-2110, BLIQUER-2230, BLIQUER-3030, BLIQUER-3120 | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
701 | EQGRP_Implants_Gen5 | EQGRP Toolset Firewall | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
702 | EQGRP_Implants_Gen6 | EQGRP Toolset Firewall | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
703 | EQGRP_MixText | EQGRP Toolset Firewall - file MixText.py | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
704 | EQGRP_RC5_RC6_Opcode | EQGRP Toolset Firewall - RC5 / RC6 opcode | https://securelist.com/blog/incidents/75812/the-equation-giveaway/ | 2016-08-17 00:00:00 | 70 | Florian Roth | |
705 | EQGRP_SecondDate_2211 | EQGRP Toolset Firewall - file SecondDate-2211.exe | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
706 | EQGRP_StoreFc | EQGRP Toolset Firewall - file StoreFc.py | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
707 | EQGRP_Unique_Strings | EQGRP Toolset Firewall - Unique strings | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
708 | EQGRP_bc_parser | Detects tool from EQGRP toolset - file bc-parser | Research | 2016-08-15 00:00:00 | 75 | Florian Roth | FILE |
709 | EQGRP_bo | EQGRP Toolset Firewall - file bo | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
710 | EQGRP_callbacks | EQGRP Toolset Firewall - Callback addresses | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
711 | EQGRP_config_jp1_UA | EQGRP Toolset Firewall - file config_jp1_UA.pl | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
712 | EQGRP_create_dns_injection | EQGRP Toolset Firewall - file create_dns_injection.py | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
713 | EQGRP_create_http_injection | EQGRP Toolset Firewall - file create_http_injection.py | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
714 | EQGRP_dn_1_0_2_1 | Detects tool from EQGRP toolset - file dn.1.0.2.1.linux | Research | 2016-08-15 00:00:00 | 75 | Florian Roth | FILE |
715 | EQGRP_durablenapkin_solaris_2_0_1 | Detects tool from EQGRP toolset - file durablenapkin.solaris.2.0.1.1 | Research | 2016-08-15 00:00:00 | 75 | Florian Roth | FILE |
716 | EQGRP_eligiblebombshell_generic | EQGRP Toolset Firewall - from files eligiblebombshell_1.2.0.1.py, eligiblebombshell_1.2.0.1.py | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
717 | EQGRP_eligiblecandidate | EQGRP Toolset Firewall - file eligiblecandidate.py | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
718 | EQGRP_epicbanana_2_1_0_1 | EQGRP Toolset Firewall - file epicbanana_2.1.0.1.py | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
719 | EQGRP_extrabacon | EQGRP Toolset Firewall - file extrabacon_1.1.0.1.py | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
720 | EQGRP_false | Detects tool from EQGRP toolset - file false.exe | Research | 2016-08-15 00:00:00 | 75 | Florian Roth | EXE,FILE |
721 | EQGRP_hexdump | EQGRP Toolset Firewall - file hexdump.py | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
722 | EQGRP_installdate | Detects tool from EQGRP toolset - file installdate.pl | Research | 2016-08-15 00:00:00 | 75 | Florian Roth | |
723 | EQGRP_jetplow_SH | EQGRP Toolset Firewall - file jetplow.sh | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
724 | EQGRP_morel | Detects tool from EQGRP toolset - file morel.exe | Research | 2016-08-15 00:00:00 | 75 | Florian Roth | EXE,FILE |
725 | EQGRP_networkProfiler_orderScans | EQGRP Toolset Firewall - file networkProfiler_orderScans.sh | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
726 | EQGRP_noclient_3_0_5 | Detects tool from EQGRP toolset - file noclient-3.0.5.3 | Research | 2016-08-15 00:00:00 | 75 | Florian Roth | FILE |
727 | EQGRP_pandarock | EQGRP Toolset Firewall - from files pandarock_v1.11.1.1.bin, pit | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
728 | EQGRP_payload | EQGRP Toolset Firewall - file payload.py | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
729 | EQGRP_screamingplow | EQGRP Toolset Firewall - file screamingplow.sh | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
730 | EQGRP_shellcode | EQGRP Toolset Firewall - file shellcode.py | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
731 | EQGRP_sniffer_xml2pcap | EQGRP Toolset Firewall - file sniffer_xml2pcap | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
732 | EQGRP_sploit | EQGRP Toolset Firewall - from files sploit.py, sploit.py | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
733 | EQGRP_sploit_py | EQGRP Toolset Firewall - file sploit.py | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
734 | EQGRP_ssh_telnet_29 | EQGRP Toolset Firewall - from files ssh.py, telnet.py | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
735 | EQGRP_teflondoor | Detects tool from EQGRP toolset - file teflondoor.exe | Research | 2016-08-15 00:00:00 | 75 | Florian Roth | EXE,FILE |
736 | EQGRP_teflonhandle | Detects tool from EQGRP toolset - file teflonhandle.exe | Research | 2016-08-15 00:00:00 | 75 | Florian Roth | EXE,FILE |
737 | EQGRP_tinyexec | EQGRP Toolset Firewall - from files tinyexec | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
738 | EQGRP_tinyhttp_setup | EQGRP Toolset Firewall - file tinyhttp_setup.sh | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
739 | EQGRP_tunnel_state_reader | EQGRP Toolset Firewall - file tunnel_state_reader | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
740 | EQGRP_uninstallPBD | EQGRP Toolset Firewall - file uninstallPBD.bat | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
741 | EQGRP_userscript | EQGRP Toolset Firewall - file userscript.FW | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
742 | EQGRP_workit | EQGRP Toolset Firewall - file workit.py | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | |
743 | EXE_cloaked_as_TXT | Executable with TXT extension | - | 1970-01-01 01:00:00 | 70 | Florian Roth | EXE,EXTVAR,FILE |
744 | EXE_extension_cloaking | Executable showing different extension (Windows default 'hide known extension') | - | 1970-01-01 01:00:00 | 70 | Florian Roth | EXTVAR |
745 | EXP_DriveCrypt_1 | Detects DriveCrypt exploit | Internal Research | 2018-08-21 00:00:00 | 70 | Florian Roth | EXE,FILE |
746 | EXP_DriveCrypt_x64passldr | Detects DriveCrypt exploit | Internal Research | 2018-08-21 00:00:00 | 70 | Florian Roth | EXE,FILE |
747 | EXP_Libre_Office_CVE_2018_16858 | RCE in Libre Office with crafted ODT file (CVE-2018-16858) | https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html | 2019-02-01 00:00:00 | 70 | John Lambert @JohnLaTwC / modified by Florian Roth | EXPLOIT,FILE,OFFICE |
748 | EXP_potential_CVE_2017_11882 | - | https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html | 1970-01-01 01:00:00 | 70 | ReversingLabs | EXPLOIT,FILE |
749 | EditKeyLog | Disclosed hacktool set (old stuff) - file EditKeyLog.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
750 | EditKeyLogReadMe | Disclosed hacktool set (old stuff) - file EditKeyLogReadMe.txt | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
751 | EditServer | Disclosed hacktool set (old stuff) - file EditServer.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
752 | EditServer_2 | Webshells Auto-generated - file EditServer.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
753 | EditServer_EXE | Webshells Auto-generated - file EditServer.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
754 | EldoS_RawDisk | EldoS Rawdisk Device Driver (Commercial raw disk access driver - used in Operation Shamoon 2.0) | https://goo.gl/jKIfGB | 2016-12-01 00:00:00 | 50 | Florian Roth (with Binar.ly) | EXE,FILE,MIDDLE_EAST |
755 | Elise_Jan18_1 | Detects Elise malware samples - fake Norton Security NavShExt.dll | https://twitter.com/blu3_team/status/955971742329135105 | 2018-01-24 00:00:00 | 70 | Florian Roth | EXE,FILE |
756 | Embedded_EXE_Cloaking | Detects an embedded executable in a non-executable file | - | 2015-02-27 00:00:00 | 65 | Florian Roth | EXTVAR |
757 | Emdivi_Gen1 | Detects Emdivi Malware | https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/ | 2015-08-20 00:00:00 | 80 | Florian Roth @Cyber0ps | EXE,FILE,MAL |
758 | Emdivi_Gen2 | Detects Emdivi Malware | https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/ | 2015-08-20 00:00:00 | 80 | Florian Roth @Cyber0ps | EXE,FILE,MAL |
759 | Emdivi_Gen3 | Detects Emdivi Malware | https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/ | 2015-08-20 00:00:00 | 80 | Florian Roth @Cyber0ps | EXE,FILE,MAL |
760 | Emdivi_Gen4 | Detects Emdivi Malware | https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/ | 2015-08-20 00:00:00 | 80 | Florian Roth @Cyber0ps | EXE,FILE,MAL |
761 | Emdivi_SFX | Detects Emdivi malware in SFX Archive | https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/ | 2015-08-20 00:00:00 | 70 | Florian Roth @Cyber0ps | EXE,FILE |
762 | Emissary_APT_Malware_1 | Detect Emissary Malware - from samples A08E81B411.DAT, ishelp.dll | http://goo.gl/V0epcf | 2016-01-02 00:00:00 | 75 | Florian Roth | APT,EXE,FILE,MAL |
763 | Empire_Agent_Gen | Detects Empire component - from files agent.ps1, agent.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE |
764 | Empire_Exploit_JBoss | Detects Empire component - file Exploit-JBoss.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE |
765 | Empire_Exploit_Jenkins | Detects Empire component - file Exploit-Jenkins.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE |
766 | Empire_Get_GPPPassword | Detects Empire component - file Get-GPPPassword.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE |
767 | Empire_Get_Keystrokes | Detects Empire component - file Get-Keystrokes.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE |
768 | Empire_Get_SecurityPackages | Detects Empire component - file Get-SecurityPackages.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE |
769 | Empire_Install_SSP | Detects Empire component - file Install-SSP.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE |
770 | Empire_Invoke_BypassUAC | Empire - a pure PowerShell post-exploitation agent - file Invoke-BypassUAC.ps1 | https://github.com/PowerShellEmpire/Empire | 2015-08-06 00:00:00 | 70 | Florian Roth | SCRIPT |
771 | Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen | Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE,HKTL |
772 | Empire_Invoke_DllInjection | Detects Empire component - file Invoke-DllInjection.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE,HKTL |
773 | Empire_Invoke_EgressCheck | Detects Empire component - file Invoke-EgressCheck.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE |
774 | Empire_Invoke_Gen | Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE,HKTL |
775 | Empire_Invoke_InveighRelay_Gen | Detects Empire component - from files Invoke-InveighRelay.ps1, Invoke-InveighRelay.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE |
776 | Empire_Invoke_MetasploitPayload | Detects Empire component - file Invoke-MetasploitPayload.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE,METASPLOIT |
777 | Empire_Invoke_Mimikatz | Empire - a pure PowerShell post-exploitation agent - file Invoke-Mimikatz.ps1 | https://github.com/PowerShellEmpire/Empire | 2015-08-06 00:00:00 | 70 | Florian Roth | SCRIPT |
778 | Empire_Invoke_Mimikatz_Gen | Detects Empire component - file Invoke-Mimikatz.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE |
779 | Empire_Invoke_Portscan_Gen | Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE |
780 | Empire_Invoke_PostExfil | Detects Empire component - file Invoke-PostExfil.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE |
781 | Empire_Invoke_PowerDump | Detects Empire component - file Invoke-PowerDump.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE,HKTL |
782 | Empire_Invoke_PsExec | Detects Empire component - file Invoke-PsExec.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE |
783 | Empire_Invoke_SMBAutoBrute | Detects Empire component - file Invoke-SMBAutoBrute.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE |
784 | Empire_Invoke_SSHCommand | Detects Empire component - file Invoke-SSHCommand.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE |
785 | Empire_Invoke_Shellcode | Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1 | https://github.com/PowerShellEmpire/Empire | 2015-08-06 00:00:00 | 70 | Florian Roth | SCRIPT |
786 | Empire_Invoke_ShellcodeMSIL | Detects Empire component - file Invoke-ShellcodeMSIL.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE |
787 | Empire_Invoke_SmbScanner | Detects Empire component - file Invoke-SmbScanner.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE,HKTL |
788 | Empire_KeePassConfig | Detects Empire component - file KeePassConfig.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE |
789 | Empire_KeePassConfig_Gen | Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE |
790 | Empire_Out_Minidump | Detects Empire component - file Out-Minidump.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE |
791 | Empire_Persistence | Empire - a pure PowerShell post-exploitation agent - file Persistence.psm1 | https://github.com/PowerShellEmpire/Empire | 2015-08-06 00:00:00 | 70 | Florian Roth | SCRIPT |
792 | Empire_PowerShell_Framework_Gen1 | Detects Empire component | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE,SCRIPT |
793 | Empire_PowerShell_Framework_Gen2 | Detects Empire component | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE,SCRIPT |
794 | Empire_PowerShell_Framework_Gen3 | Detects Empire component | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE,SCRIPT |
795 | Empire_PowerShell_Framework_Gen4 | Detects Empire component | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE,SCRIPT |
796 | Empire_PowerShell_Framework_Gen5 | Detects Empire component | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE,SCRIPT |
797 | Empire_PowerUp_Gen | Detects Empire component - from files PowerUp.ps1, PowerUp.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE |
798 | Empire_ReflectivePick_x64_orig | Detects Empire component - file ReflectivePick_x64_orig.dll | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | EXE,FILE |
799 | Empire_Write_HijackDll | Empire - a pure PowerShell post-exploitation agent - file Write-HijackDll.ps1 | https://github.com/PowerShellEmpire/Empire | 2015-08-06 00:00:00 | 70 | Florian Roth | SCRIPT |
800 | Empire__Users_neo_code_Workspace_Empire_4sigs_PowerUp | Detects Empire component - file PowerUp.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE |
801 | Empire_dumpCredStore | Detects Empire component - file dumpCredStore.ps1 | https://github.com/adaptivethreat/Empire | 2016-11-05 00:00:00 | 70 | Florian Roth | FILE |
802 | Empire_invoke_wmi | Empire - a pure PowerShell post-exploitation agent - file invoke_wmi.py | https://github.com/PowerShellEmpire/Empire | 2015-08-06 00:00:00 | 70 | Florian Roth | SCRIPT |
803 | Empire_lib_modules_credentials_mimikatz_pth | Empire - a pure PowerShell post-exploitation agent - file pth.py | https://github.com/PowerShellEmpire/Empire | 2015-08-06 00:00:00 | 70 | Florian Roth | SCRIPT |
804 | Empire_lib_modules_trollsploit_message | Empire - a pure PowerShell post-exploitation agent - file message.py | https://github.com/PowerShellEmpire/Empire | 2015-08-06 00:00:00 | 70 | Florian Roth | SCRIPT |
805 | Empire_portscan | Empire - a pure PowerShell post-exploitation agent - file portscan.py | https://github.com/PowerShellEmpire/Empire | 2015-08-06 00:00:00 | 70 | Florian Roth | SCRIPT |
806 | Empire_skeleton_key | Empire - a pure PowerShell post-exploitation agent - file skeleton_key.py | https://github.com/PowerShellEmpire/Empire | 2015-08-06 00:00:00 | 70 | Florian Roth | SCRIPT |
807 | Enfal_Malware | Detects a certain type of Enfal Malware | not set | 2015-02-10 00:00:00 | 60 | Florian Roth | MAL |
808 | Enfal_Malware_Backdoor | Generic Rule to detect the Enfal Malware | - | 2015-02-10 00:00:00 | 60 | Florian Roth | GEN,MAL |
809 | EnigmaPacker_Rare | Detects an ENIGMA packed executable | Internal Research | 2017-04-27 00:00:00 | 60 | Florian Roth | EXE,FILE |
810 | Enigma_Protected_Malware | Detects samples packed by Enigma Protector | https://goo.gl/OEVQ9w | 2017-02-03 00:00:00 | 70 | Florian Roth with the help of binar.ly | EXE,FILE |
811 | Enigma_Protected_Malware_May17_RhxFiles | Auto-generated rule - file RhxFiles.dll | Internal Research | 2017-05-02 00:00:00 | 70 | Florian Roth with the help of binar.ly | EXE,FILE,MAL |
812 | EquationDrug_CompatLayer_UnilayDLL | EquationDrug - Unilay.DLL | http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ | 2015-03-11 00:00:00 | 70 | Florian Roth @4nc4p | |
813 | EquationDrug_FileSystem_Filter | EquationDrug - Filesystem filter driver - volrec.sys, scsi2mgr.sys | http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ | 2015-03-11 00:00:00 | 70 | Florian Roth @4nc4p | |
814 | EquationDrug_HDDSSD_Op | EquationDrug - HDD/SSD firmware operation - nls_933w.dll | http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ | 2015-03-11 00:00:00 | 70 | Florian Roth @4nc4p | |
815 | EquationDrug_KernelRootkit | EquationDrug - Kernel mode stage 0 and rootkit (Windows 2000 and above) - msndsrv.sys | http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ | 2015-03-11 00:00:00 | 70 | Florian Roth @4nc4p | |
816 | EquationDrug_Keylogger | EquationDrug - Key/clipboard logger driver - msrtvd.sys | http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ | 2015-03-11 00:00:00 | 70 | Florian Roth @4nc4p | HKTL |
817 | EquationDrug_MS_Identifier | Microsoft Identifier used in EquationDrug Platform | - | 2015-03-11 00:00:00 | 70 | Florian Roth @4nc4p | |
818 | EquationDrug_NetworkSniffer1 | EquationDrug - Backdoor driven by network sniffer - mstcp32.sys, fat32.sys | http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ | 2015-03-11 00:00:00 | 70 | Florian Roth @4nc4p | MAL |
819 | EquationDrug_NetworkSniffer2 | EquationDrug - Network Sniffer - tdip.sys | http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ | 2015-03-11 00:00:00 | 70 | Florian Roth @4nc4p | |
820 | EquationDrug_NetworkSniffer3 | EquationDrug - Network Sniffer - tdip.sys | http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ | 2015-03-11 00:00:00 | 70 | Florian Roth @4nc4p | |
821 | EquationDrug_NetworkSniffer4 | EquationDrug - Network-sniffer/patcher - atmdkdrv.sys | http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ | 2015-03-11 00:00:00 | 70 | Florian Roth @4nc4p | |
822 | EquationDrug_NetworkSniffer5 | EquationDrug - Network-sniffer/patcher - atmdkdrv.sys | http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ | 2015-03-11 00:00:00 | 70 | Florian Roth @4nc4p | |
823 | EquationDrug_PlatformOrchestrator | EquationDrug - Platform orchestrator - mscfg32.dll, svchost32.dll | http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ | 2015-03-11 00:00:00 | 70 | Florian Roth @4nc4p | |
824 | EquationDrug_VolRec_Driver | EquationDrug - Collector plugin for Volrec - msrstd.sys | http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/ | 2015-03-11 00:00:00 | 70 | Florian Roth @4nc4p | |
825 | EquationGroup_Auditcleaner | Equation Group hack tool leaked by ShadowBrokers - file Auditcleaner | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | HKTL |
826 | EquationGroup_DUL | Equation Group hack tool leaked by ShadowBrokers - file DUL | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
827 | EquationGroup_DXGHLP16 | EquationGroup Malware - file DXGHLP16.SYS | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
828 | EquationGroup_EquationDrug_Gen_1 | EquationGroup Malware | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,GEN,MAL |
829 | EquationGroup_EquationDrug_Gen_2 | EquationGroup Malware - file PortMap_Implant.dll | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Auto Generated | EXE,FILE,GEN,MAL |
830 | EquationGroup_EquationDrug_Gen_3 | EquationGroup Malware - file mssld.dll | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Auto Generated | EXE,FILE,GEN,MAL |
831 | EquationGroup_EquationDrug_Gen_4 | EquationGroup Malware - file PC_Level4_flav_dll | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Auto Generated | EXE,FILE,GEN,MAL |
832 | EquationGroup_EquationDrug_Gen_5 | EquationGroup Malware - file PC_Level3_http_dll | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,GEN,MAL |
833 | EquationGroup_EquationDrug_Gen_6 | EquationGroup Malware - file PC_Level3_dll_x64 | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,GEN,MAL |
834 | EquationGroup_EquationDrug_msgkd | EquationGroup Malware - file msgkd.ex_ | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
835 | EquationGroup_EquationDrug_mstcp32 | EquationGroup Malware - file mstcp32.sys | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
836 | EquationGroup_EquationDrug_ntevt | EquationGroup Malware - file ntevt.sys | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
837 | EquationGroup_EquationDrug_tdi6 | EquationGroup Malware - file tdi6.sys | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
838 | EquationGroup_EventLogEdit_Implant | EquationGroup Malware - file EventLogEdit_Implant.dll | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
839 | EquationGroup_GetAdmin_Lp | EquationGroup Malware - file GetAdmin_Lp.dll | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
840 | EquationGroup_LSADUMP_Lp | EquationGroup Malware - file LSADUMP_Lp.dll | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL,MAL |
841 | EquationGroup_ModifyGroup_Lp | EquationGroup Malware - file ModifyGroup_Lp.dll | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
842 | EquationGroup_PC_Level3_http_flav_dll | EquationGroup Malware - file PC_Level3_http_flav_dll | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
843 | EquationGroup_PC_Level3_http_flav_dll_x64 | EquationGroup Malware - file PC_Level3_http_flav_dll_x64 | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
844 | EquationGroup_PC_Level4_flav_dll_x64 | EquationGroup Malware - file PC_Level4_flav_dll_x64 | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
845 | EquationGroup_PC_Level4_flav_exe | EquationGroup Malware - file PC_Level4_flav_exe | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
846 | EquationGroup_PassFreely_Lp | EquationGroup Malware - file PassFreely_Lp.dll | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
847 | EquationGroup_PortMap_Lp | EquationGroup Malware - file PortMap_Lp.dll | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
848 | EquationGroup_ProcessHide_Lp | EquationGroup Malware - file ProcessHide_Lp.dll | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
849 | EquationGroup_ProcessOptions_Lp | EquationGroup Malware - file ProcessOptions_Lp.dll | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
850 | EquationGroup_RunAsChild_Lp | EquationGroup Malware - file RunAsChild_Lp.dll | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
851 | EquationGroup_Toolset_Apr17_ActiveDirectory_Target | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
852 | EquationGroup_Toolset_Apr17_AdUser_Implant | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
853 | EquationGroup_Toolset_Apr17_Architouch_1_0_0 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
854 | EquationGroup_Toolset_Apr17_Architouch_Eternalsynergy_Smbtouch | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
855 | EquationGroup_Toolset_Apr17_Banner_Implant9x | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
856 | EquationGroup_Toolset_Apr17_DS_ParseLogs | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
857 | EquationGroup_Toolset_Apr17_Darkpulsar_1_1_0 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
858 | EquationGroup_Toolset_Apr17_DiBa_Target | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
859 | EquationGroup_Toolset_Apr17_DiBa_Target_2000 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
860 | EquationGroup_Toolset_Apr17_DiBa_Target_BH | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
861 | EquationGroup_Toolset_Apr17_DiBa_Target_BH_2000 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
862 | EquationGroup_Toolset_Apr17_DllLoad_Target | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
863 | EquationGroup_Toolset_Apr17_DmGz_Target | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
864 | EquationGroup_Toolset_Apr17_DmGz_Target_2 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
865 | EquationGroup_Toolset_Apr17_DoubleFeatureDll_dll_2 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
866 | EquationGroup_Toolset_Apr17_DoubleFeatureDll_dll_3 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
867 | EquationGroup_Toolset_Apr17_Doublepulsar_1_3_1 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
868 | EquationGroup_Toolset_Apr17_Dsz_Implant | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
869 | EquationGroup_Toolset_Apr17_EXPA | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
870 | EquationGroup_Toolset_Apr17_Easybee_1_0_1 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
871 | EquationGroup_Toolset_Apr17_Easypi_Explodingcan | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
872 | EquationGroup_Toolset_Apr17_Eclipsedwing_Rpcproxy_Pcdlllauncher | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
873 | EquationGroup_Toolset_Apr17_Eclipsedwingtouch_1_0_4 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
874 | EquationGroup_Toolset_Apr17_Educatedscholar_1_0_0 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
875 | EquationGroup_Toolset_Apr17_Educatedscholartouch_1_0_0 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
876 | EquationGroup_Toolset_Apr17_Englishmansdentist_1_2_0 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
877 | EquationGroup_Toolset_Apr17_EpWrapper | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
878 | EquationGroup_Toolset_Apr17_Erraticgopher_1_0_1 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
879 | EquationGroup_Toolset_Apr17_Erraticgophertouch_1_0_1 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
880 | EquationGroup_Toolset_Apr17_Esteemaudit_2_1_0 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
881 | EquationGroup_Toolset_Apr17_Esteemaudittouch_2_1_0 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
882 | EquationGroup_Toolset_Apr17_Eternalromance | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
883 | EquationGroup_Toolset_Apr17_Eternalromance_2 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
884 | EquationGroup_Toolset_Apr17_Explodingcantouch_1_2_1 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
885 | EquationGroup_Toolset_Apr17_GangsterThief_Implant | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
886 | EquationGroup_Toolset_Apr17_Gen1 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
887 | EquationGroup_Toolset_Apr17_Gen2 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
888 | EquationGroup_Toolset_Apr17_Gen3 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
889 | EquationGroup_Toolset_Apr17_Gen4 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
890 | EquationGroup_Toolset_Apr17_GenKey | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
891 | EquationGroup_Toolset_Apr17_GetAdmin_LSADUMP_ModifyPrivilege_Implant | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
892 | EquationGroup_Toolset_Apr17_GrDo_FileScanner_Implant | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
893 | EquationGroup_Toolset_Apr17_Ifconfig_Target | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
894 | EquationGroup_Toolset_Apr17_Iistouch_1_2_2 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
895 | EquationGroup_Toolset_Apr17_KisuComms_Target_2000 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
896 | EquationGroup_Toolset_Apr17_Mcl_NtMemory_Std | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
897 | EquationGroup_Toolset_Apr17_Mofconfig_1_0_0 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
898 | EquationGroup_Toolset_Apr17_Namedpipetouch_2_0_0 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
899 | EquationGroup_Toolset_Apr17_Oracle_Implant | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
900 | EquationGroup_Toolset_Apr17_PC_Exploit | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
901 | EquationGroup_Toolset_Apr17_PC_LP | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
902 | EquationGroup_Toolset_Apr17_PC_Legacy_dll | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
903 | EquationGroup_Toolset_Apr17_PC_Level3_Gen | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
904 | EquationGroup_Toolset_Apr17_PC_Level3_http_exe | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
905 | EquationGroup_Toolset_Apr17_PC_Level_Generic | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
906 | EquationGroup_Toolset_Apr17_PacketScan_Implant | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
907 | EquationGroup_Toolset_Apr17_ParseCapture | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
908 | EquationGroup_Toolset_Apr17_Processes_Target | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
909 | EquationGroup_Toolset_Apr17_Regread_1_1_1 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
910 | EquationGroup_Toolset_Apr17_RemoteCommand_Lp | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
911 | EquationGroup_Toolset_Apr17_RemoteExecute_Implant | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
912 | EquationGroup_Toolset_Apr17_RemoteExecute_Target | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
913 | EquationGroup_Toolset_Apr17_Rpctouch_2_1_0 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
914 | EquationGroup_Toolset_Apr17_SendPKTrigger | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
915 | EquationGroup_Toolset_Apr17_SetCallback | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
916 | EquationGroup_Toolset_Apr17_SetCallbackPorts | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
917 | EquationGroup_Toolset_Apr17_SetOurAddr | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
918 | EquationGroup_Toolset_Apr17_SetPorts | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
919 | EquationGroup_Toolset_Apr17_SetResourceName | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
920 | EquationGroup_Toolset_Apr17_Shares_Target | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
921 | EquationGroup_Toolset_Apr17_SlDecoder | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
922 | EquationGroup_Toolset_Apr17_Smbtouch_1_1_1 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
923 | EquationGroup_Toolset_Apr17_Windows_Implant | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
924 | EquationGroup_Toolset_Apr17__AddResource | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
925 | EquationGroup_Toolset_Apr17__DoubleFeatureReader_DoubleFeatureReader_0 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
926 | EquationGroup_Toolset_Apr17__EAFU_ecwi_ESKE_EVFR_RPC2_4 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
927 | EquationGroup_Toolset_Apr17__ELV_ESKE_13 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
928 | EquationGroup_Toolset_Apr17__ELV_ESKE_ETBL_ETRE_EVFR_11 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
929 | EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_16 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
930 | EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_RPC2_15 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
931 | EquationGroup_Toolset_Apr17__ELV_ESKE_EVFR_RideArea2_12 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
932 | EquationGroup_Toolset_Apr17__ESKE_RPC2_8 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
933 | EquationGroup_Toolset_Apr17__ETBL_ETRE_10 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
934 | EquationGroup_Toolset_Apr17__ETBL_ETRE_SMBTOUCH_17 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
935 | EquationGroup_Toolset_Apr17__Emphasismine | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
936 | EquationGroup_Toolset_Apr17__LSADUMP_Lp_ModifyPrivilege_Lp_PacketScan_Lp_put_Lp_RemoteExecute_Lp_Windows_Lp_wmi_Lp_9 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
937 | EquationGroup_Toolset_Apr17__NameProbe_SMBTOUCH_14 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
938 | EquationGroup_Toolset_Apr17__SendCFTrigger_SendPKTrigger_6 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
939 | EquationGroup_Toolset_Apr17__ecwi_ESKE_EVFR_RPC2_2 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
940 | EquationGroup_Toolset_Apr17__vtuner_vtuner_1 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
941 | EquationGroup_Toolset_Apr17_clocksvc | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
942 | EquationGroup_Toolset_Apr17_drivers_Implant | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
943 | EquationGroup_Toolset_Apr17_greatdoc_dll_config | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
944 | EquationGroup_Toolset_Apr17_lp_mstcp | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
945 | EquationGroup_Toolset_Apr17_msgkd_msslu64_msgki_mssld | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
946 | EquationGroup_Toolset_Apr17_msgks_mskgu | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
947 | EquationGroup_Toolset_Apr17_mstcp32_DXGHLP16_tdip | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
948 | EquationGroup_Toolset_Apr17_ntevt | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
949 | EquationGroup_Toolset_Apr17_ntfltmgr | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
950 | EquationGroup_Toolset_Apr17_promiscdetect_safe | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
951 | EquationGroup_Toolset_Apr17_put_Implant9x | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
952 | EquationGroup_Toolset_Apr17_pwd_Implant | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
953 | EquationGroup_Toolset_Apr17_rc5 | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
954 | EquationGroup_Toolset_Apr17_regprobe | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
955 | EquationGroup_Toolset_Apr17_renamer | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
956 | EquationGroup_Toolset_Apr17_scanner | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
957 | EquationGroup_Toolset_Apr17_st_lp | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
958 | EquationGroup_Toolset_Apr17_svctouch | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
959 | EquationGroup_Toolset_Apr17_tacothief | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
960 | EquationGroup_Toolset_Apr17_wmi_Implant | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
961 | EquationGroup_Toolset_Apr17_xxxRIDEAREA | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
962 | EquationGroup_Toolset_Apr17_yak | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
963 | EquationGroup_Toolset_Apr17_yak_min_install | Detects EquationGroup Tool - April Leak | https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation | 2017-04-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
964 | EquationGroup__ftshell | Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7 | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
965 | EquationGroup__ftshell_ftshell_v3_10_3_0 | Equation Group hack tool leaked by ShadowBrokers- from files ftshell, ftshell.v3.10.3.7 | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
966 | EquationGroup__funnelout_v4_1_0_1 | Equation Group hack tool leaked by ShadowBrokers- from files funnelout.v4.1.0.1.pl | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
967 | EquationGroup__ghost_sparc_ghost_x86_3 | Equation Group hack tool leaked by ShadowBrokers- from files ghost_sparc, ghost_x86 | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
968 | EquationGroup__jparsescan_parsescan_5 | Equation Group hack tool leaked by ShadowBrokers- from files jparsescan, parsescan | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
969 | EquationGroup__magicjack_v1_1_0_0_client | Equation Group hack tool leaked by ShadowBrokers- from files magicjack_v1.1.0.0_client-1.1.0.0.py | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
970 | EquationGroup__pclean_v2_1_1_pclean_v2_1_1_4 | Equation Group hack tool leaked by ShadowBrokers- from files pclean.v2.1.1.0-linux-i386, pclean.v2.1.1.0-linux-x86_64 | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
971 | EquationGroup__scanner_scanner_v2_1_2 | Equation Group hack tool leaked by ShadowBrokers- from files scanner, scanner.v2.1.2 | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
972 | EquationGroup_calserver | Equation Group hack tool leaked by ShadowBrokers- file calserver | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
973 | EquationGroup_charm_saver_win2k_v_2_0_0 | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | EXE,FILE |
974 | EquationGroup_cmsd | Equation Group hack tool leaked by ShadowBrokers- file cmsd | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
975 | EquationGroup_cmsex | Equation Group hack tool leaked by ShadowBrokers- file cmsex | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
976 | EquationGroup_cryptTool | Equation Group hack tool leaked by ShadowBrokers- file cryptTool | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
977 | EquationGroup_curseflower_mswin32_v_1_0_0 | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | EXE,FILE |
978 | EquationGroup_cursehappy_win2k_v_6_1_0 | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | EXE,FILE |
979 | EquationGroup_cursehelper_win2k_i686_v_2_2_0 | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | EXE,FILE |
980 | EquationGroup_curseroot_win2k_v_2_1_0 | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | EXE,FILE |
981 | EquationGroup_cursesleepy_mswin32_v_1_0_0 | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | EXE,FILE |
982 | EquationGroup_cursetingle_2_0_1_2_mswin32_v_2_0_1 | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | EXE,FILE |
983 | EquationGroup_cursewham_curserazor_cursezinger_curseroot_win2k | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | EXE,FILE |
984 | EquationGroup_curseyo_win2k_v_1_0_0 | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | EXE,FILE |
985 | EquationGroup_cursezinger_linuxrh7_3_v_2_0_0 | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | FILE |
986 | EquationGroup_dumppoppy | Equation Group hack tool leaked by ShadowBrokers- file dumppoppy | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | HKTL |
987 | EquationGroup_ebbisland | Equation Group hack tool leaked by ShadowBrokers- file ebbisland | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | HKTL |
988 | EquationGroup_ebbshave | Equation Group hack tool leaked by ShadowBrokers- file ebbshave.v5 | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
989 | EquationGroup_eggbasket | Equation Group hack tool leaked by ShadowBrokers- file eggbasket | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
990 | EquationGroup_eh_1_1_0 | Equation Group hack tool leaked by ShadowBrokers- file eh.1.1.0.0 | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
991 | EquationGroup_elatedmonkey_1_0_1_1 | Equation Group hack tool leaked by ShadowBrokers- file elatedmonkey.1.0.1.1.sh | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
992 | EquationGroup_electricslide | Equation Group hack tool leaked by ShadowBrokers- file electricslide | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
993 | EquationGroup_elgingamble | Equation Group hack tool leaked by ShadowBrokers- file elgingamble | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | HKTL |
994 | EquationGroup_emptycriss | Equation Group hack tool leaked by ShadowBrokers- file emptycriss | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | HKTL |
995 | EquationGroup_envisioncollision | Equation Group hack tool leaked by ShadowBrokers- file envisioncollision | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
996 | EquationGroup_envoytomato | Equation Group hack tool leaked by ShadowBrokers- file envoytomato | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | HKTL |
997 | EquationGroup_epoxyresin_v1_0_0 | Equation Group hack tool leaked by ShadowBrokers- file epoxyresin.v1.0.0.1 | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
998 | EquationGroup_estesfox | Equation Group hack tool leaked by ShadowBrokers- file estesfox | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | HKTL |
999 | EquationGroup_estopmoonlit | Equation Group hack tool leaked by ShadowBrokers- file estopmoonlit | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | HKTL |
1000 | EquationGroup_evolvingstrategy_1_0_1 | Equation Group hack tool leaked by ShadowBrokers- file evolvingstrategy.1.0.1.1 | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | HKTL |
1001 | EquationGroup_ewok | Equation Group hack tool leaked by ShadowBrokers- file ewok | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
1002 | EquationGroup_exze | Equation Group hack tool leaked by ShadowBrokers- file exze | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
1003 | EquationGroup_gr | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | |
1004 | EquationGroup_gr_dev_bin_now | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | |
1005 | EquationGroup_gr_dev_bin_post | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | |
1006 | EquationGroup_jackpop | Equation Group hack tool leaked by ShadowBrokers- file jackpop | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
1007 | EquationGroup_jparsescan | Equation Group hack tool leaked by ShadowBrokers- file jparsescan | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | HKTL |
1008 | EquationGroup_jscan | Equation Group hack tool leaked by ShadowBrokers- file jscan | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | HKTL |
1009 | EquationGroup_libXmexploit2 | Equation Group hack tool leaked by ShadowBrokers- file libXmexploit2.8 | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
1010 | EquationGroup_linux_exactchange | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | FILE |
1011 | EquationGroup_magicjack_v1_1_0_0_client_1_1_0_0 | Equation Group hack tool leaked by ShadowBrokers- file magicjack_v1.1.0.0_client-1.1.0.0.py | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
1012 | EquationGroup_modifyAudit_Implant | EquationGroup Malware - file modifyAudit_Implant.dll | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1013 | EquationGroup_modifyAudit_Lp | EquationGroup Malware - file modifyAudit_Lp.dll | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1014 | EquationGroup_modifyAuthentication_Implant | EquationGroup Malware - file modifyAuthentication_Implant.dll | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1015 | EquationGroup_morerats_client_Store | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | FILE |
1016 | EquationGroup_morerats_client_addkey | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | |
1017 | EquationGroup_morerats_client_genkey | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | |
1018 | EquationGroup_morerats_client_noprep | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | |
1019 | EquationGroup_nethide_Implant | EquationGroup Malware - file nethide_Implant.dll | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1020 | EquationGroup_nethide_Lp | EquationGroup Malware - file nethide_Lp.dll | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1021 | EquationGroup_noclient_3_3_2 | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | |
1022 | EquationGroup_ntfltmgr | EquationGroup Malware - file ntfltmgr.sys | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1023 | EquationGroup_orleans_stride_sunos5_9_v_2_4_0 | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | FILE |
1024 | EquationGroup_packrat | Equation Group hack tool leaked by ShadowBrokers- file packrat | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | HKTL |
1025 | EquationGroup_parsescan | Equation Group hack tool leaked by ShadowBrokers- file parsescan | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | HKTL |
1026 | EquationGroup_pclean_v2_1_1_2 | Equation Group hack tool leaked by ShadowBrokers- file pclean.v2.1.1.0-linux-i386 | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
1027 | EquationGroup_porkclient | Equation Group hack tool leaked by ShadowBrokers- file porkclient | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
1028 | EquationGroup_porkserver | Equation Group hack tool leaked by ShadowBrokers- file porkserver | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
1029 | EquationGroup_porkserver_v3_0_0 | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | FILE |
1030 | EquationGroup_processinfo_Implant | EquationGroup Malware - file processinfo_Implant.dll | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1031 | EquationGroup_promptkill | Equation Group hack tool leaked by ShadowBrokers- file promptkill | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | HKTL |
1032 | EquationGroup_pwdump_Implant | EquationGroup Malware - file pwdump_Implant.dll | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1033 | EquationGroup_pwdump_Lp | EquationGroup Malware - file pwdump_Lp.dll | https://goo.gl/tcSoiJ | 2017-01-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1034 | EquationGroup_ratload | Equation Group hack tool leaked by ShadowBrokers- file ratload | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | HKTL |
1035 | EquationGroup_reverse_shell | Equation Group hack tool leaked by ShadowBrokers- file reverse.shell.script | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | HKTL |
1036 | EquationGroup_sambal | Equation Group hack tool leaked by ShadowBrokers- file sambal | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
1037 | EquationGroup_scanner | Equation Group hack tool leaked by ShadowBrokers- file scanner | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | HKTL |
1038 | EquationGroup_scanner_output | Detects output generated by EQGRP scanner.exe | Internal Research | 2017-04-17 00:00:00 | 70 | Florian Roth | |
1039 | EquationGroup_scripme | Equation Group hack tool leaked by ShadowBrokers- file scripme | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | HKTL |
1040 | EquationGroup_seconddate_ImplantStandalone_3_0_3 | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | FILE |
1041 | EquationGroup_slugger2 | Equation Group hack tool leaked by ShadowBrokers- file slugger2 | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
1042 | EquationGroup_smash | Equation Group hack tool leaked by ShadowBrokers- file smash | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | HKTL |
1043 | EquationGroup_sshobo | Equation Group hack tool leaked by ShadowBrokers- file sshobo | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
1044 | EquationGroup_store_linux_i386_v_3_3_0 | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | FILE |
1045 | EquationGroup_telex | Equation Group hack tool leaked by ShadowBrokers- file telex | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
1046 | EquationGroup_tmpwatch | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | |
1047 | EquationGroup_tnmunger | Equation Group hack tool leaked by ShadowBrokers- file tnmunger | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
1048 | EquationGroup_toast_v3_2_0 | Equation Group hack tool leaked by ShadowBrokers- file toast_v3.2.0.1-linux | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
1049 | EquationGroup_watcher_linux_i386_v_3_3_0 | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | FILE |
1050 | EquationGroup_watcher_linux_x86_64_v_3_3_0 | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | FILE |
1051 | EquationGroup_watcher_solaris_i386_v_3_3_0 | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | FILE |
1052 | EquationGroup_wrap_telnet | Equation Group hack tool leaked by ShadowBrokers- file wrap-telnet.sh | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
1053 | EquationGroup_x86_linux_exactchange | Equation Group hack tool set | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-09 00:00:00 | 70 | Florian Roth | FILE |
1054 | EquationGroup_xspy | Equation Group hack tool leaked by ShadowBrokers- file xspy | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
1055 | EquationGroup_ys | Equation Group hack tool leaked by ShadowBrokers- file ys.auto | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | HKTL |
1056 | EquationGroup_ys_ratload | Equation Group hack tool leaked by ShadowBrokers- file ys.ratload.sh | https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1 | 2017-04-08 00:00:00 | 70 | Florian Roth | FILE,HKTL |
1057 | Equation_Kaspersky_DoubleFantasy_1 | Equation Group Malware - DoubleFantasy | http://goo.gl/ivt8EW | 2015-02-16 00:00:00 | 70 | Florian Roth | MAL |
1058 | Equation_Kaspersky_EOP_Package | Equation Group Malware - EoP package and malware launcher | http://goo.gl/ivt8EW | 2015-02-16 00:00:00 | 70 | Florian Roth | MAL |
1059 | Equation_Kaspersky_EquationDrugInstaller | Equation Group Malware - EquationDrug installer LUTEUSOBSTOS | http://goo.gl/ivt8EW | 2015-02-16 00:00:00 | 70 | Florian Roth | MAL |
1060 | Equation_Kaspersky_EquationLaserInstaller | Equation Group Malware - EquationLaser Installer | http://goo.gl/ivt8EW | 2015-02-16 00:00:00 | 70 | Florian Roth | MAL |
1061 | Equation_Kaspersky_FannyWorm | Equation Group Malware - Fanny Worm | http://goo.gl/ivt8EW | 2015-02-16 00:00:00 | 70 | Florian Roth | MAL |
1062 | Equation_Kaspersky_GROK_Keylogger | Equation Group Malware - GROK keylogger | http://goo.gl/ivt8EW | 2015-02-16 00:00:00 | 70 | Florian Roth | HKTL,MAL |
1063 | Equation_Kaspersky_GreyFishInstaller | Equation Group Malware - Grey Fish | http://goo.gl/ivt8EW | 2015-02-16 00:00:00 | 70 | Florian Roth | MAL |
1064 | Equation_Kaspersky_HDD_reprogramming_module | Equation Group Malware - HDD reprogramming module | http://goo.gl/ivt8EW | 2015-02-16 00:00:00 | 70 | Florian Roth | MAL |
1065 | Equation_Kaspersky_SuspiciousString | Equation Group Malware - suspicious string found in sample | http://goo.gl/ivt8EW | 2015-02-17 00:00:00 | 60 | Florian Roth | MAL |
1066 | Equation_Kaspersky_TripleFantasy_1 | Equation Group Malware - TripleFantasy http://goo.gl/ivt8EW | http://goo.gl/ivt8EW | 2015-02-16 00:00:00 | 70 | Florian Roth | MAL |
1067 | Equation_Kaspersky_TripleFantasy_Loader | Equation Group Malware - TripleFantasy Loader | http://goo.gl/ivt8EW | 2015-02-16 00:00:00 | 70 | Florian Roth | MAL |
1068 | EternalRocks_svchost | Detects EternalRocks Malware - file taskhost.exe | https://twitter.com/stamparm/status/864865144748298242 | 2017-05-18 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1069 | EternalRocks_taskhost | Detects EternalRocks Malware - file taskhost.exe | https://twitter.com/stamparm/status/864865144748298242 | 2017-05-18 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1070 | Exe_Cloaked_as_ThumbsDb | Detects an executable cloaked as thumbs.db - Malware | - | 2014-07-18 00:00:00 | 50 | Florian Roth | EXE,EXTVAR,FILE,MAL |
1071 | Exp_EPS_CVE20152545 | Detects EPS Word Exploit CVE-2015-2545 | Internal Research - ME | 2017-07-19 00:00:00 | 70 | Florian Roth | EXPLOIT,FILE,OFFICE |
1072 | Exploit_MS15_077_078 | MS15-078 / MS15-077 exploit - generic signature | https://code.google.com/p/google-security-research/issues/detail?id=473&can=1&start=200 | 2015-07-21 00:00:00 | 70 | Florian Roth | EXE,FILE |
1073 | Exploit_MS15_077_078_HackingTeam | MS15-078 / MS15-077 exploit - Hacking Team code | - | 2015-07-21 00:00:00 | 70 | Florian Roth | EXE,FILE |
1074 | Explosion_Generic_1 | Generic Rule for Explosion/Explosive Malware - Volatile Cedar APT | not set | 2015-04-03 00:00:00 | 70 | Florian Roth | APT,FILE,GEN,MAL,MIDDLE_EAST |
1075 | Explosion_Sample_1 | Explosion/Explosive Malware - Volatile Cedar APT | http://goo.gl/5vYaNb | 2015-04-03 00:00:00 | 70 | Florian Roth | APT,FILE,MAL,MIDDLE_EAST |
1076 | Explosion_Sample_2 | Explosion/Explosive Malware - Volatile Cedar APT | http://goo.gl/5vYaNb | 2015-04-03 00:00:00 | 70 | Florian Roth | APT,FILE,MAL,MIDDLE_EAST |
1077 | Explosive_EXE | Explosion/Explosive Malware - Volatile Cedar APT | - | 1970-01-01 01:00:00 | 70 | Check Point Software Technologies Inc. | APT,FILE,MAL,MIDDLE_EAST |
1078 | Explosive_UA | Explosive Malware Embedded User Agent - Volatile Cedar APT http://goo.gl/HQRCdw | http://goo.gl/HQRCdw | 2015-04-03 00:00:00 | 60 | Florian Roth | APT,FILE,MAL,MIDDLE_EAST |
1079 | FE_LEGALSTRIKE_MACRO | This rule is designed to identify macros with the specific encoding used in the sample 30f149479c02b741e897cdb9ecd22da7. | - | 2017-06-02 00:00:00 | 70 | Ian.Ahl@fireeye.com @TekDefense - modified by Florian Roth | |
1080 | FE_LEGALSTRIKE_RTF | Rtf Phishing Campaign leveraging the CVE 2017-0199 exploit, to point to the domain 2bunnyDOTcom | - | 2017-06-02 00:00:00 | 70 | joshua.kim@FireEye. - modified by Florian Roth | EXPLOIT,FILE |
1081 | FIN7_Backdoor_Aug17 | Detects Word Dropper from Proofpoint FIN7 Report | https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor | 2017-08-04 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL,OFFICE,RUSSIA |
1082 | FIN7_Dropper_Aug17 | Detects Word Dropper from Proofpoint FIN7 Report | https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor | 2017-08-04 00:00:00 | 70 | Florian Roth | FILE,MAL,OFFICE,RUSSIA |
1083 | FPipe2_0 | Disclosed hacktool set (old stuff) - file FPipe2.0.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
1084 | FSO_s_EFSO_2 | Webshells Auto-generated - file EFSO_2.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1085 | FSO_s_EFSO_2_2 | Webshells Auto-generated - file EFSO_2.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1086 | FSO_s_RemExp | Webshells Auto-generated - file RemExp.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1087 | FSO_s_RemExp_2 | Webshells Auto-generated - file RemExp.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1088 | FSO_s_ajan | Webshells Auto-generated - file ajan.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1089 | FSO_s_ajan_2 | Webshells Auto-generated - file ajan.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1090 | FSO_s_c99 | Webshells Auto-generated - file c99.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1091 | FSO_s_casus15 | Webshells Auto-generated - file casus15.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1092 | FSO_s_casus15_2 | Webshells Auto-generated - file casus15.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1093 | FSO_s_cmd | Webshells Auto-generated - file cmd.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1094 | FSO_s_indexer | Webshells Auto-generated - file indexer.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1095 | FSO_s_indexer_2 | Webshells Auto-generated - file indexer.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1096 | FSO_s_ntdaddy | Webshells Auto-generated - file ntdaddy.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1097 | FSO_s_phpinj | Webshells Auto-generated - file phpinj.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1098 | FSO_s_phpinj_2 | Webshells Auto-generated - file phpinj.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1099 | FSO_s_phvayv | Webshells Auto-generated - file phvayv.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1100 | FSO_s_phvayv_2 | Webshells Auto-generated - file phvayv.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1101 | FSO_s_reader | Webshells Auto-generated - file reader.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1102 | FSO_s_remview | Webshells Auto-generated - file remview.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1103 | FSO_s_remview_2 | Webshells Auto-generated - file remview.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1104 | FSO_s_sincap | Webshells Auto-generated - file sincap.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1105 | FSO_s_test | Webshells Auto-generated - file test.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1106 | FSO_s_tool | Webshells Auto-generated - file tool.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1107 | FSO_s_zehir4 | Webshells Auto-generated - file zehir4.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1108 | FSO_s_zehir4_2 | Webshells Auto-generated - file zehir4.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1109 | FVEY_ShadowBroker_Auct_Dez16_Strings | String from the ShadowBroker Files Screenshots - Dec 2016 | https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ | 2016-12-17 00:00:00 | 60 | Florian Roth | EXE,FILE,HKTL |
1110 | FVEY_ShadowBroker_Gen_Readme1 | Auto-generated rule | https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ | 2016-12-17 00:00:00 | 70 | Florian Roth | GEN,HKTL |
1111 | FVEY_ShadowBroker_Gen_Readme2 | Auto-generated rule - from files user.tool.orleansstride.COMMON, user.tool.curserazor.COMMON | https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ | 2016-12-17 00:00:00 | 70 | Florian Roth | GEN,HKTL |
1112 | FVEY_ShadowBroker_Gen_Readme3 | Auto-generated rule | https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ | 2016-12-17 00:00:00 | 70 | Florian Roth | GEN,HKTL |
1113 | FVEY_ShadowBroker_Gen_Readme4 | Auto-generated rule - from files violetspirit.README, violetspirit.README | https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ | 2016-12-17 00:00:00 | 70 | Florian Roth | GEN,HKTL |
1114 | FVEY_ShadowBroker_README_cup | Auto-generated rule - file README.cup.NOPEN | https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ | 2016-12-17 00:00:00 | 70 | Florian Roth | HKTL |
1115 | FVEY_ShadowBroker_eleganteagle_opscript_1_0_0 | Auto-generated rule - file eleganteagle_opscript.1.0.0.6 | https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ | 2016-12-17 00:00:00 | 70 | Florian Roth | HKTL |
1116 | FVEY_ShadowBroker_gr_gr | Auto-generated rule - file gr.notes | https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ | 2016-12-17 00:00:00 | 70 | Florian Roth | HKTL |
1117 | FVEY_ShadowBroker_nopen_oneshot | Auto-generated rule - file oneshot.example | https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ | 2016-12-17 00:00:00 | 70 | Florian Roth | HKTL |
1118 | FVEY_ShadowBroker_opscript | Auto-generated rule - file opscript.se | https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ | 2016-12-17 00:00:00 | 70 | Florian Roth | HKTL |
1119 | FVEY_ShadowBroker_strifeworld | Auto-generated rule - file strifeworld.1 | https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ | 2016-12-17 00:00:00 | 70 | Florian Roth | HKTL |
1120 | FVEY_ShadowBroker_user_tool | Auto-generated rule - file user.tool.elatedmonkey | https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ | 2016-12-17 00:00:00 | 70 | Florian Roth | HKTL |
1121 | FVEY_ShadowBroker_user_tool_dubmoat | Auto-generated rule - file user.tool.dubmoat.COMMON | https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ | 2016-12-17 00:00:00 | 70 | Florian Roth | HKTL |
1122 | FVEY_ShadowBroker_user_tool_earlyshovel | Auto-generated rule - file user.tool.earlyshovel.COMMON | https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ | 2016-12-17 00:00:00 | 70 | Florian Roth | HKTL |
1123 | FVEY_ShadowBroker_user_tool_ebbisland | Auto-generated rule - file user.tool.ebbisland.COMMON | https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ | 2016-12-17 00:00:00 | 70 | Florian Roth | HKTL |
1124 | FVEY_ShadowBroker_user_tool_elgingamble | Auto-generated rule - file user.tool.elgingamble.COMMON | https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ | 2016-12-17 00:00:00 | 70 | Florian Roth | HKTL |
1125 | FVEY_ShadowBroker_user_tool_envisioncollision | Auto-generated rule - file user.tool.envisioncollision.COMMON | https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ | 2016-12-17 00:00:00 | 70 | Florian Roth | HKTL |
1126 | FVEY_ShadowBroker_user_tool_epichero | Auto-generated rule - file user.tool.epichero.COMMON | https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ | 2016-12-17 00:00:00 | 70 | Florian Roth | HKTL |
1127 | FVEY_ShadowBroker_user_tool_pork | Auto-generated rule - file user.tool.pork.COMMON | https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ | 2016-12-17 00:00:00 | 70 | Florian Roth | HKTL |
1128 | FVEY_ShadowBroker_user_tool_shentysdelight | Auto-generated rule - file user.tool.shentysdelight.COMMON | https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ | 2016-12-17 00:00:00 | 70 | Florian Roth | HKTL |
1129 | FVEY_ShadowBroker_user_tool_stoicsurgeon | Auto-generated rule - file user.tool.stoicsurgeon.COMMON | https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ | 2016-12-17 00:00:00 | 70 | Florian Roth | HKTL |
1130 | FVEY_ShadowBroker_user_tool_yellowspirit | Auto-generated rule - file user.tool.yellowspirit.COMMON | https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ | 2016-12-17 00:00:00 | 70 | Florian Roth | HKTL |
1131 | FVEY_ShadowBroker_violetspirit | Auto-generated rule - file violetspirit.README | https://bit.no.com:43110/theshadowbrokers.bit/post/message6/ | 2016-12-17 00:00:00 | 70 | Florian Roth | HKTL |
1132 | FVEY_ShadowBrokers_Jan17_Screen_Strings | Detects strings derived from the ShadowBroker's leak of Windows tools/exploits | https://bit.no.com:43110/theshadowbrokers.bit/post/message7/ | 2017-01-08 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
1133 | FakeM_Generic | Detects FakeM malware samples | http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/ | 2016-01-25 00:00:00 | 85 | Florian Roth | EXE,FILE |
1134 | Fake_AdobeReader_EXE | Detects a fake AdobeReader executable based on filesize OR missing strings in file | - | 2014-09-11 00:00:00 | 50 | Florian Roth | EXE,EXTVAR,FILE |
1135 | Fake_FlashPlayerUpdaterService_EXE | Detects a fake AdobeReader executable based on filesize OR missing strings in file | - | 2014-09-11 00:00:00 | 50 | Florian Roth | EXE,EXTVAR,FILE |
1136 | Fareit_Trojan_Oct15 | Detects Fareit Trojan from Sep/Oct 2015 Wave | http://goo.gl/5VYtlU | 2015-10-18 00:00:00 | 80 | Florian Roth | EXE,FILE,MAL |
1137 | FeliksPack3___PHP_Shells_2005 | Webshells Auto-generated - file 2005.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1138 | FeliksPack3___PHP_Shells_phpft | Webshells Auto-generated - file phpft.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1139 | FeliksPack3___PHP_Shells_r57 | Webshells Auto-generated - file r57.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1140 | FeliksPack3___PHP_Shells_ssh | Webshells Auto-generated - file ssh.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1141 | FeliksPack3___PHP_Shells_usr | Webshells Auto-generated - file usr.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1142 | FeliksPack3___PHP_Shells_xIShell | Webshells Auto-generated - file xIShell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1143 | FeliksPack3___Scanners_ipscan | Auto-generated rule on file ipscan.exe | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator by Florian Roth | HKTL |
1144 | Fidelis_Advisory_Purchase_Order_pps | Detects a string found in a malicious document named Purchase_Order.pps | http://goo.gl/ZjJyti | 2015-06-09 00:00:00 | 70 | Florian Roth | |
1145 | Fidelis_Advisory_cedt370 | Detects a string found in memory of malware cedt370r(3).exe | http://goo.gl/ZjJyti | 2015-06-09 00:00:00 | 70 | Florian Roth | |
1146 | Fierce2 | This signature detects the Fierce2 domain scanner | - | 2014-07-07 00:00:00 | 60 | Florian Roth | HKTL |
1147 | Fireball_archer | Detects Fireball malware - file archer.dll | https://goo.gl/4pTkGQ | 2017-06-02 00:00:00 | 70 | Florian Roth | EXE,FILE |
1148 | Fireball_de_svr | Detects Fireball malware - file de_svr.exe | https://goo.gl/4pTkGQ | 2017-06-02 00:00:00 | 70 | Florian Roth | EXE,FILE |
1149 | Fireball_gubed | Detects Fireball malware - file gubed.exe | https://goo.gl/4pTkGQ | 2017-06-02 00:00:00 | 70 | Florian Roth | EXE,FILE |
1150 | Fireball_lancer | Detects Fireball malware - file lancer.dll | https://goo.gl/4pTkGQ | 2017-06-02 00:00:00 | 70 | Florian Roth | EXE,FILE |
1151 | Fireball_regkey | Detects Fireball malware - file regkey.exe | https://goo.gl/4pTkGQ | 2017-06-02 00:00:00 | 70 | Florian Roth | EXE,FILE |
1152 | Fireball_winsap | Detects Fireball malware - file winsap.dll | https://goo.gl/4pTkGQ | 2017-06-02 00:00:00 | 70 | Florian Roth | EXE,FILE |
1153 | FiveEyes_QUERTY_Malwareqwerty_20120 | FiveEyes QUERTY Malware - file 20120.xml | http://www.spiegel.de/media/media-35668.pdf | 2015-01-18 00:00:00 | 70 | Florian Roth | MAL |
1154 | FiveEyes_QUERTY_Malwareqwerty_20121 | FiveEyes QUERTY Malware - file 20121.xml | http://www.spiegel.de/media/media-35668.pdf | 2015-01-18 00:00:00 | 70 | Florian Roth | MAL |
1155 | FiveEyes_QUERTY_Malwareqwerty_20123 | FiveEyes QUERTY Malware - file 20123.xml | http://www.spiegel.de/media/media-35668.pdf | 2015-01-18 00:00:00 | 70 | Florian Roth | MAL |
1156 | FiveEyes_QUERTY_Malwaresig_20120_cmdDef | FiveEyes QUERTY Malware - file 20120_cmdDef.xml | http://www.spiegel.de/media/media-35668.pdf | 2015-01-18 00:00:00 | 70 | Florian Roth | MAL |
1157 | FiveEyes_QUERTY_Malwaresig_20120_dll | FiveEyes QUERTY Malware - file 20120.dll.bin | http://www.spiegel.de/media/media-35668.pdf | 2015-01-18 00:00:00 | 70 | Florian Roth | MAL |
1158 | FiveEyes_QUERTY_Malwaresig_20121_cmdDef | FiveEyes QUERTY Malware - file 20121_cmdDef.xml | http://www.spiegel.de/media/media-35668.pdf | 2015-01-18 00:00:00 | 70 | Florian Roth | MAL |
1159 | FiveEyes_QUERTY_Malwaresig_20121_dll | FiveEyes QUERTY Malware - file 20121.dll.bin | http://www.spiegel.de/media/media-35668.pdf | 2015-01-18 00:00:00 | 70 | Florian Roth | MAL |
1160 | FiveEyes_QUERTY_Malwaresig_20123_cmdDef | FiveEyes QUERTY Malware - file 20123_cmdDef.xml | http://www.spiegel.de/media/media-35668.pdf | 2015-01-18 00:00:00 | 70 | Florian Roth | MAL |
1161 | FiveEyes_QUERTY_Malwaresig_20123_sys | FiveEyes QUERTY Malware - file 20123.sys.bin | http://www.spiegel.de/media/media-35668.pdf | 2015-01-18 00:00:00 | 70 | Florian Roth | MAL |
1162 | Flash_CVE_2015_5119_APT3_leg | Exploit Sample CVE-2015-5119 | - | 2015-08-01 00:00:00 | 70 | Florian Roth | EXPLOIT,FILE |
1163 | Foudre_Backdoor_1 | Detects Foudre Backdoor | https://goo.gl/Nbqbt6 | 2017-08-01 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1164 | Foudre_Backdoor_Component_1 | Detects Foudre Backdoor | https://goo.gl/Nbqbt6 | 2017-08-01 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1165 | Foudre_Backdoor_Dropper_1 | Detects Foudre Backdoor | https://goo.gl/Nbqbt6 | 2017-08-01 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1166 | Foudre_Backdoor_SFX | Detects Foudre Backdoor SFX | https://goo.gl/Nbqbt6 | 2017-08-01 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1167 | FourElementSword_32DLL | Detects FourElementSword Malware - file 7a200c4df99887991c638fe625d07a4a3fc2bdc887112437752b3df5c8da79b6 | https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/ | 2016-04-18 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1168 | FourElementSword_Config_File | Detects FourElementSword Malware - file f05cd0353817bf6c2cab396181464c31c352d6dea07e2d688def261dd6542b27 | https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/ | 2016-04-18 00:00:00 | 70 | Florian Roth | MAL |
1169 | FourElementSword_ElevateDLL | Detects FourElementSword Malware | https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/ | 2016-04-18 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1170 | FourElementSword_ElevateDLL_2 | Detects FourElementSword Malware - file 9c23febc49c7b17387767844356d38d5578727ee1150956164883cf555fe7f95 | https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/ | 2016-04-18 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1171 | FourElementSword_Keyainst_EXE | Detects FourElementSword Malware - file cf717a646a015ee72f965488f8df2dd3c36c4714ccc755c295645fe8d150d082 | https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/ | 2016-04-18 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1172 | FourElementSword_PowerShell_Start | Detects FourElementSword Malware - file 9b6053e784c5762fdb9931f9064ba6e52c26c2d4b09efd6ff13ca87bbb33c692 | https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/ | 2016-04-18 00:00:00 | 70 | Florian Roth | MAL,SCRIPT |
1173 | FourElementSword_ResN32DLL | Detects FourElementSword Malware - file bf1b00b7430899d33795ef3405142e880ef8dcbda8aab0b19d80875a14ed852f | https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/ | 2016-04-18 00:00:00 | 70 | Florian Roth | MAL |
1174 | FourElementSword_T9000 | Detects FourElementSword Malware - file 5f3d0a319ecc875cc64a40a34d2283cb329abcf79ad02f487fbfd6bef153943c | https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/ | 2016-04-18 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1175 | FourElementSword_fslapi_dll_gui | Detects FourElementSword Malware - file 2a6ef9dde178c4afe32fe676ff864162f104d85fac2439986de32366625dc083 | https://www.arbornetworks.com/blog/asert/four-element-sword-engagement/ | 2016-04-18 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1176 | FreeMilk_APT_Mal_1 | Detects malware from FreeMilk campaign | https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/ | 2017-10-05 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
1177 | FreeMilk_APT_Mal_2 | Detects malware from FreeMilk campaign | https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/ | 2017-10-05 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
1178 | FreeMilk_APT_Mal_3 | Detects malware from FreeMilk campaign | https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/ | 2017-10-05 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
1179 | FreeMilk_APT_Mal_4 | Detects malware from FreeMilk campaign | https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/ | 2017-10-05 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
1180 | FreeVersion_debug | Chinese Hacktool Set - file debug.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1181 | FreeVersion_release | Chinese Hacktool Set - file release.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1182 | Freeenki_Infostealer_Nov17 | Detects Freenki infostealer malware | http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html | 2017-11-28 00:00:00 | 70 | Florian Roth | EXE,FILE |
1183 | Freeenki_Infostealer_Nov17_Export_Sig_Testing | Detects Freenki infostealer malware | http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html | 2017-11-28 00:00:00 | 70 | Florian Roth | EXE,FILE |
1184 | Fscan_Portscanner | Fscan port scanner scan output / strings | https://twitter.com/JamesHabben/status/817112447970480128 | 2017-01-06 00:00:00 | 70 | Florian Roth | HKTL |
1185 | Furtim_Parent_1 | Detects Furtim Parent Malware | https://sentinelone.com/blogs/sfg-furtims-parent/ | 2016-07-16 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1186 | Furtim_nativeDLL | Detects Furtim malware - file native.dll | MISP 3971 | 2016-06-13 00:00:00 | 70 | Florian Roth | EXE,FILE |
1187 | GIFCloaked_Webshell_A | Looks like a webshell cloaked as GIF | - | 1970-01-01 01:00:00 | 60 | Florian Roth | WEBSHELL |
1188 | GRIZZLY_STEPPE_Malware_1 | Auto-generated rule - file HRDG022184_certclint.dll | https://goo.gl/WVflzO | 2016-12-29 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1189 | GRIZZLY_STEPPE_Malware_2 | Auto-generated rule - file 9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0 | https://goo.gl/WVflzO | 2016-12-29 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1190 | Gazer_certificate | Detects Turla's Gazer malware | https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/ | 2017-08-30 00:00:00 | 70 | ESET | EXE,FILE |
1191 | Gazer_certificate_subject | Detects Turla's Gazer malware | https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/ | 2017-08-30 00:00:00 | 70 | ESET | EXTVAR |
1192 | Gazer_logfile_name | Detects Turla's Gazer malware | https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/ | 2017-08-30 00:00:00 | 70 | ESET | EXE,FILE |
1193 | Gen_Base64_EXE | Detects Base64 encoded Executable in Executable | Internal Research | 2017-04-21 00:00:00 | 70 | Florian Roth | EXE,FILE |
1194 | Gen_Net_LocalGroup_Administrators_Add_Command | Detects an executable that contains a command to add a user account to the local administrators group | Internal Research | 2017-07-08 00:00:00 | 70 | Florian Roth | EXE,FILE |
1195 | Gen_Trojan_Mikey | Trojan Mikey - file sample_mikey.exe | - | 2015-05-07 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1196 | Generate | Chinese Hacktool Set - file Generate.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,GEN,HKTL |
1197 | Generic_Dropper | Detects Dropper PDB string in file | https://goo.gl/JAHZVL | 2018-03-03 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1198 | GetUserSPNs_PS1 | Auto-generated rule - file GetUserSPNs.ps1 | https://github.com/skelsec/PyKerberoast | 2016-05-21 00:00:00 | 70 | Florian Roth | |
1199 | GetUserSPNs_VBS | Auto-generated rule - file GetUserSPNs.vbs | https://github.com/skelsec/PyKerberoast | 2016-05-21 00:00:00 | 70 | Florian Roth | |
1200 | GhostDragon_Gh0stRAT | Detects Gh0st RAT mentioned in Cylance's Ghost Dragon Report | https://blog.cylance.com/the-ghost-dragon | 2016-04-23 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,MAL |
1201 | GhostDragon_Gh0stRAT_Sample2 | Detects Gh0st RAT mentioned in Cylance's Ghost Dragon Report | https://blog.cylance.com/the-ghost-dragon | 2016-04-23 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,MAL |
1202 | GhostDragon_Gh0stRAT_Sample3 | Detects Gh0st RAT mentioned in Cylance's Ghost Dragon Report | https://blog.cylance.com/the-ghost-dragon | 2016-04-23 00:00:00 | 70 | Florian Roth | CHINA,MAL |
1203 | GlassRAT_Generic | Detects GlassRAT Malware | https://blogs.rsa.com/peering-into-glassrat/ | 2015-11-23 00:00:00 | 80 | Florian Roth | EXE,FILE,MAL |
1204 | GoldDragon_Aux_File | Detects export from Gold Dragon - February 2018 | https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/ | 2018-02-03 00:00:00 | 90 | Florian Roth | CHINA |
1205 | GoldDragon_Ghost419_RAT | Detects Ghost419 RAT from Gold Dragon report | https://goo.gl/rW1yvZ | 2018-02-03 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,MAL |
1206 | GoldDragon_RunnignRAT | Detects Running RAT malware from Gold Dragon report | https://goo.gl/rW1yvZ | 2018-02-03 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,MAL |
1207 | GoldDragon_RunningRAT | Detects Running RAT from Gold Dragon report | https://goo.gl/rW1yvZ | 2018-02-03 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,MAL |
1208 | GoldDragon_malware_Feb18_1 | Detects malware from Gold Dragon report | https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/ | 2018-02-03 00:00:00 | 90 | Florian Roth | CHINA,EXE,FILE |
1209 | GoldenEyeRansomware_Dropper_MalformedZoomit | Auto-generated rule - file b5ef16922e2c76b09edd71471dd837e89811c5e658406a8495c1364d0d9dc690 | https://goo.gl/jp2SkT | 2016-12-06 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1210 | GoldenEye_Ransomware_XLS | GoldenEye XLS with Macro - file Schneider-Bewerbung.xls | https://goo.gl/jp2SkT | 2016-12-06 00:00:00 | 70 | Florian Roth | CRIME,FILE |
1211 | GoodToolset_ms11011 | Chinese Hacktool Set - file ms11011.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1212 | GoodToolset_ms11046 | Chinese Hacktool Set - file ms11046.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1213 | GoodToolset_ms11080 | Chinese Hacktool Set - file ms11080.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1214 | GoodToolset_pr | Chinese Hacktool Set - file pr.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1215 | GoogleBot_UserAgent | Detects the GoogleBot UserAgent String in an Executable | Internal Research | 2017-01-27 00:00:00 | 65 | Florian Roth | EXE,FILE |
1216 | Greenbug_Malware_1 | Detects Malware from Greenbug Incident | https://goo.gl/urp4CD | 2017-01-25 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL,MIDDLE_EAST |
1217 | Greenbug_Malware_2 | Detects Backdoor from Greenbug Incident | https://goo.gl/urp4CD | 2017-01-25 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL,MIDDLE_EAST |
1218 | Greenbug_Malware_3 | Detects Backdoor from Greenbug Incident | https://goo.gl/urp4CD | 2017-01-25 00:00:00 | 70 | Florian Roth | MAL,MIDDLE_EAST |
1219 | Greenbug_Malware_4 | Detects ISMDoor Backdoor | https://goo.gl/urp4CD | 2017-01-25 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1220 | Greenbug_Malware_5 | Auto-generated rule | https://goo.gl/urp4CD | 2017-01-25 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1221 | Greenbug_Malware_Nov17_1 | Detects Greenbug Malware | http://www.clearskysec.com/greenbug/ | 2017-11-26 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL,MIDDLE_EAST |
1222 | Groups_cpassword | Groups XML contains a cpassword value, which is a decryptable password - the key is published on MSDN http://goo.gl/mHrC8P | http://www.grouppolicy.biz/2013/11/why-passwords-in-group-policy-preference-are-very-bad/ | 2015-09-08 00:00:00 | 50 | Florian Roth | FILE |
1223 | Gsecdump_password_dump_file | Detects a gsecdump output file | https://t.co/OLIj1yVJ4m | 2018-03-06 00:00:00 | 65 | Florian Roth | FILE |
1224 | Guilin_veterans_cookie_spoofing_tool | Chinese Hacktool Set - file Guilin veterans cookie spoofing tool.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1225 | HDConfig | Webshells Auto-generated - file HDConfig.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1226 | HDRoot_Sample_Jul17_1 | Detects HDRoot samples | Winnti HDRoot VT | 2017-07-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1227 | HDRoot_Sample_Jul17_2 | Detects HDRoot samples | Winnti HDRoot VT | 2017-07-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1228 | HKTL_EmbeddedPDF | Detects Embedded PDFs which can start malicious content | https://twitter.com/infosecn1nja/status/1021399595899731968?s=12 | 2018-07-25 00:00:00 | 70 | Tobias Michalski | FILE,HKTL |
1229 | HKTL_Lazagne_Gen_18 | Detects Lazagne password extractor hacktool | https://github.com/AlessandroZ/LaZagne | 2018-12-11 00:00:00 | 80 | Florian Roth | GEN,HKTL |
1230 | HKTL_Lazagne_PasswordDumper_Dec18_1 | Detects password dumper Lazagne often used by Middle Eastern threat groups | https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group | 2018-12-11 00:00:00 | 85 | Florian Roth | EXE,FILE,HKTL |
1231 | HKTL_NoPowerShell | Detects NoPowerShell hack tool | https://github.com/bitsadmin/nopowershell | 2018-12-28 00:00:00 | 70 | Florian Roth | HKTL,SCRIPT |
1232 | HKTL_PowerSploit | Detects default strings used by PowerSploit to establish persistence | https://www.hybrid-analysis.com/sample/16937e76db6d88ed0420ee87317424af2d4e19117fe12d1364fee35aa2fadb75?environmentId=100 | 2018-06-23 00:00:00 | 70 | Markus Neis | |
1233 | HKTL_SqlMap | Detects sqlmap hacktool | https://github.com/sqlmapproject/sqlmap | 2018-10-09 00:00:00 | 70 | Florian Roth | HKTL |
1234 | HKTL_SqlMap_backdoor | Detects SqlMap backdoors | https://github.com/sqlmapproject/sqlmap | 2018-10-09 00:00:00 | 70 | Florian Roth | FILE,HKTL,MAL |
1235 | HKTL_beRootexe | Detects beRoot.exe which checks common Windows misconfigurations | https://github.com/AlessandroZ/BeRoot/tree/master/Windows | 2018-07-25 00:00:00 | 70 | yarGen Rule Generator | EXE,FILE,HKTL |
1236 | HKTL_beRootexe_output | Detects the output of beRoot.exe | https://github.com/AlessandroZ/BeRoot/tree/master/Windows | 2018-07-25 00:00:00 | 70 | Tobias Michalski | HKTL |
1237 | HKTL_htran_go | Detects go based htran variant | - | 2019-01-09 00:00:00 | 70 | Jeff Beley | EXE,FILE,HKTL |
1238 | HKTL_shellpop_Netcat_UDP | Detects suspicious netcat popshell | https://github.com/0x00-0x00/ShellPop | 2018-05-18 00:00:00 | 70 | Tobias Michalski | HKTL |
1239 | HKTL_shellpop_PHP_TCP | Detects malicious PHP shell | https://github.com/0x00-0x00/ShellPop | 2018-05-18 00:00:00 | 70 | Tobias Michalski | HKTL |
1240 | HKTL_shellpop_Perl | Detects Shellpop Perl script | https://github.com/0x00-0x00/ShellPop | 2018-05-18 00:00:00 | 70 | Tobias Michalski | HKTL |
1241 | HKTL_shellpop_Powershell_TCP | Detects malicious powershell | https://github.com/0x00-0x00/ShellPop | 2018-05-18 00:00:00 | 70 | Tobias Michalski | HKTL |
1242 | HKTL_shellpop_Python | Detects malicious python shell | https://github.com/0x00-0x00/ShellPop | 2018-05-18 00:00:00 | 70 | Tobias Michalski | HKTL |
1243 | HKTL_shellpop_TCLsh | Detects suspicious TCLsh popshell | https://github.com/0x00-0x00/ShellPop | 2018-05-18 00:00:00 | 70 | Tobias Michalski | HKTL |
1244 | HKTL_shellpop_Telnet_TCP | Detects malicious telnet shell | https://github.com/0x00-0x00/ShellPop | 2018-05-18 00:00:00 | 70 | Tobias Michalski | HKTL |
1245 | HKTL_shellpop_awk | Detects suspicious AWK Shellpop | https://github.com/0x00-0x00/ShellPop | 2018-05-18 00:00:00 | 70 | Tobias Michalski | HKTL |
1246 | HKTL_shellpop_netcat | Detects suspicious netcat shellpop | https://github.com/0x00-0x00/ShellPop | 2018-05-18 00:00:00 | 70 | Tobias Michalski | HKTL |
1247 | HKTL_shellpop_ruby | Detects suspicious ruby shellpop | https://github.com/0x00-0x00/ShellPop | 2018-05-18 00:00:00 | 70 | Tobias Michalski | HKTL |
1248 | HKTL_shellpop_socat | Detects suspicious socat popshell | https://github.com/0x00-0x00/ShellPop | 2018-05-18 00:00:00 | 70 | Tobias Michalski | HKTL |
1249 | HScan_v1_20_PipeCmd | Chinese Hacktool Set - file PipeCmd.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1250 | HScan_v1_20_hscan | Chinese Hacktool Set - file hscan.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1251 | HTA_Embedded | Detects an embedded HTA file | https://twitter.com/msftmmpc/status/877396932758560768 | 2017-06-21 00:00:00 | 50 | Florian Roth | |
1252 | HTA_with_WScript_Shell | Detects WScript Shell in HTA | https://twitter.com/msftmmpc/status/877396932758560768 | 2017-06-21 00:00:00 | 80 | Florian Roth | |
1253 | HTKL_BlackBone_DriverInjector | Detects BlackBone Driver injector | https://github.com/DarthTon/Blackbone | 2018-09-11 00:00:00 | 60 | Florian Roth | EXE,FILE,HKTL |
1254 | HTTPSCANNER | Chinese Hacktool Set - file HTTPSCANNER.EXE | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1255 | HYTop2006_rar_Folder_2006 | Webshells Auto-generated - file 2006.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1256 | HYTop2006_rar_Folder_2006X2 | Webshells Auto-generated - file 2006X2.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1257 | HYTop2006_rar_Folder_2006X | Webshells Auto-generated - file 2006X.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1258 | HYTop2006_rar_Folder_2006Z | Webshells Auto-generated - file 2006Z.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1259 | HYTop_AppPack_2005 | Webshells Auto-generated - file 2005.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1260 | HYTop_CaseSwitch_2005 | Webshells Auto-generated - file 2005.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1261 | HYTop_DevPack_2005 | Webshells Auto-generated - file 2005.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1262 | HYTop_DevPack_2005Red | Webshells Auto-generated - file 2005Red.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1263 | HYTop_DevPack_config | Webshells Auto-generated - file config.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1264 | HYTop_DevPack_fso | Webshells Auto-generated - file fso.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1265 | HYTop_DevPack_server | Webshells Auto-generated - file server.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1266 | HYTop_DevPack_upload | Webshells Auto-generated - file upload.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1267 | HackTool_Producers | Hacktool Producers String | - | 1970-01-01 01:00:00 | 50 | - | EXE,EXTVAR,FILE,HKTL |
1268 | HackTool_Samples | Hacktool | - | 1970-01-01 01:00:00 | 50 | - | HKTL |
1269 | HackingTeam_Elevator_EXE | Hacking Team Disclosure Sample - file elevator.exe | Hacking Team Disclosure elevator.c | 2015-07-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1270 | Hackingteam_Elevator_DLL | Hacking Team Disclosure Sample - file elevator.dll | http://t.co/EG0qtVcKLh | 2015-07-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1271 | Hacktool_Strings_p0wnedShell | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs | https://github.com/Cn33liz/p0wnedShell | 2017-01-14 00:00:00 | 70 | Florian Roth | |
1272 | Hacktool_This_Cruft | Detects string 'This cruft' often used in hack tools like netcat or cryptcat and also mentioned in Project Sauron report | https://goo.gl/eFoP4A | 2016-08-08 00:00:00 | 60 | Florian Roth | EXE,FILE |
1273 | Hacktools_CN_445_cmd | Disclosed hacktool set - file cmd.bat | - | 2014-11-17 00:00:00 | 60 | Florian Roth | HKTL |
1274 | Hacktools_CN_Burst_Blast | Disclosed hacktool set - file Blast.bat | - | 2014-11-17 00:00:00 | 60 | Florian Roth | HKTL |
1275 | Hacktools_CN_Burst_Clear | Disclosed hacktool set - file Clear.bat | - | 2014-11-17 00:00:00 | 60 | Florian Roth | HKTL |
1276 | Hacktools_CN_Burst_Start | Disclosed hacktool set - file Start.bat - DoS tool | - | 2014-11-17 00:00:00 | 60 | Florian Roth | HKTL |
1277 | Hacktools_CN_Burst_Thecard | Disclosed hacktool set - file Thecard.bat | - | 2014-11-17 00:00:00 | 60 | Florian Roth | HKTL |
1278 | Hacktools_CN_Burst_pass | Disclosed hacktool set - file pass.txt | - | 2014-11-17 00:00:00 | 60 | Florian Roth | HKTL |
1279 | Hacktools_CN_Burst_sql | Disclosed hacktool set - file sql.exe | - | 2014-11-17 00:00:00 | 60 | Florian Roth | HKTL |
1280 | Hacktools_CN_GOGOGO_Bat | Disclosed hacktool set - file GOGOGO.bat | - | 2014-11-17 00:00:00 | 60 | Florian Roth | HKTL |
1281 | Hacktools_CN_Http | Disclosed hacktool set - file Http.exe | - | 2014-11-17 00:00:00 | 60 | Florian Roth | HKTL |
1282 | Hacktools_CN_JoHor_Posts_Killer | Disclosed hacktool set - file JoHor_Posts_Killer.exe | - | 2014-11-17 00:00:00 | 60 | Florian Roth | HKTL |
1283 | Hacktools_CN_Panda_445 | Disclosed hacktool set - file 445.rar | - | 2014-11-17 00:00:00 | 60 | Florian Roth | CHINA,HKTL |
1284 | Hacktools_CN_Panda_445TOOL | Disclosed hacktool set - file 445TOOL.rar | - | 2014-11-17 00:00:00 | 60 | Florian Roth | CHINA,HKTL |
1285 | Hacktools_CN_Panda_Burst | Disclosed hacktool set - file Burst.rar | - | 2014-11-17 00:00:00 | 60 | Florian Roth | CHINA,HKTL |
1286 | Hacktools_CN_Panda_tasksvr | Disclosed hacktool set - file tasksvr.exe | - | 2014-11-17 00:00:00 | 60 | Florian Roth | CHINA,HKTL |
1287 | Hacktools_CN_Panda_tesksd | Disclosed hacktool set - file tesksd.jpg | - | 2014-11-17 00:00:00 | 60 | Florian Roth | CHINA,HKTL |
1288 | Hacktools_CN_Scan_BAT | Disclosed hacktool set - file scan.bat | - | 2014-11-17 00:00:00 | 60 | Florian Roth | HKTL |
1289 | Hacktools_CN_WinEggDrop | Disclosed hacktool set - file s.exe | - | 2014-11-17 00:00:00 | 60 | Florian Roth | HKTL |
1290 | HawkEye_Keylogger_Feb18_1 | Detects HawkEye keylogger variant observed in February 2018 | https://app.any.run/tasks/ae2521dd-61aa-4bc7-b0d8-8c85ddcbfcc9 | 2018-02-12 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
1291 | HawkEye_PHP_Panel | Detects HawkEye Keylogger's PHP Panel | - | 2014-12-14 00:00:00 | 60 | Florian Roth | HKTL,WEBSHELL |
1292 | Hermes2_1 | Detects Hermes Ransomware as used in BAE report on FEIB | https://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html | 2017-10-11 00:00:00 | 70 | BAE | CRIME,MAL,RANSOM |
1293 | HiddenCobra_BANKSHOT_Gen | Detects Hidden Cobra BANKSHOT trojan | https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity | 2017-12-26 00:00:00 | 70 | Florian Roth | EXE,FILE,NK |
1294 | HiddenCobra_FallChill_1 | Auto-generated rule - file a606716355035d4a1ea0b15f3bee30aad41a2c32df28c2d468eafd18361d60d6 | https://www.us-cert.gov/ncas/alerts/TA17-318A | 2017-11-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
1295 | HiddenCobra_FallChill_2 | Auto-generated rule - file 0a118eb23399000d148186b9079fa59caf4c3faa7e7a8f91533e467ac9b6ff41 | https://www.us-cert.gov/ncas/alerts/TA17-318A | 2017-11-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
1296 | HiddenCobra_Rule_1 | Detects Hidden Cobra Malware | https://www.us-cert.gov/ncas/alerts/TA17-164A | 2017-06-13 00:00:00 | 70 | US CERT | MAL,NK |
1297 | HiddenCobra_Rule_3 | Detects Hidden Cobra Malware | https://www.us-cert.gov/ncas/alerts/TA17-164A | 2017-06-13 00:00:00 | 70 | US CERT | MAL,NK |
1298 | HiddenCobra_r4_wiper_1 | Detects HiddenCobra Wiper | https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf | 2017-12-12 00:00:00 | 70 | NCCIC Partner | EXE,FILE,NK |
1299 | HiddenCobra_r4_wiper_2 | Detects HiddenCobra Wiper | https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf | 2017-12-12 00:00:00 | 70 | NCCIC Partner | EXE,FILE,NK |
1300 | HoneyBee_Dropper_MalDoc | Detects samples from Operation Honeybee | https://goo.gl/JAHZVL | 2018-03-03 00:00:00 | 70 | Florian Roth | FILE,MAL |
1301 | HttpBrowser_RAT_Gen | Threat Group 3390 APT Sample - HttpBrowser RAT Generic | http://snip.ly/giNB | 2015-08-06 00:00:00 | 90 | Florian Roth | APT,EXE,FILE,GEN,MAL |
1302 | HttpBrowser_RAT_Sample1 | Threat Group 3390 APT Sample - HttpBrowser RAT Sample update.hancominc.com | http://snip.ly/giNB | 2015-08-06 00:00:00 | 80 | Florian Roth | APT,EXE,FILE,MAL |
1303 | HttpBrowser_RAT_Sample2 | Threat Group 3390 APT Sample - HttpBrowser RAT Sample | http://snip.ly/giNB | 2015-08-06 00:00:00 | 80 | Florian Roth | APT,EXE,FILE,MAL |
1304 | HttpBrowser_RAT_dropper_Gen1 | Threat Group 3390 APT Sample - HttpBrowser RAT Dropper | http://snip.ly/giNB | 2015-08-06 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
1305 | HttpBrowser_RAT_dropper_Gen2 | Threat Group 3390 APT Sample - HttpBrowser RAT Dropper | http://snip.ly/giNB | 2015-08-06 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
1306 | IDTools_For_WinXP_IdtTool | Chinese Hacktool Set - file IdtTool.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1307 | IDTools_For_WinXP_IdtTool_2 | Chinese Hacktool Set - file IdtTool.sys | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1308 | IISPutScanner | Chinese Hacktool Set - file IISPutScanner.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1309 | IISPutScannesr | Chinese Hacktool Set - file IISPutScannesr.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1310 | IMPLANT_10_v2 | CozyDuke / CozyCar / CozyBear Implant by APT29 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1311 | IMPLANT_1_v1 | Downrage Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1312 | IMPLANT_1_v2 | Downrage Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1313 | IMPLANT_1_v3 | Downrage Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1314 | IMPLANT_1_v4 | Downrage Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1315 | IMPLANT_1_v5 | Downrage Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1316 | IMPLANT_1_v7 | Downrage Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1317 | IMPLANT_2_v10 | CORESHELL/SOURFACE Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1318 | IMPLANT_2_v11 | CORESHELL/SOURFACE Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1319 | IMPLANT_2_v12 | CORESHELL/SOURFACE Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1320 | IMPLANT_2_v13 | CORESHELL/SOURFACE Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1321 | IMPLANT_2_v14 | CORESHELL/SOURFACE Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1322 | IMPLANT_2_v15 | CORESHELL/SOURFACE Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1323 | IMPLANT_2_v16 | CORESHELL/SOURFACE Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1324 | IMPLANT_2_v17 | CORESHELL/SOURFACE Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1325 | IMPLANT_2_v18 | CORESHELL/SOURFACE Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1326 | IMPLANT_2_v19 | CORESHELL/SOURFACE Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1327 | IMPLANT_2_v1 | CORESHELL/SOURFACE Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1328 | IMPLANT_2_v20 | CORESHELL/SOURFACE Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1329 | IMPLANT_2_v2 | CORESHELL/SOURFACE Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1330 | IMPLANT_2_v3 | CORESHELL/SOURFACE Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1331 | IMPLANT_2_v4 | CORESHELL/SOURFACE Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1332 | IMPLANT_2_v5 | CORESHELL/SOURFACE Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1333 | IMPLANT_2_v6 | CORESHELL/SOURFACE Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1334 | IMPLANT_2_v7 | CORESHELL/SOURFACE Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1335 | IMPLANT_2_v8 | CORESHELL/SOURFACE Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1336 | IMPLANT_2_v9 | CORESHELL/SOURFACE Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1337 | IMPLANT_3_v1 | X-Agent/CHOPSTICK Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,RUSSIA |
1338 | IMPLANT_3_v2 | X-Agent/CHOPSTICK Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1339 | IMPLANT_3_v3 | X-Agent/CHOPSTICK Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1340 | IMPLANT_4_v10 | BlackEnergy / Voodoo Bear Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1341 | IMPLANT_4_v11 | BlackEnergy / Voodoo Bear Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1342 | IMPLANT_4_v13 | BlackEnergy / Voodoo Bear Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1343 | IMPLANT_4_v1 | BlackEnergy / Voodoo Bear Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1344 | IMPLANT_4_v2 | BlackEnergy / Voodoo Bear Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1345 | IMPLANT_4_v3_AlternativeRule | BlackEnergy / Voodoo Bear Implant by APT28 | US CERT Grizzly Steppe Report | 2017-02-12 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,RUSSIA |
1346 | IMPLANT_4_v4 | BlackEnergy / Voodoo Bear Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1347 | IMPLANT_4_v5 | BlackEnergy / Voodoo Bear Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1348 | IMPLANT_4_v7 | BlackEnergy / Voodoo Bear Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1349 | IMPLANT_4_v8 | BlackEnergy / Voodoo Bear Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,RUSSIA |
1350 | IMPLANT_4_v9 | BlackEnergy / Voodoo Bear Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,RUSSIA |
1351 | IMPLANT_5_v1 | XTunnel Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,RUSSIA |
1352 | IMPLANT_5_v2 | XTunnel Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,RUSSIA |
1353 | IMPLANT_5_v3 | XTunnel Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,RUSSIA |
1354 | IMPLANT_5_v4 | XTunnel Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,RUSSIA |
1355 | IMPLANT_6_v1 | Sednit / EVILTOSS Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1356 | IMPLANT_6_v2 | Sednit / EVILTOSS Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1357 | IMPLANT_6_v3 | Sednit / EVILTOSS Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1358 | IMPLANT_6_v4 | Sednit / EVILTOSS Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1359 | IMPLANT_6_v5 | Sednit / EVILTOSS Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1360 | IMPLANT_6_v6 | Sednit / EVILTOSS Implant by APT28 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1361 | IMPLANT_7_v1 | Implant 7 by APT29 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1362 | IMPLANT_8_v1 | HAMMERTOSS / HammerDuke Implant by APT29 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1363 | IMPLANT_9_v1 | Onion Duke Implant by APT29 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,FILE,RUSSIA |
1364 | IP_Stealing_Utilities | Auto-generated rule on file IP Stealing Utilities.exe | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator by Florian Roth | HKTL |
1365 | IceFog_Malware_Feb18_1 | Detects IceFog malware | https://twitter.com/ClearskySec/status/968104465818669057 | 2018-02-26 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1366 | Impacket_Keyword | Detects Impacket Keyword in Executable | Internal Research | 2017-08-04 00:00:00 | 60 | Florian Roth | EXE,FILE,HKTL |
1367 | Impacket_Lateral_Movement | Detects Impacket Network Activity for Lateral Movement | https://github.com/CoreSecurity/impacket | 2018-03-22 00:00:00 | 60 | Markus Neis | EXE,FILE |
1368 | Impacket_Tools_Generic_1 | Compiled Impacket Tools | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE,GEN |
1369 | Impacket_Tools_atexec | Compiled Impacket Tools | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1370 | Impacket_Tools_esentutl | Compiled Impacket Tools | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1371 | Impacket_Tools_goldenPac | Compiled Impacket Tools | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1372 | Impacket_Tools_ifmap | Compiled Impacket Tools | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1373 | Impacket_Tools_lookupsid | Compiled Impacket Tools | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1374 | Impacket_Tools_mimikatz | Compiled Impacket Tools | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1375 | Impacket_Tools_mmcexec | Compiled Impacket Tools | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1376 | Impacket_Tools_netview | Compiled Impacket Tools | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1377 | Impacket_Tools_opdump | Compiled Impacket Tools | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1378 | Impacket_Tools_psexec | Compiled Impacket Tools | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1379 | Impacket_Tools_rpcdump | Compiled Impacket Tools | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1380 | Impacket_Tools_secretsdump | Compiled Impacket Tools | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1381 | Impacket_Tools_smbexec | Compiled Impacket Tools | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1382 | Impacket_Tools_smbrelayx | Compiled Impacket Tools | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1383 | Impacket_Tools_smbtorture | Compiled Impacket Tools | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1384 | Impacket_Tools_sniff | Compiled Impacket Tools | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1385 | Impacket_Tools_sniffer | Compiled Impacket Tools | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1386 | Impacket_Tools_tracer | Compiled Impacket Tools | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1387 | Impacket_Tools_wmiexec | Compiled Impacket Tools | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1388 | Impacket_Tools_wmipersist | Compiled Impacket Tools | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1389 | Impacket_Tools_wmiquery | Compiled Impacket Tools | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1390 | Imphash_Malware_2_TA17_293A | Detects malware based on Imphash of malware used in TA17-293A | https://www.us-cert.gov/ncas/alerts/TA17-293A | 2017-10-21 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1391 | Imphash_UPX_Packed_Malware_1_TA17_293A | Detects malware based on Imphash of malware used in TA17-293A | https://www.us-cert.gov/ncas/alerts/TA17-293A | 2017-10-21 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1392 | Indetectables_RAT | Detects Indetectables RAT based on strings found in research by Paul Rascagneres & Ronan Mouchoux | http://www.sekoia.fr/blog/when-a-brazilian-string-smells-bad/ | 2015-10-01 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1393 | Industroyer_Malware_1 | Detects Industroyer related malware | https://goo.gl/x81cSy | 2017-06-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1394 | Industroyer_Malware_2 | Detects Industroyer related malware | https://goo.gl/x81cSy | 2017-06-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1395 | Industroyer_Malware_4 | Detects Industroyer related malware | https://goo.gl/x81cSy | 2017-06-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1396 | Industroyer_Malware_5 | Detects Industroyer related malware | https://goo.gl/x81cSy | 2017-06-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1397 | Industroyer_Portscan_3 | Detects Industroyer related custom port scanner | https://goo.gl/x81cSy | 2017-06-13 00:00:00 | 70 | Florian Roth | EXE,FILE |
1398 | Industroyer_Portscan_3_Output | Detects Industroyer related custom port scanner output file | https://goo.gl/x81cSy | 2017-06-13 00:00:00 | 70 | Florian Roth | |
1399 | InjectionParameters | Chinese Hacktool Set - file InjectionParameters.vb | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
1400 | InstGina | Disclosed hacktool set (old stuff) - file InstGina.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
1401 | Invoke_Metasploit | Detects Invoke-Metasploit Payload | https://github.com/jaredhaight/Invoke-MetasploitPayload/blob/master/Invoke-MetasploitPayload.ps1 | 2017-09-23 00:00:00 | 70 | Florian Roth | HKTL,METASPLOIT |
1402 | Invoke_Mimikatz | Detects Invoke-Mimikatz String | https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz | 2016-08-03 00:00:00 | 70 | Florian Roth | |
1403 | Invoke_OSiRis | Osiris Device Guard Bypass - file Invoke-OSiRis.ps1 | Internal Research | 2017-03-27 00:00:00 | 70 | Florian Roth | |
1404 | Invoke_PSImage | Detects a command to execute PowerShell from String | https://github.com/peewpw/Invoke-PSImage | 2017-12-16 00:00:00 | 70 | Florian Roth | SCRIPT |
1405 | Invoke_SMBExec | Detects Invoke-WmiExec or Invoke-SmbExec | https://github.com/Kevin-Robertson/Invoke-TheHash | 2017-06-14 00:00:00 | 70 | Florian Roth | |
1406 | Invoke_SMBExec_Invoke_WMIExec_1 | Auto-generated rule - from files Invoke-SMBExec.ps1, Invoke-WMIExec.ps1 | https://github.com/Kevin-Robertson/Invoke-TheHash | 2017-06-14 00:00:00 | 70 | Florian Roth | |
1407 | Invoke_WMIExec_Gen | Auto-generated rule - from files Invoke-SMBClient.ps1, Invoke-SMBExec.ps1, Invoke-WMIExec.ps1, Invoke-WMIExec.ps1 | https://github.com/Kevin-Robertson/Invoke-TheHash | 2017-06-14 00:00:00 | 70 | Florian Roth | |
1408 | Invoke_WMIExec_Gen_1 | Detects Invoke-WmiExec or Invoke-SmbExec | https://github.com/Kevin-Robertson/Invoke-TheHash | 2017-06-14 00:00:00 | 70 | Florian Roth | GEN |
1409 | Invoke_mimikittenz | Detects Mimikittenz - file Invoke-mimikittenz.ps1 | https://github.com/putterpanda/mimikittenz | 2016-07-19 00:00:00 | 90 | Florian Roth | FILE |
1410 | IronGate_APT_Step7ProSim_Gen | Detects IronGate APT Malware - Step7ProSim DLL | https://goo.gl/Mr6M2J | 2016-06-04 00:00:00 | 90 | Florian Roth | APT,EXE,FILE,MAL |
1411 | IronGate_PyInstaller_update_EXE | Detects a PyInstaller file named update.exe as mentioned in the IronGate APT | https://goo.gl/Mr6M2J | 2016-06-04 00:00:00 | 60 | Florian Roth | APT,EXE,FILE |
1412 | IronPanda_DNSTunClient | Iron Panda malware DnsTunClient - file named.exe | https://goo.gl/E4qia9 | 2015-09-16 00:00:00 | 80 | Florian Roth | CHINA,EXE,FILE |
1413 | IronPanda_Malware1 | Iron Panda Malware | https://goo.gl/E4qia9 | 2015-09-16 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,MAL |
1414 | IronPanda_Malware2 | Iron Panda Malware | https://goo.gl/E4qia9 | 2015-09-16 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,MAL |
1415 | IronPanda_Malware3 | Iron Panda Malware | https://goo.gl/E4qia9 | 2015-09-16 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,MAL |
1416 | IronPanda_Malware4 | Iron Panda Malware | https://goo.gl/E4qia9 | 2015-09-16 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,MAL |
1417 | IronPanda_Malware_Htran | Iron Panda Malware Htran | https://goo.gl/E4qia9 | 2015-09-16 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,MAL |
1418 | IronPanda_Webshell_JSP | Iron Panda Malware JSP | https://goo.gl/E4qia9 | 2015-09-16 00:00:00 | 70 | Florian Roth | CHINA,MAL,WEBSHELL |
1419 | IronTiger_ASPXSpy | ASPXSpy detection. It might be used by other fraudsters | http://goo.gl/T5fSJC | 1970-01-01 01:00:00 | 70 | Cyber Safety Solutions, Trend Micro | |
1420 | IronTiger_ChangePort_Toolkit_ChangePortExe | Iron Tiger Malware - Toolkit ChangePort | http://goo.gl/T5fSJC | 1970-01-01 01:00:00 | 70 | Cyber Safety Solutions, Trend Micro | EXE,FILE,INDIA,MAL |
1421 | IronTiger_ChangePort_Toolkit_driversinstall | Iron Tiger Malware - Changeport Toolkit driverinstall | http://goo.gl/T5fSJC | 1970-01-01 01:00:00 | 70 | Cyber Safety Solutions, Trend Micro | EXE,FILE,INDIA,MAL |
1422 | IronTiger_EFH3_encoder | Iron Tiger EFH3 Encoder | http://goo.gl/T5fSJC | 1970-01-01 01:00:00 | 70 | Cyber Safety Solutions, Trend Micro | EXE,FILE,INDIA |
1423 | IronTiger_GTalk_Trojan | Iron Tiger Malware - GTalk Trojan | http://goo.gl/T5fSJC | 1970-01-01 01:00:00 | 70 | Cyber Safety Solutions, Trend Micro | EXE,FILE,INDIA,MAL |
1424 | IronTiger_GetPassword_x64 | Iron Tiger Malware - GetPassword x64 | http://goo.gl/T5fSJC | 1970-01-01 01:00:00 | 70 | Cyber Safety Solutions, Trend Micro | EXE,FILE,INDIA,MAL |
1425 | IronTiger_Gh0stRAT_variant | This is a detection for a s.exe variant seen in Op. Iron Tiger | http://goo.gl/T5fSJC | 1970-01-01 01:00:00 | 70 | Cyber Safety Solutions, Trend Micro | EXE,EXTVAR,FILE,INDIA |
1426 | IronTiger_HTTP_SOCKS_Proxy_soexe | Iron Tiger Toolset - HTTP SOCKS Proxy soexe | http://goo.gl/T5fSJC | 1970-01-01 01:00:00 | 70 | Cyber Safety Solutions, Trend Micro | EXE,FILE,HKTL,INDIA |
1427 | IronTiger_NBDDos_Gh0stvariant_dropper | Iron Tiger Malware - NBDDos Gh0stvariant Dropper | http://goo.gl/T5fSJC | 1970-01-01 01:00:00 | 70 | Cyber Safety Solutions, Trend Micro | EXE,FILE,INDIA,MAL |
1428 | IronTiger_PlugX_DosEmulator | Iron Tiger Malware - PlugX DosEmulator | http://goo.gl/T5fSJC | 1970-01-01 01:00:00 | 70 | Cyber Safety Solutions, Trend Micro | EXE,FILE,INDIA,MAL |
1429 | IronTiger_PlugX_FastProxy | Iron Tiger Malware - PlugX FastProxy | http://goo.gl/T5fSJC | 1970-01-01 01:00:00 | 70 | Cyber Safety Solutions, Trend Micro | EXE,FILE,HKTL,INDIA,MAL |
1430 | IronTiger_PlugX_Server | Iron Tiger Malware - PlugX Server | http://goo.gl/T5fSJC | 1970-01-01 01:00:00 | 70 | Cyber Safety Solutions, Trend Micro | EXE,FILE,INDIA,MAL |
1431 | IronTiger_ReadPWD86 | Iron Tiger Malware - ReadPWD86 | http://goo.gl/T5fSJC | 1970-01-01 01:00:00 | 70 | Cyber Safety Solutions, Trend Micro | EXE,FILE,INDIA,MAL |
1432 | IronTiger_Ring_Gh0stvariant | Iron Tiger Malware - Ring Gh0stvariant | http://goo.gl/T5fSJC | 1970-01-01 01:00:00 | 70 | Cyber Safety Solutions, Trend Micro | EXE,FILE,INDIA,MAL |
1433 | IronTiger_dllshellexc2010 | dllshellexc2010 Exchange backdoor + remote shell | http://goo.gl/T5fSJC | 1970-01-01 01:00:00 | 70 | Cyber Safety Solutions, Trend Micro | EXE,FILE,MAL |
1434 | IronTiger_dnstunnel | This rule detects a dns tunnel tool used in Operation Iron Tiger | http://goo.gl/T5fSJC | 1970-01-01 01:00:00 | 70 | Cyber Safety Solutions, Trend Micro | EXE,FILE,INDIA |
1435 | IronTiger_wmiexec | Iron Tiger Tool - wmi.vbs detection | http://goo.gl/T5fSJC | 1970-01-01 01:00:00 | 70 | Cyber Safety Solutions, Trend Micro | INDIA |
1436 | IsDebug_V1_4 | Chinese Hacktool Set - file IsDebug V1.4.dll | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1437 | IsmDoor_Jul17_A2 | Detects IsmDoor Malware | https://twitter.com/Voulnet/status/892104753295110145 | 2017-08-01 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1438 | JSP_Browser_APT_webshell | VonLoesch JSP Browser used as web shell by APT groups - jsp File browser 1.1a | - | 2014-10-10 00:00:00 | 60 | F.Roth | APT,WEBSHELL |
1439 | JSP_jfigueiredo_APT_webshell | JSP Browser used as web shell by APT groups - author: jfigueiredo | http://ceso.googlecode.com/svn/web/bko/filemanager/Browser.jsp | 2014-12-10 00:00:00 | 60 | F.Roth | APT,WEBSHELL |
1440 | JSP_jfigueiredo_APT_webshell_2 | JSP Browser used as web shell by APT groups - author: jfigueiredo | http://ceso.googlecode.com/svn/web/bko/filemanager/ | 2014-12-10 00:00:00 | 60 | F.Roth | APT,WEBSHELL |
1441 | JS_Suspicious_MSHTA_Bypass | Detects MSHTA Bypass | https://twitter.com/ItsReallyNick/status/887705105239343104 | 2017-07-19 00:00:00 | 70 | Florian Roth | SCRIPTS |
1442 | JS_Suspicious_Obfuscation_Dropbox | Detects PowerShell AMSI Bypass | https://twitter.com/ItsReallyNick/status/887705105239343104 | 2017-07-19 00:00:00 | 70 | Florian Roth | OBFUS,SCRIPT,SCRIPTS |
1443 | JavaScript_Run_Suspicious | Detects a suspicious Javascript Run command | https://twitter.com/craiu/status/900314063560998912 | 2017-08-23 00:00:00 | 60 | Florian Roth | SCRIPTS |
1444 | Java_Shell_js | Semi-Auto-generated - file Java Shell.js.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
1445 | Jc_ALL_WinEggDropShell_rar_Folder_Install_2 | Disclosed hacktool set (old stuff) - file Install.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
1446 | Jc_WinEggDrop_Shell | Disclosed hacktool set (old stuff) - file Jc.WinEggDrop Shell.txt | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
1447 | JspWebshell_1_2_jsp | Semi-Auto-generated - file JspWebshell 1.2.jsp.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
1448 | KA_uShell | Webshells Auto-generated - file KA_uShell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1449 | KHRAT_Malware | Detects an Imphash of KHRAT malware | https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/ | 2017-08-31 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1450 | KINS_DLL_zeus | Match default bot in KINS leaked dropper, Zeus | http://goo.gl/arPhm3 | 1970-01-01 01:00:00 | 70 | AlienVault Labs aortega@alienvault.com | |
1451 | KINS_dropper | Match protocol, process injects and windows exploit present in KINS dropper | http://goo.gl/arPhm3 | 1970-01-01 01:00:00 | 70 | AlienVault Labs aortega@alienvault.com | |
1452 | KR_Target_Malware_Aug17 | Detects malware that targeted South Korea in Aug 2017 - file MRDqsbuEqGxrgqtbXU.exe | https://twitter.com/eyalsela/status/900250203097354240 | 2017-08-23 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1453 | KasperMalware_Oct17_1 | Detects Kasper Backdoor | Internal Research | 2017-10-24 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1454 | KeeTheft_EXE | Detects component of KeeTheft - KeePass dump tool - file KeeTheft.exe | https://github.com/HarmJ0y/KeeThief | 2017-08-29 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
1455 | KeeTheft_Out_Shellcode | Detects component of KeeTheft - KeePass dump tool - file Out-Shellcode.ps1 | https://github.com/HarmJ0y/KeeThief | 2017-08-29 00:00:00 | 70 | Florian Roth | HKTL |
1456 | KeeThief_PS | Detects component of KeeTheft - KeePass dump tool - file KeeThief.ps1 | https://github.com/HarmJ0y/KeeThief | 2017-08-29 00:00:00 | 70 | Florian Roth | FILE,HKTL |
1457 | Kekeo_Hacktool | Detects Kekeo Hacktool | https://github.com/gentilkiwi/kekeo/releases | 2017-07-21 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
1458 | KeyBoy_876_0x4e20000 | Detects KeyBoy Backdoor | https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/ | 2018-03-26 00:00:00 | 70 | Markus Neis, Florian Roth | EXE,FILE,MAL |
1459 | KeyBoy_InstallClient | Detects KeyBoy InstallClient | https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/ | 2018-03-26 00:00:00 | 70 | Markus Neis, Florian Roth | EXE,FILE |
1460 | KeyBoy_rasauto | Detects KeyBoy ServiceClient | https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/ | 2018-03-26 00:00:00 | 70 | Markus Neis, Florian Roth | EXE,FILE |
1461 | KeyBoy_wab32res | Detects KeyBoy Loader wab32res.dll | https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/ | 2018-03-26 00:00:00 | 70 | Markus Neis, Florian Roth | EXE,FILE |
1462 | KeyBoys_malware_1 | Detects Keyboys malware | http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html | 2017-11-02 00:00:00 | 70 | Florian Roth | EXE,FILE |
1463 | Keylogger_CN_APT | Keylogger - generic rule for a Chinese variant | - | 2016-03-07 00:00:00 | 75 | Florian Roth | CHINA,EXE,FILE,HKTL |
1464 | KiwiTaskmgr_2 | Chinese Hacktool Set - file KiwiTaskmgr.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1465 | Korplug_FAST | Rule to detect Korplug/PlugX FAST variant | - | 2015-08-20 00:00:00 | 70 | Florian Roth | EXE,FILE |
1466 | Kraken_Bot_Sample | Kraken Bot Sample - file inf.bin | https://blog.gdatasoftware.com/blog/article/dissecting-the-kraken.html | 2015-05-07 00:00:00 | 90 | Florian Roth | EXE,FILE |
1467 | Kriskynote_Mar17_1 | Detects Kriskynote Malware | Internal Research | 2017-03-03 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1468 | Kriskynote_Mar17_2 | Detects Kriskynote Malware | Internal Research | 2017-03-03 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1469 | Kriskynote_Mar17_3 | Detects Kriskynote Malware | Internal Research | 2017-03-03 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1470 | LNK_Malicious_Nov1 | Detects a suspicious LNK file | https://www.virustotal.com/en/file/ee069edc46a18698fa99b6d2204895e6a516af1a306ea986a798b178f289ecd6/analysis/ | 2017-11-06 00:00:00 | 60 | Florian Roth | FILE |
1471 | Laudanum_Tools_Generic | Laudanum Injector Tools | http://laudanum.inguardians.com/ | 2015-06-22 00:00:00 | 70 | Florian Roth | HKTL,WEBSHELL |
1472 | Lazagne_PW_Dumper | Detects Lazagne PW Dumper | https://github.com/AlessandroZ/LaZagne/releases/ | 2018-03-22 00:00:00 | 70 | Markus Neis / Florian Roth | HKTL |
1473 | Lazarus_Dec_17_1 | Detects Lazarus malware from incident in Dec 2017 | https://goo.gl/8U6fY2 | 2017-12-20 00:00:00 | 70 | Florian Roth | FILE,NK |
1474 | Lazarus_Dec_17_2 | Detects Lazarus malware from incident in Dec 2017 | https://goo.gl/8U6fY2 | 2017-12-20 00:00:00 | 70 | Florian Roth | EXE,FILE,NK |
1475 | Lazarus_Dec_17_4 | Detects Lazarus malware from incident in Dec 2017 - file ithumb.js | https://goo.gl/8U6fY2 | 2017-12-20 00:00:00 | 70 | Florian Roth | NK |
1476 | Lazarus_Dec_17_5 | Detects Lazarus malware from incident in Dec 2017 | https://goo.gl/8U6fY2 | 2017-12-20 00:00:00 | 70 | Florian Roth | NK |
1477 | Leviathan_CobaltStrike_Sample_1 | Detects Cobalt Strike sample from Leviathan report | https://goo.gl/MZ7dRg | 2017-10-18 00:00:00 | 70 | Florian Roth | EXE,FILE |
1478 | LightFTP_Config | Detects a light FTP server - config file | https://github.com/hfiref0x/LightFTP | 2015-05-14 00:00:00 | 70 | Florian Roth | FILE |
1479 | LightFTP_fftp_x86_64 | Detects a light FTP server | https://github.com/hfiref0x/LightFTP | 2015-05-14 00:00:00 | 50 | Florian Roth | EXE,FILE |
1480 | LinuxHacktool_eyes_a | Linux hack tools - file a | not set | 2015-01-19 00:00:00 | 70 | Florian Roth | HKTL,LINUX |
1481 | LinuxHacktool_eyes_mass | Linux hack tools - file mass | not set | 2015-01-19 00:00:00 | 70 | Florian Roth | HKTL,LINUX |
1482 | LinuxHacktool_eyes_pscan2 | Linux hack tools - file pscan2 | not set | 2015-01-19 00:00:00 | 70 | Florian Roth | HKTL,LINUX |
1483 | LinuxHacktool_eyes_pscan2_2 | Linux hack tools - file pscan2.c | not set | 2015-01-19 00:00:00 | 70 | Florian Roth | HKTL,LINUX |
1484 | LinuxHacktool_eyes_scanssh | Linux hack tools - file scanssh | not set | 2015-01-19 00:00:00 | 70 | Florian Roth | HKTL,LINUX |
1485 | Linux_Portscan_Shark_1 | Detects Linux Port Scanner Shark | Virustotal Research - see https://github.com/Neo23x0/Loki/issues/35 | 2016-04-01 00:00:00 | 70 | Florian Roth | FILE,HKTL,LINUX |
1486 | Linux_Portscan_Shark_2 | Detects Linux Port Scanner Shark | Virustotal Research - see https://github.com/Neo23x0/Loki/issues/35 | 2016-04-01 00:00:00 | 70 | Florian Roth | HKTL,LINUX |
1487 | LiuDoor_Malware_1 | Liudoor Trojan used in Terracotta APT | https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/ | 2015-08-04 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
1488 | LiuDoor_Malware_2 | Liudoor Trojan used in Terracotta APT | https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/ | 2015-08-04 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
1489 | Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php | Semi-Auto-generated - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
1490 | Locky_Ransomware | Detects Locky Ransomware (matches also on Win32/Kuluoz) | https://goo.gl/qScSrE | 2016-02-17 00:00:00 | 70 | Florian Roth (with the help of binar.ly) | CRIME,MAL,RANSOM |
1491 | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5 | 2018-02-14 00:00:00 | 70 | Florian Roth | FILE,MAL |
1492 | LokiBot_Dropper_ScanCopyPDF_Feb18 | Auto-generated rule - file Scan Copy.pdf.com | https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5 | 2018-02-14 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1493 | MAL_AirdViper_Sample_Apr18_1 | Detects Arid Viper malware sample | Internal Research | 2018-05-04 00:00:00 | 70 | Florian Roth | EXE,FILE,MIDDLE_EAST |
1494 | MAL_BackNet_Nov18_1 | Detects BackNet samples | https://github.com/valsov/BackNet | 2018-11-02 00:00:00 | 70 | Florian Roth | EXE,FILE |
1495 | MAL_BurningUmbrella_Sample_10 | Detects malware sample from Burning Umbrella report | https://401trg.pw/burning-umbrella/ | 2018-05-04 00:00:00 | 70 | Florian Roth | EXE,FILE |
1496 | MAL_BurningUmbrella_Sample_11 | Detects malware sample from Burning Umbrella report | https://401trg.pw/burning-umbrella/ | 2018-05-04 00:00:00 | 70 | Florian Roth | FILE |
1497 | MAL_BurningUmbrella_Sample_12 | Detects malware sample from Burning Umbrella report | https://401trg.pw/burning-umbrella/ | 2018-05-04 00:00:00 | 70 | Florian Roth | EXE,FILE |
1498 | MAL_BurningUmbrella_Sample_13 | Detects malware sample from Burning Umbrella report | https://401trg.pw/burning-umbrella/ | 2018-05-04 00:00:00 | 70 | Florian Roth | EXE,FILE |
1499 | MAL_BurningUmbrella_Sample_14 | Detects malware sample from Burning Umbrella report | https://401trg.pw/burning-umbrella/ | 2018-05-04 00:00:00 | 70 | Florian Roth | EXE,FILE |
1500 | MAL_BurningUmbrella_Sample_15 | Detects malware sample from Burning Umbrella report | https://401trg.pw/burning-umbrella/ | 2018-05-04 00:00:00 | 70 | Florian Roth | EXE,FILE |
1501 | MAL_BurningUmbrella_Sample_16 | Detects malware sample from Burning Umbrella report | https://401trg.pw/burning-umbrella/ | 2018-05-04 00:00:00 | 70 | Florian Roth | EXE,FILE |
1502 | MAL_BurningUmbrella_Sample_17 | Detects malware sample from Burning Umbrella report | https://401trg.pw/burning-umbrella/ | 2018-05-04 00:00:00 | 70 | Florian Roth | EXE,FILE |
1503 | MAL_BurningUmbrella_Sample_18 | Detects malware sample from Burning Umbrella report | https://401trg.pw/burning-umbrella/ | 2018-05-04 00:00:00 | 70 | Florian Roth | EXE,FILE |
1504 | MAL_BurningUmbrella_Sample_19 | Detects malware sample from Burning Umbrella report | https://401trg.pw/burning-umbrella/ | 2018-05-04 00:00:00 | 70 | Florian Roth | EXE,FILE |
1505 | MAL_BurningUmbrella_Sample_1 | Detects malware sample from Burning Umbrella report | https://401trg.pw/burning-umbrella/ | 2018-05-04 00:00:00 | 70 | Florian Roth | EXE,FILE |
1506 | MAL_BurningUmbrella_Sample_20 | Detects malware sample from Burning Umbrella report | https://401trg.pw/burning-umbrella/ | 2018-05-04 00:00:00 | 70 | Florian Roth | EXE,FILE |
1507 | MAL_BurningUmbrella_Sample_21 | Detects malware sample from Burning Umbrella report | https://401trg.pw/burning-umbrella/ | 2018-05-04 00:00:00 | 70 | Florian Roth | EXE,FILE |
1508 | MAL_BurningUmbrella_Sample_22 | Detects malware sample from Burning Umbrella report | https://401trg.pw/burning-umbrella/ | 2018-05-04 00:00:00 | 70 | Florian Roth | EXE,FILE |
1509 | MAL_BurningUmbrella_Sample_2 | Detects malware sample from Burning Umbrella report | https://401trg.pw/burning-umbrella/ | 2018-05-04 00:00:00 | 70 | Florian Roth | EXE,FILE |
1510 | MAL_BurningUmbrella_Sample_3 | Detects malware sample from Burning Umbrella report | https://401trg.pw/burning-umbrella/ | 2018-05-04 00:00:00 | 70 | Florian Roth | EXE,FILE |
1511 | MAL_BurningUmbrella_Sample_4 | Detects malware sample from Burning Umbrella report | https://401trg.pw/burning-umbrella/ | 2018-05-04 00:00:00 | 70 | Florian Roth | EXE,FILE |
1512 | MAL_BurningUmbrella_Sample_6 | Detects malware sample from Burning Umbrella report | https://401trg.pw/burning-umbrella/ | 2018-05-04 00:00:00 | 70 | Florian Roth | EXE,FILE |
1513 | MAL_BurningUmbrella_Sample_7 | Detects malware sample from Burning Umbrella report | https://401trg.pw/burning-umbrella/ | 2018-05-04 00:00:00 | 70 | Florian Roth | EXE,FILE |
1514 | MAL_BurningUmbrella_Sample_8 | Detects malware sample from Burning Umbrella report | https://401trg.pw/burning-umbrella/ | 2018-05-04 00:00:00 | 70 | Florian Roth | EXE,FILE |
1515 | MAL_CN_FlyStudio_May18_1 | Detects malware / hacktool detected in May 2018 | Internal Research | 2018-05-11 00:00:00 | 70 | Florian Roth | EXE,FILE |
1516 | MAL_CrypRAT_Jan19_1 | Detects CrypRAT | Internal Research | 2019-01-07 00:00:00 | 90 | Florian Roth | EXE,FILE,MAL |
1517 | MAL_DNSPIONAGE_Malware_Nov18 | Detects DNSpionage Malware | https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html | 2018-11-30 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1518 | MAL_ELF_LNX_Mirai_Oct10_1 | Detects ELF Mirai variant | Internal Research | 2018-10-27 00:00:00 | 70 | Florian Roth | FILE,LINUX |
1519 | MAL_ELF_LNX_Mirai_Oct10_2 | Detects ELF malware Mirai related | Internal Research | 2018-10-27 00:00:00 | 70 | Florian Roth | FILE,LINUX |
1520 | MAL_ELF_VPNFilter_1 | Detects VPNFilter malware | Internal Research | 2018-05-24 00:00:00 | 70 | Florian Roth | FILE,LINUX |
1521 | MAL_ELF_VPNFilter_2 | Detects VPNFilter malware | Internal Research | 2018-05-24 00:00:00 | 70 | Florian Roth | FILE,LINUX |
1522 | MAL_ELF_VPNFilter_3 | Detects VPNFilter malware | Internal Research | 2018-05-24 00:00:00 | 70 | Florian Roth | FILE,LINUX |
1523 | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | https://twitter.com/malwrhunterteam/status/953313514629853184 | 2018-01-21 00:00:00 | 70 | Florian Roth | EXE,FILE |
1524 | MAL_ExileRAT_Feb19_1 | Detects Exile RAT | https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html | 2019-02-04 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1525 | MAL_Floxif_Generic | Detects Floxif Malware | Internal Research | 2018-05-11 00:00:00 | 80 | Florian Roth | EXE,FILE,MAL |
1526 | MAL_GandCrab_Apr18_1 | Detects GandCrab malware | https://twitter.com/MarceloRivero/status/988455516094550017 | 2018-04-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
1527 | MAL_HawkEye_Keylogger_Gen_Dec18 | Detects HawkEye Keylogger Reborn | https://twitter.com/James_inthe_box/status/1072116224652324870 | 2018-12-10 00:00:00 | 70 | Florian Roth | GEN,HKTL |
1528 | MAL_Hogfish_Report_Related_Sample | Detects APT10 / Hogfish related samples | https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf | 2018-05-01 00:00:00 | 70 | Florian Roth | APT,CHINA,EXE,FILE |
1529 | MAL_JRAT_Oct18_1 | Detects JRAT malware | Internal Research | 2018-10-11 00:00:00 | 70 | Florian Roth | FILE,MAL |
1530 | MAL_KHRAT_script | Rule derived from KHRAT script but can match on other malicious scripts as well | https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/ | 2017-08-31 00:00:00 | 70 | Florian Roth | MAL |
1531 | MAL_KHRAT_scritplet | Rule derived from KHRAT scriptlet | https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/ | 2017-08-31 00:00:00 | 70 | Florian Roth | FILE,MAL |
1532 | MAL_Kwampirs_Apr18 | Kwampirs dropper and main payload components | https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia | 2018-04-23 00:00:00 | 70 | Symantec | |
1533 | MAL_LNX_SSHDOOR_Triton | Signature detecting | https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf | 2018-12-05 00:00:00 | 70 | Marc-Etienne M.Leveille, modified by Florian Roth | FILE,LINUX |
1534 | MAL_Metasploit_Framework_UA | Detects User Agent used in Metasploit Framework | https://github.com/rapid7/metasploit-framework/commit/12a6d67be48527f5d3987e40cac2a0cbb4ab6ce7 | 2018-08-16 00:00:00 | 65 | Florian Roth | EXE,FILE,METASPLOIT |
1535 | MAL_MuddyWater_DroppedTask_Jun18_1 | Detects a dropped Windows task as used by MuddyWater in June 2018 | https://app.any.run/tasks/719c94eb-0a00-47cc-b583-ad4f9e25ebdb | 2018-06-12 00:00:00 | 70 | Florian Roth | FILE |
1536 | MAL_Nitol_Malware_Jan19_1 | Detects Nitol Malware | https://twitter.com/shotgunner101/status/1084602413691166721 | 2019-01-14 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1537 | MAL_OSX_FancyBear_Agent_Jul18_1 | Detects FancyBear Agent for OSX | https://twitter.com/DrunkBinary/status/1018448895054098432 | 2018-07-15 00:00:00 | 70 | Florian Roth | FILE,MACOS,RUSSIA |
1538 | MAL_RTF_Embedded_OLE_PE | Detects a suspicious string often used in PE files in a hex encoded object stream | https://www.nextron-systems.com/2018/01/22/creating-yara-rules-detect-embedded-exe-files-ole-objects/ | 2018-01-22 00:00:00 | 70 | Florian Roth | FILE |
1539 | MAL_RedLeaves_Apr18_1 | Detects RedLeaves malware | https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf | 2018-05-01 00:00:00 | 70 | Florian Roth | EXE,FILE |
1540 | MAL_Ryuk_Ransomware | Detects strings known from Ryuk Ransomware | https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/ | 2018-12-31 00:00:00 | 70 | Florian Roth | CRIME,EXE,FILE,MAL,RANSOM |
1541 | MAL_Sednit_DelphiDownloader_Apr18_2 | Detects malware from Sednit Delphi Downloader report | https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ | 2018-04-24 00:00:00 | 70 | Florian Roth | |
1542 | MAL_Sednit_DelphiDownloader_Apr18_3 | Detects malware from Sednit Delphi Downloader report | https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/ | 2018-04-24 00:00:00 | 70 | Florian Roth | EXE,FILE |
1543 | MAL_Turla_Agent_BTZ | Detects Turla Agent.BTZ | https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified | 2018-04-12 00:00:00 | 70 | Florian Roth | EXE,FILE,RUSSIA |
1544 | MAL_Turla_Sample_May18_1 | Detects Turla samples | https://twitter.com/omri9741/status/991942007701598208 | 2018-05-03 00:00:00 | 70 | Florian Roth | EXE,FILE,RUSSIA |
1545 | MAL_Unknown_PWDumper_Apr18_3 | Detects sample from unknown sample set - IL origin | Internal Research | 2018-04-06 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
1546 | MAL_Visel_Sample_May18_1 | Detects Visel malware sample from Burning Umbrella report | https://401trg.pw/burning-umbrella/ | 2018-05-04 00:00:00 | 70 | Florian Roth | EXE,FILE |
1547 | MAL_WebMonitor_RAT | Detects WebMonitor RAT | https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/ | 2018-04-13 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1548 | MAL_Winnti_Sample_May18_1 | Detects malware sample from Burning Umbrella report - Generic Winnti Rule | https://401trg.pw/burning-umbrella/ | 2018-05-04 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,GEN |
1549 | MAL_Xbash_JS_Sep18 | Detects XBash malware | https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/ | 2018-09-18 00:00:00 | 70 | Florian Roth | FILE |
1550 | MAL_Xbash_PY_Sep18 | Detects Xbash malware | https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/ | 2018-09-18 00:00:00 | 70 | Florian Roth | FILE |
1551 | MAL_Xbash_SH_Sep18 | Detects Xbash malware | https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/ | 2018-09-18 00:00:00 | 70 | Florian Roth | FILE |
1552 | MAL_unspecified_Jan18_1 | Detects unspecified malware sample | Internal Research | 2018-01-19 00:00:00 | 70 | Florian Roth | MAL |
1553 | ME_Campaign_Malware_1 | Detects malware from Middle Eastern campaign reported by Talos | http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html | 2018-02-07 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1554 | ME_Campaign_Malware_2 | Detects malware from Middle Eastern campaign reported by Talos | http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html | 2018-02-07 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1555 | ME_Campaign_Malware_3 | Detects malware from Middle Eastern campaign reported by Talos | http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html | 2018-02-07 00:00:00 | 70 | Florian Roth | FILE,MAL |
1556 | ME_Campaign_Malware_4 | Detects malware from Middle Eastern campaign reported by Talos | http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html | 2018-02-07 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1557 | ME_Campaign_Malware_5 | Detects malware from Middle Eastern campaign reported by Talos | http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html | 2018-02-07 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1558 | MS08_067_Exploit_Hacktools_CN | Disclosed hacktool set - file cs.exe | - | 2014-11-17 00:00:00 | 60 | Florian Roth | HKTL |
1559 | MSBuild_Mimikatz_Execution_via_XML | Detects an XML that executes Mimikatz on an endpoint via MSBuild | https://gist.github.com/subTee/c98f7d005683e616560bda3286b6a0d8#file-katz-xml | 2016-10-07 00:00:00 | 70 | Florian Roth | HKTL |
1560 | MSSqlPass | Chinese Hacktool Set - file MSSqlPass.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1561 | Mal_Dropper_httpEXE_from_CAB | Detects a dropper from a CAB file mentioned in the article | https://goo.gl/13Wgy1 | 2016-05-25 00:00:00 | 60 | Florian Roth | EXE,FILE,MAL |
1562 | Mal_PotPlayer_DLL | Detects a malicious PotPlayer.dll | https://goo.gl/13Wgy1 | 2016-05-25 00:00:00 | 70 | Florian Roth | EXE,FILE |
1563 | Mal_http_EXE | Detects trojan from APT report named http.exe | https://goo.gl/13Wgy1 | 2016-05-25 00:00:00 | 80 | Florian Roth | APT,EXE,FILE |
1564 | Malicious_BAT_Strings | Detects a string also used in Netwire RAT auxiliary | https://pastebin.com/8qaiyPxs | 2018-01-05 00:00:00 | 60 | Florian Roth | MAL |
1565 | Malicious_SFX1 | SFX with voicemail content | http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950 | 2015-07-20 00:00:00 | 70 | Florian Roth | FILE |
1566 | Malicious_SFX2 | SFX with adobe.exe content | http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950 | 2015-07-20 00:00:00 | 70 | Florian Roth | EXE,FILE |
1567 | Malware_Floxif_mpsvc_dll | Malware - Floxif | Internal Research | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1568 | Malware_JS_powershell_obfuscated | Unspecified malware - file rechnung_3.js | Internal Research | 2017-03-24 00:00:00 | 70 | Florian Roth | |
1569 | Malware_MsUpdater_String_in_EXE | MSUpdater String in Executable | VT Analysis | 2015-06-03 00:00:00 | 50 | Florian Roth | EXE,FILE |
1570 | Malware_QA_1177 | VT Research QA uploaded malware - file 1177.vbs | VT Research QA | 2016-08-29 00:00:00 | 80 | Florian Roth | FILE,MAL |
1571 | Malware_QA_get_The_FucKinG_IP | VT Research QA uploaded malware - file get The FucKinG IP.exe | VT Research QA | 2016-08-29 00:00:00 | 80 | Florian Roth | EXE,FILE,MAL |
1572 | Malware_QA_not_copy | VT Research QA uploaded malware - file not copy.exe | VT Research QA | 2016-08-29 00:00:00 | 80 | Florian Roth | EXE,FILE,MAL |
1573 | Malware_QA_tls | VT Research QA uploaded malware - file tls.exe | VT Research QA | 2016-08-29 00:00:00 | 80 | Florian Roth | EXE,FILE,MAL |
1574 | Malware_QA_update | VT Research QA uploaded malware - file update.exe | VT Research QA | 2016-08-29 00:00:00 | 80 | Florian Roth | EXE,FILE,MAL |
1575 | Malware_QA_update_test | VT Research QA uploaded malware - file update_.exe | VT Research QA | 2016-08-29 00:00:00 | 80 | Florian Roth | EXE,EXTVAR,FILE |
1576 | Malware_QA_vqgk | VT Research QA uploaded malware - file vqgk.dll | VT Research QA | 2016-08-29 00:00:00 | 80 | Florian Roth | EXE,FILE,MAL |
1577 | MarathonTool | Chinese Hacktool Set - file MarathonTool.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1578 | MarathonTool_2 | Chinese Hacktool Set - file MarathonTool.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1579 | Metasploit_Loader_RSMudge | Detects a Metasploit Loader by RSMudge - file loader.exe | https://github.com/rsmudge/metasploit-loader | 2016-04-20 00:00:00 | 70 | Florian Roth | EXE,FILE,METASPLOIT |
1580 | Miari_2_May17 | Detects Mirai Malware | Internal Research | 2017-05-12 00:00:00 | 70 | Florian Roth | FILE,MAL |
1581 | Microcin_Sample_1 | Malware sample mentioned in Microcin technical report by Kaspersky | https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf | 2017-09-26 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1582 | Microcin_Sample_2 | Malware sample mentioned in Microcin technical report by Kaspersky | https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf | 2017-09-26 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1583 | Microcin_Sample_3 | Malware sample mentioned in Microcin technical report by Kaspersky | https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf | 2017-09-26 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1584 | Microcin_Sample_4 | Malware sample mentioned in Microcin technical report by Kaspersky | https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf | 2017-09-26 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1585 | Microcin_Sample_5 | Malware sample mentioned in Microcin technical report by Kaspersky | https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf | 2017-09-26 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1586 | Microcin_Sample_6 | Malware sample mentioned in Microcin technical report by Kaspersky | https://securelist.com/files/2017/09/Microcin_Technical-PDF_eng_final.pdf | 2017-09-26 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1587 | Mimikatz_Gen_Strings | Detects Mimikatz by using some special strings | Internal Research | 2017-06-19 00:00:00 | 70 | Florian Roth | EXE,FILE,GEN,HKTL |
1588 | Mimikatz_Logfile | Detects a log file generated by malicious hack tool mimikatz | - | 2015-03-31 00:00:00 | 80 | Florian Roth | HKTL |
1589 | Mimikatz_Memory_Rule_1 | Detects password dumper mimikatz in memory | - | 2014-12-22 00:00:00 | 70 | Florian Roth | HKTL |
1590 | Mimikatz_Memory_Rule_2 | Mimikatz Rule generated from a memory dump | - | 1970-01-01 01:00:00 | 80 | Florian Roth - Florian Roth | HKTL |
1591 | Mimikatz_Strings | Detects Mimikatz strings | not set | 2016-06-08 00:00:00 | 65 | Florian Roth | EXE,FILE,HKTL |
1592 | Mimipenguin_SH | Detects Mimipenguin Password Extractor - Linux | https://github.com/huntergregal/mimipenguin | 2017-04-01 00:00:00 | 70 | Florian Roth | LINUX |
1593 | MiniDionis_VBS_Dropped | Dropped File - 1.vbs | https://malwr.com/analysis/ZDc4ZmIyZDI4MTVjNGY5NWI0YzE3YjIzNGFjZTcyYTY/ | 2015-07-21 00:00:00 | 70 | Florian Roth | SCRIPT |
1594 | MiniDionis_readerView | MiniDionis Malware - file readerView.exe / adobe.exe | http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3950 | 2015-07-20 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1595 | MiniDumpTest_msdsc | Auto-generated rule - file msdsc.exe | https://github.com/giMini/RWMC/ | 2015-08-31 00:00:00 | 70 | Florian Roth | EXE,FILE |
1596 | MiniRAT_Gen_1 | Detects Mini RAT malware | https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news | 2018-01-22 00:00:00 | 70 | Florian Roth | EXE,FILE,GEN,MAL |
1597 | Mirai_1_May17 | Detects Mirai Malware | Internal Research | 2017-05-12 00:00:00 | 70 | Florian Roth | FILE,MAL |
1598 | Mirai_Botnet_Malware | Detects Mirai Botnet Malware | Internal Research | 2016-10-04 00:00:00 | 70 | Florian Roth | FILE,MAL |
1599 | Mithozhan_Trojan | Mitozhan Trojan used in APT Terracotta | https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/ | 2015-08-04 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
1600 | Mithril_Mithril | Webshells Auto-generated - file Mithril.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1601 | Mithril_dllTest | Webshells Auto-generated - file dllTest.dll | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1602 | Mithril_v1_45_Mithril | Webshells Auto-generated - file Mithril.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1603 | Mithril_v1_45_dllTest | Webshells Auto-generated - file dllTest.dll | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1604 | MockDll_Gen | Detects MockDll - regsvr DLL loader | https://goo.gl/MZ7dRg | 2017-10-18 00:00:00 | 70 | Florian Roth | EXE,FILE |
1605 | Molerats_Jul17_Sample_1 | Detects Molerats sample - July 2017 | https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html | 2017-07-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1606 | Molerats_Jul17_Sample_2 | Detects Molerats sample - July 2017 | https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html | 2017-07-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1607 | Molerats_Jul17_Sample_3 | Detects Molerats sample - July 2017 | https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html | 2017-07-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1608 | Molerats_Jul17_Sample_4 | Detects Molerats sample - July 2017 | https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html | 2017-07-07 00:00:00 | 70 | Florian Roth | |
1609 | Molerats_Jul17_Sample_5 | Detects Molerats sample - July 2017 | https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html | 2017-07-07 00:00:00 | 70 | Florian Roth | |
1610 | Molerats_Jul17_Sample_Dropper | Detects Molerats sample dropper SFX - July 2017 | https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html | 2017-07-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1611 | Monsoon_APT_Malware_1 | Detects malware from Monsoon APT | http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2 | 2017-09-08 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
1612 | Monsoon_APT_Malware_2 | Detects malware from Monsoon APT | http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2 | 2017-09-08 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
1613 | MooreR_Port_Scanner | Auto-generated rule on file MooreR Port Scanner.exe | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator by Florian Roth | HKTL |
1614 | Moroccan_Spamers_Ma_EditioN_By_GhOsT_php | Semi-Auto-generated - file Moroccan Spamers Ma-EditioN By GhOsT.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
1615 | Ms_Viru_racle | Chinese Hacktool Set - file racle.dll | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1616 | Ms_Viru_v | Chinese Hacktool Set - file v.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1617 | Msfpayloads_msf | Metasploit Payloads - file msf.sh | Internal Research | 2017-02-09 00:00:00 | 70 | Florian Roth | FILE,METASPLOIT |
1618 | Msfpayloads_msf_10 | Metasploit Payloads - file msf.exe | Internal Research | 2017-02-09 00:00:00 | 70 | Florian Roth | EXE,FILE,METASPLOIT |
1619 | Msfpayloads_msf_11 | Metasploit Payloads - file msf.hta | Internal Research | 2017-02-09 00:00:00 | 70 | Florian Roth | METASPLOIT |
1620 | Msfpayloads_msf_2 | Metasploit Payloads - file msf.asp | Internal Research | 2017-02-09 00:00:00 | 70 | Florian Roth | METASPLOIT |
1621 | Msfpayloads_msf_3 | Metasploit Payloads - file msf.psh | Internal Research | 2017-02-09 00:00:00 | 70 | Florian Roth | METASPLOIT |
1622 | Msfpayloads_msf_4 | Metasploit Payloads - file msf.aspx | Internal Research | 2017-02-09 00:00:00 | 70 | Florian Roth | METASPLOIT |
1623 | Msfpayloads_msf_5 | Metasploit Payloads - file msf.msi | Internal Research | 2017-02-09 00:00:00 | 70 | Florian Roth | METASPLOIT |
1624 | Msfpayloads_msf_6 | Metasploit Payloads - file msf.vbs | Internal Research | 2017-02-09 00:00:00 | 70 | Florian Roth | METASPLOIT |
1625 | Msfpayloads_msf_7 | Metasploit Payloads - file msf.vba | Internal Research | 2017-02-09 00:00:00 | 70 | Florian Roth | METASPLOIT |
1626 | Msfpayloads_msf_8 | Metasploit Payloads - file msf.ps1 | Internal Research | 2017-02-09 00:00:00 | 70 | Florian Roth | METASPLOIT |
1627 | Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Internal Research | 2017-02-09 00:00:00 | 70 | Florian Roth | METASPLOIT |
1628 | Msfpayloads_msf_cmd | Metasploit Payloads - file msf-cmd.ps1 | Internal Research | 2017-02-09 00:00:00 | 70 | Florian Roth | METASPLOIT |
1629 | Msfpayloads_msf_exe | Metasploit Payloads - file msf-exe.vba | Internal Research | 2017-02-09 00:00:00 | 70 | Florian Roth | METASPLOIT |
1630 | Msfpayloads_msf_exe_2 | Metasploit Payloads - file msf-exe.aspx | Internal Research | 2017-02-09 00:00:00 | 70 | Florian Roth | METASPLOIT |
1631 | Msfpayloads_msf_psh | Metasploit Payloads - file msf-psh.vba | Internal Research | 2017-02-09 00:00:00 | 70 | Florian Roth | METASPLOIT |
1632 | Msfpayloads_msf_ref | Metasploit Payloads - file msf-ref.ps1 | Internal Research | 2017-02-09 00:00:00 | 70 | Florian Roth | METASPLOIT |
1633 | Msfpayloads_msf_svc | Metasploit Payloads - file msf-svc.exe | Internal Research | 2017-02-09 00:00:00 | 70 | Florian Roth | EXE,FILE,METASPLOIT |
1634 | MuddyWater_Mal_Doc_Feb18_1 | Detects malicious document used by MuddyWater | Internal Research - TI2T | 2018-02-26 00:00:00 | 70 | Florian Roth | FILE,MIDDLE_EAST |
1635 | MuddyWater_Mal_Doc_Feb18_2 | Detects malicious document used by MuddyWater | Internal Research - TI2T | 2018-02-26 00:00:00 | 70 | Florian Roth | FILE,MIDDLE_EAST |
1636 | MySQL_Web_Interface_Version_0_8_php | Semi-Auto-generated - file MySQL Web Interface Version 0.8.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
1637 | MyWScript_CompiledScript | Detects a script with default name Mywscript compiled with Script2Exe (can also be a McAfee tool https://community.mcafee.com/docs/DOC-4124) | Internal Research | 2017-07-27 00:00:00 | 65 | Florian Roth | EXE,FILE |
1638 | NK_Miner_Malware_Jan18_1 | Detects North Korean Monero Miner mentioned in AlienVault report | https://goo.gl/PChE1z | 2018-01-09 00:00:00 | 70 | Florian Roth (original rule by Chris Doman) | EXE,FILE,MAL |
1639 | NTLM_Dump_Output | NTLM Hash Dump output file - John/LC format | - | 2015-10-01 00:00:00 | 75 | Florian Roth | HKTL |
1640 | NT_Addy_asp | Semi-Auto-generated - file NT Addy.asp.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
1641 | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Internal Research - T2T | 2018-02-19 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1642 | Nanocore_RAT_Feb18_2 | Detects Nanocore RAT | Internal Research - T2T | 2018-02-19 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1643 | Nanocore_RAT_Gen_1 | Detects the Nanocore RAT and similar malware | https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ | 2016-04-22 00:00:00 | 70 | Florian Roth | EXE,FILE,GEN,MAL |
1644 | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ | 2016-04-22 00:00:00 | 100 | Florian Roth | EXE,FILE,GEN,MAL |
1645 | Nanocore_RAT_Sample_1 | Detects a certain Nanocore RAT sample | https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ | 2016-04-22 00:00:00 | 75 | Florian Roth | EXE,FILE,MAL |
1646 | Nanocore_RAT_Sample_2 | Detects a certain Nanocore RAT sample | https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/ | 2016-04-22 00:00:00 | 75 | Florian Roth | EXE,FILE,MAL |
1647 | Nautilus_common_strings | Rule for detection of Nautilus based on common plaintext strings | https://www.ncsc.gov.uk/alerts/turla-group-malware | 2017-11-23 00:00:00 | 70 | NCSC UK | FILE |
1648 | Nautilus_forensic_artificats | Rule for detection of Nautilus related strings | https://www.ncsc.gov.uk/alerts/turla-group-malware | 2017-11-23 00:00:00 | 60 | NCSC UK / Florian Roth | |
1649 | Nautilus_modified_rc4_loop | Rule for detection of Nautilus based on assembly code for a modified RC4 loop | https://www.ncsc.gov.uk/alerts/turla-group-malware | 2017-11-23 00:00:00 | 70 | NCSC UK | FILE |
1650 | Nautilus_rc4_key | Rule for detection of Nautilus based on a hardcoded RC4 key | https://www.ncsc.gov.uk/alerts/turla-group-malware | 2017-11-23 00:00:00 | 70 | NCSC UK | FILE |
1651 | Ncat_Hacktools_CN | Disclosed hacktool set - file nc.exe | - | 2014-11-17 00:00:00 | 60 | Florian Roth | HKTL |
1652 | Ncrack | This signature detects the Ncrack brute force tool | - | 2014-07-07 00:00:00 | 60 | Florian Roth | HKTL |
1653 | NetBIOS_Name_Scanner | Auto-generated rule on file NetBIOS Name Scanner.exe | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator by Florian Roth | HKTL |
1654 | Netview_Hacktool | Network domain enumeration tool - often used by attackers - file Nv.exe | https://github.com/mubix/netview | 2016-03-07 00:00:00 | 60 | Florian Roth | EXE,FILE,HKTL |
1655 | Netview_Hacktool_Output | Network domain enumeration tool output - often used by attackers - file filename.txt | https://github.com/mubix/netview | 2016-03-07 00:00:00 | 60 | Florian Roth | HKTL |
1656 | Neuron_common_strings | Rule for detection of Neuron based on commonly used strings | https://www.ncsc.gov.uk/alerts/turla-group-malware | 2017-11-23 00:00:00 | 70 | NCSC UK | FILE |
1657 | Neuron_standalone_signature | Rule for detection of Neuron based on a standalone signature from .NET metadata | https://www.ncsc.gov.uk/alerts/turla-group-malware | 2017-11-23 00:00:00 | 70 | NCSC UK | FILE |
1658 | Nirsoft_NetResView | Detects NirSoft NetResView - utility that displays the list of all network resources | https://goo.gl/Mr6M2J | 2016-06-04 00:00:00 | 40 | Florian Roth | EXE,FILE |
1659 | Nishang_Webshell | Detects an ASPX web shell | https://github.com/samratashok/nishang | 2016-09-11 00:00:00 | 70 | Florian Roth | FILE,WEBSHELL |
1660 | No_PowerShell | Detects a C# executable used to circumvent PowerShell detection - file nps.exe | https://github.com/Ben0xA/nps | 2016-05-21 00:00:00 | 80 | Florian Roth | EXE,FILE,SCRIPT |
1661 | NotPetya_Ransomware_Jun17 | Detects new NotPetya Ransomware variant from June 2017 | https://goo.gl/h6iaGj | 2017-06-27 00:00:00 | 70 | Florian Roth | CRIME,EXE,FILE,MAL,RANSOM |
1662 | Nshell__1__php_php | Semi-Auto-generated - file Nshell (1).php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
1663 | NtGodMode | Chinese Hacktool Set - file NtGodMode.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1664 | ONHAT_Proxy_Hacktool | Detects ONHAT Proxy - Htran like SOCKS hack tool used by Chinese APT groups | https://goo.gl/p32Ozf | 2016-05-12 00:00:00 | 100 | Florian Roth | APT,CHINA,EXE,FILE,HKTL |
1665 | OPCLEAVER_BackDoorLogger | Keylogger used by attackers in Operation Cleaver | http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf | 2014-12-02 00:00:00 | 70 | Cylance Inc. | HKTL |
1666 | OPCLEAVER_CCProxy_Config | CCProxy config known from Operation Cleaver | http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf | 2014-12-02 00:00:00 | 70 | Florian Roth | HKTL |
1667 | OPCLEAVER_Jasus | ARP cache poisoner used by attackers in Operation Cleaver | http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf | 2014-12-02 00:00:00 | 70 | Cylance Inc. | |
1668 | OPCLEAVER_LoggerModule | Keylogger used by attackers in Operation Cleaver | http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf | 2014-12-02 00:00:00 | 70 | Cylance Inc. | HKTL |
1669 | OPCLEAVER_NetC | Net Crawler used by attackers in Operation Cleaver | http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf | 2014-12-02 00:00:00 | 70 | Cylance Inc. | |
1670 | OPCLEAVER_Parviz_Developer | Parviz developer known from Operation Cleaver | http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf | 2014-12-02 00:00:00 | 70 | Florian Roth | |
1671 | OPCLEAVER_ShellCreator2 | Shell Creator used by attackers in Operation Cleaver to create ASPX web shells | http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf | 2014-12-02 00:00:00 | 70 | Cylance Inc. | |
1672 | OPCLEAVER_SmartCopy2 | Malware or hack tool used by attackers in Operation Cleaver | http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf | 2014-12-02 00:00:00 | 70 | Cylance Inc. | MAL |
1673 | OPCLEAVER_SynFlooder | Malware or hack tool used by attackers in Operation Cleaver | http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf | 2014-12-02 00:00:00 | 70 | Cylance Inc. | MAL |
1674 | OPCLEAVER_TinyZBot | Tiny Bot used by attackers in Operation Cleaver | http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf | 2014-12-02 00:00:00 | 70 | Cylance Inc. | |
1675 | OPCLEAVER_ZhoupinExploitCrew | Keywords used by attackers in Operation Cleaver | http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf | 2014-12-02 00:00:00 | 70 | Cylance Inc. | |
1676 | OPCLEAVER_antivirusdetector | Hack tool used by attackers in Operation Cleaver | http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf | 2014-12-02 00:00:00 | 70 | Cylance Inc. | |
1677 | OPCLEAVER_csext | Backdoor used by attackers in Operation Cleaver | http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf | 2014-12-02 00:00:00 | 70 | Cylance Inc. | MAL |
1678 | OPCLEAVER_kagent | Backdoor used by attackers in Operation Cleaver | http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf | 2014-12-02 00:00:00 | 70 | Cylance Inc. | MAL |
1679 | OPCLEAVER_mimikatzWrapper | Mimikatz Wrapper used by attackers in Operation Cleaver | http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf | 2014-12-02 00:00:00 | 70 | Cylance Inc. | |
1680 | OPCLEAVER_pvz_in | Parviz tool used by attackers in Operation Cleaver | http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf | 2014-12-02 00:00:00 | 70 | Cylance Inc. | |
1681 | OPCLEAVER_pvz_out | Parviz tool used by attackers in Operation Cleaver | http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf | 2014-12-02 00:00:00 | 70 | Cylance Inc. | |
1682 | OPCLEAVER_wndTest | Backdoor used by attackers in Operation Cleaver | http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf | 2014-12-02 00:00:00 | 70 | Cylance Inc. | MAL |
1683 | OPCLEAVER_zhCat | Network tool used by Iranian hackers and used by attackers in Operation Cleaver | http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf | 2014-12-02 00:00:00 | 70 | Cylance Inc. | |
1684 | OPCLEAVER_zhLookUp | Hack tool used by attackers in Operation Cleaver | http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf | 2014-12-02 00:00:00 | 70 | Cylance Inc. | |
1685 | OPCLEAVER_zhmimikatz | Mimikatz wrapper used by attackers in Operation Cleaver | http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf | 2014-12-02 00:00:00 | 70 | Cylance Inc. | |
1686 | OSEditor | Chinese Hacktool Set - file OSEditor.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1687 | OSX_backdoor_Bella | Bella MacOS/OSX backdoor | https://twitter.com/JohnLaTwC/status/911998777182924801 | 2018-02-23 00:00:00 | 70 | John Lambert @JohnLaTwC | EXTVAR,MACOS,MAL |
1688 | OSX_backdoor_EvilOSX | EvilOSX MacOS/OSX backdoor | https://github.com/Marten4n6/EvilOSX, https://twitter.com/JohnLaTwC/status/966139336436498432 | 2018-02-23 00:00:00 | 70 | John Lambert @JohnLaTwC | MACOS,MAL |
1689 | Obfuscated_JS_April17 | Detects cloaked Mimikatz in JS obfuscation | Internal Research | 2017-04-21 00:00:00 | 70 | Florian Roth | OBFUS |
1690 | Obfuscated_VBS_April17 | Detects cloaked Mimikatz in VBS obfuscation | Internal Research | 2017-04-21 00:00:00 | 70 | Florian Roth | OBFUS,SCRIPT |
1691 | Office_AutoOpen_Macro | Detects a Microsoft Office file that contains the AutoOpen Macro function | - | 2015-05-28 00:00:00 | 40 | Florian Roth | FILE,OFFICE |
1692 | Office_OLE_DDE | Detects DDE in MS Office documents | https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/ | 2017-10-12 00:00:00 | 50 | NVISO Labs | FILE,OFFICE |
1693 | Office_OLE_DDEAUTO | Detects DDE in MS Office documents | https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/ | 2017-10-12 00:00:00 | 50 | NVISO Labs | FILE,OFFICE |
1694 | OilRig_Campaign_Reconnaissance | Detects Windows discovery commands - known from OilRig Campaign | https://goo.gl/QMRZ8K | 2016-10-12 00:00:00 | 70 | Florian Roth | MIDDLE_EAST |
1695 | OilRig_ISMAgent_Campaign_Samples1 | Detects OilRig malware from Unit 42 report in October 2017 | https://goo.gl/JQVfFP | 2017-10-18 00:00:00 | 70 | Florian Roth | FILE,MIDDLE_EAST |
1696 | OilRig_ISMAgent_Campaign_Samples2 | Detects OilRig malware from Unit 42 report in October 2017 | https://goo.gl/JQVfFP | 2017-10-18 00:00:00 | 70 | Florian Roth | EXE,FILE,MIDDLE_EAST |
1697 | OilRig_ISMAgent_Campaign_Samples3 | Detects OilRig malware from Unit 42 report in October 2017 | https://goo.gl/JQVfFP | 2017-10-18 00:00:00 | 70 | Florian Roth | EXE,FILE,MIDDLE_EAST |
1698 | OilRig_Malware_Campaign_Gen1 | Detects malware from OilRig Campaign | https://goo.gl/QMRZ8K | 2016-10-12 00:00:00 | 70 | Florian Roth | FILE,MAL,MIDDLE_EAST |
1699 | OilRig_Malware_Campaign_Gen2 | Detects malware from OilRig Campaign | https://goo.gl/QMRZ8K | 2016-10-12 00:00:00 | 70 | Florian Roth | FILE,MAL,MIDDLE_EAST |
1700 | OilRig_Malware_Campaign_Gen3 | Detects malware from OilRig Campaign | https://goo.gl/QMRZ8K | 2016-10-12 00:00:00 | 70 | Florian Roth | FILE,MAL,MIDDLE_EAST |
1701 | OilRig_Malware_Campaign_Mal1 | Detects malware from OilRig Campaign | https://goo.gl/QMRZ8K | 2016-10-12 00:00:00 | 70 | Florian Roth | FILE,MAL,MIDDLE_EAST |
1702 | OilRig_Malware_Campaign_Mal2 | Detects malware from OilRig Campaign | https://goo.gl/QMRZ8K | 2016-10-12 00:00:00 | 70 | Florian Roth | FILE,MAL,MIDDLE_EAST |
1703 | OilRig_Malware_Campaign_Mal3 | Detects malware from OilRig Campaign | https://goo.gl/QMRZ8K | 2016-10-12 00:00:00 | 70 | Florian Roth | MAL,MIDDLE_EAST |
1704 | OilRig_Malware_Nov17_13 | | https://twitter.com/ClearskySec/status/933280188733018113 | 2017-11-22 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1705 | OilRig_RGDoor_Gen1 | Detects RGDoor backdoor used by OilRig group | https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ | 2018-01-27 00:00:00 | 80 | Florian Roth | EXE,FILE,MAL,MIDDLE_EAST |
1706 | OilRig_Strings_Oct17 | Detects strings from OilRig malware and malicious scripts | https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/ | 2017-10-18 00:00:00 | 70 | Florian Roth | MIDDLE_EAST |
1707 | Oilrig_IntelSecurityManager | Detects OilRig malware | Internal Research | 2018-01-19 00:00:00 | 70 | Eyal Sela | MIDDLE_EAST |
1708 | Oilrig_IntelSecurityManager_macro | Detects OilRig malware | Internal Research | 2018-01-19 00:00:00 | 70 | Eyal Sela (slightly modified by Florian Roth) | MIDDLE_EAST |
1709 | Oilrig_Myrtille | Detects Oilrig Myrtille RDP Browser | https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf | 2018-03-22 00:00:00 | 70 | Markus Neis | EXE,FILE |
1710 | Oilrig_PS_CnC | Powershell CnC using DNS queries | https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf | 2018-03-22 00:00:00 | 70 | Markus Neis | |
1711 | OlympicDestroyer_Gen2 | Detects Olympic Destroyer malware | http://blog.talosintelligence.com/2018/02/olympic-destroyer.html | 2018-02-12 00:00:00 | 70 | Florian Roth | EXE,FILE |
1712 | OpCloudHopper_Cloaked_PSCP | Tool used in Operation Cloud Hopper - pscp.exe cloaked as rundll32.exe | https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf | 2017-04-07 00:00:00 | 90 | Florian Roth | EXTVAR |
1713 | OpCloudHopper_Dropper_1 | Detects malware from Operation Cloud Hopper | https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html | 2017-04-03 00:00:00 | 70 | Florian Roth | FILE,MAL |
1714 | OpCloudHopper_Malware_10 | Detects malware from Operation Cloud Hopper | https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html | 2017-04-03 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1715 | OpCloudHopper_Malware_11 | Detects malware from Operation Cloud Hopper | https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html | 2017-04-03 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1716 | OpCloudHopper_Malware_1 | Detects malware from Operation Cloud Hopper | https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html | 2017-04-03 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1717 | OpCloudHopper_Malware_2 | Detects malware from Operation Cloud Hopper | https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html | 2017-04-03 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1718 | OpCloudHopper_Malware_3 | Detects malware from Operation Cloud Hopper | https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html | 2017-04-03 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1719 | OpCloudHopper_Malware_4 | Detects malware from Operation Cloud Hopper | https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html | 2017-04-03 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1720 | OpCloudHopper_Malware_5 | Detects malware from Operation Cloud Hopper | https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html | 2017-04-03 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1721 | OpCloudHopper_Malware_6 | Detects malware from Operation Cloud Hopper | https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html | 2017-04-03 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1722 | OpCloudHopper_Malware_7 | Detects malware from Operation Cloud Hopper | https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html | 2017-04-03 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1723 | OpCloudHopper_Malware_8 | Detects malware from Operation Cloud Hopper | https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html | 2017-04-03 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1724 | OpCloudHopper_Malware_9 | Detects malware from Operation Cloud Hopper | https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html | 2017-04-03 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1725 | OpCloudHopper_WindowXarBot | Malware related to Operation Cloud Hopper | https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1726 | OpCloudHopper_WmiDLL_inMemory | Malware related to Operation Cloud Hopper - Page 25 | https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf | 2017-04-07 00:00:00 | 70 | Florian Roth | MAL |
1727 | OpCloudHopper_lockdown | Tools related to Operation Cloud Hopper | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
1728 | OpHoneybee_Malware_1 | Detects malware from Operation Honeybee | https://goo.gl/JAHZVL | 2018-03-03 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1729 | OpHoneybee_MaoCheng_Dropper | Detects MaoCheng dropper from Operation Honeybee | https://goo.gl/JAHZVL | 2018-03-03 00:00:00 | 70 | Florian Roth | EXE,FILE |
1730 | OracleScan | Chinese Hacktool Set - file OracleScan.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1731 | OtherTools_servu | Chinese Hacktool Set - file svu.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL |
1732 | OtherTools_xiaoa | Chinese Hacktool Set - file xiaoa.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1733 | PAS_TOOL_PHP_WEB_KIT_mod | Detects PAS Tool PHP Web Kit | https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity | 2016-12-29 00:00:00 | 70 | US CERT - modified by Florian Roth due to performance reasons | |
1734 | PAS_Webshell_Encoded | Detects a PAS webshell | http://blog.talosintelligence.com/2017/07/the-medoc-connection.html | 2017-07-11 00:00:00 | 80 | Florian Roth | FILE,WEBSHELL |
1735 | PHANTASMA_php | Semi-Auto-generated - file PHANTASMA.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
1736 | PHISH_02Dez2015_attach_P_ORD_C_10156_124658 | Phishing Wave - file P-ORD-C-10156-124658.xls | http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limited-word-doc-or-excel-xls-spreadsheet-malware/ | 2015-12-02 00:00:00 | 70 | Florian Roth | FILE |
1737 | PHISH_02Dez2015_dropped_p0o6543f_1 | Phishing Wave - file p0o6543f.exe | http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limited-word-doc-or-excel-xls-spreadsheet-malware/ | 2015-12-02 00:00:00 | 70 | Florian Roth | EXE,FILE |
1738 | PHISH_02Dez2015_dropped_p0o6543f_2 | Phishing Wave used MineExplorer Game by WangLei - file p0o6543f.exe.4 | http://myonlinesecurity.co.uk/purchase-order-124658-gina-harrowell-clinimed-limited-word-doc-or-excel-xls-spreadsheet-malware/ | 2015-12-03 00:00:00 | 70 | Florian Roth | EXE,FILE |
1739 | PHP_Backdoor_Connect_pl_php | Semi-Auto-generated - file PHP Backdoor Connect.pl.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | MAL,WEBSHELL |
1740 | PHP_Backdoor_v1 | Webshells Auto-generated - file PHP Backdoor v1.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | MAL,WEBSHELL |
1741 | PHP_Cloaked_Webshell_SuperFetchExec | Looks like a webshell cloaked as GIF - http://goo.gl/xFvioC | http://goo.gl/xFvioC | 1970-01-01 01:00:00 | 50 | Florian Roth | WEBSHELL |
1742 | PHP_Shell_php_php | Semi-Auto-generated - file PHP Shell.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
1743 | PHP_Shell_v1_7 | Webshells Auto-generated - file PHP_Shell_v1.7.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1744 | PHP_Webshell_1_Feb17 | Detects a simple cloaked PHP web shell | https://isc.sans.edu/diary/Analysis+of+a+Simple+PHP+Backdoor/22127 | 2017-02-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
1745 | PHP_sh | Webshells Auto-generated - file sh.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1746 | PHP_shell | Webshells Auto-generated - file shell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1747 | PLEAD_Downloader_Jun18_1 | Detects PLEAD Downloader | https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html | 2018-06-16 00:00:00 | 70 | Florian Roth | EXE,FILE |
1748 | PLUGIN_AJunk | Chinese Hacktool Set - file AJunk.dll | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1749 | PLUGIN_TracKid | Chinese Hacktool Set - file TracKid.dll | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1750 | PLUGX_RedLeaves | Detects specific RedLeaves and PlugX binaries | https://www.us-cert.gov/ncas/alerts/TA17-117A | 1970-01-01 01:00:00 | 70 | US-CERT Code Analysis Team | |
1751 | POSHSPY_Malware | Detects | https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html | 2017-07-15 00:00:00 | 70 | Florian Roth | |
1752 | PP_CN_APT_ZeroT_1 | Detects malware from the Proofpoint CN APT ZeroT incident | https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx | 2017-02-03 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
1753 | PP_CN_APT_ZeroT_2 | Detects malware from the Proofpoint CN APT ZeroT incident | https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx | 2017-02-03 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
1754 | PP_CN_APT_ZeroT_3 | Detects malware from the Proofpoint CN APT ZeroT incident | https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx | 2017-02-03 00:00:00 | 70 | Florian Roth | APT,FILE |
1755 | PP_CN_APT_ZeroT_4 | Detects malware from the Proofpoint CN APT ZeroT incident | https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx | 2017-02-03 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
1756 | PP_CN_APT_ZeroT_5 | Detects malware from the Proofpoint CN APT ZeroT incident | https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx | 2017-02-03 00:00:00 | 70 | Florian Roth | APT,FILE |
1757 | PP_CN_APT_ZeroT_6 | Detects malware from the Proofpoint CN APT ZeroT incident | https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx | 2017-02-03 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
1758 | PP_CN_APT_ZeroT_7 | Detects malware from the Proofpoint CN APT ZeroT incident | https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx | 2017-02-03 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
1759 | PP_CN_APT_ZeroT_8 | Detects malware from the Proofpoint CN APT ZeroT incident | https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx | 2017-02-03 00:00:00 | 70 | Florian Roth | APT,FILE |
1760 | PP_CN_APT_ZeroT_9 | Detects malware from the Proofpoint CN APT ZeroT incident | https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx | 2017-02-03 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
1761 | PROMETHIUM_NEODYMIUM_Malware_1 | Detects PROMETHIUM and NEODYMIUM malware | https://goo.gl/8abDE6 | 2016-12-14 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1762 | PROMETHIUM_NEODYMIUM_Malware_2 | Detects PROMETHIUM and NEODYMIUM malware | https://goo.gl/8abDE6 | 2016-12-14 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1763 | PROMETHIUM_NEODYMIUM_Malware_3 | Detects PROMETHIUM and NEODYMIUM malware | https://goo.gl/8abDE6 | 2016-12-14 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1764 | PROMETHIUM_NEODYMIUM_Malware_4 | Detects PROMETHIUM and NEODYMIUM malware | https://goo.gl/8abDE6 | 2016-12-14 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1765 | PROMETHIUM_NEODYMIUM_Malware_5 | Detects PROMETHIUM and NEODYMIUM malware | https://goo.gl/8abDE6 | 2016-12-14 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1766 | PROMETHIUM_NEODYMIUM_Malware_6 | Detects PROMETHIUM and NEODYMIUM malware | https://goo.gl/8abDE6 | 2016-12-14 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1767 | PSAttack_EXE | PSAttack - Powershell attack tool - file PSAttack.exe | https://github.com/gdssecurity/PSAttack/releases/ | 2016-03-09 00:00:00 | 100 | Florian Roth | EXE,FILE,HKTL |
1768 | PSAttack_ZIP | PSAttack - Powershell attack tool - file PSAttack.zip | https://github.com/gdssecurity/PSAttack/releases/ | 2016-03-09 00:00:00 | 100 | Florian Roth | FILE,HKTL |
1769 | PS_AMSI_Bypass | Detects PowerShell AMSI Bypass | https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1 | 2017-07-19 00:00:00 | 65 | Florian Roth | SCRIPT,SCRIPTS |
1770 | PScan_Portscan_1 | PScan - Port Scanner | - | 1970-01-01 01:00:00 | 50 | F. Roth | HKTL |
1771 | PUA_CryptoMiner_Jan19_1 | Detects Crypto Miner strings | Internal Research | 2019-01-31 00:00:00 | 70 | Florian Roth | |
1772 | PUA_LNX_XMRIG_CryptoMiner | Detects XMRIG CryptoMiner software | Internal Research | 2018-06-28 00:00:00 | 70 | Florian Roth | FILE,LINUX |
1773 | PUP_FancyBear_ComputraceAgent | Absolute Computrace Agent Executable | https://asert.arbornetworks.com/lojack-becomes-a-double-agent/ | 2018-05-01 00:00:00 | 70 | ASERT - Arbor Networks (slightly modified by Florian Roth) | EXE,FILE |
1774 | PUP_InstallRex_AntiFWb | Malware InstallRex / AntiFW | - | 2015-05-13 00:00:00 | 55 | Florian Roth | EXE,FILE,MAL |
1775 | Pack_InjectT | Webshells Auto-generated - file InjectT.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | HKTL,WEBSHELL |
1776 | Partial_Implant_ID | Detects implant from NCSC report | https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control | 2018-04-06 00:00:00 | 70 | NCSC | EXE,FILE |
1777 | PassCV_Sabre_Malware_1 | PassCV Malware mentioned in Cylance Report | https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies | 2016-10-20 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1778 | PassCV_Sabre_Malware_2 | PassCV Malware mentioned in Cylance Report | https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies | 2016-10-20 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1779 | PassCV_Sabre_Malware_3 | PassCV Malware mentioned in Cylance Report | https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies | 2016-10-20 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1780 | PassCV_Sabre_Malware_4 | PassCV Malware mentioned in Cylance Report | https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies | 2016-10-20 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1781 | PassCV_Sabre_Malware_5 | PassCV Malware mentioned in Cylance Report | https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies | 2016-10-20 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1782 | PassCV_Sabre_Malware_Excalibur_1 | PassCV Malware mentioned in Cylance Report | https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies | 2016-10-20 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1783 | PassCV_Sabre_Malware_Signing_Cert | PassCV Malware mentioned in Cylance Report | https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies | 2016-10-20 00:00:00 | 50 | Florian Roth | EXE,FILE,MAL |
1784 | PassCV_Sabre_Tool_NTScan | PassCV Malware mentioned in Cylance Report | https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies | 2016-10-20 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1785 | PassSniffer | Disclosed hacktool set (old stuff) - file PassSniffer.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
1786 | PassSniffer_zip_Folder_readme | Disclosed hacktool set (old stuff) - file readme.txt | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
1787 | PasswordPro_NTLM_DLL | Auto-generated rule - file NTLM.dll | PasswordPro | 2017-08-27 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
1788 | PasswordReminder | Webshells Auto-generated - file PasswordReminder.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1789 | PasswordsPro | Auto-generated rule - file PasswordsPro.exe | PasswordPro | 2017-08-27 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
1790 | Pastebin_Webshell | Detects a web shell that downloads content from pastebin.com http://goo.gl/7dbyZs | http://goo.gl/7dbyZs | 2015-01-13 00:00:00 | 70 | Florian Roth | WEBSHELL |
1791 | Payload_Exe2Hex | Detects payload generated by exe2hex | https://github.com/g0tmi1k/exe2hex | 2016-01-15 00:00:00 | 70 | Florian Roth | |
1792 | Pc_pc2015 | Chinese Hacktool Set - file pc2015.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1793 | Pc_rejoice | Chinese Hacktool Set - file rejoice.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1794 | Pc_xai | Chinese Hacktool Set - file xai.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1795 | Persistence_Agent_MacOS | Detects a Python agent that establishes persistence on macOS | https://ghostbin.com/paste/mz5nf | 1970-01-01 01:00:00 | 70 | John Lambert @JohnLaTwC | MACOS,SCRIPT |
1796 | PhpShell | Webshells Auto-generated - file PhpShell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1797 | Phyton_Shell_py | Semi-Auto-generated - file Phyton Shell.py.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
1798 | Ping_Command_in_EXE | Detects a suspicious ping command execution in an executable | Internal Research | 2016-11-03 00:00:00 | 60 | Florian Roth | EXE,FILE |
1799 | Pirpi_1609_A | Detects Pirpi Backdoor - and other malware (generic rule) | http://goo.gl/igxLyF | 2016-09-08 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1800 | Pirpi_1609_B | Detects Pirpi Backdoor | http://goo.gl/igxLyF | 2016-09-08 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1801 | PlugX_J16_Gen2 | Detects PlugX Malware Samples from June 2016 | VT Research | 2016-06-08 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1802 | PlugX_J16_Gen | Detects PlugX Malware samples from June 2016 | VT Research | 2016-06-08 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1803 | PlugX_NvSmartMax_Gen | Threat Group 3390 APT Sample - PlugX NvSmartMax Generic | http://snip.ly/giNB | 2015-08-06 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,GEN |
1804 | PoS_Malware_MalumPOS | Used to detect MalumPOS memory dumper | - | 2015-05-25 00:00:00 | 70 | Trend Micro, Inc. | MAL |
1805 | PoS_Malware_MalumPOS_Config | MalumPOS Config File | http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-malumpos-targets-hotels-and-other-us-industries/ | 2015-06-25 00:00:00 | 70 | Florian Roth | EXTVAR,MAL |
1806 | PoisonIvy_Generic_3 | PoisonIvy RAT Generic Rule | - | 2015-05-14 00:00:00 | 70 | Florian Roth | EXE,FILE,GEN,MAL |
1807 | PoisonIvy_RAT_ssMUIDLL | Detects PoisonIvy RAT DLL mentioned in Palo Alto Blog in April 2016 | http://goo.gl/WiwtYT | 2016-04-22 00:00:00 | 70 | Florian Roth (with the help of yarGen and Binarly) | EXE,FILE,MAL |
1808 | PoisonIvy_Sample_5 | Detects PoisonIvy RAT sample set | VT Analysis | 2015-06-03 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1809 | PoisonIvy_Sample_6 | Detects PoisonIvy RAT sample set | VT Analysis | 2015-06-03 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1810 | PoisonIvy_Sample_7 | Detects PoisonIvy RAT sample set | VT Analysis | 2015-06-03 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1811 | PoisonIvy_Sample_APT | Detects a PoisonIvy APT malware group | VT Analysis | 2015-06-03 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
1812 | PoisonIvy_Sample_APT_2 | Detects a PoisonIvy Malware | VT Analysis | 2015-06-03 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
1813 | PoisonIvy_Sample_APT_3 | Detects a PoisonIvy Malware | VT Analysis | 2015-06-03 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
1814 | PoisonIvy_Sample_APT_4 | Detects a PoisonIvy Sample APT | VT Analysis | 2015-06-03 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
1815 | PortRacer | Auto-generated rule on file PortRacer.exe | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator by Florian Roth | HKTL |
1816 | PortScanner | Auto-generated rule on file PortScanner.exe | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator by Florian Roth | HKTL |
1817 | PoseidonGroup_MalDoc_1 | Detects Poseidon Group - Malicious Word Document | https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/ | 2016-02-09 00:00:00 | 80 | Florian Roth | FILE,OFFICE |
1818 | PoseidonGroup_MalDoc_2 | Detects Poseidon Group - Malicious Word Document | https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/ | 2016-02-09 00:00:00 | 70 | Florian Roth | FILE,OFFICE |
1819 | PoseidonGroup_Malware | Detects Poseidon Group Malware | https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/ | 2016-02-09 00:00:00 | 85 | Florian Roth | EXE,FILE,MAL |
1820 | PowerShdll | Detects hack tool PowerShdll | https://github.com/p3nt4/PowerShdll | 2017-08-03 00:00:00 | 70 | Florian Roth | |
1821 | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | https://twitter.com/danielhbohannon/status/905096106924761088 | 2017-08-11 00:00:00 | 70 | Florian Roth | OBFUS,SCRIPT |
1822 | PowerShell_Emp_Eval_Jul17_A1 | Detects suspicious sample with PowerShell content | PowerShell Empire Eval | 2017-07-27 00:00:00 | 70 | Florian Roth | EXE,FILE,SCRIPT |
1823 | PowerShell_Emp_Eval_Jul17_A2 | Detects suspicious sample with PowerShell content | PowerShell Empire Eval | 2017-07-27 00:00:00 | 70 | Florian Roth | EXE,FILE,SCRIPT |
1824 | PowerShell_ISESteroids_Obfuscation | Detects PowerShell ISESteroids obfuscation | https://twitter.com/danielhbohannon/status/877953970437844993 | 2017-06-23 00:00:00 | 70 | Florian Roth | OBFUS,SCRIPT |
1825 | PowerShell_JAB_B64 | Detects base64 encoded $ sign at the beginning of a string | https://twitter.com/ItsReallyNick/status/980915287922040832 | 2018-04-02 00:00:00 | 60 | Florian Roth | |
1826 | PowerShell_Mal_HackTool_Gen | Detects PowerShell hack tool samples - generic PE loader | Internal Research | 2017-11-02 00:00:00 | 70 | Florian Roth | HKTL,SCRIPT |
1827 | PowerShell_Suite_Eidolon | Detects PowerShell Suite Eidolon script - file Start-Eidolon.ps1 | https://github.com/FuzzySecurity/PowerShell-Suite | 2017-12-27 00:00:00 | 70 | Florian Roth | FILE,SCRIPT |
1828 | PowerShell_Suite_Hacktools_Gen_Strings | Detects strings from scripts in the PowerShell-Suite repo | https://github.com/FuzzySecurity/PowerShell-Suite | 2017-12-27 00:00:00 | 70 | Florian Roth | GEN,SCRIPT |
1829 | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | https://goo.gl/uAic1X | 2017-03-12 00:00:00 | 60 | Florian Roth | SCRIPT |
1830 | PowerShell_in_Word_Doc | Detects a powershell and bypass keyword in a Word document | Internal Research - ME | 2017-06-27 00:00:00 | 50 | Florian Roth | FILE,OFFICE |
1831 | Powerkatz_DLL_Generic | Detects Powerkatz - a Mimikatz version prepared to run in memory via Powershell (overlap with other Mimikatz versions is possible) | PowerKatz Analysis | 2016-02-05 00:00:00 | 80 | Florian Roth | EXE,FILE |
1832 | Powershell_Attack_Scripts | Powershell Attack Scripts | - | 2016-03-09 00:00:00 | 70 | Florian Roth | HKTL |
1833 | Powershell_Netcat | Detects a Powershell version of the Netcat network hacking tool | - | 2014-10-10 00:00:00 | 60 | Florian Roth | HKTL |
1834 | Prikormka | Operation Groundbait | - | 1970-01-01 01:00:00 | 70 | Anton Cherepanov | EXTVAR |
1835 | ProPort_zip_Folder_ProPort | Auto-generated rule on file ProPort.exe | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator by Florian Roth | HKTL |
1836 | ProcessInjector_Gen | Detects a process injection utility that can be used for good and bad purposes | https://github.com/cuckoosandbox/monitor/blob/master/bin/inject.c | 2018-04-23 00:00:00 | 60 | Florian Roth | EXE,FILE,HKTL |
1837 | Project1 | Chinese Hacktool Set - file Project1.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1838 | ProjectM_CrimsonDownloader | Detects ProjectM Malware - file dc8bd60695070152c94cbeb5f61eca6e4309b8966f1aa9fdc2dd0ab754ad3e4c | http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/ | 2016-03-26 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1839 | ProjectM_DarkComet_1 | Detects ProjectM Malware - file cc488690ce442e9f98bac651218f4075ca36c355d8cd83f7a9f5230970d24157 | http://researchcenter.paloaltonetworks.com/2016/03/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/ | 2016-03-26 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1840 | Pupy_Backdoor | Detects Pupy backdoor | https://github.com/n1nj4sec/pupy-binaries | 2017-08-11 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1841 | PwDump | PwDump 6 variant | - | 2014-04-24 00:00:00 | 70 | Marc Stroebel | HKTL |
1842 | PwDump_B | Detects a tool used by APT groups - file PwDump.exe | http://goo.gl/igxLyF | 2016-09-08 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,HKTL |
1843 | QQBrowser | Not malware but suspicious browser - file QQBrowser.exe | https://goo.gl/4pTkGQ | 2017-06-02 00:00:00 | 50 | Florian Roth | EXE,FILE |
1844 | QQ_zip_Folder_QQ | Disclosed hacktool set (old stuff) - file QQ.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
1845 | QuarksPwDump_Gen | Detects all QuarksPWDump versions | - | 2015-09-29 00:00:00 | 80 | Florian Roth | HKTL |
1846 | Quasar_RAT_1 | Detects Quasar RAT | https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1847 | Quasar_RAT_2 | Detects Quasar RAT | https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1848 | Quasar_RAT_Jan18_1 | Detects Quasar RAT | https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/ | 2018-01-29 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1849 | Query_Javascript_Decode_Function | Detects malware mentioned in TA18-074A | - | 1970-01-01 01:00:00 | 70 | other | |
1850 | Query_XML_Code_MAL_DOC_PT_2 | Detects malware mentioned in TA18-074A | - | 1970-01-01 01:00:00 | 70 | other | FILE |
1851 | RAT_AAR | Detects AAR RAT | http://malwareconfig.com/stats/AAR | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1852 | RAT_Adzok | Detects Adzok RAT | http://malwareconfig.com/stats/Adzok | 2015-05-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1853 | RAT_Ap0calypse | Detects Ap0calypse RAT | http://malwareconfig.com/stats/Ap0calypse | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1854 | RAT_Arcom | Detects Arcom RAT | http://malwareconfig.com/stats/Arcom | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1855 | RAT_Bandook | Detects Bandook RAT | http://malwareconfig.com/stats/bandook | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1856 | RAT_BlackNix | Detects BlackNix RAT | http://malwareconfig.com/stats/BlackNix | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1857 | RAT_BlackShades | Detects BlackShades RAT | http://blog.cylance.com/a-study-in-bots-blackshades-net | 2014-04-07 00:00:00 | 70 | Brian Wallace (@botnet_hunter) | MAL |
1858 | RAT_BlueBanana | Detects BlueBanana RAT | http://malwareconfig.com/stats/BlueBanana | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1859 | RAT_Bozok | Detects Bozok RAT | http://malwareconfig.com/stats/Bozok | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1860 | RAT_ClientMesh | Detects ClientMesh RAT | http://malwareconfig.com/stats/ClientMesh | 2014-06-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> (slightly modified by Florian Roth to improve performance) | MAL |
1861 | RAT_CyberGate | Detects CyberGate RAT | http://malwareconfig.com/stats/CyberGate | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1862 | RAT_DarkComet | Detects DarkComet RAT | http://malwareconfig.com/stats/DarkComet | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1863 | RAT_DarkRAT | Detects DarkRAT | http://malwareconfig.com/stats/DarkRAT | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1864 | RAT_Greame | Detects Greame RAT | http://malwareconfig.com/stats/Greame | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1865 | RAT_HawkEye | Detects HawkEye RAT | http://malwareconfig.com/stats/HawkEye | 2015-06-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1866 | RAT_Imminent | Detects Imminent RAT | http://malwareconfig.com/stats/Imminent | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1867 | RAT_Infinity | Detects Infinity RAT | http://malwareconfig.com/stats/Infinity | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1868 | RAT_JavaDropper | Detects JavaDropper RAT | http://malwareconfig.com/stats/JavaDropper | 2015-10-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> (slightly modified by Florian Roth to improve performance) | MAL |
1869 | RAT_LostDoor | Detects LostDoor RAT | http://malwareconfig.com/stats/LostDoor | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1870 | RAT_LuminosityLink | Detects LuminosityLink RAT | http://malwareconfig.com/stats/LuminosityLink | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1871 | RAT_LuxNet | Detects LuxNet RAT | http://malwareconfig.com/stats/LuxNet | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1872 | RAT_NetWire | Detects NetWire RAT | http://malwareconfig.com/stats/NetWire | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> & David Cannings | MAL |
1873 | RAT_Pandora | Detects Pandora RAT | http://malwareconfig.com/stats/Pandora | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1874 | RAT_Paradox | Detects Paradox RAT | http://malwareconfig.com/stats/Paradox | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1875 | RAT_Plasma | Detects Plasma RAT | http://malwareconfig.com/stats/Plasma | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1876 | RAT_PoisonIvy | Detects PoisonIvy RAT | http://malwareconfig.com/stats/PoisonIvy | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1877 | RAT_PredatorPain | Detects PredatorPain RAT | http://malwareconfig.com/stats/PredatorPain | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1878 | RAT_Punisher | Detects Punisher RAT | http://malwareconfig.com/stats/Punisher | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1879 | RAT_PythoRAT | Detects Python RAT | http://malwareconfig.com/stats/PythoRAT | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL,SCRIPT |
1880 | RAT_QRat | Detects QRAT | http://malwareconfig.com | 2015-08-07 00:00:00 | 70 | Kevin Breen @KevTheHermit | MAL |
1881 | RAT_Sakula | Detects Sakula v1.0 RAT | http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara | 2015-10-13 00:00:00 | 70 | Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings | EXE,FILE,MAL |
1882 | RAT_ShadowTech | Detects ShadowTech RAT | http://malwareconfig.com/stats/ShadowTech | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1883 | RAT_SmallNet | Detects SmallNet RAT | http://malwareconfig.com/stats/SmallNet | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1884 | RAT_SpyGate | Detects SpyGate RAT | http://malwareconfig.com/stats/SpyGate | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1885 | RAT_Sub7Nation | Detects Sub7Nation RAT | http://malwareconfig.com/stats/Sub7Nation | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> (slightly modified by Florian Roth to improve performance) | MAL |
1886 | RAT_Vertex | Detects Vertex RAT | http://malwareconfig.com/stats/Vertex | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1887 | RAT_VirusRat | Detects VirusRAT | http://malwareconfig.com/stats/VirusRat | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1888 | RAT_Xtreme | Detects Xtreme RAT | http://malwareconfig.com/stats/Xtreme | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1889 | RAT_adWind | Detects Adwind RAT | http://malwareconfig.com/stats/adWind | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1890 | RAT_njRat | Detects njRAT | http://malwareconfig.com/stats/njRat | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1891 | RAT_unrecom | Detects unrecom RAT | http://malwareconfig.com/stats/unrecom | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1892 | RAT_xRAT | Detects xRAT | http://malwareconfig.com/stats/xRat | 2014-04-07 00:00:00 | 70 | Kevin Breen <kevin@techanarchy.net> | MAL |
1893 | RDP_Brute_Strings | Detects RDP brute forcer from NCSC report | https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control | 2018-04-06 00:00:00 | 70 | NCSC | |
1894 | REDLEAVES_CoreImplant_UniqueStrings | Strings identifying the core REDLEAVES RAT in its deobfuscated state | https://www.us-cert.gov/ncas/alerts/TA17-117A | 1970-01-01 01:00:00 | 70 | USG | MAL,OBFUS |
1895 | REDLEAVES_DroppedFile_ImplantLoader_Starburn | Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT | https://www.us-cert.gov/ncas/alerts/TA17-117A | 1970-01-01 01:00:00 | 70 | USG | MAL |
1896 | REDLEAVES_DroppedFile_ObfuscatedShellcodeAndRAT_handkerchief | Detect obfuscated .dat file containing shellcode and core REDLEAVES RAT | https://www.us-cert.gov/ncas/alerts/TA17-117A | 1970-01-01 01:00:00 | 70 | USG | MAL,OBFUS |
1897 | ROKRAT_Dropper_Nov17 | Detects dropper for ROKRAT malware | http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html | 2017-11-28 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1898 | ROKRAT_Malware | Detects ROKRAT Malware | http://blog.talosintelligence.com/2017/04/introducing-rokrat.html | 2017-04-03 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1899 | ROKRAT_Nov17_1 | Detects ROKRAT malware | Internal Research | 2017-11-28 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1900 | RUAG_Bot_Config_File | Detects a specific config file used by malware in RUAG APT case | https://goo.gl/N5MEj0 | 1970-01-01 01:00:00 | 60 | Florian Roth | APT |
1901 | RUAG_Cobra_Config_File | Detects a config text file used by malware Cobra in RUAG case | https://goo.gl/N5MEj0 | 1970-01-01 01:00:00 | 60 | Florian Roth | NK |
1902 | RUAG_Cobra_Malware | Detects a malware mentioned in the RUAG Case called Carbon/Cobra | https://goo.gl/N5MEj0 | 1970-01-01 01:00:00 | 60 | Florian Roth | EXE,FILE,NK |
1903 | RUAG_Exfil_Config_File | Detects a config text file used in data exfiltration in RUAG case | https://goo.gl/N5MEj0 | 1970-01-01 01:00:00 | 60 | Florian Roth | |
1904 | RUAG_Tavdig_Malformed_Executable | Detects an embedded executable with a malformed header - known from Tavdig malware | https://goo.gl/N5MEj0 | 1970-01-01 01:00:00 | 60 | Florian Roth | EXE,FILE |
1905 | Radmin_Hash | Chinese Hacktool Set - file Radmin_Hash.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1906 | RangeScan | Disclosed hacktool set (old stuff) - file RangeScan.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
1907 | ReactOS_cmd_valid | ReactOS cmd.exe with correct file name - maybe packed with software or part of hacker toolset | http://www.elifulkerson.com/articles/suzy-sells-cmd-shells.php | 2014-05-11 00:00:00 | 30 | Florian Roth | HKTL |
1908 | Reader_asp | Semi-Auto-generated - file Reader.asp.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
1909 | Reaver3_Malware_Nov17_1 | Detects Reaver malware mentioned in PaloAltoNetworks report | https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/ | 2017-11-11 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1910 | Reaver3_Malware_Nov17_2 | Detects Reaver malware mentioned in PaloAltoNetworks report | https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/ | 2017-11-11 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1911 | Reaver3_Malware_Nov17_3 | Detects Reaver malware mentioned in PaloAltoNetworks report | https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/ | 2017-11-11 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1912 | ReconCommands_in_File | Detects various recon commands in a single file | https://twitter.com/haroonmeer/status/939099379834658817 | 2017-12-11 00:00:00 | 40 | Florian Roth | |
1913 | Recon_Commands_Windows_Gen1 | Detects a set of reconnaissance commands on Windows systems | Internal Research, https://goo.gl/MSJCxP | 2017-07-10 00:00:00 | 60 | Florian Roth | KEYWORD |
1914 | ReflectiveLoader | Detects an unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Internal Research | 1970-01-01 01:00:00 | 60 | - | EXE,FILE |
1915 | Reflective_DLL_Loader_Aug17_1 | Detects Reflective DLL Loader | Internal Research | 2017-08-20 00:00:00 | 70 | Florian Roth | EXE,FILE |
1916 | Reflective_DLL_Loader_Aug17_2 | Detects Reflective DLL Loader - suspicious - Possible FP could be program crack | Internal Research | 2017-08-20 00:00:00 | 60 | Florian Roth | EXE,FILE |
1917 | Reflective_DLL_Loader_Aug17_3 | Detects Reflective DLL Loader | Internal Research | 2017-08-20 00:00:00 | 70 | Florian Roth | EXE,FILE |
1918 | Reflective_DLL_Loader_Aug17_4 | Detects Reflective DLL Loader | Internal Research | 2017-08-20 00:00:00 | 70 | Florian Roth | EXE,FILE |
1919 | Regin_APT_KernelDriver_Generic_A | Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2 | - | 2014-11-23 00:00:00 | 70 | @Malwrsignatures - included in APT Scanner THOR | APT,GEN,MAL |
1920 | Regin_APT_KernelDriver_Generic_B | Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2 | - | 2014-11-23 00:00:00 | 70 | @Malwrsignatures - included in APT Scanner THOR | APT,GEN,MAL |
1921 | Regin_APT_KernelDriver_Generic_C | Generic rule for Regin APT kernel driver Malware - Symantec http://t.co/qu53359Cb2 | - | 2014-11-23 00:00:00 | 70 | @Malwrsignatures - included in APT Scanner THOR | APT,GEN,MAL |
1922 | Regin_Related_Malware | Malware Sample - maybe Regin related | VT Analysis | 2015-06-03 00:00:00 | 70 | Florian Roth | MAL |
1923 | Regin_Sample_1 | Auto-generated rule - file-3665415_sys | - | 2014-11-26 00:00:00 | 70 | @MalwrSignatures | |
1924 | Regin_Sample_2 | Auto-generated rule - file hiddenmod_hookdisk_and_kdbg_8949d000.bin | - | 2014-11-26 00:00:00 | 70 | @MalwrSignatures | |
1925 | Regin_Sample_3 | Detects Regin Backdoor sample fe1419e9dde6d479bd7cda27edd39fafdab2668d498931931a2769b370727129 | - | 2014-11-27 00:00:00 | 70 | @Malwrsignatures | MAL |
1926 | Regin_Sample_Set_1 | Auto-generated rule - file SHF-000052 and ndisips.sys | - | 2014-11-26 00:00:00 | 70 | @MalwrSignatures | |
1927 | Regin_Sample_Set_2 | Detects Regin Backdoor sample | - | 2014-11-27 00:00:00 | 70 | @MalwrSignatures | MAL |
1928 | Regin_sig_svcsstat | Detects svcstat from Regin report - file svcsstat.exe_sample | - | 2014-11-26 00:00:00 | 70 | @MalwrSignatures | |
1929 | Rehashed_RAT_1 | Detects malware from Rehashed RAT incident | https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations | 2017-09-08 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1930 | Rehashed_RAT_2 | Detects malware from Rehashed RAT incident | https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations | 2017-09-08 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1931 | Rehashed_RAT_3 | Detects malware from Rehashed RAT incident | https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations | 2017-09-08 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1932 | Release_dllTest | Webshells Auto-generated - file dllTest.dll | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1933 | RemCom_RemoteCommandExecution | Detects strings from RemCom tool | https://goo.gl/tezXZt | 2017-12-28 00:00:00 | 55 | Florian Roth | HKTL |
1934 | RemExp_asp | Semi-Auto-generated - file RemExp.asp.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
1935 | Rem_View_php_php | Semi-Auto-generated - file Rem View.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
1936 | RemoteCmd | Detects a remote access tool used by APT groups - file RemoteCmd.exe | http://goo.gl/igxLyF | 2016-09-08 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
1937 | RemoteExec_Tool | Remote Access Tool used in APT Terracotta | https://blogs.rsa.com/terracotta-vpn-enabler-of-advanced-threat-anonymity/ | 2015-08-04 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
1938 | Reveal_MemoryCredentials | Auto-generated rule - file Reveal-MemoryCredentials.ps1 | https://github.com/giMini/RWMC/ | 2015-08-31 00:00:00 | 70 | Florian Roth | |
1939 | RevengeRAT_Sep17 | Detects RevengeRAT malware | Internal Research | 2017-09-04 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1940 | RkNTLoad | Webshells Auto-generated - file RkNTLoad.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
1941 | RocketKitten_Keylogger | Detects Keylogger used in Rocket Kitten APT | https://goo.gl/SjQhlp | 2015-09-01 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,HKTL,MIDDLE_EAST |
1942 | Rombertik_CarbonGrabber | Detects CarbonGrabber alias Rombertik - file Copy#064046.scr | http://blogs.cisco.com/security/talos/rombertik | 2015-05-05 00:00:00 | 70 | Florian Roth | EXE,FILE |
1943 | Rombertik_CarbonGrabber_Builder | Detects CarbonGrabber alias Rombertik Builder - file Builder.exe | http://blogs.cisco.com/security/talos/rombertik | 2015-05-05 00:00:00 | 70 | Florian Roth | EXE,FILE |
1944 | Rombertik_CarbonGrabber_Builder_Server | Detects CarbonGrabber alias Rombertik Builder Server - file Server.exe | http://blogs.cisco.com/security/talos/rombertik | 2015-05-05 00:00:00 | 70 | Florian Roth | EXE,FILE |
1945 | Rombertik_CarbonGrabber_Panel | Detects CarbonGrabber alias Rombertik Panel - file index.php | http://blogs.cisco.com/security/talos/rombertik | 2015-05-05 00:00:00 | 70 | Florian Roth | |
1946 | Rombertik_CarbonGrabber_Panel_InstallScript | Detects CarbonGrabber alias Rombertik panel install script - file install.php | http://blogs.cisco.com/security/talos/rombertik | 2015-05-05 00:00:00 | 70 | Florian Roth | |
1947 | RottenPotato_Potato | Detects a component of privilege escalation tool Rotten Potato - file Potato.exe | https://github.com/foxglovesec/RottenPotato | 2017-02-07 00:00:00 | 90 | Florian Roth | EXE,FILE |
1948 | SAM_Hive_Backup | Detects a SAM hive backup file | https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump | 2015-03-31 00:00:00 | 60 | Florian Roth | EXTVAR,FILE |
1949 | SCT_Scriptlet_in_Temp_Inet_Files | Detects a scriptlet file in the temporary Internet files (see regsvr32 AppLocker bypass) | http://goo.gl/KAB8Jw | 2016-04-26 00:00:00 | 70 | Florian Roth | EXTVAR,FILE |
1950 | SFXRAR_Acrotray | Most likely a malicious file acrotray in SFX RAR / CloudDuke APT 5442.1.exe, 5442.2.exe | https://www.f-secure.com/weblog/archives/00002822.html | 2015-07-22 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,RUSSIA |
1951 | SHIFU_Banking_Trojan | Detects SHIFU Banking Trojan | http://goo.gl/52n8WE | 2015-10-31 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
1952 | SLServer_campaign_code | Searches for the related campaign code. | - | 2016-04-18 00:00:00 | 75 | Matt Brooks, @cmatthewbrooks | FILE |
1953 | SLServer_command_and_control | Searches for the C2 server. | - | 2016-04-18 00:00:00 | 75 | Matt Brooks, @cmatthewbrooks | FILE |
1954 | SLServer_dialog_remains | Searches for related dialog remnants. | - | 2016-04-18 00:00:00 | 75 | Matt Brooks, @cmatthewbrooks / modified by Florian Roth | FILE |
1955 | SLServer_mutex | Searches for the mutex. | - | 2016-04-18 00:00:00 | 75 | Matt Brooks, @cmatthewbrooks | FILE |
1956 | SLServer_unknown_string | Searches for a unique string. | - | 2016-04-18 00:00:00 | 75 | Matt Brooks, @cmatthewbrooks | FILE |
1957 | SNOWGLOBE_Babar_Malware | Detects the Babar Malware used in the SNOWGLOBE attacks - file babar.exe | http://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france | 2015-02-18 00:00:00 | 80 | Florian Roth | MAL |
1958 | SQLCracker | Chinese Hacktool Set - file SQLCracker.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1959 | SQLMap | This signature detects the SQLMap SQL injection tool | - | 2014-07-07 00:00:00 | 60 | Florian Roth | HKTL |
1960 | SQLTools | Chinese Hacktool Set - file SQLTools.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1961 | STNC_php_php | Semi-Auto-generated - file STNC.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
1962 | SUSP_Bad_PDF | Detects PDF that embeds code to steal NTLM hashes | Internal Research | 2018-05-03 00:00:00 | 70 | Florian Roth, Markus Neis | FILE |
1963 | SUSP_CMD_Var_Expansion | Detects Office droppers that include a variable expansion string | https://twitter.com/asfakian/status/1044859525675843585 | 2018-09-26 00:00:00 | 60 | Florian Roth | FILE,OFFICE |
1964 | SUSP_ELF_LNX_UPX_Compressed_File | Detects a suspicious ELF binary with UPX compression | Internal Research | 2018-12-12 00:00:00 | 40 | Florian Roth | FILE,LINUX |
1965 | SUSP_ELF_Tor_Client | Detects VPNFilter malware | Internal Research | 2018-05-24 00:00:00 | 70 | Florian Roth | FILE,LINUX |
1966 | SUSP_EnableContent_String | Detects strings in macro enabled malicious documents | Internal Research | 2018-11-19 00:00:00 | 60 | Florian Roth | FILE |
1967 | SUSP_Imphash_PassRevealer_PY_EXE | Detects an imphash used by password revealer and hack tools | Internal Research | 2018-04-06 00:00:00 | 40 | Florian Roth | EXE,FILE,HKTL |
1968 | SUSP_JAVA_Class_with_VBS_Content | Detects a JAVA class file with strings known from VBS files | https://www.menlosecurity.com/blog/a-jar-full-of-problems-for-financial-services-companies | 2019-01-03 00:00:00 | 60 | Florian Roth | FILE,SCRIPT |
1969 | SUSP_Katz_PDB | Detects suspicious PDB in file | Internal Research | 2019-02-04 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
1970 | SUSP_LNK_Big_Link_File | Detects a suspiciously big LNK file - maybe with embedded content | Internal Research | 2018-05-15 00:00:00 | 65 | Florian Roth | FILE |
1971 | SUSP_LNK_File_AppData_Roaming | Detects a suspicious link file that references to AppData Roaming | https://www.fireeye.com/blog/threat-research/2018/05/deep-dive-into-rig-exploit-kit-delivering-grobios-trojan.html | 2018-05-16 00:00:00 | 50 | Florian Roth | FILE |
1972 | SUSP_LNK_File_PathTraversal | Detects a suspicious link file that references a file multiple folders lower than the link itself | https://www.fireeye.com/blog/threat-research/2018/05/deep-dive-into-rig-exploit-kit-delivering-grobios-trojan.html | 2018-05-16 00:00:00 | 40 | Florian Roth | FILE |
1973 | SUSP_LNK_SuspiciousCommands | Detects LNK file with suspicious content | - | 2018-09-18 00:00:00 | 60 | Florian Roth | FILE |
1974 | SUSP_LNK_lnkfileoverRFC | detect APT lnk files that run double extraction and launch routines with autoruns | - | 2018-09-18 00:00:00 | 70 | @Grotezinfosec, modified by Florian Roth | APT,FILE |
1975 | SUSP_Microsoft_7z_SFX_Combo | Detects a suspicious file that has a Microsoft copyright and is a 7z SFX | Internal Research | 2018-09-16 00:00:00 | 70 | Florian Roth | EXE,FILE |
1976 | SUSP_Microsoft_Copyright_String_Anomaly_2 | Detects Floxif Malware | Internal Research | 2018-05-11 00:00:00 | 60 | Florian Roth | EXE,FILE,MAL |
1977 | SUSP_Microsoft_RAR_SFX_Combo | Detects a suspicious file that has a Microsoft copyright and is a RAR SFX | Internal Research | 2018-09-16 00:00:00 | 70 | Florian Roth | EXE,FILE |
1978 | SUSP_Modified_SystemExeFileName_in_File | Detects a variant of a system file name often used by attackers to cloak their activity | https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group | 2018-12-11 00:00:00 | 65 | Florian Roth | EXE,FILE |
1979 | SUSP_Obfuscted_PowerShell_Code | Detects obfuscated PowerShell Code | https://twitter.com/silv0123/status/1073072691584880640 | 2018-12-13 00:00:00 | 70 | Florian Roth | OBFUS,SCRIPT |
1980 | SUSP_Office_Dropper_Strings | Detects Office droppers that include a notice to enable active content | Internal Research | 2018-09-13 00:00:00 | 70 | Florian Roth | FILE,MAL,OFFICE |
1981 | SUSP_PDB_Strings_Keylogger_Backdoor | Detects PDB strings used in backdoors or keyloggers | Internal Research | 2018-03-23 00:00:00 | 65 | Florian Roth | EXE,FILE,HKTL,MAL |
1982 | SUSP_PiratedOffice_2007 | Detects an Office document that was created with a pirated version of MS Office 2007 | https://twitter.com/pwnallthethings/status/743230570440826886?lang=en | 2018-12-04 00:00:00 | 40 | Florian Roth | FILE,OFFICE |
1983 | SUSP_PowerShell_IEX_Download_Combo | Detects strings found in sample from CN group repo leak in October 2018 | https://twitter.com/JaromirHorejsi/status/1047084277920411648 | 2018-10-04 00:00:00 | 70 | Florian Roth | SCRIPT |
1984 | SUSP_PowerShell_String_K32_RemProcess | Detects suspicious PowerShell code that uses Kernel32, RemoteProccess handles or shellcode | https://github.com/nccgroup/redsnarf | 2018-03-31 00:00:00 | 70 | Florian Roth | FILE,SCRIPT |
1985 | SUSP_Powershell_ShellCommand_May18_1 | Detects a suspicious powershell commandline | https://github.com/0x00-0x00/ShellPop | 2018-05-18 00:00:00 | 70 | Tobias Michalski | HKTL |
1986 | SUSP_Putty_Unnormal_Size | Detects a putty version with a size different than the one provided by Simon Tatham (could be caused by an additional signature or malware) | Internal Research | 2019-01-07 00:00:00 | 50 | Florian Roth | EXE,FILE |
1987 | SUSP_RTF_Header_Anomaly | Detects malformed RTF header often used to trick mechanisms that check for a full RTF header | https://twitter.com/ItsReallyNick/status/975705759618158593 | 2019-01-20 00:00:00 | 70 | Florian Roth | FILE |
1988 | SUSP_Renamed_Dot1Xtray | Detects a legitimate renamed dot1ctray.exe, which is often used by PlugX for DLL side-loading | Internal Research | 2018-11-15 00:00:00 | 70 | Florian Roth | EXE,EXTVAR,FILE |
1989 | SUSP_SFX_RunProgram_WScript | Detects suspicious SFX as used by Gamaredon group | Internal Research | 2018-09-27 00:00:00 | 70 | Florian Roth | EXE,FILE |
1990 | SUSP_Scheduled_Task_BigSize | Detects suspiciously big scheduled task XML file as seen in combination with embedded base64 encoded PowerShell code | Internal Research | 2018-12-06 00:00:00 | 70 | Florian Roth | FILE,SCRIPT |
1991 | SUSP_Script_Obfuscation_Char_Concat | Detects strings found in sample from CN group repo leak in October 2018 | https://twitter.com/JaromirHorejsi/status/1047084277920411648 | 2018-10-04 00:00:00 | 70 | Florian Roth | OBFUS |
1992 | SUSP_Size_of_ASUS_TuningTool | Detects an ASUS tuning tool with a suspicious size | https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/ | 2018-10-17 00:00:00 | 60 | Florian Roth | EXE,FILE |
1993 | SUSP_Win32dll_String | Detects suspicious string in executables | https://medium.com/@Sebdraven/apt-sidewinder-changes-theirs-ttps-to-install-their-backdoor-f92604a2739 | 2018-10-24 00:00:00 | 70 | Florian Roth | |
1994 | SUSP_XMRIG_String | Detects a suspicious XMRIG crypto miner executable string in file | Internal Research | 2018-12-28 00:00:00 | 70 | Florian Roth | EXE,FILE |
1995 | SUSP_certificate_payload | Detects payloads that pretend to be certificates | https://blog.nviso.be/2018/08/02/powershell-inside-a-certificate-part-3/ | 2018-08-02 00:00:00 | 50 | Didier Stevens, Florian Roth | FILE |
1996 | SUSP_shellpop_Bash | Detects suspicious bash command | https://github.com/0x00-0x00/ShellPop | 2018-05-18 00:00:00 | 70 | Tobias Michalski | HKTL |
1997 | SVG_LoadURL | Detects a tiny SVG file that loads an URL (as seen in CryptoWall malware infections) | http://goo.gl/psjCCc | 2015-05-24 00:00:00 | 50 | Florian Roth | |
1998 | S_MultiFunction_Scanners_s | Chinese Hacktool Set - file s.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
1999 | Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php | Semi-Auto-generated - file Safe0ver Shell -Safe Mod Bypass By Evilc0der.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2000 | Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_php | Semi-Auto-generated - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2001 | Sality_Malware_Oct16 | Detects an unspecified malware - October 2016 | Internal Research | 2016-10-08 00:00:00 | 80 | Florian Roth | EXE,FILE,MAL |
2002 | Saudi_Phish_Trojan | Detects a trojan used in Saudi Aramco Phishing | https://goo.gl/Z3JUAA | 2017-10-12 00:00:00 | 70 | Florian Roth | EXE,FILE |
2003 | ScanBox_Malware_Generic | Scanbox Chinese Deep Panda APT Malware http://goo.gl/MUUfjv and http://goo.gl/WXUQcP | - | 2015-02-28 00:00:00 | 70 | Florian Roth | APT,CHINA,MAL |
2004 | Scarcruft_malware_Feb18_1 | Detects Scarcruft malware - February 2018 | https://twitter.com/craiu/status/959477129795731458 | 2018-02-03 00:00:00 | 90 | Florian rootpath | EXE,FILE |
2005 | SeDLL_Javascript_Decryptor | Detects SeDll - DLL is used for decrypting and executing another JavaScript backdoor such as Orz | https://goo.gl/MZ7dRg | 2017-10-18 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2006 | SeaDuke_Sample | SeaDuke Malware - file 3eb86b7b067c296ef53e4857a74e09f12c2b84b666fc130d1f58aec18bc74b0d | http://goo.gl/MJ0c2M | 2015-07-14 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL,RUSSIA |
2007 | SecurityXploded_Producer_String | Detects hacktools by SecurityXploded | http://securityxploded.com/browser-password-dump.php | 2017-07-13 00:00:00 | 60 | Florian Roth | EXE,FILE,HKTL |
2008 | Servantshell | Detects Servantshell malware | https://tinyurl.com/jmp7nrs | 2017-02-02 00:00:00 | 70 | Arbor Networks ASERT Nov 2015 | EXE,FILE |
2009 | SetupBDoor | Webshells Auto-generated - file SetupBDoor.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | MAL,WEBSHELL |
2010 | ShadowPad_nssock2 | Detects malicious nssock2.dll from ShadowPad incident - file nssock2.dll | https://securelist.com/shadowpad-in-corporate-networks/81432/ | 2017-08-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
2011 | Shamoon2_ComComp | Detects Shamoon 2.0 Communication Components | https://goo.gl/jKIfGB | 2016-12-01 00:00:00 | 70 | Florian Roth (with Binar.ly) | EXE,FILE,MIDDLE_EAST |
2012 | Shamoon2_Wiper | Detects Shamoon 2.0 Wiper Component | https://goo.gl/jKIfGB | 2016-12-01 00:00:00 | 70 | Florian Roth | EXE,FILE,MIDDLE_EAST |
2013 | Shamoon_Disttrack_Dropper | Detects Shamoon 2.0 Disttrack Dropper | https://goo.gl/jKIfGB | 2016-12-01 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL,MIDDLE_EAST |
2014 | SharpCat | Detects command shell SharpCat - file SharpCat.exe | https://github.com/Cn33liz/SharpCat | 2016-06-10 00:00:00 | 70 | Florian Roth | EXE,FILE |
2015 | Sharpire | Auto-generated rule - file Sharpire.exe | https://github.com/0xbadjuju/Sharpire | 2017-09-23 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
2016 | ShellCrew_StreamEx_1 | Auto-generated rule - file 81f411415aefa5ad7f7ed2365d9a18d0faf33738617afc19215b69c23f212c07 | https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar | 2017-02-10 00:00:00 | 70 | Florian Roth | EXE,FILE |
2017 | ShellCrew_StreamEx_1_msi | Auto-generated rule - file msi.dll | https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar | 2017-02-10 00:00:00 | 70 | Florian Roth | EXE,FILE |
2018 | ShellCrew_StreamEx_1_msi_dll | Auto-generated rule - file msi.dll.eng | https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar | 2017-02-10 00:00:00 | 70 | Florian Roth | FILE |
2019 | Shell_Asp | Chinese Hacktool Set Webshells - file Asp.html | http://tools.zjqhr.com/ | 2015-06-14 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2020 | Shifu_Banking_Trojan | Detects Shifu Banking Trojan | https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/ | 2015-09-01 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2021 | Sig_RemoteAdmin_1 | Detects strings from well-known APT malware | Internal Research | 2017-12-03 00:00:00 | 45 | Florian Roth | APT,EXE,FILE,HKTL |
2022 | Silence_malware_1 | Detects malware sample mentioned in the Silence report on Securelist | https://securelist.com/the-silence/83009/ | 2017-11-01 00:00:00 | 70 | Florian Roth | EXE,FILE |
2023 | Silence_malware_2 | Detects malware sample mentioned in the Silence report on Securelist | https://securelist.com/the-silence/83009/ | 2017-11-01 00:00:00 | 70 | Florian Roth | EXE,FILE |
2024 | SimAttacker___Vrsion_1_0_0___priv8_4_My_friend_php | Semi-Auto-generated - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2025 | SimShell_1_0___Simorgh_Security_MGZ_php | Semi-Auto-generated - file SimShell 1.0 - Simorgh Security MGZ.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2026 | Simple_PHP_BackDooR | Webshells Auto-generated - file Simple_PHP_BackDooR.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2027 | Sincap_php_php | Semi-Auto-generated - file Sincap.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2028 | Sleep_Timer_Choice | Detects malware from NCSC report | https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control | 2018-04-06 00:00:00 | 70 | NCSC | EXE,FILE |
2029 | Slingshot_APT_Malware_1 | Detects malware from Slingshot APT | https://securelist.com/apt-slingshot/84312/ | 2018-03-09 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
2030 | Slingshot_APT_Malware_2 | Detects malware from Slingshot APT | https://securelist.com/apt-slingshot/84312/ | 2018-03-09 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
2031 | Slingshot_APT_Malware_3 | Detects malware from Slingshot APT | https://securelist.com/apt-slingshot/84312/ | 2018-03-09 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
2032 | Slingshot_APT_Malware_4 | Detects malware from Slingshot APT | https://securelist.com/apt-slingshot/84312/ | 2018-03-09 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
2033 | Slingshot_APT_Minisling | Detects malware from Slingshot APT | https://securelist.com/apt-slingshot/84312/ | 2018-03-09 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
2034 | Slingshot_APT_Ring0_Loader | Detects malware from Slingshot APT | https://securelist.com/apt-slingshot/84312/ | 2018-03-09 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
2035 | Slingshot_APT_Spork_Downloader | Detects malware from Slingshot APT | https://securelist.com/apt-slingshot/84312/ | 2018-03-09 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
2036 | Smartniff | Chinese Hacktool Set - file Smartniff.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2037 | SnakeTurla_Install_SH | Detects Snake / Turla Sample | https://goo.gl/QaOh4V | 2017-05-04 00:00:00 | 70 | Florian Roth | FILE,RUSSIA |
2038 | SnakeTurla_Installd_SH | Detects Snake / Turla Sample | https://goo.gl/QaOh4V | 2017-05-04 00:00:00 | 70 | Florian Roth | FILE,RUSSIA |
2039 | SnakeTurla_Malware_May17_1 | Detects Snake / Turla Sample | https://goo.gl/QaOh4V | 2017-05-04 00:00:00 | 70 | Florian Roth | FILE,MAL,RUSSIA |
2040 | SnakeTurla_Malware_May17_2 | Detects Snake / Turla Sample | https://goo.gl/QaOh4V | 2017-05-04 00:00:00 | 70 | Florian Roth | FILE,MAL,RUSSIA |
2041 | SnakeTurla_Malware_May17_3 | Detects Snake / Turla Sample | https://goo.gl/QaOh4V | 2017-05-04 00:00:00 | 70 | Florian Roth | FILE,MAL,RUSSIA |
2042 | SnakeTurla_Malware_May17_4 | Detects Snake / Turla Sample | https://goo.gl/QaOh4V | 2017-05-04 00:00:00 | 70 | Florian Roth | FILE,MAL,RUSSIA |
2043 | SndVol_ANOMALY | Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file SndVol.exe | not set | 2015-03-16 00:00:00 | 70 | Florian Roth | EXTVAR |
2044 | Sniffer_analyzer_SSClone_1210_full_version | Chinese Hacktool Set - file Sniffer analyzer SSClone 1210 full version.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2045 | SoakSoak_Infected_Wordpress | Detects a SoakSoak infected Wordpress site http://goo.gl/1GzWUX | http://goo.gl/1GzWUX | 2014-12-15 00:00:00 | 60 | Florian Roth | OFFICE,WEBSHELL |
2046 | Sofacy_AZZY_Backdoor_HelperDLL | Dropped C&C helper DLL for AZZY 4.3 | https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/ | 2015-12-04 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2047 | Sofacy_AZZY_Backdoor_Implant_1 | AZZY Backdoor Implant 4.3 - Sample 1 | https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/ | 2015-12-04 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2048 | Sofacy_Bundestag_Batch | Sofacy Bundestags APT Batch Script | http://dokumente.linksfraktion.de/inhalt/report-orig.pdf | 2015-06-19 00:00:00 | 70 | Florian Roth | APT,RUSSIA |
2049 | Sofacy_Campaign_Mal_Feb18_cdnver | Detects Sofacy malware | https://twitter.com/ClearskySec/status/960924755355369472 | 2018-02-07 00:00:00 | 70 | Florian Roth | EXE,FILE,RUSSIA |
2050 | Sofacy_CollectorStealer_Gen1 | Generic rule to detect Sofacy Malware Collector Stealer | https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/ | 2015-12-04 00:00:00 | 70 | Florian Roth | EXE,FILE,GEN,MAL,RUSSIA |
2051 | Sofacy_CollectorStealer_Gen2 | File collectors / USB stealers - Generic | https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/ | 2015-12-04 00:00:00 | 70 | Florian Roth | EXE,FILE,GEN |
2052 | Sofacy_CollectorStealer_Gen3 | File collectors / USB stealers - Generic | https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/ | 2015-12-04 00:00:00 | 70 | Florian Roth | EXE,FILE,GEN |
2053 | Sofacy_Fybis_ELF_Backdoor_Gen1 | Detects Sofacy Fysbis Linux Backdoor_Naikon_APT_Sample1 | http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/ | 2016-02-13 00:00:00 | 80 | Florian Roth | APT,FILE,LINUX,MAL,RUSSIA |
2054 | Sofacy_Fysbis_ELF_Backdoor_Gen2 | Detects Sofacy Fysbis Linux Backdoor | http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/ | 2016-02-13 00:00:00 | 80 | Florian Roth | FILE,LINUX,MAL,RUSSIA |
2055 | Sofacy_Jun16_Sample1 | Detects Sofacy Malware mentioned in PaloAltoNetworks APT report | http://goo.gl/mzAa97 | 2016-06-14 00:00:00 | 85 | Florian Roth | APT,EXE,FILE,MAL,RUSSIA |
2056 | Sofacy_Jun16_Sample2 | Detects Sofacy Malware mentioned in PaloAltoNetworks APT report | http://goo.gl/mzAa97 | 2016-06-14 00:00:00 | 85 | Florian Roth | APT,EXE,FILE,MAL,RUSSIA |
2057 | Sofacy_Jun16_Sample3 | Detects Sofacy Malware mentioned in PaloAltoNetworks APT report | http://goo.gl/mzAa97 | 2016-06-14 00:00:00 | 85 | Florian Roth | APT,EXE,FILE,MAL,RUSSIA |
2058 | Sofacy_Mal2 | Sofacy Group Malware Sample 2 | http://dokumente.linksfraktion.de/inhalt/report-orig.pdf | 2015-06-19 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL,RUSSIA |
2059 | Sofacy_Mal3 | Sofacy Group Malware Sample 3 | http://dokumente.linksfraktion.de/inhalt/report-orig.pdf | 2015-06-19 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL,RUSSIA |
2060 | Sofacy_Malware_AZZY_Backdoor_1 | AZZY Backdoor - Sample 1 | https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/ | 2015-12-04 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2061 | Sofacy_Malware_StrangeSpaces | Detects strange strings from Sofacy malware with many spaces | https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/ | 2015-12-04 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL,RUSSIA |
2062 | Sofacy_Oct17_1 | Detects Sofacy malware reported in October 2017 | http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html | 2017-10-23 00:00:00 | 70 | Florian Roth | EXE,FILE,RUSSIA |
2063 | Sofacy_Oct17_2 | Detects Sofacy malware reported in October 2017 | http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html | 2017-10-23 00:00:00 | 70 | Florian Roth | EXE,FILE,RUSSIA |
2064 | Sofacy_Trojan_Loader_Feb18_1 | Sofacy Activity Feb 2018 | https://www.reverse.it/sample/e3399d4802f9e6d6d539e3ae57e7ea9a54610a7c4155a6541df8e94d67af086e?environmentId=100 | 2018-03-01 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL,RUSSIA |
2065 | Sphinx_Moth_cudacrt | sphinx moth threat group file cudacrt.dll | www.kudelskisecurity.com | 2015-08-06 00:00:00 | 70 | Kudelski Security - Nagravision SA | EXE,FILE |
2066 | Sphinx_Moth_h2t | sphinx moth threat group file h2t.dat | www.kudelskisecurity.com | 2015-08-06 00:00:00 | 70 | Kudelski Security - Nagravision SA (modified by Florian Roth) | EXE,FILE |
2067 | Sphinx_Moth_iastor32 | sphinx moth threat group file iastor32.exe | www.kudelskisecurity.com | 2015-08-06 00:00:00 | 70 | Kudelski Security - Nagravision SA | EXE,FILE |
2068 | Sphinx_Moth_kerberos32 | sphinx moth threat group file kerberos32.dll | www.kudelskisecurity.com | 2015-08-06 00:00:00 | 70 | Kudelski Security - Nagravision SA (modified by Florian Roth) | EXE,FILE |
2069 | Sphinx_Moth_kerberos64 | sphinx moth threat group file kerberos64.dll | www.kudelskisecurity.com | 2015-08-06 00:00:00 | 70 | Kudelski Security - Nagravision SA (modified by Florian Roth) | EXE,FILE |
2070 | Sphinx_Moth_nvcplex | sphinx moth threat group file nvcplex.dat | www.kudelskisecurity.com | 2015-08-06 00:00:00 | 70 | Kudelski Security - Nagravision SA | EXE,FILE |
2071 | SplitJoin_V1_3_3_rar_Folder_3 | Disclosed hacktool set (old stuff) - file splitjoin.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2072 | SqlDbx_zhs | Chinese Hacktool Set - file SqlDbx_zhs.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2073 | StealthWasp_s_Basic_PortScanner_v1_2 | Auto-generated rule on file StealthWasp's Basic PortScanner v1.2.exe | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator by Florian Roth | HKTL |
2074 | StegoKatz | Encoded Mimikatz in other file types | https://goo.gl/jWPBBY | 2015-09-11 00:00:00 | 70 | Florian Roth | |
2075 | StoneDrill | Detects malware from StoneDrill threat report | https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/ | 2017-03-07 00:00:00 | 70 | Florian Roth | EXE,FILE,MIDDLE_EAST |
2076 | StoneDrill_BAT_1 | Rule to detect Batch file from StoneDrill report | https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/ | 1970-01-01 01:00:00 | 70 | Florian Roth | FILE,MIDDLE_EAST |
2077 | StoneDrill_Malware_2 | Detects malware from StoneDrill threat report | https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/ | 2017-03-07 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL,MIDDLE_EAST |
2078 | StoneDrill_Service_Install | Rule to detect Batch file from StoneDrill report | https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/ | 1970-01-01 01:00:00 | 70 | Florian Roth | MIDDLE_EAST |
2079 | StoneDrill_VBS_1 | Detects malware from StoneDrill threat report | https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/ | 2017-03-07 00:00:00 | 70 | Florian Roth | MIDDLE_EAST,SCRIPT |
2080 | StoneDrill_main_sub | Rule to detect StoneDrill (decrypted) samples | https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/ | 1970-01-01 01:00:00 | 70 | Kaspersky Lab | FILE,MIDDLE_EAST |
2081 | StoneDrill_ntssrvr32 | Detects malware from StoneDrill threat report | https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/ | 2017-03-07 00:00:00 | 70 | Florian Roth | EXE,FILE,MIDDLE_EAST |
2082 | StreamEx_ShellCrew | Detects a | https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar | 2017-02-09 00:00:00 | 80 | Cylance | |
2083 | StuxNet_Malware_1 | Stuxnet Sample - file malware.exe | Internal Research | 2016-07-09 00:00:00 | 70 | Florian Roth | MAL |
2084 | StuxNet_dll | Stuxnet Sample - file dll.dll | Internal Research | 2016-07-09 00:00:00 | 70 | Florian Roth | EXE,FILE |
2085 | Stuxnet_Malware_2 | Stuxnet Sample - file 63e6b8136058d7a06dfff4034b4ab17a261cdf398e63868a601f77ddd1b32802 | Internal Research | 2016-07-09 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2086 | Stuxnet_Malware_3 | Stuxnet Sample - file ~WTR4141.tmp | Internal Research | 2016-07-09 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2087 | Stuxnet_Malware_4 | Stuxnet Sample - file 0d8c2bcb575378f6a88d17b5f6ce70e794a264cdc8556c8e812f0b5f9c709198 | Internal Research | 2016-07-09 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2088 | Stuxnet_Shortcut_to | Stuxnet Sample - file Copy of Shortcut to.lnk | Internal Research | 2016-07-09 00:00:00 | 70 | Florian Roth | FILE |
2089 | Stuxnet_maindll_decrypted_unpacked | Stuxnet Sample - file maindll.decrypted.unpacked.dll_ | Internal Research | 2016-07-09 00:00:00 | 70 | Florian Roth | |
2090 | Stuxnet_s7hkimdb | Stuxnet Sample - file s7hkimdb.dll | Internal Research | 2016-07-09 00:00:00 | 70 | Florian Roth | EXE,FILE |
2091 | Suckfly_Nidiran_Gen_1 | Detects Suckfly Nidiran Trojan | https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates | 2018-01-28 00:00:00 | 70 | Florian Roth | EXE,FILE,GEN,MAL |
2092 | Suckfly_Nidiran_Gen_2 | Detects Suckfly Nidiran Trojan | https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates | 2018-01-28 00:00:00 | 70 | Florian Roth | EXE,FILE,GEN,MAL |
2093 | Suckfly_Nidiran_Gen_3 | Detects Suckfly Nidiran Trojan | https://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates | 2018-01-28 00:00:00 | 70 | Florian Roth | EXE,FILE,GEN,MAL |
2094 | SunOrcal_Malware_Nov17_1 | Detects Reaver malware mentioned in PaloAltoNetworks report | https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/ | 2017-11-11 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2095 | SuperScan4 | Auto-generated rule on file SuperScan4.exe | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator by Florian Roth | HKTL |
2096 | Susp_Indicators_EXE | Detects packed Nullsoft installer (NSIS) EXE with characteristics of NetWire RAT | https://pastebin.com/8qaiyPxs | 2018-01-05 00:00:00 | 60 | Florian Roth | FILE,MAL |
2097 | Susp_PowerShell_Sep17_1 | Detects suspicious PowerShell script in combo with VBS or JS | Internal Research | 2017-09-30 00:00:00 | 60 | Florian Roth | SCRIPT |
2098 | Susp_PowerShell_Sep17_2 | Detects suspicious PowerShell script in combo with VBS or JS | Internal Research | 2017-09-30 00:00:00 | 70 | Florian Roth | FILE,SCRIPT |
2099 | Suspicious_AutoIt_by_Microsoft | Detects an AutoIt script with Microsoft identification | Internal Research - VT | 2017-12-14 00:00:00 | 60 | Florian Roth | EXE,FILE |
2100 | Suspicious_BAT_Strings | Detects a string also used in NetWire RAT auxiliary files | https://pastebin.com/8qaiyPxs | 2018-01-05 00:00:00 | 60 | Florian Roth | MAL |
2101 | Suspicious_JS_script_content | Detects suspicious statements in JavaScript files | Research on Leviathan https://goo.gl/MZ7dRg | 2017-12-02 00:00:00 | 70 | Florian Roth | SCRIPTS |
2102 | Suspicious_PowerShell_Code_1 | Detects suspicious PowerShell code | Internal Research | 2017-02-22 00:00:00 | 60 | Florian Roth | SCRIPT |
2103 | Suspicious_PowerShell_WebDownload_1 | Detects suspicious PowerShell code that downloads from web sites | Internal Research | 2017-02-22 00:00:00 | 60 | Florian Roth | SCRIPT |
2104 | Suspicious_Script_Running_from_HTTP | Detects a suspicious | https://www.hybrid-analysis.com/sample/a112274e109c5819d54aa8de89b0e707b243f4929a83e77439e3ff01ed218a35?environmentId=100 | 2017-08-20 00:00:00 | 50 | Florian Roth | |
2105 | Suspicious_Size_chrome_exe | Detects uncommon file size of chrome.exe | - | 2015-12-21 00:00:00 | 60 | Florian Roth | EXE,EXTVAR,FILE |
2106 | Suspicious_Size_csrss_exe | Detects uncommon file size of csrss.exe | - | 2015-12-21 00:00:00 | 60 | Florian Roth | EXE,EXTVAR,FILE |
2107 | Suspicious_Size_explorer_exe | Detects uncommon file size of explorer.exe | - | 2015-12-21 00:00:00 | 60 | Florian Roth | EXE,EXTVAR,FILE |
2108 | Suspicious_Size_firefox_exe | Detects uncommon file size of firefox.exe | - | 2015-12-21 00:00:00 | 60 | Florian Roth | EXE,EXTVAR,FILE |
2109 | Suspicious_Size_iexplore_exe | Detects uncommon file size of iexplore.exe | - | 2015-12-21 00:00:00 | 60 | Florian Roth | EXE,EXTVAR,FILE |
2110 | Suspicious_Size_igfxhk_exe | Detects uncommon file size of igfxhk.exe | - | 2015-12-21 00:00:00 | 60 | Florian Roth | EXE,EXTVAR,FILE |
2111 | Suspicious_Size_java_exe | Detects uncommon file size of java.exe | - | 2015-12-21 00:00:00 | 60 | Florian Roth | EXE,EXTVAR,FILE |
2112 | Suspicious_Size_lsass_exe | Detects uncommon file size of lsass.exe | - | 2015-12-21 00:00:00 | 60 | Florian Roth | EXE,EXTVAR,FILE |
2113 | Suspicious_Size_rundll32_exe | Detects uncommon file size of rundll32.exe | - | 2015-12-23 00:00:00 | 60 | Florian Roth | EXE,EXTVAR,FILE |
2114 | Suspicious_Size_servicehost_dll | Detects uncommon file size of servicehost.dll | - | 2015-12-23 00:00:00 | 60 | Florian Roth | EXE,EXTVAR,FILE |
2115 | Suspicious_Size_smss_exe | Detects uncommon file size of smss.exe | - | 2015-12-23 00:00:00 | 60 | Florian Roth | EXE,EXTVAR,FILE |
2116 | Suspicious_Size_spoolsv_exe | Detects uncommon file size of spoolsv.exe | - | 2015-12-23 00:00:00 | 60 | Florian Roth | EXE,EXTVAR,FILE |
2117 | Suspicious_Size_svchost_exe | Detects uncommon file size of svchost.exe | - | 2015-12-21 00:00:00 | 60 | Florian Roth | EXE,EXTVAR,FILE |
2118 | Suspicious_Size_taskhost_exe | Detects uncommon file size of taskhost.exe | - | 2015-12-23 00:00:00 | 60 | Florian Roth | EXE,EXTVAR,FILE |
2119 | Suspicious_Size_wininit_exe | Detects uncommon file size of wininit.exe | - | 2015-12-23 00:00:00 | 60 | Florian Roth | EXE,EXTVAR,FILE |
2120 | Suspicious_Size_winlogon_exe | Detects uncommon file size of winlogon.exe | - | 2015-12-21 00:00:00 | 60 | Florian Roth | EXE,EXTVAR,FILE |
2121 | SwitchSniffer | Chinese Hacktool Set - file SwitchSniffer.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2122 | Sword1_5 | Chinese Hacktool Set - file Sword1.5.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2123 | SysInterals_PipeList_NameChanged | Detects Sysinternals PipeList | https://goo.gl/Mr6M2J | 2016-06-04 00:00:00 | 90 | Florian Roth | EXE,EXTVAR,FILE |
2124 | SysInternals_Tool_Anomaly | SysInternals Tool Anomaly - does not contain Mark Russinovich as author | Internal Research | 2016-12-06 00:00:00 | 70 | Florian Roth | EXE,FILE |
2125 | TA17_293A_Hacktool_Exploit_MS16_032 | Auto-generated rule - file 9b97290300abb68fb48480718e6318ee2cdd4f099aa6438010fb2f44803e0b58 | https://www.us-cert.gov/ncas/alerts/TA17-293A | 2017-10-21 00:00:00 | 70 | Florian Roth | HKTL |
2126 | TA17_293A_Hacktool_PS_1 | Auto-generated rule - file 72a28efb6e32e653b656ca32ccd44b3111145a695f6f6161965deebbdc437076 | https://www.us-cert.gov/ncas/alerts/TA17-293A | 2017-10-21 00:00:00 | 70 | Florian Roth | HKTL |
2127 | TA17_293A_Hacktool_Touch_MAC_modification | Auto-generated rule - file 070d7082a5abe1112615877214ec82241fd17e5bd465e24d794a470f699af88e | https://www.us-cert.gov/ncas/alerts/TA17-293A | 2017-10-21 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
2128 | TA17_293A_Query_Javascript_Decode_Function | - | https://www.us-cert.gov/ncas/alerts/TA17-293A | 1970-01-01 01:00:00 | 70 | other (modified by Florian Roth) | |
2129 | TA17_293A_Query_XML_Code_MAL_DOC | - | https://www.us-cert.gov/ncas/alerts/TA17-293A | 1970-01-01 01:00:00 | 70 | other (modified by Florian Roth) | FILE |
2130 | TA17_293A_Query_XML_Code_MAL_DOC_PT_2 | - | https://www.us-cert.gov/ncas/alerts/TA17-293A | 1970-01-01 01:00:00 | 70 | other (modified by Florian Roth) | FILE |
2131 | TA17_293A_malware_1 | inveigh pen testing tools & related artifacts | https://www.us-cert.gov/ncas/alerts/TA17-293A | 2017-07-17 00:00:00 | 70 | US-CERT Code Analysis Team (modified by Florian Roth) | |
2132 | TA17_293A_malware_2 | rule detects malware | https://www.us-cert.gov/ncas/alerts/TA17-293A | 1970-01-01 01:00:00 | 70 | other | |
2133 | TA17_318A_rc4_stack_key_fallchill | HiddenCobra FallChill - rc4_stack_key | https://www.us-cert.gov/ncas/alerts/TA17-318B | 2017-11-15 00:00:00 | 70 | US CERT | FILE,NK |
2134 | TA17_318A_success_fail_codes_fallchill | HiddenCobra FallChill - success_fail_codes | https://www.us-cert.gov/ncas/alerts/TA17-318B | 2017-11-15 00:00:00 | 70 | US CERT | FILE,NK |
2135 | TA17_318B_volgmer | Malformed User Agent in Volgmer malware | https://www.us-cert.gov/ncas/alerts/TA17-318B | 2017-11-15 00:00:00 | 70 | US CERT | FILE |
2136 | TA18_074A_screen | Detects malware mentioned in TA18-074A | https://www.us-cert.gov/ncas/alerts/TA18-074A | 2018-03-16 00:00:00 | 70 | Florian Roth | EXE,FILE |
2137 | TA18_074A_scripts | Detects malware mentioned in TA18-074A | https://www.us-cert.gov/ncas/alerts/TA18-074A | 2018-03-16 00:00:00 | 70 | Florian Roth | |
2138 | TA459_Malware_May17_1 | Detects TA459 related malware | https://goo.gl/RLf9qU | 2017-05-31 00:00:00 | 70 | Florian Roth | FILE,MAL |
2139 | TA459_Malware_May17_2 | Detects TA459 related malware | https://goo.gl/RLf9qU | 2017-05-31 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2140 | TRITON_ICS_FRAMEWORK | TRITON framework recovered during Mandiant ICS incident response | https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html | 1970-01-01 01:00:00 | 70 | nicholas.carr @itsreallynick | |
2141 | TSCookie_RAT | Detects TSCookie RAT | http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html | 2018-03-06 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2142 | TeleBots_CredRaptor_Password_Stealer | Detects TeleBots malware - CredRaptor Password Stealer | https://goo.gl/4if3HG | 2016-12-14 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2143 | TeleBots_IntercepterNG | Detects TeleBots malware - IntercepterNG | https://goo.gl/4if3HG | 2016-12-14 00:00:00 | 70 | Florian Roth | EXE,FILE |
2144 | TeleBots_KillDisk_1 | Detects TeleBots malware - KillDisk | https://goo.gl/4if3HG | 2016-12-14 00:00:00 | 70 | Florian Roth | EXE,FILE |
2145 | TeleBots_KillDisk_2 | Detects TeleBots malware - KillDisk | https://goo.gl/4if3HG | 2016-12-14 00:00:00 | 70 | Florian Roth | EXE,FILE |
2146 | TeleBots_VBS_Backdoor_1 | Detects TeleBots malware - VBS Backdoor | https://goo.gl/4if3HG | 2016-12-14 00:00:00 | 70 | Florian Roth | FILE,MAL,SCRIPT |
2147 | TeleBots_VBS_Backdoor_2 | Detects TeleBots malware - VBS Backdoor | https://goo.gl/4if3HG | 2016-12-14 00:00:00 | 70 | Florian Roth | FILE,MAL,SCRIPT |
2148 | TeleBots_Win64_Spy_KeyLogger_G | Detects TeleBots malware - Win64 Spy KeyLogger G | https://goo.gl/4if3HG | 2016-12-14 00:00:00 | 70 | Florian Roth | EXE,FILE |
2149 | TeleDoor_Backdoor | Detects the TeleDoor Backdoor as used in Petya Attack in June 2017 | https://goo.gl/CpfJQQ | 2017-07-05 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL,RANSOM |
2150 | TempRacer | Detects privilege escalation tool - file TempRacer.exe | http://www.darknet.org.uk/2016/03/tempracer-windows-privilege-escalation-tool/ | 2016-03-30 00:00:00 | 70 | Florian Roth | EXE,FILE |
2151 | Test_php_php | Semi-Auto-generated - file Test.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2152 | ThreatGroup3390_C2 | Threat Group 3390 APT - C2 Server | http://snip.ly/giNB | 2015-08-06 00:00:00 | 60 | Florian Roth | APT,EXE,FILE |
2153 | ThreatGroup3390_Strings | Threat Group 3390 APT - Strings | http://snip.ly/giNB | 2015-08-06 00:00:00 | 60 | Florian Roth | APT |
2154 | TidePool_Malware | Detects TidePool malware mentioned in Ke3chang report by Palo Alto Networks | http://goo.gl/m2CXWR | 2016-05-24 00:00:00 | 70 | Florian Roth | EXE,FILE |
2155 | Tiny_Network_Tool_Generic | Tiny tool with suspicious function imports. (Rule based on WinEggDrop Scanner samples) | - | 2014-08-10 00:00:00 | 40 | Florian Roth | HKTL |
2156 | Tofu_Backdoor | Detects Tofu Trojan | https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html | 2017-02-28 00:00:00 | 70 | Cylance | MAL |
2157 | Tool_asp | Semi-Auto-generated - file Tool.asp.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2158 | Tools_2014 | Chinese Hacktool Set - file 2014.jsp | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2159 | Tools_2015 | Chinese Hacktool Set - file 2015.jsp | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2160 | Tools_cmd | Chinese Hacktool Set - file cmd.jSp | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2161 | Tools_scan | Chinese Hacktool Set - file scan.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2162 | Tools_unknown | Chinese Hacktool Set - file unknown.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2163 | Tools_xport | Chinese Hacktool Set - file xport.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2164 | TopHat_BAT | Auto-generated rule - file cgen.bat | https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/#appendix | 2018-01-29 00:00:00 | 70 | Florian Roth | |
2165 | TopHat_Malware_Jan18_1 | Detects malware from TopHat campaign | https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/#appendix | 2018-01-29 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2166 | TopHat_Malware_Jan18_2 | Auto-generated rule - file e.exe | https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/#appendix | 2018-01-29 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2167 | Triton_trilog | Detects Triton APT malware - file trilog.exe | https://goo.gl/vtQoCQ | 2017-12-14 00:00:00 | 70 | Florian Roth | APT,EXE,FILE |
2168 | TrojanDownloader | Trojan Downloader - Flash Exploit Feb15 | http://goo.gl/wJ8V1I | 2015-02-11 00:00:00 | 60 | Florian Roth | MAL |
2169 | Trojan_ISMRAT_gen | ISM RAT | https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/february/ism-rat/ | 1970-01-01 01:00:00 | 70 | Ahmed Zaki | FILE,MAL |
2170 | Trojan_Win32_Adupib | Adupib SSL Backdoor | - | 1970-01-01 01:00:00 | 70 | Microsoft | MAL |
2171 | Trojan_Win32_Dipsind_B | Dipsind Family | - | 1970-01-01 01:00:00 | 70 | Microsoft | |
2172 | Trojan_Win32_PlaKeylog_B | Keylogger component | - | 1970-01-01 01:00:00 | 70 | Microsoft | HKTL |
2173 | Trojan_Win32_PlaLsaLog | Loader / possible incomplete LSA Password Filter | - | 1970-01-01 01:00:00 | 70 | Microsoft | |
2174 | Trojan_Win32_PlaSrv | Hotpatching Injector | - | 1970-01-01 01:00:00 | 70 | Microsoft | HKTL |
2175 | Trojan_Win32_Plabit | Installer component | - | 1970-01-01 01:00:00 | 70 | Microsoft | |
2176 | Trojan_Win32_Placisc2 | Dipsind variant | - | 1970-01-01 01:00:00 | 70 | Microsoft | |
2177 | Trojan_Win32_Placisc3 | Dipsind variant | - | 1970-01-01 01:00:00 | 70 | Microsoft | |
2178 | Trojan_Win32_Placisc4 | Installer for Dipsind variant | - | 1970-01-01 01:00:00 | 70 | Microsoft | |
2179 | Trojan_Win32_Plagicom | Installer component | - | 1970-01-01 01:00:00 | 70 | Microsoft | |
2180 | Trojan_Win32_Plagon | Dipsind variant | - | 1970-01-01 01:00:00 | 70 | Microsoft | |
2181 | Trojan_Win32_Plainst2 | Zc tool | - | 1970-01-01 01:00:00 | 70 | Microsoft | |
2182 | Trojan_Win32_Plainst | Installer component | - | 1970-01-01 01:00:00 | 70 | Microsoft | |
2183 | Trojan_Win32_Plakelog | Raw-input based keylogger | - | 1970-01-01 01:00:00 | 70 | Microsoft | HKTL |
2184 | Trojan_Win32_Plaklog | Hook-based keylogger | - | 1970-01-01 01:00:00 | 70 | Microsoft | HKTL |
2185 | Trojan_Win32_Plakpeer | Zc tool v2 | - | 1970-01-01 01:00:00 | 70 | Microsoft | |
2186 | Trojan_Win32_Plakpers | Injector / loader component | - | 1970-01-01 01:00:00 | 70 | Microsoft | HKTL |
2187 | Trojan_Win32_Plapiio | JPin backdoor | - | 1970-01-01 01:00:00 | 70 | Microsoft | MAL |
2188 | Trojan_Win32_Plaplex | Variant of the JPin backdoor | - | 1970-01-01 01:00:00 | 70 | Microsoft | MAL |
2189 | Trojan_Win32_Platual | Installer component | - | 1970-01-01 01:00:00 | 70 | Microsoft | |
2190 | TurlaMosquito_Mal_1 | Detects malware sample from Turla Mosquito report | https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf | 2018-02-22 00:00:00 | 70 | Florian Roth | EXE,FILE,RUSSIA |
2191 | TurlaMosquito_Mal_2 | Detects malware sample from Turla Mosquito report | https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf | 2018-02-22 00:00:00 | 70 | Florian Roth | EXE,FILE,RUSSIA |
2192 | TurlaMosquito_Mal_3 | Detects malware sample from Turla Mosquito report | https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf | 2018-02-22 00:00:00 | 70 | Florian Roth | EXE,FILE,RUSSIA |
2193 | TurlaMosquito_Mal_4 | Detects malware sample from Turla Mosquito report | https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf | 2018-02-22 00:00:00 | 70 | Florian Roth | EXE,FILE,RUSSIA |
2194 | TurlaMosquito_Mal_5 | Detects malware sample from Turla Mosquito report | https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf | 2018-02-22 00:00:00 | 70 | Florian Roth | EXE,FILE,RUSSIA |
2195 | TurlaMosquito_Mal_6 | Detects malware sample from Turla Mosquito report | https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf | 2018-02-22 00:00:00 | 70 | Florian Roth | EXE,FILE,RUSSIA |
2196 | TurlaMosquito_Mal_7 | Detects malware sample from Turla Mosquito report | https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf | 2018-02-22 00:00:00 | 70 | Florian Roth | EXE,FILE,RUSSIA |
2197 | Turla_APT_Malware_Gen1 | Detects Turla malware (based on sample used in the RUAG APT case) | https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case | 2016-06-09 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL,RUSSIA |
2198 | Turla_APT_Malware_Gen2 | Detects Turla malware (based on sample used in the RUAG APT case) | https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case | 2016-06-09 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL,RUSSIA |
2199 | Turla_APT_Malware_Gen3 | Detects Turla malware (based on sample used in the RUAG APT case) | https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case | 2016-06-09 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL,RUSSIA |
2200 | Turla_APT_srsvc | Detects Turla malware (based on sample used in the RUAG APT case) | https://www.govcert.admin.ch/blog/22/technical-report-about-the-ruag-espionage-case | 2016-06-09 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,RUSSIA |
2201 | Turla_KazuarRAT | Detects Turla Kazuar RAT described by DrunkBinary | https://twitter.com/DrunkBinary/status/982969891975319553 | 2018-04-08 00:00:00 | 70 | Markus Neis / Florian Roth | EXE,FILE,MAL,RUSSIA |
2202 | Turla_Mal_Script_Jan18_1 | Detects Turla malicious script | https://ghostbin.com/paste/jsph7 | 2018-01-19 00:00:00 | 70 | Florian Roth | RUSSIA |
2203 | Txt_Sql | Chinese Hacktool Set - Webshells - file Sql.txt | http://tools.zjqhr.com/ | 2015-06-14 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2204 | Txt_asp1 | Chinese Hacktool Set - Webshells - file asp1.txt | http://tools.zjqhr.com/ | 2015-06-14 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2205 | Txt_asp | Chinese Hacktool Set - Webshells - file asp.txt | http://tools.zjqhr.com/ | 2015-06-14 00:00:00 | 70 | Florian Roth | CHINA,FILE,HKTL,WEBSHELL |
2206 | Txt_aspx1 | Chinese Hacktool Set - Webshells - file aspx1.txt | http://tools.zjqhr.com/ | 2015-06-14 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2207 | Txt_aspx | Chinese Hacktool Set - Webshells - file aspx.jpg | http://tools.zjqhr.com/ | 2015-06-14 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2208 | Txt_aspxlcx | Chinese Hacktool Set - Webshells - file aspxlcx.txt | http://tools.zjqhr.com/ | 2015-06-14 00:00:00 | 70 | Florian Roth | CHINA,FILE,HKTL,WEBSHELL |
2209 | Txt_aspxtag | Chinese Hacktool Set - Webshells - file aspxtag.txt | http://tools.zjqhr.com/ | 2015-06-14 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2210 | Txt_ftp | Chinese Hacktool Set - Webshells - file ftp.txt | http://tools.zjqhr.com/ | 2015-06-14 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2211 | Txt_hello | Chinese Hacktool Set - Webshells - file hello.txt | http://tools.zjqhr.com/ | 2015-06-14 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2212 | Txt_jsp | Chinese Hacktool Set - Webshells - file jsp.txt | http://tools.zjqhr.com/ | 2015-06-14 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2213 | Txt_jspcmd | Chinese Hacktool Set - Webshells - file jspcmd.txt | http://tools.zjqhr.com/ | 2015-06-14 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2214 | Txt_lcx | Chinese Hacktool Set - Webshells - file lcx.c | http://tools.zjqhr.com/ | 2015-06-14 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2215 | Txt_php | Chinese Hacktool Set - Webshells - file php.txt | http://tools.zjqhr.com/ | 2015-06-14 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2216 | Txt_php_2 | Chinese Hacktool Set - Webshells - file php.html | http://tools.zjqhr.com/ | 2015-06-14 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2217 | Txt_shell | Chinese Hacktool Set - Webshells - file shell.c | http://tools.zjqhr.com/ | 2015-06-14 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2218 | Txt_xiao | Chinese Hacktool Set - Webshells - file xiao.txt | http://tools.zjqhr.com/ | 2015-06-14 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2219 | Typical_Malware_String_Transforms | Detects typical strings in a reversed or otherwise modified form | Internal Research | 2016-07-31 00:00:00 | 60 | Florian Roth | EXE,FILE,MAL |
2220 | Tzddos_DDoS_Tool_CN | Disclosed hacktool set - file tzddos | - | 2014-11-17 00:00:00 | 60 | Florian Roth | HKTL |
2221 | UACElevator | UACElevator bypassing UAC - file UACElevator.exe | https://github.com/MalwareTech/UACElevator | 2015-05-14 00:00:00 | 70 | Florian Roth | EXE,FILE |
2222 | UACME_Akagi | Rule to detect UACMe - abusing built-in Windows AutoElevate backdoor | https://github.com/hfiref0x/UACME | 2015-05-14 00:00:00 | 60 | Florian Roth | MAL |
2223 | UACME_Akagi_2 | Detects Windows User Account Control Bypass - from files Akagi32.exe, Akagi64.exe | https://github.com/hfiref0x/UACME | 2017-02-03 00:00:00 | 80 | Florian Roth | EXE,FILE |
2224 | UBoatRAT | Detects UBoat RAT Samples | https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/ | 2017-11-29 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2225 | UBoatRAT_Dropper | Detects UBoatRAT Dropper | https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/ | 2017-11-29 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2226 | URL_File_Local_EXE | Detects an .url file that points to a local executable | https://twitter.com/malwareforme/status/915300883012870144 | 2017-10-04 00:00:00 | 60 | Florian Roth | |
2227 | UnPack_rar_Folder_InjectT | Disclosed hacktool set (old stuff) - file InjectT.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2228 | UnPack_rar_Folder_TBack | Disclosed hacktool set (old stuff) - file TBack.DLL | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2229 | Unauthorized_Proxy_Server_RAT | - | https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity | 1970-01-01 01:00:00 | 70 | US-CERT Code Analysis Team | HKTL |
2230 | Unidentified_Malware_Two | Unidentified Implant by APT29 | https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE | 2017-02-10 00:00:00 | 85 | US CERT | APT,MAL,RUSSIA |
2231 | Unit78020_Malware_1 | Detects malware by Chinese APT PLA Unit 78020 - Specific Rule - msictl.exe | http://threatconnect.com/camerashy/?utm_campaign=CameraShy | 2015-09-24 00:00:00 | 70 | Florian Roth | APT,CHINA,EXE,FILE,MAL |
2232 | Unit78020_Malware_Gen1 | Detects malware by Chinese APT PLA Unit 78020 - Generic Rule | http://threatconnect.com/camerashy/?utm_campaign=CameraShy | 2015-09-24 00:00:00 | 70 | Florian Roth | APT,CHINA,EXE,FILE,GEN,MAL |
2233 | Unit78020_Malware_Gen2 | Detects malware by Chinese APT PLA Unit 78020 - Generic Rule | http://threatconnect.com/camerashy/?utm_campaign=CameraShy | 2015-09-24 00:00:00 | 70 | Florian Roth | APT,CHINA,EXE,FILE,GEN,MAL |
2234 | Unit78020_Malware_Gen3 | Detects malware by Chinese APT PLA Unit 78020 - Generic Rule - Chong | http://threatconnect.com/camerashy/?utm_campaign=CameraShy | 2015-09-24 00:00:00 | 70 | Florian Roth | APT,CHINA,EXE,FILE,GEN,MAL |
2235 | Universal_Exploit_Strings | Detects a group of strings often used in exploit codes | not set | 2017-12-02 00:00:00 | 50 | Florian Roth | SCRIPTS |
2236 | Unknown_0f06c5d1b32f4994c3b3abf8bb76d5468f105167 | Detects a web shell | https://github.com/bartblaze/PHP-backdoors | 2016-09-10 00:00:00 | 70 | Florian Roth | FILE,WEBSHELL |
2237 | Unknown_8af033424f9590a15472a23cc3236e68070b952e | Detects a web shell | https://github.com/bartblaze/PHP-backdoors | 2016-09-10 00:00:00 | 70 | Florian Roth | FILE,WEBSHELL |
2238 | Unknown_Malware_Sample_Jul17_2 | Detects unknown malware sample with pastebin RAW URL | https://goo.gl/iqH8CK | 2017-08-01 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2239 | Unpack_Injectt | Webshells Auto-generated - file Injectt.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | HKTL,WEBSHELL |
2240 | Unpack_TBack | Webshells Auto-generated - file TBack.dll | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2241 | Unspecified_Malware_Jul17_1A | Detects samples of an unspecified malware - July 2017 | Winnti HDRoot VT | 2017-07-07 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2242 | Unspecified_Malware_Jul17_2C | Unspecified Malware - CN relation | https://goo.gl/CX3KaY | 2017-07-18 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2243 | Unspecified_Malware_Oct16_A | Detects an unspecified malware - October 2016 | Internal Research | 2016-10-08 00:00:00 | 80 | Florian Roth | EXE,FILE,MAL |
2244 | Unspecified_Malware_Oct16_C | Detects an unspecified malware - October 2016 | Internal Research | 2016-10-08 00:00:00 | 80 | Florian Roth | EXE,FILE,MAL |
2245 | Unspecified_Malware_Oct16_D | Detects unspecified malware - October 2016 | Internal Research | 2016-10-08 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2246 | Unspecified_Malware_Oct16_E | Detects unspecified Malware - October 2016 | Internal Research | 2016-10-08 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2247 | Unspecified_Malware_Sep1_A1 | Detects malware from Dragonfly APT report | https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group | 2017-09-12 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,MAL |
2248 | Upatre_Hazgurut | Detects Upatre malware - file hazgurut.exe | https://weankor.vxstream-sandbox.com/sample/6b857ef314938d37997c178ea50687a281d8ff9925f0c4e70940754643e2c0e3?environmentId=7 | 2015-10-13 00:00:00 | 70 | Florian Roth | EXE,FILE |
2249 | UploadShell_98038f1efa4203432349badabad76d44337319a6 | Detects a web shell | https://github.com/bartblaze/PHP-backdoors | 2016-09-10 00:00:00 | 70 | Florian Roth | FILE,WEBSHELL |
2250 | User_Function_String | Detects user function string from NCSC report | https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control | 2018-04-06 00:00:00 | 70 | NCSC | |
2251 | Utilman_ANOMALY | Abnormal utilman.exe - typical strings not found in file | - | 2014-01-06 00:00:00 | 70 | Florian Roth | EXTVAR |
2252 | VBS_Obfuscated_Mal_Feb18_1 | Detects malicious obfuscated VBS observed in February 2018 | https://goo.gl/zPsn83 | 2018-02-12 00:00:00 | 70 | Florian Roth | OBFUS,SCRIPT,SCRIPTS |
2253 | VBS_WMIExec_Tool_Apr17_1 | Tools related to Operation Cloud Hopper | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | |
2254 | VBS_dropper_script_Dec17_1 | Detects a suspicious VBS script that drops an executable | Internal Research | 2018-01-01 00:00:00 | 80 | Florian Roth | SCRIPT |
2255 | VBScript_Favicon_File | VBScript cloaked as Favicon file used in Leviathan incident | https://goo.gl/MZ7dRg | 2017-10-18 00:00:00 | 70 | Florian Roth | FILE,SCRIPT |
2256 | VSSown_VBS | Detects VSSown.vbs script - used to export shadow copy elements like NTDS to take away and crack elsewhere | - | 2015-10-01 00:00:00 | 75 | Florian Roth | HKTL |
2257 | VUBrute_VUBrute | PoS Scammer Toolbox - http://goo.gl/xiIphp - file VUBrute.exe | - | 2014-11-22 00:00:00 | 70 | Florian Roth | HKTL |
2258 | VUBrute_config | PoS Scammer Toolbox - http://goo.gl/xiIphp - file config.ini | http://goo.gl/xiIphp | 2014-11-22 00:00:00 | 70 | Florian Roth | HKTL |
2259 | VUL_JQuery_FileUpload_CVE_2018_9206 | Detects JQuery File Upload vulnerability CVE-2018-9206 | https://www.zdnet.com/article/zero-day-in-popular-jquery-plugin-actively-exploited-for-at-least-three-years/ | 2018-10-19 00:00:00 | 70 | Florian Roth | EXPLOIT |
2260 | Venom_Rootkit | Venom Linux Rootkit | https://security.web.cern.ch/security/venom.shtml | 2017-01-12 00:00:00 | 70 | Florian Roth | LINUX,MAL |
2261 | Vermin_Keylogger_Jan18_1 | Detects Vermin Keylogger | https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/ | 2018-01-29 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
2262 | VisualDiscovery_Lonovo_Superfish_SSL_Hijack | Lenovo Superfish SSL Interceptor - file VisualDiscovery.exe | https://twitter.com/4nc4p/status/568325493558272000 | 2015-02-19 00:00:00 | 70 | Florian Roth / improved by kbandla | |
2263 | Volgmer_Malware | Detects Volgmer malware as reported in US CERT TA17-318B | https://www.us-cert.gov/ncas/alerts/TA17-318B | 2017-11-15 00:00:00 | 70 | Florian Roth | EXE,FILE |
2264 | WAF_Bypass | Chinese Hacktool Set - file WAF-Bypass.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2265 | WCE_Modified_1_1014 | Modified (packed) version of Windows Credential Editor | - | 1970-01-01 01:00:00 | 70 | Florian Roth | HKTL |
2266 | WCE_in_memory | Detects Windows Credential Editor (WCE) in memory (and also on disk) | Internal Research | 2016-08-28 00:00:00 | 80 | Florian Roth | HKTL |
2267 | WEB_INF_web | Laudanum Injector Tools - file web.xml | http://laudanum.inguardians.com/ | 2015-06-22 00:00:00 | 70 | Florian Roth | HKTL,WEBSHELL |
2268 | WINNTI_KingSoft_Moz_Confustion | Detects Barium sample with Copyright confusion | https://www.virustotal.com/en/file/070ee4a40852b26ec0cfd79e32176287a6b9d2b15e377281d8414550a83f6496/analysis/ | 2018-04-13 00:00:00 | 70 | Markus Neis | EXE,FILE |
2269 | WMI_vbs | WMI Tool - APT | - | 1970-01-01 01:00:00 | 70 | Florian Roth | APT,HKTL |
2270 | WMImplant | Auto-generated rule - file WMImplant.ps1 | https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html | 2017-03-24 00:00:00 | 70 | Florian Roth | |
2271 | WPR_Asterisk_Hook_Library | Windows Password Recovery - file ast64.dll | Internal Research | 2017-03-15 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
2272 | WPR_Passscape_Loader | Windows Password Recovery - file ast.exe | Internal Research | 2017-03-15 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
2273 | WPR_WindowsPasswordRecovery_EXE | Windows Password Recovery - file wpr.exe | Internal Research | 2017-03-15 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
2274 | WPR_WindowsPasswordRecovery_EXE_64 | Windows Password Recovery - file ast64.exe | Internal Research | 2017-03-15 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
2275 | WPR_loader_DLL | Windows Password Recovery - file loader64.dll | Internal Research | 2017-03-15 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
2276 | WPR_loader_EXE | Windows Password Recovery - file loader.exe | Internal Research | 2017-03-15 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
2277 | WSOShell_0bbebaf46f87718caba581163d4beed56ddf73a7 | Detects a web shell | https://github.com/bartblaze/PHP-backdoors | 2016-09-10 00:00:00 | 70 | Florian Roth | FILE,WEBSHELL |
2278 | WScriptShell_Case_Anomaly | Detects obfuscated wscript.shell commands | Internal Research | 2017-09-11 00:00:00 | 60 | Florian Roth | OBFUS |
2279 | WScript_Shell_PowerShell_Combo | Detects malware from Middle Eastern campaign reported by Talos | http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html | 2018-02-07 00:00:00 | 50 | Florian Roth | SCRIPT |
2280 | WSockExpert | Chinese Hacktool Set - file WSockExpert.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2281 | WannCry_BAT | Detects WannaCry Ransomware BATCH File | https://goo.gl/HG2j5T | 2017-05-12 00:00:00 | 70 | Florian Roth | CRIME,FILE,MAL,RANSOM |
2282 | WannCry_m_vbs | Detects WannaCry Ransomware VBS | https://goo.gl/HG2j5T | 2017-05-12 00:00:00 | 70 | Florian Roth | CRIME,FILE,MAL,RANSOM,SCRIPT |
2283 | WannaCry_RansomNote | Detects WannaCry Ransomware Note | https://goo.gl/HG2j5T | 2017-05-12 00:00:00 | 70 | Florian Roth | CRIME,FILE,MAL,RANSOM |
2284 | WannaCry_Ransomware | Detects WannaCry Ransomware | https://goo.gl/HG2j5T | 2017-05-12 00:00:00 | 70 | Florian Roth (with the help of binar.ly) | CRIME,EXE,FILE,MAL,RANSOM |
2285 | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | https://www.us-cert.gov/ncas/alerts/TA17-132A | 2017-05-12 00:00:00 | 70 | Florian Roth (based on rule by US CERT) | CRIME,EXE,FILE,MAL,RANSOM |
2286 | WaterBug_fa_malware | Symantec Waterbug Attack - FA malware variant | http://t.co/rF35OaAXrl | 2015-01-22 00:00:00 | 70 | Symantec Security Response | |
2287 | WaterBug_sav | Symantec Waterbug Attack - SAV Malware | http://t.co/rF35OaAXrl | 2015-01-22 00:00:00 | 70 | Symantec Security Response | MAL |
2288 | WaterBug_turla_dropper | Symantec Waterbug Attack - Trojan Turla Dropper | http://t.co/rF35OaAXrl | 2015-01-22 00:00:00 | 70 | Symantec Security Response | MAL,RUSSIA |
2289 | WaterBug_wipbot_2013_core_PDF | Symantec Waterbug Attack - Trojan.Wipbot 2014 core PDF | http://t.co/rF35OaAXrl | 2015-01-22 00:00:00 | 70 | Symantec Security Response | MAL |
2290 | WaterBug_wipbot_2013_dll | Symantec Waterbug Attack - Trojan.Wipbot 2014 Down.dll component | http://t.co/rF35OaAXrl | 2015-01-22 00:00:00 | 70 | Symantec Security Response | MAL |
2291 | Waterbear_10_Jun17 | Detects malware from Operation Waterbear | https://goo.gl/L9g9eR | 2017-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
2292 | Waterbear_11_Jun17 | Detects malware from Operation Waterbear | https://goo.gl/L9g9eR | 2017-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
2293 | Waterbear_12_Jun17 | Detects malware from Operation Waterbear | https://goo.gl/L9g9eR | 2017-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
2294 | Waterbear_13_Jun17 | Detects malware from Operation Waterbear | https://goo.gl/L9g9eR | 2017-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
2295 | Waterbear_14_Jun17 | Detects malware from Operation Waterbear | https://goo.gl/L9g9eR | 2017-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
2296 | Waterbear_1_Jun17 | Detects malware from Operation Waterbear | https://goo.gl/L9g9eR | 2017-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
2297 | Waterbear_2_Jun17 | Detects malware from Operation Waterbear | https://goo.gl/L9g9eR | 2017-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
2298 | Waterbear_4_Jun17 | Detects malware from Operation Waterbear | https://goo.gl/L9g9eR | 2017-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
2299 | Waterbear_5_Jun17 | Detects malware from Operation Waterbear | https://goo.gl/L9g9eR | 2017-06-23 00:00:00 | 70 | Florian Roth | FILE |
2300 | Waterbear_6_Jun17 | Detects malware from Operation Waterbear | https://goo.gl/L9g9eR | 2017-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
2301 | Waterbear_7_Jun17 | Detects malware from Operation Waterbear | https://goo.gl/L9g9eR | 2017-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
2302 | Waterbear_8_Jun17 | Detects malware from Operation Waterbear | https://goo.gl/L9g9eR | 2017-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
2303 | Waterbear_9_Jun17 | Detects malware from Operation Waterbear | https://goo.gl/L9g9eR | 2017-06-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
2304 | WebCrack4_RouterPasswordCracking | Chinese Hacktool Set - file WebCrack4-RouterPasswordCracking.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2305 | WebShell_5786d7d9f4b0df731d79ed927fb5a124195fc901 | Detects a web shell | https://github.com/bartblaze/PHP-backdoors | 2016-09-10 00:00:00 | 70 | Florian Roth | FILE,WEBSHELL |
2306 | WebShell_AK_74_Security_Team_Web_Shell_Beta_Version | PHP Webshells Github Archive - file AK-74 Security Team Web Shell Beta Version.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2307 | WebShell_Ayyildiz_Tim___AYT__Shell_v_2_1_Biz | PHP Webshells Github Archive - file Ayyildiz Tim -AYT- Shell v 2.1 Biz.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2308 | WebShell_C99madShell_v__2_0_madnet_edition | PHP Webshells Github Archive - file C99madShell v. 2.0 madnet edition.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2309 | WebShell_CasuS_1_5 | PHP Webshells Github Archive - file CasuS 1.5.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2310 | WebShell_CmdAsp_asp_php | PHP Webshells Github Archive - file CmdAsp.asp.php.txt | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2311 | WebShell_DTool_Pro | PHP Webshells Github Archive - file DTool Pro.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2312 | WebShell_GFS | PHP Webshells Github Archive - from files GFS web-shell ver 3.1.7 - PRiV8.php, Predator.php, GFS_web-shell_ver_3.1.7_-_PRiV8.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2313 | WebShell_Gamma_Web_Shell | PHP Webshells Github Archive - file Gamma Web Shell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2314 | WebShell_Generic_1609_A | Auto-generated rule | https://github.com/bartblaze/PHP-backdoors | 2016-09-10 00:00:00 | 70 | Florian Roth | FILE,GEN,WEBSHELL |
2315 | WebShell_Generic_PHP_10 | PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php, PHPRemoteView.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | GEN,WEBSHELL |
2316 | WebShell_Generic_PHP_11 | PHP Webshells Github Archive - from files rootshell.php, Rootshell.v.1.0.php, s72 Shell v1.1 Coding.php, s72_Shell_v1.1_Coding.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | GEN,WEBSHELL |
2317 | WebShell_Generic_PHP_1 | PHP Webshells Github Archive - from files Dive Shell 1.0 | - | 1970-01-01 01:00:00 | 70 | Florian Roth | GEN,WEBSHELL |
2318 | WebShell_Generic_PHP_2 | PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, Loaderz WEB Shell.php, stres.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | GEN,WEBSHELL |
2319 | WebShell_Generic_PHP_3 | PHP Webshells Github Archive | - | 1970-01-01 01:00:00 | 70 | Florian Roth | GEN,WEBSHELL |
2320 | WebShell_Generic_PHP_4 | PHP Webshells Github Archive - from files CrystalShell v.1.php, load_shell.php, nshell.php, Loaderz WEB Shell.php, stres.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | GEN,WEBSHELL |
2321 | WebShell_Generic_PHP_6 | PHP Webshells Github Archive | - | 1970-01-01 01:00:00 | 70 | Florian Roth | GEN,WEBSHELL |
2322 | WebShell_Generic_PHP_7 | PHP Webshells Github Archive | - | 1970-01-01 01:00:00 | 70 | Florian Roth | GEN,WEBSHELL |
2323 | WebShell_Generic_PHP_8 | PHP Webshells Github Archive | - | 1970-01-01 01:00:00 | 70 | Florian Roth | GEN,WEBSHELL |
2324 | WebShell_Generic_PHP_9 | PHP Webshells Github Archive - from files KAdot Universal Shell v0.1.6.php, KAdot_Universal_Shell_v0.1.6.php, KA_uShell 0.1.6.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | GEN,WEBSHELL |
2325 | WebShell_JexBoss_JSP_1 | Detects JexBoss JSPs | Internal Research | 2018-11-08 00:00:00 | 70 | Florian Roth | FILE,WEBSHELL |
2326 | WebShell_JexBoss_WAR_1 | Detects JexBoss versions in WAR form | Internal Research | 2018-11-08 00:00:00 | 70 | Florian Roth | FILE,WEBSHELL |
2327 | WebShell_JspWebshell_1_2 | PHP Webshells Github Archive - file JspWebshell_1.2.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2328 | WebShell_JspWebshell_1_2_2 | PHP Webshells Github Archive - file JspWebshell 1.2.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2329 | WebShell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit | PHP Webshells Github Archive - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2330 | WebShell_Moroccan_Spamers_Ma_EditioN_By_GhOsT | PHP Webshells Github Archive - file Moroccan Spamers Ma-EditioN By GhOsT.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2331 | WebShell_NCC_Shell | PHP Webshells Github Archive - file NCC-Shell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2332 | WebShell_NTDaddy_v1_9 | PHP Webshells Github Archive - file NTDaddy v1.9.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2333 | WebShell_PHANTASMA | PHP Webshells Github Archive - file PHANTASMA.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2334 | WebShell_PHP_Web_Kit_v3 | Detects PAS Tool PHP Web Kit | https://github.com/wordfence/grizzly | 2016-01-01 00:00:00 | 70 | Florian Roth | |
2335 | WebShell_PHP_Web_Kit_v4 | Detects PAS Tool PHP Web Kit | https://github.com/wordfence/grizzly | 2016-01-01 00:00:00 | 70 | Florian Roth | |
2336 | WebShell_PhpSpy_Ver_2006 | PHP Webshells Github Archive - file PhpSpy Ver 2006.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2337 | WebShell_RemExp_asp_php | PHP Webshells Github Archive - file RemExp.asp.php.txt | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2338 | WebShell_STNC_WebShell_v0_8 | PHP Webshells Github Archive - file STNC WebShell v0.8.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2339 | WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 | PHP Webshells Github Archive - file Safe_Mode_Bypass_PHP_4.4.2_and_PHP_5.1.2.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2340 | WebShell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2_2 | PHP Webshells Github Archive - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2341 | WebShell_SimAttacker___Vrsion_1_0_0___priv8_4_My_friend | PHP Webshells Github Archive - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2342 | WebShell_Simple_PHP_backdoor_by_DK | PHP Webshells Github Archive - file Simple_PHP_backdoor_by_DK.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | MAL,WEBSHELL |
2343 | WebShell_Sincap_1_0 | PHP Webshells Github Archive - file Sincap 1.0.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2344 | WebShell_Uploader | PHP Webshells Github Archive - file Uploader.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2345 | WebShell_Web_shell__c_ShAnKaR | PHP Webshells Github Archive - file Web-shell (c)ShAnKaR.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2346 | WebShell_WinX_Shell | PHP Webshells Github Archive - file WinX Shell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2347 | WebShell_Worse_Linux_Shell | PHP Webshells Github Archive - file Worse Linux Shell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | LINUX,WEBSHELL |
2348 | WebShell_ZyklonShell | PHP Webshells Github Archive - file ZyklonShell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2349 | WebShell__Ajax_PHP_Command_Shell_Ajax_PHP_Command_Shell_soldierofallah | PHP Webshells Github Archive - from files Ajax_PHP Command Shell.php, Ajax_PHP_Command_Shell.php, soldierofallah.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2350 | WebShell__CrystalShell_v_1_erne_stres | PHP Webshells Github Archive - from files CrystalShell v.1.php, erne.php, stres.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2351 | WebShell__CrystalShell_v_1_sosyete_stres | PHP Webshells Github Archive - from files CrystalShell v.1.php, sosyete.php, stres.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2352 | WebShell__Cyber_Shell_cybershell_Cyber_Shell__v_1_0_ | PHP Webshells Github Archive - from files Cyber Shell.php, cybershell.php, Cyber Shell (v 1.0).php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2353 | WebShell__PH_Vayv_PHVayv_PH_Vayv | PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2354 | WebShell__PH_Vayv_PHVayv_PH_Vayv_klasvayv_asp_php | PHP Webshells Github Archive - from files PH Vayv.php, PHVayv.php, PH_Vayv.php, klasvayv.asp.php.txt | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2355 | WebShell__Small_Web_Shell_by_ZaCo_small_zaco_zacosmall | PHP Webshells Github Archive - from files Small Web Shell by ZaCo.php, small.php, zaco.php, zacosmall.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2356 | WebShell__findsock_php_findsock_shell_php_reverse_shell | PHP Webshells Github Archive - from files findsock.c, php-findsock-shell.php, php-reverse-shell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2357 | WebShell_aZRaiLPhp_v1_0 | PHP Webshells Github Archive - file aZRaiLPhp v1.0.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2358 | WebShell_accept_language | PHP Webshells Github Archive - file accept_language.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2359 | WebShell_b374k_mini_shell_php_php | PHP Webshells Github Archive - file b374k-mini-shell-php.php.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2360 | WebShell_b374k_php | PHP Webshells Github Archive - file b374k.php.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2361 | WebShell_backupsql | PHP Webshells Github Archive - file backupsql.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2362 | WebShell_c99_locus7s | PHP Webshells Github Archive - file c99_locus7s.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2363 | WebShell_c99_madnet | PHP Webshells Github Archive - file c99_madnet.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2364 | WebShell_cgi | Semi-Auto-generated - file WebShell.cgi.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2365 | WebShell_cgitelnet | PHP Webshells Github Archive - file cgitelnet.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2366 | WebShell_dC3_Security_Crew_Shell_PRiV | PHP Webshells Github Archive - file dC3_Security_Crew_Shell_PRiV.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2367 | WebShell_dC3_Security_Crew_Shell_PRiV_2 | PHP Webshells Github Archive - file dC3 Security Crew Shell PRiV.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2368 | WebShell_ftpsearch | PHP Webshells Github Archive - file ftpsearch.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2369 | WebShell_g00nshell_v1_3 | PHP Webshells Github Archive - file g00nshell-v1.3.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2370 | WebShell_go_shell | PHP Webshells Github Archive - file go-shell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2371 | WebShell_h4ntu_shell__powered_by_tsoi_ | PHP Webshells Github Archive - file h4ntu shell [powered by tsoi].php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2372 | WebShell_hiddens_shell_v1 | PHP Webshells Github Archive - file hiddens shell v1.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2373 | WebShell_indexer_asp_php | PHP Webshells Github Archive - file indexer.asp.php.txt | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2374 | WebShell_ironshell | PHP Webshells Github Archive - file ironshell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2375 | WebShell_lamashell | PHP Webshells Github Archive - file lamashell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2376 | WebShell_mysql_tool | PHP Webshells Github Archive - file mysql_tool.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2377 | WebShell_php_backdoor | PHP Webshells Github Archive - file php-backdoor.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | MAL,WEBSHELL |
2378 | WebShell_php_include_w_shell | PHP Webshells Github Archive - file php-include-w-shell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2379 | WebShell_php_webshells_529 | PHP Webshells Github Archive - file 529.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2380 | WebShell_php_webshells_MyShell | PHP Webshells Github Archive - file MyShell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2381 | WebShell_php_webshells_NGH | PHP Webshells Github Archive - file NGH.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2382 | WebShell_php_webshells_README | PHP Webshells Github Archive - file README.md | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2383 | WebShell_php_webshells_aspydrv | PHP Webshells Github Archive - file aspydrv.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2384 | WebShell_php_webshells_cpanel | PHP Webshells Github Archive - file cpanel.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2385 | WebShell_php_webshells_cw | PHP Webshells Github Archive - file cw.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2386 | WebShell_php_webshells_kral | PHP Webshells Github Archive - file kral.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2387 | WebShell_php_webshells_lolipop | PHP Webshells Github Archive - file lolipop.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2388 | WebShell_php_webshells_lostDC | PHP Webshells Github Archive - file lostDC.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2389 | WebShell_php_webshells_matamu | PHP Webshells Github Archive - file matamu.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2390 | WebShell_php_webshells_myshell | PHP Webshells Github Archive - file myshell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2391 | WebShell_php_webshells_pHpINJ | PHP Webshells Github Archive - file pHpINJ.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2392 | WebShell_php_webshells_pws | PHP Webshells Github Archive - file pws.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2393 | WebShell_php_webshells_spygrup | PHP Webshells Github Archive - file spygrup.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2394 | WebShell_php_webshells_tryag | PHP Webshells Github Archive - file tryag.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2395 | WebShell_qsd_php_backdoor | PHP Webshells Github Archive - file qsd-php-backdoor.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | MAL,WEBSHELL |
2396 | WebShell_reader_asp_php | PHP Webshells Github Archive - file reader.asp.php.txt | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2397 | WebShell_ru24_post_sh | PHP Webshells Github Archive - file ru24_post_sh.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2398 | WebShell_safe0ver | PHP Webshells Github Archive - file safe0ver.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2399 | WebShell_simattacker | PHP Webshells Github Archive - file simattacker.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2400 | WebShell_simple_backdoor | PHP Webshells Github Archive - file simple-backdoor.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | MAL,WEBSHELL |
2401 | WebShell_simple_cmd | PHP Webshells Github Archive - file simple_cmd.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2402 | WebShell_toolaspshell | PHP Webshells Github Archive - file toolaspshell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2403 | WebShell_webshells_zehir4 | Webshells Github Archive - file zehir4 | - | 1970-01-01 01:00:00 | 55 | Florian Roth | WEBSHELL |
2404 | WebShell_zehir4_asp_php | PHP Webshells Github Archive - file zehir4.asp.php.txt | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2405 | Webshell_27_9_acid_c99_locus7s | Detects Webshell - rule generated from files 27.9.txt, acid.php, c99_locus7s.txt | https://github.com/nikicat/web-malware-collection | 2016-01-11 00:00:00 | 70 | Florian Roth | WEBSHELL |
2406 | Webshell_27_9_c66_c99 | Detects Webshell - rule generated from files 27.9.txt, c66.php, c99-shadows-mod.php, c99.php ... | https://github.com/nikicat/web-malware-collection | 2016-01-11 00:00:00 | 70 | Florian Roth | WEBSHELL |
2407 | Webshell_AcidPoison | Detects Poison Sh3ll - Webshell | https://github.com/nikicat/web-malware-collection | 2016-01-11 00:00:00 | 70 | Florian Roth | WEBSHELL |
2408 | Webshell_Ayyildiz | Detects Webshell | https://github.com/nikicat/web-malware-collection | 2016-01-11 00:00:00 | 70 | Florian Roth | WEBSHELL |
2409 | Webshell_Backdoor_PHP_Agent_r57_mod_bizzz_shell_r57 | Detects Webshell - rule generated from files Backdoor.PHP.Agent.php, r57.mod-bizzz.shell.txt ... | https://github.com/nikicat/web-malware-collection | 2016-01-11 00:00:00 | 70 | Florian Roth | MAL,WEBSHELL |
2410 | Webshell_Caterpillar_ASPX | Volatile Cedar Webshell - from file caterpillar.aspx | http://goo.gl/emons5 | 2015-04-03 00:00:00 | 70 | Florian Roth | MIDDLE_EAST,WEBSHELL |
2411 | Webshell_FOPO_Obfuscation_APT_ON_Nov17_1 | Detects malware from NK APT incident DE | Internal Research - ON | 2017-11-17 00:00:00 | 70 | Florian Roth | APT,FILE,OBFUS,WEBSHELL |
2412 | Webshell_Insomnia | Insomnia Webshell - file InsomniaShell.aspx | http://www.darknet.org.uk/2014/12/insomniashell-asp-net-reverse-shell-bind-shell/ | 2014-12-09 00:00:00 | 80 | Florian Roth | WEBSHELL |
2413 | Webshell_Tiny_JSP_2 | Detects a tiny JSP webshell - China Chopper | - | 2015-12-05 00:00:00 | 100 | Florian Roth | FILE,WEBSHELL |
2414 | Webshell_acid_AntiSecShell_3 | Detects Webshell Acid | https://github.com/nikicat/web-malware-collection | 2016-01-11 00:00:00 | 70 | Florian Roth | WEBSHELL |
2415 | Webshell_acid_FaTaLisTiCz_Fx_fx_p0isoN_sh3ll_x0rg_byp4ss_256 | Detects Webshell | https://github.com/nikicat/web-malware-collection | 2016-01-11 00:00:00 | 70 | Florian Roth | WEBSHELL |
2416 | Webshell_and_Exploit_CN_APT_HK | Webshell and exploit code related to an APT campaign against Hong Kong protesters | - | 2014-10-10 00:00:00 | 50 | Florian Roth | APT,WEBSHELL |
2417 | Webshell_c100 | Detects Webshell - rule generated from files c100 v. 777shell | https://github.com/nikicat/web-malware-collection | 2016-01-11 00:00:00 | 70 | Florian Roth | WEBSHELL |
2418 | Webshell_c99_4 | Detects C99 Webshell | https://github.com/nikicat/web-malware-collection | 2016-01-11 00:00:00 | 70 | Florian Roth | WEBSHELL |
2419 | Webshell_r57shell_2 | Detects Webshell R57 | https://github.com/nikicat/web-malware-collection | 2016-01-11 00:00:00 | 70 | Florian Roth | WEBSHELL |
2420 | Webshell_zehir | Detects Webshell - rule generated from files elmaliseker.asp, zehir.asp, zehir.txt, zehir4.asp, zehir4.txt | https://github.com/nikicat/web-malware-collection | 2016-01-11 00:00:00 | 70 | Florian Roth | WEBSHELL |
2421 | Weevely_Webshell | Weevely Webshell - Generic Rule - heavily scrambled tiny web shell | http://www.ehacking.net/2014/12/weevely-php-stealth-web-backdoor-kali.html | 2014-12-14 00:00:00 | 60 | Florian Roth | GEN,WEBSHELL |
2422 | WildNeutron_Sample_10 | Wild Neutron APT Sample Rule - file 1d3bdabb350ba5a821849893dabe5d6056bf7ba1ed6042d93174ceeaa5d6dad7 | https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/ | 2015-07-10 00:00:00 | 60 | Florian Roth | APT,EXE,FILE |
2423 | WildNeutron_Sample_1 | Wild Neutron APT Sample Rule - file 2b5065a3d0e0b8252a987ef5f29d9e1935c5863f5718b83440e68dc53c21fa94 | https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/ | 2015-07-10 00:00:00 | 60 | Florian Roth | APT,EXE,FILE |
2424 | WildNeutron_Sample_2 | Wild Neutron APT Sample Rule - file 8d80f9ef55324212759f4b6070cb8fce18a008ae9dd8b9598553206654d13a6f | https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/ | 2015-07-10 00:00:00 | 60 | Florian Roth | APT,EXE,FILE |
2425 | WildNeutron_Sample_3 | Wild Neutron APT Sample Rule - file c2c761cde3175f6e40ed934f2e82c76602c81e2128187bab61793ddb3bc686d0 | https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/ | 2015-07-10 00:00:00 | 60 | Florian Roth | APT,EXE,FILE |
2426 | WildNeutron_Sample_4 | Wild Neutron APT Sample Rule - file b4005530193bc523d3e0193c3c53e2737ae3bf9f76d12c827c0b5cd0dcbaae45 | https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/ | 2015-07-10 00:00:00 | 60 | Florian Roth | APT,EXE,FILE |
2427 | WildNeutron_Sample_5 | Wild Neutron APT Sample Rule - file 1604e36ccef5fa221b101d7f043ad7f856b84bf1a80774aa33d91c2a9a226206 | https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/ | 2015-07-10 00:00:00 | 60 | Florian Roth | APT,EXE,FILE |
2428 | WildNeutron_Sample_6 | Wild Neutron APT Sample Rule - file 4bd548fe07b19178281edb1ee81c9711525dab03dc0b6676963019c44cc75865 | https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/ | 2015-07-10 00:00:00 | 60 | Florian Roth | APT,EXE,FILE |
2429 | WildNeutron_Sample_7 | Wild Neutron APT Sample Rule - file a14d31eb965ea8a37ebcc3b5635099f2ca08365646437c770212d534d504ff3c | https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/ | 2015-07-10 00:00:00 | 60 | Florian Roth | APT,EXE,FILE |
2430 | WildNeutron_Sample_9 | Wild Neutron APT Sample Rule - file 781eb1e17349009fbae46aea5c59d8e5b68ae0b42335cb035742f6b0f4e4087e | https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/ | 2015-07-10 00:00:00 | 60 | Florian Roth | APT,EXE,FILE |
2431 | WildNeutron_javacpl | Wild Neutron APT Sample Rule | https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/ | 2015-07-10 00:00:00 | 60 | Florian Roth | APT,EXE,FILE |
2432 | WiltedTulip_Matryoshka_RAT | Detects Matryoshka RAT used in Operation Wilted Tulip | http://www.clearskysec.com/tulip | 2017-07-23 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2433 | WiltedTulip_Netsrv_netsrvs | Detects sample from Operation Wilted Tulip | http://www.clearskysec.com/tulip | 2017-07-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
2434 | WiltedTulip_ReflectiveLoader | Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | http://www.clearskysec.com/tulip | 2017-07-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
2435 | WiltedTulip_SilverlightMSI | Detects PowerShell tool called Get_AD_Users_Logon_History used in Operation Wilted Tulip | http://www.clearskysec.com/tulip | 2017-07-23 00:00:00 | 70 | Florian Roth | |
2436 | WiltedTulip_Tools_back | Detects Chrome password dumper used in Operation Wilted Tulip | http://www.clearskysec.com/tulip | 2017-07-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
2437 | WiltedTulip_Tools_clrlg | Detects Windows eventlog cleaner used in Operation Wilted Tulip - file clrlg.bat | http://www.clearskysec.com/tulip | 2017-07-23 00:00:00 | 70 | Florian Roth | |
2438 | WiltedTulip_WindowsTask | Detects hack tool used in Operation Wilted Tulip - Windows Tasks | http://www.clearskysec.com/tulip | 2017-07-23 00:00:00 | 70 | Florian Roth | |
2439 | WiltedTulip_Windows_UM_Task | Detects a Windows scheduled task as used in Operation Wilted Tulip | http://www.clearskysec.com/tulip | 2017-07-23 00:00:00 | 70 | Florian Roth | |
2440 | WiltedTulip_Zpp | Detects hack tool used in Operation Wilted Tulip | http://www.clearskysec.com/tulip | 2017-07-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
2441 | WiltedTulip_matryoshka_Injector | Detects hack tool used in Operation Wilted Tulip | http://www.clearskysec.com/tulip | 2017-07-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
2442 | WiltedTulip_powershell | Detects powershell script used in Operation Wilted Tulip | http://www.clearskysec.com/tulip | 2017-07-23 00:00:00 | 70 | Florian Roth | |
2443 | WiltedTulip_tdtess | Detects malicious service used in Operation Wilted Tulip | http://www.clearskysec.com/tulip | 2017-07-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
2444 | WiltedTulip_vminst | Detects malware used in Operation Wilted Tulip | http://www.clearskysec.com/tulip | 2017-07-23 00:00:00 | 70 | Florian Roth | EXE,FILE |
2445 | Win32_Buzus_Softpulse | Trojan Buzus / Softpulse | - | 2015-05-13 00:00:00 | 75 | Florian Roth | EXE,FILE,MAL |
2446 | Win32_klock | Chinese Hacktool Set - file klock.dll | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2447 | Win7Elevatev2 | Detects Win7Elevate - Windows UAC bypass utility | http://www.pretentiousname.com/misc/W7E_Source/Win7Elevate_Inject.cpp.html | 2015-05-14 00:00:00 | 60 | Florian Roth | EXE,FILE |
2448 | WinAgent_BadPatch_1 | Detects samples mentioned in BadPatch report | https://goo.gl/RvDwwA | 2017-10-20 00:00:00 | 70 | Florian Roth | EXE,FILE |
2449 | WinAgent_BadPatch_2 | Detects samples mentioned in BadPatch report | https://goo.gl/RvDwwA | 2017-10-20 00:00:00 | 70 | Florian Roth | EXE,FILE |
2450 | WinDivert_Driver | Detects WinDivert User-Mode packet capturing driver | https://www.reqrypt.org/windivert.html | 2017-10-02 00:00:00 | 40 | Florian Roth | EXE,FILE |
2451 | WinEggDropShellFinal_zip_Folder_InjectT | Disclosed hacktool set (old stuff) - file InjectT.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2452 | WinPayloads_Payload | Detects WinPayloads Payload | https://github.com/nccgroup/Winpayloads | 2017-07-11 00:00:00 | 70 | Florian Roth | EXE,FILE |
2453 | WinPayloads_PowerShell | Detects WinPayloads PowerShell Payload | https://github.com/nccgroup/Winpayloads | 2017-07-11 00:00:00 | 70 | Florian Roth | SCRIPT |
2454 | WinRAR_SFX_Anomaly | Detects WinRAR SFX content with the product name of major vendor's tools (sus) | - | 2016-03-24 00:00:00 | 30 | Florian Roth | EXE,FILE |
2455 | WinX_Shell_html | Semi-Auto-generated - file WinX Shell.html.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2456 | Win_PrivEsc_ADACLScan4_3 | Detects a tool that can be used for privilege escalation - file ADACLScan4.3.ps1 | https://adaclscan.codeplex.com/ | 2016-06-02 00:00:00 | 60 | Florian Roth | |
2457 | Win_PrivEsc_folderperm | Detects a tool that can be used for privilege escalation - file folderperm.ps1 | http://www.greyhathacker.net/?p=738 | 2016-06-02 00:00:00 | 80 | Florian Roth | |
2458 | Win_PrivEsc_gp3finder_v4_0 | Detects a tool that can be used for privilege escalation - file gp3finder_v4.0.exe | http://grimhacker.com/2015/04/10/gp3finder-group-policy-preference-password-finder/ | 2016-06-02 00:00:00 | 80 | Florian Roth | EXE,FILE |
2459 | WindosShell_s1 | Detects simple Windows shell - file s1.exe | https://github.com/odzhan/shells/ | 2016-03-26 00:00:00 | 70 | Florian Roth | EXE,FILE |
2460 | WindowsCredentialEditor | Windows Credential Editor | - | 1970-01-01 01:00:00 | 90 | - | HKTL |
2461 | WindowsShell_Gen2 | Detects simple Windows shell - from files s3.exe, s4.exe | https://github.com/odzhan/shells/ | 2016-03-26 00:00:00 | 70 | Florian Roth | EXE,FILE |
2462 | WindowsShell_Gen | Detects simple Windows shell - from files keygen.exe, s1.exe, s2.exe, s3.exe, s4.exe | https://github.com/odzhan/shells/ | 2016-03-26 00:00:00 | 70 | Florian Roth | EXE,FILE |
2463 | WindowsShell_s3 | Detects simple Windows shell - file s3.exe | https://github.com/odzhan/shells/ | 2016-03-26 00:00:00 | 70 | Florian Roth | EXE,FILE |
2464 | WindowsShell_s4 | Detects simple Windows shell - file s4.exe | https://github.com/odzhan/shells/ | 2016-03-26 00:00:00 | 70 | Florian Roth | EXE,FILE |
2465 | Winexe_RemoteExecution | Winexe tool used by Sofacy group in several APT cases | http://dokumente.linksfraktion.de/inhalt/report-orig.pdf | 2015-06-19 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,RUSSIA |
2466 | Winnti_NlaifSvc | Winnti sample - file NlaifSvc.dll | https://goo.gl/VbvJtL | 2017-01-25 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE |
2467 | Winnti_fonfig | Winnti sample - file fonfig.exe | https://goo.gl/VbvJtL | 2017-01-25 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE |
2468 | Winnti_malware_FWPK | Detects a Winnti malware - FWPKCLNT.SYS | VTI research | 2015-10-10 00:00:00 | 75 | Florian Roth | CHINA,EXE,FILE |
2469 | Winnti_malware_Nsiproxy | Detects a Winnti rootkit | - | 2015-10-10 00:00:00 | 75 | Florian Roth | CHINA,EXE,FILE |
2470 | Winnti_malware_StreamPortal_Gen | Detects a Winnti malware - Streamportal | VTI research | 2015-10-10 00:00:00 | 75 | Florian Roth | CHINA,EXE,FILE |
2471 | Winnti_malware_UpdateDLL | Detects a Winnti malware - Update.dll | VTI research | 2015-10-10 00:00:00 | 75 | Florian Roth | CHINA,EXE,FILE |
2472 | Winnti_signing_cert | Detects a signing certificate used by the Winnti APT group | https://securelist.com/analysis/publications/72275/i-am-hdroot-part-1/ | 2015-10-10 00:00:00 | 75 | Florian Roth | APT,CHINA,EXE,FILE |
2473 | WoolenGoldfish_Generic_1 | Detects an operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ | http://goo.gl/NpJpVZ | 2015-03-25 00:00:00 | 90 | Florian Roth | GEN |
2474 | WoolenGoldfish_Generic_2 | Detects an operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ | http://goo.gl/NpJpVZ | 2015-03-25 00:00:00 | 90 | Florian Roth | GEN |
2475 | WoolenGoldfish_Generic_3 | Detects an operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ | http://goo.gl/NpJpVZ | 2015-03-25 00:00:00 | 90 | Florian Roth | GEN |
2476 | WoolenGoldfish_Sample_1 | Detects an operation Woolen-Goldfish sample - http://goo.gl/NpJpVZ | http://goo.gl/NpJpVZ | 2015-03-25 00:00:00 | 60 | Florian Roth | |
2477 | WordDoc_PowerShell_URLDownloadToFile | Detects Word Document with PowerShell URLDownloadToFile | https://www.arbornetworks.com/blog/asert/additional-insights-shamoon2/ | 2017-02-23 00:00:00 | 70 | Florian Roth | FILE,OFFICE,SCRIPT |
2478 | Wordpress_Config_Webshell_Preprend | Webshell that uses the standard Wordpress wp-config.php file and prepends the malicious code in front of it | Internal Research | 2017-06-25 00:00:00 | 65 | Florian Roth | FILE,OFFICE,WEBSHELL |
2479 | Worse_Linux_Shell_php | Semi-Auto-generated - file Worse Linux Shell.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | LINUX,WEBSHELL |
2480 | XMRIG_Monero_Miner | Detects Monero mining software | https://github.com/xmrig/xmrig/releases | 2018-01-04 00:00:00 | 70 | Florian Roth | EXE,FILE |
2481 | XMRIG_Monero_Miner_Config | Auto-generated rule - from files config.json, config.json | https://github.com/xmrig/xmrig/releases | 2018-01-04 00:00:00 | 70 | Florian Roth | FILE |
2482 | XOR_4byte_Key | Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan) | http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family | 2015-12-15 00:00:00 | 60 | Florian Roth | EXE,FILE,MAL |
2483 | XScanLib | Chinese Hacktool Set - file XScanLib.dll | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2484 | XYZCmd_zip_Folder_Readme | Disclosed hacktool set (old stuff) - file Readme.txt | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2485 | XYZCmd_zip_Folder_XYZCmd | Disclosed hacktool set (old stuff) - file XYZCmd.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2486 | Xtreme_RAT_Gen_Imp | Detects XTREME sample analyzed in September 2017 | Internal Research | 2017-09-27 00:00:00 | 70 | Florian Roth | EXE,FILE,GEN,MAL |
2487 | Xtreme_Sep17_1 | Detects XTREME sample analyzed in September 2017 | Internal Research | 2017-09-27 00:00:00 | 70 | Florian Roth | EXE,FILE |
2488 | Xtreme_Sep17_2 | Detects XTREME sample analyzed in September 2017 | Internal Research | 2017-09-27 00:00:00 | 70 | Florian Roth | EXE,FILE |
2489 | Xtreme_Sep17_3 | Detects XTREME sample analyzed in September 2017 | Internal Research | 2017-09-27 00:00:00 | 70 | Florian Roth | EXE,FILE |
2490 | Ysoserial_Payload | Ysoserial Payloads | https://github.com/frohoff/ysoserial | 2017-02-04 00:00:00 | 70 | Florian Roth | FILE |
2491 | Ysoserial_Payload_3 | Ysoserial Payloads - from files JavassistWeld1.bin, JBossInterceptors.bin | https://github.com/frohoff/ysoserial | 2017-02-04 00:00:00 | 70 | Florian Roth | FILE |
2492 | Ysoserial_Payload_C3P0 | Ysoserial Payloads - file C3P0.bin | https://github.com/frohoff/ysoserial | 2017-02-04 00:00:00 | 70 | Florian Roth | FILE |
2493 | Ysoserial_Payload_MozillaRhino1 | Ysoserial Payloads - file MozillaRhino1.bin | https://github.com/frohoff/ysoserial | 2017-02-04 00:00:00 | 70 | Florian Roth | FILE |
2494 | Ysoserial_Payload_Spring1 | Ysoserial Payloads - file Spring1.bin | https://github.com/frohoff/ysoserial | 2017-02-04 00:00:00 | 70 | Florian Roth | |
2495 | ZXshell2_0_rar_Folder_ZXshell | Webshells Auto-generated - file ZXshell.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2496 | ZXshell2_0_rar_Folder_nc | Webshells Auto-generated - file nc.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2497 | ZXshell2_0_rar_Folder_zxrecv | Webshells Auto-generated - file zxrecv.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2498 | ZXshell_20171211_chrsben | Detects ZxShell variant surfaced in Dec 17 | https://goo.gl/snc85M | 2017-12-11 00:00:00 | 70 | Florian Roth | EXE,FILE |
2499 | Z_WebShell | Detects Z Webshell from NCSC report | https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control | 2018-04-06 00:00:00 | 70 | NCSC | WEBSHELL |
2500 | Zehir_4_asp | Semi-Auto-generated - file Zehir 4.asp.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2501 | Zeus_Panda | Detects ZEUS Panda Malware | https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf | 2017-08-04 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,MAL |
2502 | ZxShell_Jul17 | Detects a ZxShell - CN threat group | https://blogs.rsa.com/cat-phishing/ | 2017-07-08 00:00:00 | 70 | Florian Roth | |
2503 | ZxShell_Related_Malware_CN_Group_Jul17_1 | Detects a ZxShell related sample from a CN threat group | https://blogs.rsa.com/cat-phishing/ | 2017-07-08 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2504 | ZxShell_Related_Malware_CN_Group_Jul17_2 | Detects a ZxShell related sample from a CN threat group | https://blogs.rsa.com/cat-phishing/ | 2017-07-08 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2505 | ZxShell_Related_Malware_CN_Group_Jul17_3 | Detects a ZxShell related sample from a CN threat group | https://blogs.rsa.com/cat-phishing/ | 2017-07-08 00:00:00 | 70 | Florian Roth | EXE,FILE,MAL |
2506 | _1_c2007_php_php_c100_php | Semi-Auto-generated - from files 1.txt, c2007.php.php.txt, c100.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2507 | _Bitchin_Threads_ | Auto-generated rule on file =Bitchin Threads=.exe | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator by Florian Roth | HKTL |
2508 | _Crystal_php_nshell_php_php_load_shell_php_php | Semi-Auto-generated - from files Crystal.php.txt, nshell.php.php.txt, load_shell.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2509 | _FsHttp_FsPop_FsSniffer | Disclosed hacktool set (old stuff) - from files FsHttp.exe, FsPop.exe, FsSniffer.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2510 | _GFS_web_shell_ver_3_1_7___PRiV8_php_nshell_php_php_gfs_sh_php_php | Semi-Auto-generated - from files GFS web-shell ver 3.1.7 - PRiV8.php.txt, nshell.php.php.txt, gfs_sh.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2511 | _Project1_Generate_rejoice | Chinese Hacktool Set - from files Project1.exe, Generate.exe, rejoice.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,GEN,HKTL |
2512 | _antichat_php_php_Fatalshell_php_php_a_gedit_php_php | Semi-Auto-generated - from files antichat.php.php.txt, Fatalshell.php.php.txt, a_gedit.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2513 | _c99shell_v1_0_php_php_c99php_1_c2007_php_php_c100_php | Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, 1.txt, c2007.php.php.txt, c100.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2514 | _c99shell_v1_0_php_php_c99php_SsEs_php_php | Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2515 | _c99shell_v1_0_php_php_c99php_SsEs_php_php_ctt_sh_php_php | Semi-Auto-generated - from files c99shell_v1.0.php.php.txt, c99php.txt, SsEs.php.php.txt, ctt_sh.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2516 | _hscan_hscan_hscangui | Chinese Hacktool Set - from files hscan.exe, hscan.exe, hscangui.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2517 | _iissample_nesscan_twwwscan | Disclosed hacktool set (old stuff) - from files iissample.exe, nesscan.exe, twwwscan.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2518 | _network_php_php_xinfo_php_php_nfm_php_php | Semi-Auto-generated - from files network.php.php.txt, xinfo.php.php.txt, nfm.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2519 | _nixrem_php_php_c99shell_v1_0_php_php_c99php_NIX_REMOTE_WEB_SHELL_v_0_5_alpha_Lite_Public_Version_php | Semi-Auto-generated | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2520 | _nst_php_php_cybershell_php_php_img_php_php_nstview_php_php | Semi-Auto-generated - from files nst.php.php.txt, cybershell.php.php.txt, img.php.php.txt, nstview.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2521 | _nst_php_php_img_php_php_nstview_php_php | Semi-Auto-generated - from files nst.php.php.txt, img.php.php.txt, nstview.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2522 | _r577_php_php_SnIpEr_SA_Shell_php_r57_php_php | Semi-Auto-generated - from files r577.php.php.txt, SnIpEr_SA Shell.php.txt, r57.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2523 | _r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php | Semi-Auto-generated | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2524 | _r577_php_php_SnIpEr_SA_Shell_php_r57_php_php_spy_php_php_s_php_php | Semi-Auto-generated | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2525 | _r577_php_php_r57_Shell_php_php_spy_php_php_s_php_php | Semi-Auto-generated - from files r577.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2526 | _r577_php_php_r57_php_php_r57_Shell_php_php_spy_php_php_s_php_php | Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, r57 Shell.php.php.txt, spy.php.php.txt, s.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2527 | _r577_php_php_r57_php_php_spy_php_php_s_php_php | Semi-Auto-generated - from files r577.php.php.txt, r57.php.php.txt, spy.php.php.txt, s.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2528 | _r577_php_php_spy_php_php_s_php_php | Semi-Auto-generated - from files r577.php.php.txt, spy.php.php.txt, s.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2529 | _root_040_zip_Folder_deploy | Webshells Auto-generated - file deploy.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2530 | _w_php_php_c99madshell_v2_1_php_php_wacking_php_php | Semi-Auto-generated - from files w.php.php.txt, c99madshell_v2.1.php.php.txt, wacking.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2531 | _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_1_SpecialShell_99_php_php | Semi-Auto-generated | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2532 | _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_SpecialShell_99_php_php | Semi-Auto-generated | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2533 | _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_SsEs_php_php_SpecialShell_99_php_php | Semi-Auto-generated | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2534 | _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_SpecialShell_99_php_php | Semi-Auto-generated | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2535 | _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php | Semi-Auto-generated | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2536 | _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php | Semi-Auto-generated | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2537 | _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_dC3_Security_Crew_Shell_PRiV_php_SpecialShell_99_php_php | Semi-Auto-generated | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2538 | _w_php_php_wacking_php_php_SpecialShell_99_php_php | Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, SpecialShell_99.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2539 | _w_php_php_wacking_php_php_SsEs_php_php_SpecialShell_99_php_php | Semi-Auto-generated - from files w.php.php.txt, wacking.php.php.txt, SsEs.php.php.txt, SpecialShell_99.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2540 | _w_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php | Semi-Auto-generated | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2541 | _wacking_php_php_1_SpecialShell_99_php_php_c100_php | Semi-Auto-generated - from files wacking.php.php.txt, 1.txt, SpecialShell_99.php.php.txt, c100.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2542 | aZRaiLPhp_v1_0_php | Semi-Auto-generated - file aZRaiLPhp v1.0.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2543 | adjustcr | Webshells Auto-generated - file adjustcr.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2544 | admin_ad | Webshells Auto-generated - file admin-ad.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2545 | ak74shell_php_php | Semi-Auto-generated - file ak74shell.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2546 | aolipsniffer | Auto-generated rule on file aolipsniffer.exe | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator by Florian Roth | HKTL |
2547 | apt28_win_zebrocy_golang_loader_modified | Detects unpacked modified APT28/Sofacy Zebrocy Golang. | https://www.vkremez.com/2018/12/lets-learn-progression-of-apt28sofacy.html | 2018-12-25 00:00:00 | 70 | @VK_Intel | APT,EXE,FILE,RUSSIA |
2548 | apt_ProjectSauron_MyTrampoline | Rule to detect ProjectSauron MyTrampoline module | https://securelist.com/blog/ | 1970-01-01 01:00:00 | 70 | - | FILE |
2549 | apt_ProjectSauron_encrypted_LSA | Rule to detect ProjectSauron encrypted LSA samples | https://securelist.com/blog/ | 1970-01-01 01:00:00 | 70 | - | EXTVAR,FILE |
2550 | apt_ProjectSauron_encrypted_SSPI | Rule to detect encrypted ProjectSauron SSPI samples | https://securelist.com/blog/ | 1970-01-01 01:00:00 | 70 | - | EXTVAR,FILE |
2551 | apt_ProjectSauron_encrypted_container | Rule to detect ProjectSauron encrypted container samples | https://securelist.com/blog/ | 1970-01-01 01:00:00 | 70 | - | EXTVAR,FILE |
2552 | apt_ProjectSauron_encryption | Rule to detect ProjectSauron string encryption | https://securelist.com/blog/ | 1970-01-01 01:00:00 | 70 | - | |
2553 | apt_ProjectSauron_generic_pipe_backdoor | Rule to detect ProjectSauron generic pipe backdoors | https://securelist.com/blog/ | 1970-01-01 01:00:00 | 70 | - | FILE,MAL |
2554 | apt_ProjectSauron_pipe_backdoor | Rule to detect ProjectSauron pipe backdoors | https://securelist.com/blog/ | 1970-01-01 01:00:00 | 70 | - | FILE,MAL |
2555 | apt_RU_MoonlightMaze_IRIX_exploit_GEN | Rule to detect Irix exploits from David Hedley used by Moonlight Maze hackers | https://en.wikipedia.org/wiki/Moonlight_Maze | 2017-03-27 00:00:00 | 70 | Kaspersky Lab | FILE |
2556 | apt_RU_MoonlightMaze_cle_tool | Rule to detect Moonlight Maze 'cle' log cleaning tool | https://en.wikipedia.org/wiki/Moonlight_Maze | 2017-03-27 00:00:00 | 70 | Kaspersky Lab | |
2557 | apt_RU_MoonlightMaze_customlokitools | Rule to detect Moonlight Maze Loki samples by custom attacker-authored strings | https://en.wikipedia.org/wiki/Moonlight_Maze | 2017-03-15 00:00:00 | 70 | Kaspersky Lab | |
2558 | apt_RU_MoonlightMaze_customsniffer | Rule to detect Moonlight Maze sniffer tools | https://en.wikipedia.org/wiki/Moonlight_Maze | 2017-03-15 00:00:00 | 70 | Kaspersky Lab | |
2559 | apt_RU_MoonlightMaze_de_tool | Rule to detect Moonlight Maze 'de' and 'deg' tunnel tool | https://en.wikipedia.org/wiki/Moonlight_Maze | 2017-03-27 00:00:00 | 70 | Kaspersky Lab | |
2560 | apt_RU_MoonlightMaze_encrypted_keylog | Rule to detect Moonlight Maze encrypted keylogger logs | https://en.wikipedia.org/wiki/Moonlight_Maze | 2017-03-27 00:00:00 | 70 | Kaspersky Lab | HKTL |
2561 | apt_RU_MoonlightMaze_u_logcleaner | Rule to detect log cleaners based on utclean.c | https://en.wikipedia.org/wiki/Moonlight_Maze | 2017-03-27 00:00:00 | 70 | Kaspersky Lab | FILE |
2562 | apt_RU_MoonlightMaze_wipe | Rule to detect log cleaner based on wipe.c | https://en.wikipedia.org/wiki/Moonlight_Maze | 2017-03-27 00:00:00 | 70 | Kaspersky Lab | FILE |
2563 | apt_RU_MoonlightMaze_xk_keylogger | Rule to detect Moonlight Maze 'xk' keylogger | https://en.wikipedia.org/wiki/Moonlight_Maze | 2017-03-27 00:00:00 | 70 | Kaspersky Lab | HKTL |
2564 | apt_backspace | Detects APT backspace | - | 2015-05-14 00:00:00 | 70 | Bit Byte Bitten | APT,EXE,FILE |
2565 | apt_duqu2_drivers | Rule to detect Duqu 2.0 drivers | - | 1970-01-01 01:00:00 | 70 | - | FILE |
2566 | apt_duqu2_loaders | Rule to detect Duqu 2.0 samples | - | 1970-01-01 01:00:00 | 70 | - | EXE,FILE |
2567 | apt_equation_cryptotable | Rule to detect the crypto library used in Equation group malware | https://securelist.com/blog/ | 1970-01-01 01:00:00 | 70 | - | |
2568 | apt_equation_doublefantasy_genericresource | Rule to detect DoubleFantasy encoded config http://goo.gl/ivt8EW | http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/ | 1970-01-01 01:00:00 | 70 | - | |
2569 | apt_equation_equationlaser_runtimeclasses | Rule to detect the EquationLaser malware | https://securelist.com/blog/ | 1970-01-01 01:00:00 | 70 | - | |
2570 | apt_equation_exploitlib_mutexes | Rule to detect Equation group's Exploitation library http://goo.gl/ivt8EW | http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/ | 1970-01-01 01:00:00 | 70 | - | |
2571 | apt_equation_keyword | Rule to detect Equation group's keyword in executable file | http://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/ | 1970-01-01 01:00:00 | 70 | - | EXE,FILE |
2572 | apt_hellsing_implantstrings | detection for Hellsing implants | - | 2015-04-07 00:00:00 | 70 | Costin Raiu, Kaspersky Lab | |
2573 | apt_hellsing_installer | detection for Hellsing xweber/msger installers | - | 2015-04-07 00:00:00 | 70 | Costin Raiu, Kaspersky Lab | |
2574 | apt_hellsing_irene | detection for Hellsing msger irene installer | - | 2015-04-07 00:00:00 | 70 | Costin Raiu, Kaspersky Lab | |
2575 | apt_hellsing_msgertype2 | detection for Hellsing msger type 2 implants | - | 2015-04-07 00:00:00 | 70 | Costin Raiu, Kaspersky Lab | |
2576 | apt_hellsing_proxytool | detection for Hellsing proxy testing tool | - | 2015-04-07 00:00:00 | 70 | Costin Raiu, Kaspersky Lab | |
2577 | apt_hellsing_xkat | detection for Hellsing xKat tool | - | 2015-04-07 00:00:00 | 70 | Costin Raiu, Kaspersky Lab | |
2578 | apt_nix_elf_Derusbi_Linux_SharedMemCreation | Detects Derusbi Backdoor ELF Shared Memory Creation | https://github.com/fideliscyber/indicators/tree/master/FTA-1021 | 2016-02-29 00:00:00 | 70 | Fidelis Cybersecurity | FILE,LINUX,MAL |
2579 | apt_nix_elf_Derusbi_Linux_Strings | Detects Derusbi Backdoor ELF Strings | https://github.com/fideliscyber/indicators/tree/master/FTA-1021 | 2016-02-29 00:00:00 | 70 | Fidelis Cybersecurity | FILE,LINUX,MAL |
2580 | apt_nix_elf_derusbi | Detects Derusbi Backdoor ELF | https://github.com/fideliscyber/indicators/tree/master/FTA-1021 | 2016-02-29 00:00:00 | 70 | Fidelis Cybersecurity | FILE,LINUX,MAL |
2581 | apt_nix_elf_derusbi_kernelModule | Detects Derusbi Backdoor ELF Kernel Module | https://github.com/fideliscyber/indicators/tree/master/FTA-1021 | 2016-02-29 00:00:00 | 70 | Fidelis Cybersecurity | FILE,LINUX,MAL |
2582 | apt_regin_hopscotch | Rule to detect Regin's Hopscotch module | https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/ | 1970-01-01 01:00:00 | 70 | - | |
2583 | apt_regin_legspin | Rule to detect Regin's Legspin module | https://securelist.com/blog/research/68438/an-analysis-of-regins-hopscotch-and-legspin/ | 1970-01-01 01:00:00 | 70 | - | |
2584 | apt_sofacy_xtunnel | Sofacy Malware - German Bundestag | - | 1970-01-01 01:00:00 | 75 | Claudio Guarnieri | FILE,MAL,RUSSIA |
2585 | apt_win32_dll_rat_1a53b0cp32e46g0qio7 | Detects Inocnation Malware | https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf | 1970-01-01 01:00:00 | 75 | Fidelis Cybersecurity | FILE,MAL |
2586 | apt_win32_dll_rat_hiZorRAT | - | https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf | 1970-01-01 01:00:00 | 70 | - | FILE |
2587 | apt_win_exe_trojan_derusbi | Detects Derusbi Backdoor Win32 | https://github.com/fideliscyber/indicators/tree/master/FTA-1021 | 2016-02-29 00:00:00 | 70 | Fidelis Cybersecurity | FILE,MAL |
2588 | arpsniffer | Chinese Hacktool Set - file arpsniffer.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2589 | asp_dns | Laudanum Injector Tools - file dns.asp | http://laudanum.inguardians.com/ | 2015-06-22 00:00:00 | 70 | Florian Roth | HKTL,WEBSHELL |
2590 | asp_file | Laudanum Injector Tools - file file.asp | http://laudanum.inguardians.com/ | 2015-06-22 00:00:00 | 70 | Florian Roth | FILE,HKTL,WEBSHELL |
2591 | asp_proxy | Laudanum Injector Tools - file proxy.asp | http://laudanum.inguardians.com/ | 2015-06-22 00:00:00 | 70 | Florian Roth | HKTL,WEBSHELL |
2592 | asp_shell | Laudanum Injector Tools - file shell.asp | http://laudanum.inguardians.com/ | 2015-06-22 00:00:00 | 70 | Florian Roth | HKTL,WEBSHELL |
2593 | aspbackdoor_EDIR | Disclosed hacktool set (old stuff) - file EDIR.ASP | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2594 | aspbackdoor_EDIT | Disclosed hacktool set (old stuff) - file EDIT.ASP | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2595 | aspbackdoor_asp1 | Disclosed hacktool set (old stuff) - file asp1.txt | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2596 | aspbackdoor_asp3 | Disclosed hacktool set (old stuff) - file asp3.txt | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2597 | aspbackdoor_asp4 | Disclosed hacktool set (old stuff) - file asp4.txt | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2598 | aspbackdoor_entice | Disclosed hacktool set (old stuff) - file entice.asp | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2599 | aspbackdoor_ipclear | Disclosed hacktool set (old stuff) - file ipclear.vbs | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2600 | aspbackdoor_regdll | Disclosed hacktool set (old stuff) - file regdll.asp | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2601 | aspfile1 | Disclosed hacktool set (old stuff) - file aspfile1.asp | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2602 | aspfile2 | Disclosed hacktool set (old stuff) - file aspfile2.asp | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2603 | aspx_shell | Laudanum Injector Tools - file shell.aspx | http://laudanum.inguardians.com/ | 2015-06-22 00:00:00 | 70 | Florian Roth | HKTL,WEBSHELL |
2604 | aspydrv_asp | Semi-Auto-generated - file aspydrv.asp.txt | - | 1970-01-01 01:00:00 | 60 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2605 | b374k_back_connect | Detects privilege escalation tool | Internal Analysis | 2016-08-18 00:00:00 | 80 | Florian Roth | EXE,FILE |
2606 | backdoor1_php | Semi-Auto-generated - file backdoor1.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | MAL,WEBSHELL |
2607 | backdoorfr_php | Semi-Auto-generated - file backdoorfr.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | MAL,WEBSHELL |
2608 | backup_php_often_with_c99shell | Semi-Auto-generated - file backup.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2609 | backupsql_php_often_with_c99shell | Semi-Auto-generated - file backupsql.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2610 | bdcli100 | Webshells Auto-generated - file bdcli100.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2611 | bin_Client | Webshells Auto-generated - file Client.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2612 | bin_ndisk | Hacking Team Disclosure Sample - file ndisk.sys | https://www.virustotal.com/en/file/a03a6ed90b89945a992a8c69f716ec3c743fa1d958426f4c50378cca5bef0a01/analysis/1436184181/ | 2015-07-07 00:00:00 | 100 | Florian Roth | EXE,FILE |
2613 | bin_wuaus | Webshells Auto-generated - file wuaus.dll | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2614 | binder2_binder2 | Webshells Auto-generated - file binder2.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2615 | blackenergy3_installer | Matches unique code block for import name construction | https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf | 2015-05-29 00:00:00 | 70 | Mike Schladt | |
2616 | by063cli | Webshells Auto-generated - file by063cli.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2617 | by064cli | Webshells Auto-generated - file by064cli.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2618 | byloader | Webshells Auto-generated - file byloader.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2619 | byshell063_ntboot | Webshells Auto-generated - file ntboot.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2620 | byshell063_ntboot_2 | Webshells Auto-generated - file ntboot.dll | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2621 | c99madshell_v2_0_php_php | Semi-Auto-generated - file c99madshell_v2.0.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2622 | c99shell | Webshells Auto-generated - file c99shell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2623 | cachedump | Detects a tool used by APT groups - from files cachedump.exe, cachedump64.exe | http://goo.gl/igxLyF | 2016-09-08 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,HKTL |
2624 | carbon_metadata | Turla Carbon malware | https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/ | 2017-03-30 00:00:00 | 70 | ESET Research | RUSSIA |
2625 | ce_enfal_cmstar_debug_msg | Detects the static debug strings within CMSTAR | http://goo.gl/JucrP9 | 2015-05-10 00:00:00 | 70 | rfalcone | EXE,FILE |
2626 | cfm_shell | Laudanum Injector Tools - file shell.cfm | http://laudanum.inguardians.com/ | 2015-06-22 00:00:00 | 70 | Florian Roth | HKTL,WEBSHELL |
2627 | cgi_python_py | Semi-Auto-generated - file cgi-python.py.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2628 | cgis4_cgis4 | Auto-generated rule on file cgis4.exe | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator by Florian Roth | HKTL |
2629 | chrome_elf | Detects Fireball malware - file chrome_elf.dll | https://goo.gl/4pTkGQ | 2017-06-02 00:00:00 | 70 | Florian Roth | EXE,FILE |
2630 | churrasco | Chinese Hacktool Set - file churrasco.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2631 | clean_apt15_patchedcmd | This is a patched CMD. This is the CMD that RoyalCli uses. | - | 1970-01-01 01:00:00 | 70 | Ahmed Zaki | FILE |
2632 | clearlog | Detects Fireball malware - file clearlog.dll | https://goo.gl/4pTkGQ | 2017-06-02 00:00:00 | 70 | Florian Roth | EXE,FILE |
2633 | cmdShell | Webshells Auto-generated - file cmdShell.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2634 | cmd_asp_5_1_asp | Semi-Auto-generated - file cmd-asp-5.1.asp.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2635 | cmdjsp_jsp | Semi-Auto-generated - file cmdjsp.jsp.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2636 | cndcom_cndcom | Chinese Hacktool Set - file cndcom.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2637 | commands | Webshells Auto-generated - file commands.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2638 | conhost_ANOMALY | Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file conhost.exe | not set | 2015-03-16 00:00:00 | 70 | Florian Roth | EXTVAR |
2639 | connectback2_pl | Semi-Auto-generated - file connectback2.pl.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2640 | connector | Webshells Auto-generated - file connector.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2641 | crack_Loader | Auto-generated rule on file Loader.exe | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator by Florian Roth | HKTL |
2642 | crime_ole_loadswf_cve_2018_4878 | Detects CVE-2018-4878 | hxxps://www[.]krcert[.]or[.kr/data/secNoticeView.do?bulletin_writing_sequence=26998 | 1970-01-01 01:00:00 | 70 | Vitali Kremez, Flashpoint | EXPLOIT |
2643 | crime_win_rat_AlienSpy | Alien Spy Remote Access Trojan | - | 2015-04-04 00:00:00 | 70 | General Dynamics Fidelis Cybersecurity Solutions - Threat Research Team | FILE,MAL |
2644 | csh_php_php | Semi-Auto-generated - file csh.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2645 | csrss_ANOMALY | Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file csrss.exe | not set | 2015-03-16 00:00:00 | 70 | Florian Roth | EXTVAR |
2646 | custom_ssh_backdoor_server | Custom SSH backdoor based on python and paramiko - file server.py | https://goo.gl/S46L3o | 2015-05-14 00:00:00 | 70 | Florian Roth | MAL |
2647 | cyberlords_sql_php_php | Semi-Auto-generated - file cyberlords_sql.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2648 | cyclotron | Chinese Hacktool Set - file cyclotron.sys | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2649 | datPcShare | Chinese Hacktool Set - file datPcShare.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2650 | dat_NaslLib | Chinese Hacktool Set - file NaslLib.dll | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2651 | dat_report | Chinese Hacktool Set - file report.dll | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2652 | dat_xpf | Chinese Hacktool Set - file xpf.sys | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2653 | dbexpora | Chinese Hacktool Set - file dbexpora.dll | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2654 | dbgiis6cli | Webshells Auto-generated - file dbgiis6cli.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2655 | dbgntboot | Webshells Auto-generated - file dbgntboot.dll | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2656 | derusbi_kernel | Derusbi Driver version | - | 2015-12-09 00:00:00 | 70 | Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud | FILE |
2657 | derusbi_linux | Derusbi Server Linux version | - | 2015-12-09 00:00:00 | 70 | Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud | LINUX |
2658 | dll_PacketX | Chinese Hacktool Set - file PacketX.dll - ActiveX wrapper for WinPcap packet capture library | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 50 | Florian Roth | CHINA,EXE,FILE,HKTL |
2659 | dll_Reg | Chinese Hacktool Set - file Reg.bat | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,SCRIPTS |
2660 | dll_UnReg | Chinese Hacktool Set - file UnReg.bat | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,SCRIPTS |
2661 | dnscat2_Hacktool | Detects dnscat2 - from files dnscat, dnscat2.exe | https://downloads.skullsecurity.org/dnscat2/ | 2016-05-15 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
2662 | doskey_ANOMALY | Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file doskey.exe | not set | 2015-03-16 00:00:00 | 70 | Florian Roth | EXTVAR |
2663 | down_rar_Folder_down | Webshells Auto-generated - file down.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2664 | dubseven_dropper_dialog_remains | Searches for related dialog remnants. How rude. | - | 2016-04-18 00:00:00 | 75 | Matt Brooks, @cmatthewbrooks | FILE |
2665 | dubseven_dropper_registry_checks | Searches for registry keys checked for by the dropper | - | 2016-04-18 00:00:00 | 75 | Matt Brooks, @cmatthewbrooks | FILE |
2666 | dubseven_file_set | Searches for service files loading UP007 | - | 2016-04-18 00:00:00 | 75 | Matt Brooks, @cmatthewbrooks | FILE |
2667 | eBayId_index3 | Webshells Auto-generated - file index3.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2668 | elmaliseker | Webshells Auto-generated - file elmaliseker.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2669 | elmaliseker_asp | Semi-Auto-generated - file elmaliseker.asp.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2670 | epathobj_exp32 | Chinese Hacktool Set - file epathobj_exp32.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2671 | epathobj_exp64 | Chinese Hacktool Set - file epathobj_exp64.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2672 | exploit_ole_stdolelink | StdOleLink, potential 0day in April 2017 | - | 1970-01-01 01:00:00 | 55 | David Cannings | EXTVAR |
2673 | explorer_ANOMALY | Abnormal explorer.exe - typical strings not found in file | - | 2014-05-27 00:00:00 | 55 | Florian Roth | EXTVAR |
2674 | f3_diy | Chinese Hacktool Set - file diy.asp | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,FILE,HKTL,WEBSHELL |
2675 | fgexec | Detects a tool used by APT groups - file fgexec.exe | http://goo.gl/igxLyF | 2016-09-08 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,HKTL |
2676 | fmlibraryv3 | Webshells Auto-generated - file fmlibraryv3.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2677 | fuckphpshell_php | Semi-Auto-generated - file fuckphpshell.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2678 | gen_exploit_CVE_2017_10271_WebLogic | Exploit for CVE-2017-10271 (Oracle WebLogic) | https://github.com/c0mmand3rOpSec/CVE-2017-10271, https://www.fireeye.com/blog/threat-research/2018/02/cve-2017-10271-used-to-deliver-cryptominers.html | 2018-03-21 00:00:00 | 70 | John Lambert @JohnLaTwC | EXPLOIT,FILE |
2679 | gen_macro_ShellExecute_action | VBA macro technique to call ShellExecute to launch payload | https://twitter.com/StanHacked/status/1075088449768693762 | 2019-01-08 00:00:00 | 70 | John Lambert @JohnLaTwC | FILE,SCRIPT |
2680 | gen_malware_MacOS_plist_suspicious | Suspicious PLIST files in MacOS (possible malware persistence) | https://objective-see.com/blog/blog_0x3A.html | 2018-12-14 00:00:00 | 70 | John Lambert @JohnLaTwC | EXTVAR,MAL |
2681 | gen_python_reverse_shell | Python Base64 encoded reverse shell | https://www.virustotal.com/en/file/9ec5102bcbabc45f2aa7775464f33019cfbe9d766b1332ee675957c923a17efd/analysis/ | 2018-02-24 00:00:00 | 70 | John Lambert @JohnLaTwC | FILE,SCRIPT |
2682 | gen_unicorn_obfuscated_powershell | PowerShell payload obfuscated by Unicorn toolkit | https://github.com/trustedsec/unicorn/ | 2018-04-03 00:00:00 | 70 | John Lambert @JohnLaTwC | FILE,OBFUS,SCRIPT |
2683 | generic_carbon | Turla Carbon malware | https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/ | 2017-03-30 00:00:00 | 70 | ESET Research | EXE,FILE,RUSSIA |
2684 | generic_shellcode_downloader_specific | Detects Doorshell from NCSC report | https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control | 2018-04-06 00:00:00 | 70 | NCSC | EXTVAR,FILE |
2685 | genhash_genhash | Auto-generated rule - file genhash.exe | http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit | 2015-07-10 00:00:00 | 80 | Florian Roth | EXE,FILE |
2686 | gina_zip_Folder_gina | Disclosed hacktool set (old stuff) - file gina.dll | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2687 | git_CVE_2017_9800_poc | Detects a CVE-2017-9800 exploitation attempt | https://twitter.com/mzbat/status/895811803325898753 | 2017-08-11 00:00:00 | 60 | Florian Roth | EXPLOIT |
2688 | glassRAT | Detects GlassRAT by RSA (modified by Florian Roth - speed improvements) | - | 2015-11-03 00:00:00 | 70 | RSA RESEARCH | MAL |
2689 | h4ntu_shell__powered_by_tsoi_ | Semi-Auto-generated - file h4ntu shell [powered by tsoi].txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2690 | hatman | Matches the known samples of the HatMan malware. | https://ics-cert.us-cert.gov/MAR-17-352-01-HatMan%E2%80%94Safety-System-Targeted-Malware | 2017-12-19 00:00:00 | 70 | DHS/NCCIC/ICS-CERT | EXTVAR |
2691 | hatman_combined | Detects Hatman malware | https://ics-cert.us-cert.gov/MAR-17-352-01-HatMan%E2%80%94Safety-System-Targeted-Malware | 2017-12-19 00:00:00 | 70 | DHS/NCCIC/ICS-CERT | EXTVAR |
2692 | hatman_compiled_python | Detects Hatman malware | https://ics-cert.us-cert.gov/MAR-17-352-01-HatMan%E2%80%94Safety-System-Targeted-Malware | 2017-12-19 00:00:00 | 70 | DHS/NCCIC/ICS-CERT | EXTVAR |
2693 | hatman_injector | Detects Hatman malware | https://ics-cert.us-cert.gov/MAR-17-352-01-HatMan%E2%80%94Safety-System-Targeted-Malware | 2017-12-19 00:00:00 | 70 | DHS/NCCIC/ICS-CERT | EXTVAR |
2694 | hatman_payload | Detects Hatman malware | https://ics-cert.us-cert.gov/MAR-17-352-01-HatMan%E2%80%94Safety-System-Targeted-Malware | 2017-12-19 00:00:00 | 70 | DHS/NCCIC/ICS-CERT | EXTVAR |
2695 | hidshell_php_php | Semi-Auto-generated - file hidshell.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2696 | hkdoor_backdoor | Hacker's Door Backdoor | https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.html | 1970-01-01 01:00:00 | 70 | Cylance Inc. | EXE,FILE,MAL |
2697 | hkdoor_backdoor_dll | Hacker's Door Backdoor DLL | https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.html | 1970-01-01 01:00:00 | 70 | Cylance Inc. | EXE,FILE,MAL |
2698 | hkdoor_driver | Hacker's Door Driver | - | 1970-01-01 01:00:00 | 70 | - | EXE,FILE |
2699 | hkdoor_dropper | Hacker's Door Dropper | https://www.cylance.com/en_us/blog/threat-spotlight-opening-hackers-door.html | 1970-01-01 01:00:00 | 70 | Cylance Inc. | EXE,EXTVAR,FILE,MAL |
2700 | hkdoordll | Webshells Auto-generated - file hkdoordll.dll | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2701 | hkmjjiis6 | Chinese Hacktool Set - file hkmjjiis6.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2702 | hkshell_hkrmv | Webshells Auto-generated - file hkrmv.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2703 | hkshell_hkshell | Webshells Auto-generated - file hkshell.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2704 | hscan_gui | Chinese Hacktool Set - file hscan-gui.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2705 | hscangui | Chinese Hacktool Set - file hscangui.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2706 | hxdef100 | Webshells Auto-generated - file hxdef100.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2707 | hxdef100_2 | Webshells Auto-generated - file hxdef100.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2708 | hydra_7_3_hydra | Chinese Hacktool Set - file hydra.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2709 | hydra_7_4_1_hydra | Chinese Hacktool Set - file hydra.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2710 | iKAT_Tool_Generic | Generic Rule for hack tool iKAT files gpdisable.exe, kitrap0d.exe, uacpoc.exe | http://ikat.ha.cked.net/Windows/functions/ikatfiles.html | 2014-05-11 00:00:00 | 55 | Florian Roth | GEN,HKTL |
2711 | iKAT_cmd_as_dll | iKAT toolset file cmd.dll ReactOS file cloaked | http://ikat.ha.cked.net/Windows/functions/ikatfiles.html | 2014-05-11 00:00:00 | 65 | Florian Roth | HKTL |
2712 | iKAT_command_lines_agent | iKAT hack tools set agent - file ikat.exe | http://ikat.ha.cked.net/Windows/functions/ikatfiles.html | 2014-05-11 00:00:00 | 75 | Florian Roth | HKTL |
2713 | iKAT_priv_esc_tasksch | Task Scheduler Local Exploit - Windows local priv-esc using Task Scheduler, published by webDevil. Supports Windows 7 and Vista. | http://ikat.ha.cked.net/Windows/functions/ikatfiles.html | 2014-05-11 00:00:00 | 75 | Florian Roth | HKTL |
2714 | iKAT_revelations | iKAT hack tool showing the content of password fields - file revelations.exe | http://ikat.ha.cked.net/Windows/functions/ikatfiles.html | 2014-05-11 00:00:00 | 75 | Florian Roth | HKTL |
2715 | iKAT_startbar | Tool to hide/unhide the Windows startbar from command line - iKAT hack tools - file startbar.exe | http://ikat.ha.cked.net/Windows/functions/ikatfiles.html | 2014-05-11 00:00:00 | 50 | Florian Roth | HKTL |
2716 | iKAT_tools_nmap | Generic rule for NMAP - based on NMAP 4 standalone | http://ikat.ha.cked.net/Windows/functions/ikatfiles.html | 2014-05-11 00:00:00 | 50 | Florian Roth | GEN,HKTL |
2717 | iKAT_wmi_rundll | This exe will attempt to use WMI to Call the Win32_Process event to spawn rundll - file wmi_rundll.exe | http://ikat.ha.cked.net/Windows/functions/ikatfiles.html | 2014-05-11 00:00:00 | 65 | Florian Roth | HKTL |
2718 | iMHaPFtp | Webshells Auto-generated - file iMHaPFtp.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2719 | iam_alt_iam_alt | Auto-generated rule - file iam-alt.exe | http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit | 2015-07-10 00:00:00 | 80 | Florian Roth | EXE,FILE |
2720 | iam_iam | Auto-generated rule - file iam.exe | http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit | 2015-07-10 00:00:00 | 80 | Florian Roth | EXE,FILE |
2721 | iam_iamdll | Auto-generated rule - file iamdll.dll | http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit | 2015-07-10 00:00:00 | 80 | Florian Roth | EXE,FILE |
2722 | icyfox007v1_10_rar_Folder_asp | Webshells Auto-generated - file asp.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2723 | iexplore_ANOMALY | Abnormal iexplore.exe - typical strings not found in file | - | 2014-04-23 00:00:00 | 55 | Florian Roth | EXTVAR |
2724 | indexer_asp | Semi-Auto-generated - file indexer.asp.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2725 | install_get_persistent_filenames | EQGRP Toolset Firewall - file install_get_persistent_filenames | Research | 2016-08-16 00:00:00 | 70 | Florian Roth | FILE |
2726 | installer | Webshells Auto-generated - file installer.cmd | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2727 | ipsearcher | Chinese Hacktool Set - file ipsearcher.dll | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2728 | ironshell_php | Semi-Auto-generated - file ironshell.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2729 | item_301 | Chinese Hacktool Set - file item-301.php | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2730 | item_old | Chinese Hacktool Set - file item-old.php | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2731 | jsp_cmd | Laudanum Injector Tools - file cmd.war | http://laudanum.inguardians.com/ | 2015-06-22 00:00:00 | 70 | Florian Roth | FILE,HKTL,WEBSHELL |
2732 | jsp_reverse_jsp | Semi-Auto-generated - file jsp-reverse.jsp.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2733 | jspshall_jsp | Semi-Auto-generated - file jspshall.jsp.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2734 | kacak_asp | Semi-Auto-generated - file kacak.asp.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2735 | kappfree | Chinese Hacktool Set - file kappfree.dll | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2736 | kappfree_2 | Chinese Hacktool Set - file kappfree.dll | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2737 | karmaSMB | Compiled Impacket Tools | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
2738 | kelloworld_2 | Chinese Hacktool Set - file kelloworld.dll | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2739 | kerberoast_PY | Auto-generated rule - file kerberoast.py | https://github.com/skelsec/PyKerberoast | 2016-05-21 00:00:00 | 70 | Florian Roth | |
2740 | kiwi_tools | Chinese Hacktool Set | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2741 | kiwi_tools_gentil_kiwi | Chinese Hacktool Set | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2742 | klasvayv_asp | Semi-Auto-generated - file klasvayv.asp.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2743 | lamashell_php | Semi-Auto-generated - file lamashell.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2744 | lamescan3 | Chinese Hacktool Set - file lamescan3.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2745 | laudanum | Laudanum Injector Tools - file laudanum.php | http://laudanum.inguardians.com/ | 2015-06-22 00:00:00 | 70 | Florian Roth | HKTL,WEBSHELL |
2746 | lazaruswannacry | Rule based on shared code between Feb 2017 Wannacry sample and Lazarus backdoor from Feb 2015 discovered by Neel Mehta | https://twitter.com/neelmehta/status/864164081116225536 | 2017-05-15 00:00:00 | 70 | Costin G. Raiu, Kaspersky Lab | FILE,MAL,NK,RANSOM |
2747 | lnk_detect | Detects malicious LNK file from NCSC report | https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control | 2018-04-06 00:00:00 | 70 | NCSC | FILE |
2748 | lsadump | LSA dump program (bootkey/syskey) - pwdump and others | - | 1970-01-01 01:00:00 | 80 | Benjamin DELPY (gentilkiwi) | EXE,EXTVAR,FILE |
2749 | lsass_ANOMALY | Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file lsass.exe | not set | 2015-03-16 00:00:00 | 70 | Florian Roth | EXTVAR |
2750 | lsremora | Detects a tool used by APT groups | http://goo.gl/igxLyF | 2016-09-08 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,HKTL |
2751 | lurm_safemod_on_cgi | Semi-Auto-generated - file lurm_safemod_on.cgi.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2752 | magnify_ANOMALY | Abnormal magnify.exe (Magnifier) - typical strings not found in file | - | 2014-01-06 00:00:00 | 55 | Florian Roth | EXTVAR |
2753 | maindll_mutex | Matches on the maindll mutex | - | 2016-04-18 00:00:00 | 75 | Matt Brooks, @cmatthewbrooks | FILE |
2754 | malrtf_ole2link | Detect weaponized RTF documents with OLE2Link exploit | - | 1970-01-01 01:00:00 | 70 | @h3x2b <tracker _AT h3x.eu> | FILE |
2755 | malware_apt15_exchange_tool | This is an Exchange enumeration/hijacking tool used by APT 15 | - | 1970-01-01 01:00:00 | 70 | Ahmed Zaki | APT,FILE |
2756 | malware_apt15_generic | Find generic data potentially relating to APT15 tools | - | 1970-01-01 01:00:00 | 70 | David Cannings | |
2757 | malware_apt15_royalcli_1 | Generic strings found in the Royal CLI tool | - | 1970-01-01 01:00:00 | 70 | David Cannings | FILE,GEN |
2758 | malware_apt15_royalcli_2 | APT15 RoyalCli backdoor | - | 1970-01-01 01:00:00 | 70 | Nikolaos Pantazopoulos | APT,FILE,MAL |
2759 | malware_apt15_royaldll | DLL implant, originally rights.dll and runs as a service | - | 1970-01-01 01:00:00 | 70 | David Cannings | |
2760 | malware_apt15_royaldll_2 | DNS backdoor used by APT15 | - | 1970-01-01 01:00:00 | 70 | Ahmed Zaki | APT,FILE,MAL |
2761 | malware_sakula_memory | Sakula malware - strings after unpacking (memory rule) | - | 1970-01-01 01:00:00 | 70 | David Cannings | |
2762 | malware_sakula_shellcode | Sakula shellcode - taken from decoded setup.msi but may not be unique enough to identify Sakula | - | 1970-01-01 01:00:00 | 70 | David Cannings | |
2763 | malware_sakula_xorloop | XOR loops from Sakula malware | - | 1970-01-01 01:00:00 | 70 | David Cannings | |
2764 | merlinAgent | Detects Merlin agent | https://github.com/Ne0nd0g/merlin | 2017-12-26 00:00:00 | 70 | Hilko Bengen | |
2765 | mimikatz | mimikatz | - | 1970-01-01 01:00:00 | 70 | Benjamin DELPY (gentilkiwi) | HKTL |
2766 | mimikatz_kirbi_ticket | KiRBi ticket for mimikatz | - | 1970-01-01 01:00:00 | 70 | Benjamin DELPY (gentilkiwi) | |
2767 | mimikatz_lsass_mdmp | LSASS minidump file for mimikatz | - | 1970-01-01 01:00:00 | 70 | Benjamin DELPY (gentilkiwi) | EXTVAR,FILE |
2768 | mimipenguin_1 | Detects Mimipenguin hack tool | https://github.com/huntergregal/mimipenguin | 2017-07-08 00:00:00 | 70 | Florian Roth | FILE |
2769 | mimipenguin_2 | Detects Mimipenguin hack tool | https://github.com/huntergregal/mimipenguin | 2017-07-08 00:00:00 | 70 | Florian Roth | FILE |
2770 | ms10048_x64 | Chinese Hacktool Set - file ms10048-x64.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2771 | ms10048_x86 | Chinese Hacktool Set - file ms10048-x86.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2772 | ms11080_withcmd | Chinese Hacktool Set - file ms11080_withcmd.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2773 | msi_dll_Anomaly | Detects very small and suspicious msi.dll | https://blog.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar | 2017-02-10 00:00:00 | 70 | Florian Roth | EXE,EXTVAR,FILE |
2774 | mswin_check_lm_group | Chinese Hacktool Set - file mswin_check_lm_group.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2775 | multiple_php_webshells | Semi-Auto-generated - from files multiple_php_webshells | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2776 | multiple_php_webshells_2 | Semi-Auto-generated | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2777 | myshell_php_php | Semi-Auto-generated - file myshell.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2778 | mysql_php_php | Semi-Auto-generated - file mysql.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2779 | mysql_pwd_crack | Chinese Hacktool Set - file mysql_pwd_crack.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2780 | mysql_shell_php | Semi-Auto-generated - file mysql_shell.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2781 | mysql_tool_php_php | Semi-Auto-generated - file mysql_tool.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2782 | mysqlfast | Chinese Hacktool Set - file mysqlfast.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2783 | narrator_ANOMALY | Abnormal narrator.exe - typical strings not found in file | - | 2014-01-06 00:00:00 | 55 | Florian Roth | EXTVAR |
2784 | ngh_php_php | Semi-Auto-generated - file ngh.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2785 | notepad_ANOMALY | Abnormal notepad.exe - typical strings not found in file | - | 2014-01-06 00:00:00 | 55 | Florian Roth | EXTVAR |
2786 | nstview_nstview | Webshells Auto-generated - file nstview.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2787 | oracle_data | Chinese Hacktool Set - file oracle_data.php | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2788 | osk_ANOMALY | Abnormal osk.exe (On Screen Keyboard) - typical strings not found in file | - | 2014-01-06 00:00:00 | 55 | Florian Roth | EXTVAR |
2789 | p0wnedAmsiBypass | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedAmsiBypass.cs | https://github.com/Cn33liz/p0wnedShell | 2017-01-14 00:00:00 | 70 | Florian Roth | |
2790 | p0wnedBinaries | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedBinaries.cs | https://github.com/Cn33liz/p0wnedShell | 2017-01-14 00:00:00 | 70 | Florian Roth | |
2791 | p0wnedExploits | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedExploits.cs | https://github.com/Cn33liz/p0wnedShell | 2017-01-14 00:00:00 | 70 | Florian Roth | |
2792 | p0wnedListenerConsole | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedListenerConsole.cs | https://github.com/Cn33liz/p0wnedShell | 2017-01-14 00:00:00 | 70 | Florian Roth | |
2793 | p0wnedPotato | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs | https://github.com/Cn33liz/p0wnedShell | 2017-01-14 00:00:00 | 70 | Florian Roth | |
2794 | p0wnedPowerCat | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPowerCat.cs | https://github.com/Cn33liz/p0wnedShell | 2017-01-14 00:00:00 | 70 | Florian Roth | FILE |
2795 | p0wnedShell_outputs | p0wnedShell Runspace Post Exploitation Toolkit - from files p0wnedShell.cs, p0wnedShell.cs | https://github.com/Cn33liz/p0wnedShell | 2017-01-14 00:00:00 | 70 | Florian Roth | |
2796 | p0wnedShellx64 | p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShellx64.exe | https://github.com/Cn33liz/p0wnedShell | 2017-01-14 00:00:00 | 70 | Florian Roth | |
2797 | pHpINJ_php_php | Semi-Auto-generated - file pHpINJ.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2798 | packager_cve2017_11882 | Attempts to exploit CVE-2017-11882 using Packager | https://github.com/rxwx/CVE-2017-11882/blob/master/packager_exec_CVE-2017-11882.py | 1970-01-01 01:00:00 | 60 | Rich Warren | EXPLOIT,FILE |
2799 | peek_a_boo | Webshells Auto-generated - file peek-a-boo.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2800 | perlbot_pl | Semi-Auto-generated - file perlbot.pl.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2801 | perlcmd_zip_Folder_cmd | Disclosed hacktool set (old stuff) - file cmd.cgi | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2802 | php_backdoor_php | Semi-Auto-generated - file php-backdoor.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | MAL,WEBSHELL |
2803 | php_dns | Laudanum Injector Tools - file dns.php | http://laudanum.inguardians.com/ | 2015-06-22 00:00:00 | 70 | Florian Roth | HKTL,WEBSHELL |
2804 | php_file | Laudanum Injector Tools - file file.php | http://laudanum.inguardians.com/ | 2015-06-22 00:00:00 | 70 | Florian Roth | HKTL,WEBSHELL |
2805 | php_include_w_shell_php | Semi-Auto-generated - file php-include-w-shell.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2806 | php_killnc | Laudanum Injector Tools - file killnc.php | http://laudanum.inguardians.com/ | 2015-06-22 00:00:00 | 70 | Florian Roth | HKTL,WEBSHELL |
2807 | php_reverse_shell | Laudanum Injector Tools - file php-reverse-shell.php | http://laudanum.inguardians.com/ | 2015-06-22 00:00:00 | 70 | Florian Roth | HKTL,WEBSHELL |
2808 | php_reverse_shell_2 | Laudanum Injector Tools - file php-reverse-shell.php | http://laudanum.inguardians.com/ | 2015-06-22 00:00:00 | 70 | Florian Roth | HKTL,WEBSHELL |
2809 | php_shell | Laudanum Injector Tools - file shell.php | http://laudanum.inguardians.com/ | 2015-06-22 00:00:00 | 70 | Florian Roth | HKTL,WEBSHELL |
2810 | phpbackdoor15_php | Semi-Auto-generated - file phpbackdoor15.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | MAL,WEBSHELL |
2811 | phpjackal_php | Semi-Auto-generated - file phpjackal.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2812 | phpshell17_php | Semi-Auto-generated - file phpshell17.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2813 | phpshell | Webshells Auto-generated - file phpshell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2814 | phpshell_3 | Webshells Auto-generated - file phpshell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2815 | phpspy_2005_full | Webshells Auto-generated - file phpspy_2005_full.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2816 | phvayvv_php_php | Semi-Auto-generated - file phvayvv.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2817 | portlessinst | Webshells Auto-generated - file portlessinst.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2818 | portscan | Auto-generated rule on file portscan.exe | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator by Florian Roth | HKTL |
2819 | portscanner | Chinese Hacktool Set - file portscanner.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2820 | power_pe_injection | PowerShell with PE Reflective Injection | - | 1970-01-01 01:00:00 | 70 | Benjamin DELPY (gentilkiwi) | HKTL,SCRIPT |
2821 | ps1_toolkit_Inveigh_BruteForce | Auto-generated rule - file Inveigh-BruteForce.ps1 | https://github.com/vysec/ps1-toolkit | 2016-09-04 00:00:00 | 80 | Florian Roth | FILE |
2822 | ps1_toolkit_Inveigh_BruteForce_2 | Auto-generated rule - from files Inveigh-BruteForce.ps1 | https://github.com/vysec/ps1-toolkit | 2016-09-04 00:00:00 | 80 | Florian Roth | FILE |
2823 | ps1_toolkit_Inveigh_BruteForce_3 | Auto-generated rule - from files Inveigh-BruteForce.ps1 | https://github.com/vysec/ps1-toolkit | 2016-09-04 00:00:00 | 80 | Florian Roth | FILE |
2824 | ps1_toolkit_Invoke_Mimikatz | Auto-generated rule - file Invoke-Mimikatz.ps1 | https://github.com/vysec/ps1-toolkit | 2016-09-04 00:00:00 | 80 | Florian Roth | FILE |
2825 | ps1_toolkit_Invoke_Mimikatz_RelfectivePEInjection | Auto-generated rule - from files Invoke-Mimikatz.ps1, Invoke-RelfectivePEInjection.ps1 | https://github.com/vysec/ps1-toolkit | 2016-09-04 00:00:00 | 80 | Florian Roth | FILE,HKTL |
2826 | ps1_toolkit_Invoke_RelfectivePEInjection | Auto-generated rule - file Invoke-RelfectivePEInjection.ps1 | https://github.com/vysec/ps1-toolkit | 2016-09-04 00:00:00 | 80 | Florian Roth | FILE,HKTL |
2827 | ps1_toolkit_Invoke_Shellcode | Auto-generated rule - file Invoke-Shellcode.ps1 | https://github.com/vysec/ps1-toolkit | 2016-09-04 00:00:00 | 80 | Florian Roth | FILE |
2828 | ps1_toolkit_Persistence | Auto-generated rule - file Persistence.ps1 | https://github.com/vysec/ps1-toolkit | 2016-09-04 00:00:00 | 80 | Florian Roth | FILE |
2829 | ps1_toolkit_Persistence_2 | Auto-generated rule - from files Persistence.ps1 | https://github.com/vysec/ps1-toolkit | 2016-09-04 00:00:00 | 80 | Florian Roth | FILE |
2830 | ps1_toolkit_PowerUp | Auto-generated rule - file PowerUp.ps1 | https://github.com/vysec/ps1-toolkit | 2016-09-04 00:00:00 | 80 | Florian Roth | FILE |
2831 | ps1_toolkit_PowerUp_2 | Auto-generated rule - from files PowerUp.ps1 | https://github.com/vysec/ps1-toolkit | 2016-09-04 00:00:00 | 80 | Florian Roth | FILE |
2832 | pstgdump | Detects a tool used by APT groups - file pstgdump.exe | http://goo.gl/igxLyF | 2016-09-08 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,HKTL |
2833 | pw_inspector | Chinese Hacktool Set - file pw-inspector.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2834 | pw_inspector_2 | Chinese Hacktool Set - file pw-inspector.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2835 | pwreveal | Webshells Auto-generated - file pwreveal.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2836 | pws_php_php | Semi-Auto-generated - file pws.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2837 | r57shell | Webshells Auto-generated - file r57shell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2838 | r57shell_2 | Webshells Auto-generated - file r57shell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2839 | r57shell_3 | Webshells Auto-generated - file r57shell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2840 | r57shell_php_php | Semi-Auto-generated - file r57shell.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2841 | rdrbs084 | Webshells Auto-generated - file rdrbs084.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2842 | rdrbs100 | Webshells Auto-generated - file rdrbs100.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2843 | reDuhServers_reDuh | Chinese Hacktool Set - file reDuh.jsp | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2844 | reDuhServers_reDuh_2 | Chinese Hacktool Set - file reDuh.php | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2845 | reDuhServers_reDuh_3 | Chinese Hacktool Set - file reDuh.aspx | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2846 | redSails_EXE | Detects Red Sails Hacktool by WinDivert references | https://github.com/BeetleChunks/redsails | 2017-10-02 00:00:00 | 70 | Florian Roth | EXE,FILE,HKTL |
2847 | redSails_PY | Detects Red Sails Hacktool - Python | https://github.com/BeetleChunks/redsails | 2017-10-02 00:00:00 | 70 | Florian Roth | HKTL,SCRIPT |
2848 | remsec_encrypted_api | Detects malware from Symantec's Strider APT report | http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets | 2016-08-08 00:00:00 | 80 | - | APT |
2849 | remsec_executable_blob_32 | Detects malware from Symantec's Strider APT report | http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets | 2016-08-08 00:00:00 | 80 | - | APT |
2850 | remsec_executable_blob_64 | Detects malware from Symantec's Strider APT report | http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets | 2016-08-08 00:00:00 | 80 | - | APT |
2851 | remsec_executable_blob_parser | Detects malware from Symantec's Strider APT report | http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets | 2016-08-08 00:00:00 | 80 | - | APT |
2852 | remsec_packer_A | Detects malware from Symantec's Strider APT report | http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets | 2016-08-08 00:00:00 | 80 | - | APT |
2853 | remsec_packer_B | Detects malware from Symantec's Strider APT report | http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets | 2016-08-08 00:00:00 | 80 | - | APT |
2854 | remview_2003_04_22 | Webshells Auto-generated - file remview_2003_04_22.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2855 | rknt_zip_Folder_RkNT | Webshells Auto-generated - file RkNT.dll | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2856 | rootshell_php | Semi-Auto-generated - file rootshell.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2857 | rst_sql_php_php | Semi-Auto-generated - file rst_sql.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2858 | rtf_CVE_2018_0802 | Attempts to exploit CVE-2018-0802 | http://www.freebuf.com/vuls/159789.html | 1970-01-01 01:00:00 | 70 | Rich Warren | EXPLOIT,FILE |
2859 | rtf_cve2017_11882 | Attempts to identify the exploit CVE 2017 11882 | https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about | 1970-01-01 01:00:00 | 60 | John Davison | EXPLOIT,EXTVAR |
2860 | rtf_cve2017_11882_ole | Attempts to identify the exploit CVE 2017 11882 | https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about | 1970-01-01 01:00:00 | 60 | John Davison | EXPLOIT,EXTVAR |
2861 | ru24_post_sh_php_php | Semi-Auto-generated - file ru24_post_sh.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2862 | s4u | Detects s4u executable which allows the creation of a cmd.exe with the context of any user without requiring the password. - file s4u.exe | https://github.com/aurel26/s-4-u-for-windows | 2015-06-05 00:00:00 | 50 | Florian Roth | EXE,FILE |
2863 | s72_Shell_v1_1_Coding_html | Semi-Auto-generated - file s72 Shell v1.1 Coding.html.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2864 | samrdump | Compiled Impacket Tools | https://github.com/maaaaz/impacket-examples-windows | 2017-04-07 00:00:00 | 70 | Florian Roth | EXE,FILE |
2865 | saphpshell | Webshells Auto-generated - file saphpshell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2866 | sbin_squid | Chinese Hacktool Set - file squid.bat | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,SCRIPTS |
2867 | scanarator | Auto-generated rule on file scanarator.exe | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator by Florian Roth | HKTL |
2868 | scanarator_iis | Auto-generated rule on file iis.exe | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator by Florian Roth | HKTL |
2869 | scanms_scanms | Chinese Hacktool Set - file scanms.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2870 | screencap | Webshells Auto-generated - file screencap.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2871 | sekurlsa | Chinese Hacktool Set - file sekurlsa.dll | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2872 | sendmail | Webshells Auto-generated - file sendmail.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2873 | servpw | Detects a tool used by APT groups - file servpw.exe | http://goo.gl/igxLyF | 2016-09-08 00:00:00 | 70 | Florian Roth | APT,EXE,FILE,HKTL |
2874 | sethc_ANOMALY | Sethc.exe has been replaced - Indicates Remote Access Hack RDP | http://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf | 2014-01-23 00:00:00 | 70 | F. Roth | EXTVAR |
2875 | settings | Laudanum Injector Tools - file settings.php | http://laudanum.inguardians.com/ | 2015-06-22 00:00:00 | 70 | Florian Roth | HKTL,WEBSHELL |
2876 | sh_php_php | Semi-Auto-generated - file sh.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2877 | shankar_php_php | Semi-Auto-generated - file shankar.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2878 | shell_php_php | Semi-Auto-generated - file shell.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2879 | shellbot_pl | Semi-Auto-generated - file shellbot.pl.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2880 | shells_PHP_wso | Semi-Auto-generated - file wso.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2881 | shelltools_g0t_root_Fport | Webshells Auto-generated - file Fport.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2882 | shelltools_g0t_root_HideRun | Webshells Auto-generated - file HideRun.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2883 | shelltools_g0t_root_resolve | Webshells Auto-generated - file resolve.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2884 | shelltools_g0t_root_uptime | Webshells Auto-generated - file uptime.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2885 | shelltools_g0t_root_xwhois | Webshells Auto-generated - file xwhois.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2886 | shimrat | Detects ShimRat and the ShimRat loader | - | 2015-11-20 00:00:00 | 70 | Yonathan Klijnsma (yonathan.klijnsma@fox-it.com) | |
2887 | shimratreporter | Detects ShimRatReporter | - | 2015-11-20 00:00:00 | 70 | Yonathan Klijnsma (yonathan.klijnsma@fox-it.com) | |
2888 | sig_2005Gray | Webshells Auto-generated - file 2005Gray.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2889 | sig_2008_php_php | Semi-Auto-generated - file 2008.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2890 | sig_238_2323 | Disclosed hacktool set (old stuff) - file 2323.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2891 | sig_238_FPipe | Disclosed hacktool set (old stuff) - file FPipe.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2892 | sig_238_Glass2k | Disclosed hacktool set (old stuff) - file Glass2k.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2893 | sig_238_RunAsEx | Disclosed hacktool set (old stuff) - file RunAsEx.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2894 | sig_238_TELNET | Disclosed hacktool set (old stuff) - file TELNET.EXE from Windows ME | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2895 | sig_238_TFTPD32 | Disclosed hacktool set (old stuff) - file TFTPD32.EXE | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2896 | sig_238_cmd_2 | Disclosed hacktool set (old stuff) - file cmd.jsp | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2897 | sig_238_concon | Disclosed hacktool set (old stuff) - file concon.com | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2898 | sig_238_eee | Disclosed hacktool set (old stuff) - file eee.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2899 | sig_238_findoor | Disclosed hacktool set (old stuff) - file findoor.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2900 | sig_238_fscan | Disclosed hacktool set (old stuff) - file fscan.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2901 | sig_238_gina | Disclosed hacktool set (old stuff) - file gina.reg | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2902 | sig_238_hunt | Disclosed hacktool set (old stuff) - file hunt.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2903 | sig_238_iecv | Disclosed hacktool set (old stuff) - file iecv.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2904 | sig_238_letmein | Disclosed hacktool set (old stuff) - file letmein.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2905 | sig_238_listip | Disclosed hacktool set (old stuff) - file listip.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2906 | sig_238_nbtdump | Disclosed hacktool set (old stuff) - file nbtdump.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2907 | sig_238_sqlcmd | Disclosed hacktool set (old stuff) - file sqlcmd.exe | - | 2014-11-23 00:00:00 | 40 | Florian Roth | HKTL |
2908 | sig_238_token | Disclosed hacktool set (old stuff) - file token.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2909 | sig_238_webget | Disclosed hacktool set (old stuff) - file webget.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2910 | sig_238_xsniff | Disclosed hacktool set (old stuff) - file xsniff.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2911 | simple_backdoor_php | Semi-Auto-generated - file simple-backdoor.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | MAL,WEBSHELL |
2912 | simple_cmd_html | Semi-Auto-generated - file simple_cmd.html.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2913 | skeleton_key_injected_code | Skeleton Key injected Code http://goo.gl/aAk3lN | http://goo.gl/aAk3lN | 2015-01-13 00:00:00 | 70 | Dell SecureWorks Counter Threat Unit | |
2914 | skeleton_key_patcher | Skeleton Key Patcher from Dell SecureWorks Report http://goo.gl/aAk3lN | http://goo.gl/aAk3lN | 2015-01-13 00:00:00 | 70 | Dell SecureWorks Counter Threat Unit | |
2915 | small_php_php | Semi-Auto-generated - file small.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2916 | snifferport | Disclosed hacktool set (old stuff) - file snifferport.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2917 | splitjoin | Disclosed hacktool set (old stuff) - file splitjoin.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2918 | sql1433_SQL | Chinese Hacktool Set - file SQL.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2919 | sql1433_Start | Chinese Hacktool Set - file Start.bat | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,SCRIPTS |
2920 | sql1433_creck | Chinese Hacktool Set - file creck.bat | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,FILE,HKTL,SCRIPTS |
2921 | sql_php_php | Semi-Auto-generated - file sql.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2922 | sqlcheck | Disclosed hacktool set (old stuff) - file sqlcheck.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2923 | stealth_Stealth | Auto-generated rule on file Stealth.exe | - | 1970-01-01 01:00:00 | 70 | yarGen Yara Rule Generator by Florian Roth | HKTL |
2924 | subTee_nativecmd | NativeCmd - used by various threat groups | https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/ | 2015-07-10 00:00:00 | 40 | Florian Roth | EXE,FILE |
2925 | superscan3_0 | Disclosed hacktool set (old stuff) - file superscan3.0.exe | - | 2014-11-23 00:00:00 | 60 | Florian Roth | HKTL |
2926 | susp_file_enumerator_with_encrypted_resource_101 | Generic detection for samples that enumerate files with encrypted resource called 101 | https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/ | 1970-01-01 01:00:00 | 70 | - | EXTVAR,FILE,GEN |
2927 | svchost_ANOMALY | Abnormal svchost.exe - typical strings not found in file | - | 2014-04-23 00:00:00 | 55 | Florian Roth | EXTVAR |
2928 | svchostdll | Webshells Auto-generated - file svchostdll.dll | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2929 | taskmgr_ANOMALY | Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file taskmgr.exe | not set | 2015-03-16 00:00:00 | 70 | Florian Roth | EXTVAR |
2930 | telnet_cgi | Semi-Auto-generated - file telnet.cgi.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2931 | telnet_pl | Semi-Auto-generated - file telnet.pl.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2932 | telnetd_pl | Semi-Auto-generated - file telnetd.pl.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2933 | templatr | Chinese Hacktool Set - file templatr.php | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2934 | thelast_index3 | Webshells Auto-generated - file index3.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2935 | thelast_orice2 | Webshells Auto-generated - file orice2.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2936 | tools_NTCmd | Chinese Hacktool Set - file NTCmd.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2937 | tools_Sqlcmd | Chinese Hacktool Set - file Sqlcmd.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2938 | trigger_drop | Chinese Hacktool Set - file trigger_drop.php | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2939 | trigger_modify | Chinese Hacktool Set - file trigger_modify.php | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2940 | turla_png_dropper | Detects the PNG Dropper used by the Turla group | https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/ | 2018-11-23 00:00:00 | 70 | Ben Humphrey | FILE,MAL,RUSSIA |
2941 | turla_png_reg_enum_payload | Payload that has most recently been dropped by the Turla PNG Dropper | https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/ | 2018-11-23 00:00:00 | 70 | Ben Humphrey | FILE,MAL,RUSSIA |
2942 | u_uay | Webshells Auto-generated - file uay.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2943 | unknown2 | Chinese Hacktool Set - file unknown2.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2944 | update_PcInit | Chinese Hacktool Set - file PcInit.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2945 | update_PcMain | Chinese Hacktool Set - file PcMain.dll | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2946 | uploader_php_php | Semi-Auto-generated - file uploader.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2947 | users_list | Chinese Hacktool Set - file users_list.php | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,HKTL,WEBSHELL |
2948 | ustrrefadd | Chinese Hacktool Set - file ustrrefadd.dll | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
2949 | vanquish | Webshells Auto-generated - file vanquish.dll | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2950 | vanquish_2 | Webshells Auto-generated - file vanquish.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2951 | w3d_php_php | Semi-Auto-generated - file w3d.php.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
2952 | warfiles_cmd | Laudanum Injector Tools - file cmd.jsp | http://laudanum.inguardians.com/ | 2015-06-22 00:00:00 | 70 | Florian Roth | HKTL,WEBSHELL |
2953 | wce | wce | - | 1970-01-01 01:00:00 | 70 | Benjamin DELPY (gentilkiwi) | HKTL |
2954 | webadmin | Webshells Auto-generated - file webadmin.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2955 | webshell | Webshells Auto-generated - file webshell.php | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
2956 | webshell_000_403_807_a_c5_config_css_dm_he1p_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_xxx | Web Shell | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2957 | webshell_000_403_807_a_c5_config_css_dm_he1p_xxx | Web Shell | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2958 | webshell_000_403_c5_config_myxx_queryDong_spyjsp2010_zend | Web Shell - from files 000.jsp, 403.jsp, c5.jsp, config.jsp, myxx.jsp, queryDong.jsp, spyjsp2010.jsp, zend.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2959 | webshell_000_403_c5_queryDong_spyjsp2010 | Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2960 | webshell_000_403_c5_queryDong_spyjsp2010_t00ls | Web Shell - from files 000.jsp, 403.jsp, c5.jsp, queryDong.jsp, spyjsp2010.jsp, t00ls.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2961 | webshell_2008_2009lite_2009mssql | Web Shell - from files 2008.php, 2009lite.php, 2009mssql.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2962 | webshell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz | Web Shell | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2963 | webshell_201_3_ma_download | Web Shell - from files 201.jsp, 3.jsp, ma.jsp, download.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2964 | webshell_2_520_icesword_job_ma1 | Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2965 | webshell_2_520_icesword_job_ma1_ma4_2 | Web Shell - from files 2.jsp, 520.jsp, icesword.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2966 | webshell_2_520_job_JspWebshell_1_2_ma1_ma4_2 | Web Shell - from files 2.jsp, 520.jsp, job.jsp, JspWebshell 1.2.jsp, ma1.jsp, ma4.jsp, 2.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2967 | webshell_2_520_job_ma1_ma4_2 | Web Shell - from files 2.jsp, 520.jsp, job.jsp, ma1.jsp, ma4.jsp, 2.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2968 | webshell_400_in_JFolder_jfolder01_jsp_leo_warn_webshell_nc | Web Shell - from files 400.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp, webshell-nc.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2969 | webshell_404_data_in_JFolder_jfolder01_jsp_suiyue_warn | Web Shell - from files 404.jsp, data.jsp, in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, suiyue.jsp, warn.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2970 | webshell_404_data_in_JFolder_jfolder01_xxx | Web Shell | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2971 | webshell_404_data_suiyue | Web Shell - from files 404.jsp, data.jsp, suiyue.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2972 | webshell_807_a_css_dm_he1p_JspSpy_xxx | Web Shell | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2973 | webshell_807_dm_JspSpyJDK5_m_cofigrue | Web Shell - from files 807.jsp, dm.jsp, JspSpyJDK5.jsp, m.jsp, cofigrue.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2974 | webshell_ASP_RemExp | Web Shell - file RemExp.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2975 | webshell_ASP_aspydrv | Web Shell - file aspydrv.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2976 | webshell_ASP_cmd | Web Shell - file cmd.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2977 | webshell_ASP_tool | Web Shell - file tool.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2978 | webshell_ASP_zehir4 | Web Shell - file zehir4.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2979 | webshell_ASP_zehir | Web Shell - file zehir.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2980 | webshell_Ani_Shell | Web Shell - file Ani-Shell.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2981 | webshell_Antichat_Shell_v1_3_2 | Web Shell - file Antichat Shell v1.3.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2982 | webshell_B374kPHP_B374k | Web Shell - file B374k.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2983 | webshell_C99madShell_v_3_0_smowu | Web Shell - file smowu.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2984 | webshell_Crystal_Crystal | Web Shell - file Crystal.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2985 | webshell_DarkBlade1_3_asp_indexx | Web Shell - file indexx.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2986 | webshell_Dive_Shell_1_0_Emperor_Hacking_Team_xxx | Web Shell | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2987 | webshell_Dx_Dx | Web Shell - file Dx.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2988 | webshell_ELMALISEKER_Backd00r | Web Shell - file ELMALISEKER Backd00r.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2989 | webshell_Expdoor_com_ASP | Web shells - generated from file Expdoor.com ASP.asp | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2990 | webshell_GetPostpHp | Web shells - generated from file GetPostpHp.php | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2991 | webshell_Inderxer | Web Shell - file Inderxer.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2992 | webshell_Java_Shell | Web Shell - file Java Shell.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2993 | webshell_JspSpy_JspSpyJDK5_JspSpyJDK51_luci_jsp_spy2009_m_ma3_xxx | Web Shell | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2994 | webshell_Jspspyweb | Web Shell - file Jspspyweb.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2995 | webshell_Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit | Web Shell - file Liz0ziM Private Safe Mode Command Execuriton Bypass Exploit.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2996 | webshell_Macker_s_Private_PHPShell | Web Shell - file Macker's Private PHPShell.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2997 | webshell_MySQL_Web_Interface_Version_0_8 | Web Shell - file MySQL Web Interface Version 0.8.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2998 | webshell_Mysql_interface_v1_0 | Web Shell - file Mysql interface v1.0.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
2999 | webshell_NIX_REMOTE_WEB_SHELL_NIX_REMOTE_WEB_xxx1 | Web Shell | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3000 | webshell_NIX_REMOTE_WEB_SHELL_nstview_xxx | Web Shell | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3001 | webshell_NetworkFileManagerPHP | Web Shell - file NetworkFileManagerPHP.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3002 | webshell_PHPJackal_v1_5 | Web Shell - file PHPJackal v1.5.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | MIDDLE_EAST,WEBSHELL |
3003 | webshell_PHPRemoteView | Web Shell - file PHPRemoteView.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3004 | webshell_PHP_150 | Web Shell - file 150.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3005 | webshell_PHP_404 | Web Shell - file 404.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3006 | webshell_PHP_G5 | Web Shell - file G5.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3007 | webshell_PHP_Shell_x3 | Web Shell - file PHP Shell.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3008 | webshell_PHP_a | Web Shell - file a.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3009 | webshell_PHP_b37 | Web Shell - file b37.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3010 | webshell_PHP_bug_1_ | Web Shell - file bug (1).php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3011 | webshell_PHP_c37 | Web Shell - file c37.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3012 | webshell_PHP_co | Web Shell - file co.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3013 | webshell_PHP_g00nv13 | Web Shell - file g00nv13.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3014 | webshell_PHP_r57142 | Web Shell - file r57142.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3015 | webshell_PHP_redcod | Web Shell - file redcod.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3016 | webshell_PHP_sql | Web Shell - file sql.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3017 | webshell_PH_Vayv_PH_Vayv | Web Shell - file PH Vayv.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3018 | webshell_Private_i3lue | Web Shell - file Private-i3lue.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3019 | webshell_Safe_Mode_Bypass_PHP_4_4_2_and_PHP_5_1_2 | Web Shell - file Safe_Mode Bypass PHP 4.4.2 and PHP 5.1.2.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3020 | webshell_Safe_mode_breaker | Web Shell - file Safe mode breaker.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3021 | webshell_Server_Variables | Web Shell - file Server Variables.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3022 | webshell_Shell_ci_Biz_was_here_c100_v_xxx | Web Shell | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3023 | webshell_SimAttacker_Vrsion_1_0_0_priv8_4_My_friend | Web Shell - file SimAttacker - Vrsion 1.0.0 - priv8 4 My friend.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3024 | webshell_Sst_Sheller | Web Shell - file Sst-Sheller.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3025 | webshell_WinX_Shell | Web Shell - file WinX Shell.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3026 | webshell_Worse_Linux_Shell | Web Shell - file Worse Linux Shell.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | LINUX,WEBSHELL |
3027 | webshell_aZRaiLPhp_v1_0 | Web Shell - file aZRaiLPhp v1.0.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3028 | webshell_asp_01 | Web Shell - file 01.asp | - | 2014-01-28 00:00:00 | 50 | Florian Roth | WEBSHELL |
3029 | webshell_asp_1 | Web Shell - file 1.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3030 | webshell_asp_1d | Web Shell - file 1d.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3031 | webshell_asp_404 | Web Shell - file 404.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3032 | webshell_asp_Ajan | Web Shell - file Ajan.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3033 | webshell_asp_EFSO_2 | Web Shell - file EFSO_2.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3034 | webshell_asp_Rader | Web Shell - file Rader.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3035 | webshell_asp_ajn | Web Shell - file ajn.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3036 | webshell_asp_cmd | Web Shell - file cmd.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3037 | webshell_asp_cmdasp | Web Shell - file cmdasp.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3038 | webshell_asp_dabao | Web Shell - file dabao.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3039 | webshell_asp_ice | Web Shell - file ice.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3040 | webshell_asp_list | Web Shell - file list.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3041 | webshell_asp_ntdaddy | Web Shell - file ntdaddy.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3042 | webshell_asp_shell | Web Shell - file shell.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3043 | webshell_asp_up | Web Shell - file up.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3044 | webshell_browser_201_3_400_in_JFolder_jfolder01_jsp_leo_ma_warn_webshell_nc_download | Web Shell | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3045 | webshell_browser_201_3_ma_download | Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, download.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3046 | webshell_browser_201_3_ma_ma2_download | Web Shell - from files browser.jsp, 201.jsp, 3.jsp, ma.jsp, ma2.jsp, download.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3047 | webshell_bypass_iisuser_p | Web shells - generated from file bypass-iisuser-p.asp | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3048 | webshell_c99_Shell_ci_Biz_was_here_c100_v_xxx | Web Shell | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3049 | webshell_c99_c66_c99_shadows_mod_c99shell | Web Shell - from files c99.php, c66.php, c99-shadows-mod.php, c99shell.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3050 | webshell_c99_c99shell_c99_c99shell | Web Shell - from files c99.php, c99shell.php, c99.php, c99shell.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3051 | webshell_c99_c99shell_c99_w4cking_Shell_xxx | Web Shell | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3052 | webshell_c99_generic | Semi-Auto-generated | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
3053 | webshell_c99_locus7s_c99_w4cking_xxx | Web Shell | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3054 | webshell_c99_madnet_smowu | Web Shell - file smowu.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3055 | webshell_caidao_shell_404 | Web Shell - file 404.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3056 | webshell_caidao_shell_guo | Web Shell - file guo.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3057 | webshell_caidao_shell_hkmjj | Web Shell - file hkmjj.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3058 | webshell_caidao_shell_ice | Web Shell - file ice.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3059 | webshell_caidao_shell_ice_2 | Web Shell - file ice.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3060 | webshell_caidao_shell_mdb | Web Shell - file mdb.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3061 | webshell_cihshell_fix | Web Shell - file cihshell_fix.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3062 | webshell_cmd_asp_5_1 | Web Shell - file cmd-asp-5.1.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3063 | webshell_cmd_win32 | Web Shell - file cmd_win32.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3064 | webshell_config_myxx_zend | Web Shell - from files config.jsp, myxx.jsp, zend.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3065 | webshell_cpg_143_incl_xpl | Web Shell - file cpg_143_incl_xpl.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3066 | webshell_customize | Web Shell - file customize.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3067 | webshell_dev_core | Web shells - generated from file dev_core.php | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3068 | webshell_drag_system | Web Shell - file system.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3069 | webshell_e8eaf8da94012e866e51547cd63bb996379690bf | Detects a web shell | https://github.com/bartblaze/PHP-backdoors | 2016-09-10 00:00:00 | 70 | Florian Roth | FILE,WEBSHELL |
3070 | webshell_elmaliseker_2 | Web Shell - file elmaliseker.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3071 | webshell_gfs_sh_r57shell_r57shell127_SnIpEr_SA_xxx | Web Shell | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3072 | webshell_ghost_source_icesword_silic | Web Shell - from files ghost_source.php, icesword.php, silic.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3073 | webshell_h4ntu_shell_powered_by_tsoi_ | Web Shell - file h4ntu shell [powered by tsoi].php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3074 | webshell_he1p_JspSpy_nogfw_ok_style_1_JspSpy1 | Web Shell - from files he1p.jsp, JspSpy.jsp, nogfw.jsp, ok.jsp, style.jsp, 1.jsp, JspSpy.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3075 | webshell_iMHaPFtp_2 | Web Shell - file iMHaPFtp.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3076 | webshell_in_JFolder_jfolder01_jsp_leo_warn | Web Shell - from files in.jsp, JFolder.jsp, jfolder01.jsp, jsp.jsp, leo.jsp, warn.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3077 | webshell_ironshell | Web Shell - file ironshell.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3078 | webshell_itsec_PHPJackal_itsecteam_shell_jHn | Web Shell - from files itsec.php, PHPJackal.php, itsecteam_shell.php, jHn.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | MIDDLE_EAST,WEBSHELL |
3079 | webshell_itsec_itsecteam_shell_jHn | Web Shell - from files itsec.php, itsecteam_shell.php, jHn.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3080 | webshell_jspShell | Web Shell - file jspShell.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3081 | webshell_jsp_12302 | Web Shell - file 12302.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3082 | webshell_jsp_123 | Web Shell - file 123.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3083 | webshell_jsp_IXRbE | Web Shell - file IXRbE.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3084 | webshell_jsp_action | Web Shell - file action.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3085 | webshell_jsp_asd | Web Shell - file asd.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3086 | webshell_jsp_cmd | Web Shell - file cmd.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3087 | webshell_jsp_cmdjsp | Web Shell - file cmdjsp.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3088 | webshell_jsp_cmdjsp_2 | Web Shell - file cmdjsp.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3089 | webshell_jsp_guige02 | Web Shell - file guige02.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3090 | webshell_jsp_guige | Web Shell - file guige.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3091 | webshell_jsp_hsxa1 | Web Shell - file hsxa1.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3092 | webshell_jsp_hsxa | Web Shell - file hsxa.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3093 | webshell_jsp_inback3 | Web Shell - file inback3.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3094 | webshell_jsp_jdbc | Web Shell - file jdbc.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3095 | webshell_jsp_jshell | Web Shell - file jshell.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3096 | webshell_jsp_k81 | Web Shell - file k81.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3097 | webshell_jsp_k8cmd | Web Shell - file k8cmd.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3098 | webshell_jsp_list1 | Web Shell - file list1.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3099 | webshell_jsp_list | Web Shell - file list.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3100 | webshell_jsp_reverse_jsp_reverse_jspbd | Web Shell - from files jsp-reverse.jsp, jsp-reverse.jsp, jspbd.jsp | - | 2014-01-28 00:00:00 | 50 | Florian Roth | WEBSHELL |
3101 | webshell_jsp_sys3 | Web Shell - file sys3.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3102 | webshell_jsp_tree | Web Shell - file tree.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3103 | webshell_jsp_up | Web Shell - file up.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3104 | webshell_jsp_utils | Web Shell - file utils.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3105 | webshell_jsp_web | Web Shell - file web.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3106 | webshell_jsp_zx | Web Shell - file zx.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3107 | webshell_metaslsoft | Web Shell - file metaslsoft.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3108 | webshell_minupload | Web Shell - file minupload.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3109 | webshell_mumaasp_com | Web Shell - file mumaasp.com.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3110 | webshell_mysqlwebsh | Web Shell - file mysqlwebsh.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3111 | webshell_php | Semi-Auto-generated - file webshell.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
3112 | webshell_php_2 | Web Shell - file 2.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3113 | webshell_php_404 | Web Shell - file 404.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3114 | webshell_php_backdoor | Web Shell - file php-backdoor.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | MAL,WEBSHELL |
3115 | webshell_php_cmd | Web Shell - file cmd.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3116 | webshell_php_dodo_zip | Web Shell - file zip.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3117 | webshell_php_fbi | Web Shell - file fbi.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3118 | webshell_php_ghost | Web Shell - file ghost.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3119 | webshell_php_h6ss | Web Shell - file h6ss.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3120 | webshell_php_list | Web Shell - file list.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3121 | webshell_php_moon | Web Shell - file moon.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3122 | webshell_php_s_u | Web Shell - file s-u.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3123 | webshell_php_sh_server | Web Shell - file server.php | - | 2014-01-28 00:00:00 | 50 | Florian Roth | WEBSHELL |
3124 | webshell_php_up | Web Shell - file up.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3125 | webshell_phpkit_0_1a_odd | Web Shell - file odd.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3126 | webshell_phpkit_1_0_odd | Web Shell - file odd.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3127 | webshell_phpshell3 | Web Shell - file phpshell3.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3128 | webshell_phpshell_2_1_config | Web Shell - file config.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3129 | webshell_phpshell_2_1_pwhash | Web Shell - file pwhash.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3130 | webshell_phpspy2010 | Web Shell - file phpspy2010.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3131 | webshell_phpspy_2005_full_phpspy_2005_lite_PHPSPY | Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, PHPSPY.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3132 | webshell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_PHPSPY | Web Shell - from files phpspy_2005_full.php, phpspy_2005_lite.php, phpspy_2006.php, PHPSPY.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3133 | webshell_r57_1_4_0 | Web Shell - file r57.1.4.0.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3134 | webshell_r57shell127_r57_iFX_r57_kartal_r57_antichat | Web Shell - from files r57shell127.php, r57_iFX.php, r57_kartal.php, r57.php, antichat.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3135 | webshell_r57shell127_r57_kartal_r57 | Web Shell - from files r57shell127.php, r57_kartal.php, r57.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3136 | webshell_r57shell_r57shell127_SnIpEr_SA_Shell_EgY_SpIdEr_ShElL_V2_r57_xxx | Web Shell | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3137 | webshell_redirect | Web Shell - file redirect.asp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3138 | webshell_remview_fix | Web Shell - file remview_fix.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3139 | webshell_s72_Shell_v1_1_Coding | Web Shell - file s72 Shell v1.1 Coding.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3140 | webshell_shell_2008_2009mssql_phpspy_2005_full_phpspy_2006_arabicspy_hkrkoz | Web Shell | - | 2014-01-28 00:00:00 | 60 | Florian Roth | WEBSHELL |
3141 | webshell_shell_phpspy_2005_full_phpspy_2005_lite_phpspy_2006_arabicspy_PHPSPY_hkrkoz | Web Shell | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3142 | webshell_shell_phpspy_2006_arabicspy | Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3143 | webshell_shell_phpspy_2006_arabicspy_hkrkoz | Web Shell - from files shell.php, phpspy_2006.php, arabicspy.php, hkrkoz.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3144 | webshell_sig_404super | Web shells - generated from file 404super.php | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3145 | webshell_simple_backdoor | Web Shell - file simple-backdoor.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | MAL,WEBSHELL |
3146 | webshell_spjspshell | Web Shell - file spjspshell.jsp | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3147 | webshell_tinyasp | Detects 24 byte ASP webshell and variations | - | 2019-01-09 00:00:00 | 70 | Jeff Beley | FILE,WEBSHELL |
3148 | webshell_webshell_123 | Web shells - generated from file webshell-123.php | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3149 | webshell_webshell_cnseay02_1 | Web Shell - file webshell-cnseay02-1.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3150 | webshell_webshell_cnseay_x | Web Shell - file webshell-cnseay-x.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3151 | webshell_webshells_new_Asp | Web shells - generated from file Asp.asp | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3152 | webshell_webshells_new_JJJsp2 | Web shells - generated from file JJJsp2.jsp | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3153 | webshell_webshells_new_JJjsp3 | Web shells - generated from file JJjsp3.jsp | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3154 | webshell_webshells_new_JSP | Web shells - generated from file JSP.jsp | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3155 | webshell_webshells_new_PHP1 | Web shells - generated from file PHP1.php | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3156 | webshell_webshells_new_PHP | Web shells - generated from file PHP.php | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3157 | webshell_webshells_new_aaa | Web shells - generated from file aaa.asp | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3158 | webshell_webshells_new_asp1 | Web shells - generated from file asp1.asp | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3159 | webshell_webshells_new_code | Web shells - generated from file code.php | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3160 | webshell_webshells_new_con2 | Web shells - generated from file con2.asp | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3161 | webshell_webshells_new_jspyyy | Web shells - generated from file jspyyy.jsp | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3162 | webshell_webshells_new_make2 | Web shells - generated from file make2.php | - | 2014-03-28 00:00:00 | 50 | Florian Roth | WEBSHELL |
3163 | webshell_webshells_new_pHp | Web shells - generated from file pHp.php | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3164 | webshell_webshells_new_php2 | Web shells - generated from file php2.php | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3165 | webshell_webshells_new_php5 | Web shells - generated from file php5.php | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3166 | webshell_webshells_new_php6 | Web shells - generated from file php6.php | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3167 | webshell_webshells_new_pppp | Web shells - generated from file pppp.php | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3168 | webshell_webshells_new_radhat | Web shells - generated from file radhat.asp | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3169 | webshell_webshells_new_xxx | Web shells - generated from file xxx.php | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3170 | webshell_webshells_new_xxxx | Web shells - generated from file xxxx.php | - | 2014-03-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3171 | webshell_wsb_idc | Web Shell - file idc.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3172 | webshell_wso2_5_1_wso2_5_wso2 | Web Shell - from files wso2.5.1.php, wso2.5.php, wso2.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3173 | webshell_zacosmall | Web Shell - file zacosmall.php | - | 2014-01-28 00:00:00 | 70 | Florian Roth | WEBSHELL |
3174 | wh_bindshell_py | Semi-Auto-generated - file wh_bindshell.py.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |
3175 | whosthere | Auto-generated rule - file whosthere.exe | http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit | 2015-07-10 00:00:00 | 80 | Florian Roth | EXE,FILE |
3176 | whosthere_alt | Auto-generated rule - file whosthere-alt.exe | http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit | 2015-07-10 00:00:00 | 80 | Florian Roth | EXE,FILE |
3177 | whosthere_alt_pth | Auto-generated rule - file pth.dll | http://www.coresecurity.com/corelabs-research/open-source-tools/pass-hash-toolkit | 2015-07-10 00:00:00 | 80 | Florian Roth | EXE,FILE |
3178 | wininit_ANOMALY | Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file wininit.exe | not set | 2015-03-16 00:00:00 | 70 | Florian Roth | EXTVAR |
3179 | winlogon_ANOMALY | Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file winlogon.exe | not set | 2015-03-16 00:00:00 | 70 | Florian Roth | EXTVAR |
3180 | winshell | Webshells Auto-generated - file winshell.exe | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
3181 | x64_KiwiCmd | Chinese Hacktool Set - file KiwiCmd.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
3182 | x64_klock | Chinese Hacktool Set - file klock.dll | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
3183 | xDedic_SysScan_unpacked | Detects SysScan APT tool | https://securelist.com/blog/research/75027/xdedic-the-shady-world-of-hacked-servers-for-sale/ | 2016-03-14 00:00:00 | 70 | Kaspersky Lab | APT,FILE |
3184 | xRAT_1 | Detects Patchwork malware | https://goo.gl/Pg3P4W | 2017-12-11 00:00:00 | 70 | Florian Roth | EXE,FILE |
3185 | x_way2_5_X_way | Chinese Hacktool Set - file X-way.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
3186 | x_way2_5_sqlcmd | Chinese Hacktool Set - file sqlcmd.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
3187 | xdedic_packed_syscan | - | - | 1970-01-01 01:00:00 | 70 | Kaspersky Lab - modified by Florian Roth | FILE |
3188 | xscan_gui | Chinese Hacktool Set - file xscan_gui.exe | http://tools.zjqhr.com/ | 2015-06-13 00:00:00 | 70 | Florian Roth | CHINA,EXE,FILE,HKTL |
3189 | xssshell | Webshells Auto-generated - file xssshell.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
3190 | xssshell_db | Webshells Auto-generated - file db.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
3191 | xssshell_default | Webshells Auto-generated - file default.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
3192 | xssshell_save | Webshells Auto-generated - file save.asp | - | 1970-01-01 01:00:00 | 70 | Florian Roth | WEBSHELL |
3193 | z_webshell | Detection for the z_webshell | - | 2018-01-25 00:00:00 | 70 | DHS NCCIC Hunt and Incident Response Team | FILE |
3194 | zacosmall_php | Semi-Auto-generated - file zacosmall.php.txt | - | 1970-01-01 01:00:00 | 70 | Neo23x0 Yara BRG + customization by Stefan -dfate- Molls | WEBSHELL |