HackTool_MSIL_Rubeus_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public Rubeus project." md5 = "66e0681a500c726ed52e5ea9423d2654" rev = 4 author = "FireEye" Trojan_Raw_Generic_4 date_created = "2020-12-02" date_modified = "2020-12-02" md5 = "f41074be5b423afb02a74bc74222e35d" rev = 1 author = "FireEye" HackTool_Win32_AndrewSpecial_1 date_created = "2020-11-25" date_modified = "2020-11-25" md5 = "e89efa88e3fda86be48c0cc8f2ef7230" rev = 4 author = "FireEye" APT_Backdoor_Win_GORAT_3 description = "This rule uses the same logic as FE_APT_Trojan_Win_GORAT_1_FEBeta with the addition of one check, to look for strings that are known to be in the Gorat implant when a certain cleaning script is not run against it." md5 = "995120b35db9d2f36d7d0ae0bfc9c10d" rev = 5 author = "FireEye" CredTheft_Win_EXCAVATOR_1 description = "This rule looks for the binary signature of the 'Inject' method found in the main Excavator PE." md5 = "f7d9961463b5110a3d70ee2e97842ed3" rev = 4 author = "FireEye" APT_Loader_Win64_REDFLARE_1 date_created = "2020-11-27" date_modified = "2020-11-27" md5 = "f20824fa6e5c81e3804419f108445368" rev = 1 author = "FireEye" APT_Loader_Raw64_REDFLARE_1 date_created = "2020-11-27" date_modified = "2020-11-27" md5 = "5e14f77f85fd9a5be46e7f04b8a144f5" rev = 1 author = "FireEye" HackTool_MSIL_SHARPZEROLOGON_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public 'sharpzerologon' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 3 author = "FireEye" HackTool_MSIL_CoreHound_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'CoreHound' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 1 author = "FireEye" Loader_MSIL_NETAssemblyInject_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'NET-Assembly-Inject' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 2 author = "FireEye" Hunting_GadgetToJScript_1 description = "This rule is looking for B64 offsets of LazyNetToJscriptLoader which is a namespace specific to the internal version of the GadgetToJScript tooling." md5 = "7af24305a409a2b8f83ece27bb0f7900" rev = 4 author = "FireEye" Trojan_MSIL_GORAT_Plugin_DOTNET_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'RedFlare - Plugin - .NET' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 1 author = "FireEye" APT_Trojan_Win_REDFLARE_1 date_created = "2020-11-27" date_modified = "2020-11-27" md5 = "100d73b35f23b2fe84bf7cd37140bf4d,4e7e90c7147ee8aa01275894734f4492" rev = 3 author = "FireEye" APT_Dropper_Win64_MATRYOSHKA_1 date_created = "2020-12-02" date_modified = "2020-12-02" description = "matryoshka_dropper.rs" md5 = "edcd58ba5b1b87705e95089002312281" rev = 1 author = "FireEye" APT_HackTool_MSIL_SHARPGOPHER_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharpgopher' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 2 author = "FireEye" HackTool_MSIL_KeeFarce_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'KeeFarce' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 3 author = "FireEye" APT_Backdoor_Win_GORAT_1 description = "This detects if a sample is less than 50KB and has a number of strings found in the Gorat shellcode (stage0 loader). The loader contains an embedded DLL (stage0.dll) that contains a number of unique strings. The 'Cookie' string found in this loader is important as this cookie is needed by the C2 server to download the Gorat implant (stage1 payload)." md5 = "66cdaa156e4d372cfa3dea0137850d20" rev = 4 author = "FireEye" APT_Dropper_Win_MATRYOSHKA_1 date_created = "2020-12-02" date_modified = "2020-12-02" description = "matryoshka_dropper.rs" md5 = "edcd58ba5b1b87705e95089002312281" rev = 1 author = "FireEye" Loader_Win_Generic_20 date_created = "2020-12-02" date_modified = "2020-12-02" md5 = "5125979110847d35a338caac6bff2aa8" rev = 1 author = "FireEye" APT_Loader_Win32_PGF_2 date_created = "2020-11-25" date_modified = "2020-11-25" description = "base dlls: /lib/payload/techniques/dllmain/" md5 = "04eb45f8546e052fe348fda2425b058c" rev = 1 author = "FireEye" APT_HackTool_MSIL_REDTEAMMATERIALS_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'red_team_materials' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 3 author = "FireEye" APT_Trojan_Win_REDFLARE_7 date_created = "2020-12-02" date_modified = "2020-12-02" md5 = "e7beece34bdf67cbb8297833c5953669, 8025bcbe3cc81fc19021ad0fbc11cf9b" rev = 1 author = "FireEye" APT_Trojan_Win_REDFLARE_8 date_created = "2020-12-02" date_modified = "2020-12-02" md5 = "9c8eb908b8c1cda46e844c24f65d9370, 9e85713d615bda23785faf660c1b872c" rev = 1 author = "FireEye" APT_Backdoor_Win_GORAT_5 date_created = "2020-12-02" date_modified = "2020-12-02" md5 = "cdf58a48757010d9891c62940c439adb, a107850eb20a4bb3cc59dbd6861eaf0f" rev = 1 author = "FireEye" APT_HackTool_MSIL_GPOHUNT_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'gpohunt' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 3 author = "FireEye" APT_HackTool_MSIL_JUSTASK_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'justask' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 2 author = "FireEye" APT_Trojan_Win_REDFLARE_4 date_created = "2020-12-01" date_modified = "2020-12-01" md5 = "a8b5dcfea5e87bf0e95176daa243943d, 9dcb6424662941d746576e62712220aa" rev = 2 author = "FireEye" APT_HackTool_MSIL_TITOSPECIAL_1 date_created = "2020-11-25" date_modified = "2020-11-25" md5 = "4bf96a7040a683bd34c618431e571e26" rev = 5 author = "FireEye" Dropper_LNK_LNKSmasher_1 description = "The LNKSmasher project contains a prebuilt LNK file that has pieces added based on various configuration items. Because of this, several artifacts are present in every single LNK file generated by LNKSmasher, including the Drive Serial #, the File Droid GUID, and the GUID CLSID." md5 = "0a86d64c3b25aa45428e94b6e0be3e08" rev = 6 author = "FireEye" HackTool_MSIL_SharpSchtask_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SharpSchtask' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 1 author = "FireEye" APT_Controller_Linux_REDFLARE_1 date_created = "2020-12-02" date_modified = "2020-12-02" md5 = "79259451ff47b864d71fb3f94b1774f3, 82773afa0860d668d7fe40e3f22b0f3e" rev = 1 author = "FireEye" APT_HackTool_MSIL_WMISPY_2 description = "wql searches" md5 = "3651f252d53d2f46040652788499d65a" rev = 4 author = "FireEye" HackTool_MSIL_SharPersist_2 md5 = "98ecf58d48a3eae43899b45cec0fc6b7" rev = 1 author = "FireEye" APT_Loader_Win_MATRYOSHKA_1 date_created = "2020-12-02" date_modified = "2020-12-02" description = "matryoshka_process_hollow.rs" md5 = "44887551a47ae272d7873a354d24042d" rev = 1 author = "FireEye" Builder_MSIL_SinfulOffice_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SinfulOffice' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 1 author = "FireEye" Loader_MSIL_SharPy_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SharPy' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 1 author = "FireEye" APT_Loader_MSIL_WILDCHILD_1 date_created = "2020-12-01" date_modified = "2020-12-01" md5 = "6f04a93753ae3ae043203437832363c4" rev = 1 author = "FireEye" Loader_Win_Generic_18 date_created = "2020-11-25" date_modified = "2020-11-25" md5 = "c74ebb6c238bbfaefd5b32d2bf7c7fcc" rev = 3 author = "FireEye" HackTool_MSIL_HOLSTER_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the a customized version of the 'DUEDLLIGENCE' project." md5 = "a91bf61cc18705be2288a0f6f125068f" rev = 2 author = "FireEye" APT_Loader_MSIL_TRIMBISHOP_1 date_created = "2020-12-03" date_modified = "2020-12-03" md5 = "e91670423930cbbd3dbf5eac1f1a7cb6" rev = 1 author = "FireEye" APT_Loader_MSIL_TRIMBISHOP_2 date_created = "2020-12-03" date_modified = "2020-12-03" md5 = "c0598321d4ad4cf1219cc4f84bad4094" rev = 1 author = "FireEye" APT_Backdoor_Win_DShell_3 description = "This rule looks for strings specific to the D programming language in combination with sections of an integer array which contains the encoded payload found within DShell" md5 = "cf752e9cd2eccbda5b8e4c29ab5554b6" rev = 3 author = "FireEye" APT_HackTool_MSIL_SHARPSTOMP_1 date_created = "2020-12-02" date_modified = "2020-12-02" md5 = "83ed748cd94576700268d35666bf3e01" rev = 3 author = "FireEye" APT_HackTool_MSIL_SHARPPATCHCHECK_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharppatchcheck' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 2 author = "FireEye" HackTool_MSIL_SAFETYKATZ_4 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SafetyKatz project." md5 = "45736deb14f3a68e88b038183c23e597" rev = 3 author = "FireEye" APT_Backdoor_MacOS_GORAT_1 description = "This rule is looking for specific strings associated with network activity found within the MacOS generated variant of GORAT" md5 = "68acf11f5e456744262ff31beae58526" rev = 3 author = "FireEye" CredTheft_MSIL_ADPassHunt_2 md5 = "6efb58cf54d1bb45c057efcfbbd68a93" rev = 1 author = "FireEye" APT_Loader_Win64_PGF_4 date_created = "2020-11-26" date_modified = "2020-11-26" md5 = "3bb34ebd93b8ab5799f4843e8cc829fa" rev = 1 author = "FireEye" APT_Loader_Win32_PGF_4 date_created = "2020-11-26" date_modified = "2020-11-26" md5 = "4414953fa397a41156f6fa4f9462d207" rev = 1 author = "FireEye" CredTheft_MSIL_ADPassHunt_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public ADPassHunt project." md5 = "6efb58cf54d1bb45c057efcfbbd68a93" rev = 4 author = "FireEye" HackTool_MSIL_GETDOMAINPASSWORDPOLICY_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the recon utility 'getdomainpasswordpolicy' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 4 author = "FireEye" HackTool_MSIL_SharPivot_1 date_created = "2020-11-25" date_modified = "2020-11-25" md5 = "e4efa759d425e2f26fbc29943a30f5bd" rev = 3 author = "FireEye" APT_Loader_Win32_PGF_3 description = "PGF payload, generated rule based on symfunc/c02594972dbab6d489b46c5dee059e66. Identifies dllmain_hook x86 payloads." md5 = "4414953fa397a41156f6fa4f9462d207" rev = 4 author = "FireEye" APT_Loader_Win32_REDFLARE_2 date_created = "2020-11-27" date_modified = "2020-11-27" md5 = "4e7e90c7147ee8aa01275894734f4492" rev = 1 author = "FireEye" APT_HackTool_MSIL_SHARPSTOMP_2 date_created = "2020-12-02" date_modified = "2020-12-02" md5 = "83ed748cd94576700268d35666bf3e01" rev = 3 author = "FireEye" Loader_MSIL_NetshShellCodeRunner_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'NetshShellCodeRunner' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 2 author = "FireEye" HackTool_MSIL_SharPivot_4 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the SharPivot project." md5 = "e4efa759d425e2f26fbc29943a30f5bd" rev = 3 author = "FireEye" APT_Backdoor_Win_GoRat_Memory description = "Identifies GoRat malware in memory based on strings." md5 = "3b926b5762e13ceec7ac3a61e85c93bb" rev = 1 author = "FireEye" Loader_MSIL_AllTheThings_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'AllTheThings' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 2 author = "FireEye" APT_Loader_Win64_PGF_1 date_created = "2020-11-25" date_modified = "2020-11-25" description = "base dlls: /lib/payload/techniques/unmanaged_exports/" md5 = "2b686a8b83f8e1d8b455976ae70dab6e" rev = 1 author = "FireEye" APT_Trojan_Win_REDFLARE_5 date_created = "2020-12-01" date_modified = "2020-12-01" md5 = "dfbb1b988c239ade4c23856e42d4127b, 3322fba40c4de7e3de0fda1123b0bf5d" rev = 3 author = "FireEye" CredTheft_MSIL_TitoSpecial_1 description = "This rule looks for .NET PE files that have the strings of various method names in the TitoSpecial code." md5 = "4bf96a7040a683bd34c618431e571e26" rev = 4 author = "FireEye" Builder_MSIL_G2JS_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the Gadget2JScript project." md5 = "fa255fdc88ab656ad9bc383f9b322a76" rev = 2 author = "FireEye" APT_Loader_Win32_DShell_2 date_created = "2020-11-27" date_modified = "2020-11-27" md5 = "590d98bb74879b52b97d8a158af912af" rev = 2 author = "FireEye" HackTool_MSIL_SharPivot_3 description = "This rule looks for .NET PE files that have the strings of various method names in the SharPivot code." md5 = "e4efa759d425e2f26fbc29943a30f5bd" rev = 3 author = "FireEye" APT_HackTool_MSIL_FLUFFY_2 date_created = "2020-12-04" date_modified = "2020-12-04" md5 = "11b5aceb428c3e8c61ed24a8ca50553e" rev = 1 author = "FireEye" APT_HackTool_MSIL_FLUFFY_1 date_created = "2020-12-04" date_modified = "2020-12-04" md5 = "11b5aceb428c3e8c61ed24a8ca50553e" rev = 1 author = "FireEye" HackTool_MSIL_SEATBELT_1 description = "This rule looks for .NET PE files that have regex and format strings found in the public tool SeatBelt. Due to the nature of the regex and format strings used for detection, this rule should detect custom variants of the SeatBelt project." md5 = "848837b83865f3854801be1f25cb9f4d" rev = 3 author = "FireEye" HackTool_MSIL_INVEIGHZERO_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'inveighzero' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 2 author = "FireEye" Loader_MSIL_RURALBISHOP_1 date_created = "2020-12-03" date_modified = "2020-12-03" md5 = "e91670423930cbbd3dbf5eac1f1a7cb6" rev = 1 author = "FireEye" Loader_MSIL_RURALBISHOP_2 date_created = "2020-12-03" date_modified = "2020-12-03" md5 = "e91670423930cbbd3dbf5eac1f1a7cb6" rev = 1 author = "FireEye" HackTool_MSIL_PrepShellcode_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'PrepShellcode' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 2 author = "FireEye" APT_Downloader_Win32_REDFLARE_1 date_created = "2020-11-27" date_modified = "2020-11-27" md5 = "05b99d438dac63a5a993cea37c036673" rev = 1 author = "FireEye" Loader_MSIL_WMIRunner_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'WMIRunner' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 1 author = "FireEye" HackTool_MSIL_SharpStomp_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the SharpStomp project." md5 = "83ed748cd94576700268d35666bf3e01" rev = 4 author = "FireEye" Tool_MSIL_SharpGrep_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SharpGrep' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 1 author = "FireEye" Dropper_HTA_WildChild_1 description = "This rule looks for strings present in unobfuscated HTAs generated by the WildChild builder." md5 = "3e61ca5057633459e96897f79970a46d" rev = 5 author = "FireEye" APT_Builder_PY_REDFLARE_2 date_created = "2020-12-01" date_modified = "2020-12-01" md5 = "4410e95de247d7f1ab649aa640ee86fb" rev = 1 author = "FireEye" APT_Loader_Win32_DShell_3 date_created = "2020-11-27" date_modified = "2020-11-27" md5 = "12c3566761495b8353f67298f15b882c" rev = 1 author = "FireEye" APT_Trojan_Linux_REDFLARE_1 date_created = "2020-12-02" date_modified = "2020-12-02" md5 = "79259451ff47b864d71fb3f94b1774f3, 82773afa0860d668d7fe40e3f22b0f3e" rev = 1 author = "FireEye" Loader_MSIL_WildChild_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the WildChild project." md5 = "7e6bc0ed11c2532b2ae7060327457812" rev = 4 author = "FireEye" MSIL_Launcher_DUEDLLIGENCE_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'DUEDLLIGENCE' project." md5 = "a91bf61cc18705be2288a0f6f125068f" rev = 1 author = "FireEye" APT_Backdoor_Win_GORAT_2 description = "Verifies that the sample is a Windows PE that is less than 10MB in size and has the Go build ID strings. Then checks for various strings known to be in the Gorat implant including strings used in C2 json, names of methods, and the unique string 'murica' used in C2 comms. A check is done to ensure the string 'rat' appears in the binary over 1000 times as it is the name of the project used by the implant and is present well over 2000 times." md5 = "f59095f0ab15f26a1ead7eed8cdb4902" rev = 7 author = "FireEye" APT_Loader_Win64_REDFLARE_2 date_created = "2020-11-27" date_modified = "2020-11-27" md5 = "100d73b35f23b2fe84bf7cd37140bf4d" rev = 1 author = "FireEye" HackTool_MSIL_SharPersist_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the SharPersist project." md5 = "98ecf58d48a3eae43899b45cec0fc6b7" rev = 1 author = "FireEye" APT_Backdoor_Win_DShell_1 description = "This rule is looking for sections of an integer array which contains the encoded payload along with a selection of Windows functions that are present within a DShell payload" md5 = "152fc2320790aa16ef9b6126f47c3cca" rev = 4 author = "FireEye" APT_Backdoor_Win_GORAT_4 description = "Verifies that the sample is a Windows PE that is less than 10MB in size and exports numerous functions that are known to be exported by the Gorat implant. This is done in an effort to provide detection for packed samples that may not have other strings but will need to replicate exports to maintain functionality." md5 = "f59095f0ab15f26a1ead7eed8cdb4902" rev = 8 author = "FireEye" APT_HackTool_MSIL_SHARPNFS_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharpnfs' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 3 author = "FireEye" CredTheft_MSIL_CredSnatcher_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'CredSnatcher' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 1 author = "FireEye" HackTool_MSIL_SEATBELT_2 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SeatBelt project." md5 = "9f401176a9dd18fa2b5b90b4a2aa1356" rev = 3 author = "FireEye" APT_Loader_Win32_DShell_1 date_created = "2020-11-27" date_modified = "2020-11-27" md5 = "12c3566761495b8353f67298f15b882c" rev = 1 author = "FireEye" APT_Loader_Win32_PGF_1 date_created = "2020-11-25" date_modified = "2020-11-25" description = "base dlls: /lib/payload/techniques/unmanaged_exports/" md5 = "383161e4deaf7eb2ebeda2c5e9c3204c" rev = 1 author = "FireEye" APT_HackTool_MSIL_SHARPDACL_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharpdacl' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 3 author = "FireEye" APT_HackTool_MSIL_SHARPZIPLIBZIPPER_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharpziplibzipper' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 3 author = "FireEye" APT_Downloader_Win64_REDFLARE_1 date_created = "2020-11-27" date_modified = "2020-11-27" md5 = "9529c4c9773392893a8a0ab8ce8f8ce1" rev = 2 author = "FireEye" APT_Loader_Win64_MATRYOSHKA_1 date_created = "2020-12-02" date_modified = "2020-12-02" description = "matryoshka_process_hollow.rs" md5 = "44887551a47ae272d7873a354d24042d" rev = 1 author = "FireEye" HackTool_MSIL_WMIspy_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'WMIspy' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 1 author = "FireEye" APT_Trojan_Win_REDFLARE_3 date_created = "2020-12-01" date_modified = "2020-12-01" md5 = "9ccda4d7511009d5572ef2f8597fba4e,ece07daca53dd0a7c23dacabf50f56f1" rev = 1 author = "FireEye" APT_Loader_Win_PGF_1 description = "PDB string used in some PGF DLL samples" md5 = "013c7708f1343d684e3571453261b586" rev = 6 author = "FireEye" APT_HackTool_MSIL_SHARPDNS_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharpdns' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 2 author = "FireEye" Loader_MSIL_TrimBishop_1 description = "This rule looks for .NET PE files that have the string 'msg' more than 60 times as well as numerous function names unique to or used by the TrimBishop tool. All strings found in RuralBishop are reversed in TrimBishop and stored in a variable with the format 'msg##'. With the exception of 'msg', 'DTrim', and 'ReverseString' the other strings referenced in this rule may be shared with RuralBishop." md5 = "09bdbad8358b04994e2c04bb26a160ef" rev = 3 author = "FireEye" Loader_Win_Generic_17 date_created = "2020-11-25" date_modified = "2020-11-25" md5 = "562ecbba043552d59a0f23f61cea0983" rev = 3 author = "FireEye" APT_Loader_Win64_PGF_3 description = "PGF payload, generated rule based on symfunc/8a2f2236fdfaa3583ab89076025c6269. Identifies dllmain_hook x64 payloads." md5 = "3bb34ebd93b8ab5799f4843e8cc829fa" rev = 4 author = "FireEye" HackTool_PY_ImpacketObfuscation_1 date_created = "2020-12-01" date_modified = "2020-12-01" description = "smbexec" md5 = "0b1e512afe24c31531d6db6b47bac8ee" rev = 1 author = "FireEye" APT_HackTool_Win64_EXCAVATOR_2 date_created = "2020-12-02" date_modified = "2020-12-02" md5 = "4fd62068e591cbd6f413e1c2b8f75442" rev = 1 author = "FireEye" APT_Loader_Raw32_REDFLARE_1 date_created = "2020-11-27" date_modified = "2020-11-27" md5 = "4022baddfda3858a57c9cbb0d49f6f86" rev = 1 author = "FireEye" APT_Loader_Win64_PGF_2 date_created = "2020-11-25" date_modified = "2020-11-25" description = "base dlls: /lib/payload/techniques/dllmain/" md5 = "4326a7e863928ffbb5f6bdf63bb9126e" rev = 2 author = "FireEye" APT_HackTool_MSIL_SHARPTEMPLATE_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharptemplate' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 2 author = "FireEye" APT_HackTool_MSIL_MODIFIEDSHARPVIEW_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'modifiedsharpview' project." md5 = "db0eaad52465d5a2b86fdd6a6aa869a5" rev = 3 author = "FireEye" APT_Loader_Win32_PGF_5 description = "PGF payload, generated rule based on symfunc/a86b004b5005c0bcdbd48177b5bac7b8" md5 = "8c91a27bbdbe9fb0877daccd28bd7bb5" rev = 3 author = "FireEye" APT_HackTool_MSIL_DNSOVERHTTPS_C2_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public 'DoHC2' External C2 project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 2 author = "FireEye" APT_HackTool_MSIL_LUALOADER_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'lualoader' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 3 author = "FireEye" HackTool_MSIL_PXELOOT_2 description = "This rule looks for .NET PE files that have the strings of various method names in the PXE And Loot code." md5 = "d93100fe60c342e9e3b13150fd91c7d8" rev = 5 author = "FireEye" APT_HackTool_MSIL_PRAT_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'prat' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 3 author = "FireEye" APT_HackTool_MSIL_SHARPNATIVEZIPPER_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharpnativezipper' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 3 author = "FireEye" APT_Loader_Win32_REDFLARE_1 date_created = "2020-11-27" date_modified = "2020-11-27" md5 = "01d68343ac46db6065f888a094edfe4f" rev = 1 author = "FireEye" APT_Loader_MSIL_PGF_1 date_created = "2020-11-24" date_modified = "2020-11-24" description = "base.cs" md5 = "a495c6d11ff3f525915345fb762f8047" rev = 1 author = "FireEye" APT_Backdoor_Win_DShell_2 description = "This rule looks for strings specific to the D programming language in combination with a selection of Windows functions that are present within a DShell payload" md5 = "e0683f8ee787313cfd2c61cd0995a830" rev = 4 author = "FireEye" CredTheft_Win_EXCAVATOR_2 description = "This rule looks for the binary signature of the routine that calls PssFreeSnapshot found in the Excavator-Reflector DLL." md5 = "6a9a114928554c26675884eeb40cc01b" rev = 3 author = "FireEye" Builder_MSIL_SharpGenerator_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'SharpGenerator' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 1 author = "FireEye" APT_Trojan_Win_REDFLARE_6 date_created = "2020-12-01" date_modified = "2020-12-01" md5 = "294b1e229c3b1efce29b162e7b3be0ab, 6902862bd81da402e7ac70856afbe6a2" rev = 2 author = "FireEye" HackTool_Win64_AndrewSpecial_1 date_created = "2020-11-25" date_modified = "2020-11-25" md5 = "4456e52f6f8543c3ba76cb25ea3e9bd2" rev = 5 author = "FireEye" Loader_MSIL_Generic_1 md5 = "b8415b4056c10c15da5bba4826a44ffd" rev = 5 author = "FireEye" APT_Keylogger_Win32_REDFLARE_1 date_created = "2020-12-01" date_modified = "2020-12-01" md5 = "d7cfb9fbcf19ce881180f757aeec77dd" rev = 2 author = "FireEye" Loader_MSIL_InMemoryCompilation_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'In-MemoryCompilation' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 2 author = "FireEye" HackTool_MSIL_WMISharp_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'WMISharp' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 1 author = "FireEye" APT_Loader_Win_PGF_2 description = "PE rich header matches PGF backdoor" md5 = "226b1ac427eb5a4dc2a00cc72c163214" md5_2 = "2398ed2d5b830d226af26dedaf30f64a" md5_3 = "24a7c99da9eef1c58f09cf09b9744d7b" md5_4 = "aeb0e1d0e71ce2a08db9b1e5fb98e0aa" rev = 4 author = "FireEye" Trojan_Win_Generic_101 date_created = "2020-11-25" date_modified = "2020-11-25" md5 = "2e67c62bd0307c04af469ee8dcb220f2" rev = 3 author = "FireEye" Trojan_Macro_RESUMEPLEASE_1 date_created = "2020-12-01" date_modified = "2020-12-01" md5 = "d5d3d23c8573d999f1c48d3e211b1066" rev = 1 author = "FireEye" Loader_MSIL_CSharpSectionInjection_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'C_Sharp_SectionInjection' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 2 author = "FireEye" APT_HackTool_MSIL_SHARPWEBCRAWLER_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharpwebcrawler' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 2 author = "FireEye" Trojan_Win64_Generic_22 date_created = "2020-11-26" date_modified = "2020-11-26" md5 = "f7d9961463b5110a3d70ee2e97842ed3" rev = 2 author = "FireEye" Loader_Win_Generic_19 date_created = "2020-12-02" date_modified = "2020-12-02" md5 = "3fb9341fb11eca439b50121c6f7c59c7" rev = 1 author = "FireEye" APT_Builder_PY_REDFLARE_1 date_created = "2020-11-27" date_modified = "2020-11-27" md5 = "d0a830403e56ebaa4bfbe87dbfdee44f" rev = 1 author = "FireEye" HackTool_PY_ImpacketObfuscation_2 date_created = "2020-12-01" date_modified = "2020-12-01" description = "wmiexec" md5 = "f3dd8aa567a01098a8a610529d892485" rev = 2 author = "FireEye" APT_Loader_MSIL_PGF_2 date_created = "2020-11-25" date_modified = "2020-11-25" description = "base.js, ./lib/payload/techniques/jscriptdotnet/jscriptdotnet_payload.py" md5 = "7c2a06ceb29cdb25f24c06f2a8892fba" rev = 1 author = "FireEye" APT_HackTool_MSIL_SHARPSQLCLIENT_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharpsqlclient' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 2 author = "FireEye" Methodology_OLE_CHARENCODING_2 description = "Looking for suspicious char encoding" md5 = "41b70737fa8dda75d5e95c82699c2e9b" rev = 4 author = "FireEye" HackTool_MSIL_SharpHound_3 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project." md5 = "eeedc09570324767a3de8205f66a5295" rev = 4 author = "FireEye" CredTheft_MSIL_TitoSpecial_2 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the TitoSpecial project. There are 2 GUIDs in this rule as the x86 and x64 versions of this tool use a different ProjectGuid." md5 = "4bf96a7040a683bd34c618431e571e26" rev = 4 author = "FireEye" CredTheft_MSIL_WCMDump_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'WCMDump' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 1 author = "FireEye" APT_Builder_Win64_MATRYOSHKA_1 date_created = "2020-12-02" date_modified = "2020-12-02" description = "matryoshka_pe_to_shellcode.rs" md5 = "8d949c34def898f0f32544e43117c057" rev = 1 author = "FireEye" Trojan_Win64_Generic_23 date_created = "2020-12-02" date_modified = "2020-12-02" md5 = "b66347ef110e60b064474ae746701d4a" rev = 1 author = "FireEye" HackTool_MSIL_KeePersist_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'KeePersist' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 2 author = "FireEye" Tool_MSIL_CSharpUtils_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'CSharpUtils' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 1 author = "FireEye" Trojan_MSIL_GORAT_Module_PowerShell_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'RedFlare - Module - PowerShell' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 1 author = "FireEye" HackTool_MSIL_PuppyHound_1 description = "This is a modification of an existing FireEye detection for SharpHound. However, it looks for the string 'PuppyHound' instead of 'SharpHound' as this is all that was needed to detect the PuppyHound variant of SharpHound." md5 = "eeedc09570324767a3de8205f66a5295" rev = 6 author = "FireEye" APT_Builder_PY_MATRYOSHKA_1 date_created = "2020-12-02" date_modified = "2020-12-02" md5 = "25a97f6dba87ef9906a62c1a305ee1dd" rev = 1 author = "FireEye" Loader_MSIL_RuralBishop_3 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public RuralBishop project." md5 = "09bdbad8358b04994e2c04bb26a160ef" rev = 3 author = "FireEye" APT_HackTool_MSIL_NOAMCI_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'noamci' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 4 author = "FireEye" HackTool_MSIL_PXELOOT_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the PXE And Loot project." md5 = "82e33011ac34adfcced6cddc8ea56a81" rev = 7 author = "FireEye" APT_HackTool_MSIL_ADPassHunt_2 date_created = "2020-12-02" date_modified = "2020-12-02" md5 = "6efb58cf54d1bb45c057efcfbbd68a93" rev = 1 author = "FireEye" APT_HackTool_MSIL_ADPassHunt_1 date_created = "2020-12-02" date_modified = "2020-12-02" md5 = "6efb58cf54d1bb45c057efcfbbd68a93" rev = 2 author = "FireEye" APT_HackTool_MSIL_SHARPSACK_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'sharpsack' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 2 author = "FireEye" APT_Loader_Win64_PGF_5 description = "PGF payload, generated rule based on symfunc/8167a6d94baca72bac554299d7c7f83c" md5 = "150224a0ccabce79f963795bf29ec75b" rev = 3 author = "FireEye" APT_Trojan_Win_REDFLARE_2 date_created = "2020-11-27" date_modified = "2020-11-27" md5 = "9529c4c9773392893a8a0ab8ce8f8ce1,05b99d438dac63a5a993cea37c036673" rev = 2 author = "FireEye" APT_HackTool_MSIL_DTRIM_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'dtrim' project, which is a modified version of SharpSploit." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 2 author = "FireEye" HackTool_MSIL_SharPivot_2 md5 = "e4efa759d425e2f26fbc29943a30f5bd" rev = 3 author = "FireEye" APT_HackTool_MSIL_REVOLVER_1 description = "The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the 'revolver' project." md5 = "dd8805d0e470e59b829d98397507d8c2" rev = 2 author = "FireEye" APT_Keylogger_Win64_REDFLARE_1 date_created = "2020-12-01" date_modified = "2020-12-01" md5 = "fbefb4074f1672a3c29c1a47595ea261" rev = 1 author = "FireEye" APT_HackTool_Win64_EXCAVATOR_1 date_created = "2020-11-30" date_modified = "2020-11-30" md5 = "6a9a114928554c26675884eeb40cc01b" rev = 3 author = "FireEye" APT_Loader_Win64_MATRYOSHKA_2 date_created = "2020-12-02" date_modified = "2020-12-02" description = "matryoshka.rs" md5 = "7f8102b789303b7861a03290c79feba0" rev = 1 author = "FireEye"