From 4ca4e8fa9f7851c99e9ed0426368f4b17509bd94 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mehmet=20Ali=20KER=C4=B0MO=C4=9ELU?= <42123683+CYB3RMX@users.noreply.github.com>
Date: Wed, 5 Apr 2023 17:08:07 +0000
Subject: [PATCH] Added rule: dotnet_binary_file

This rule is for detecting possible .NET binary files
---
 capabilities/capabilities.yar | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/capabilities/capabilities.yar b/capabilities/capabilities.yar
index 1f47a1fb..88a99a9f 100644
--- a/capabilities/capabilities.yar
+++ b/capabilities/capabilities.yar
@@ -929,3 +929,18 @@ rule mysql_database_presence
 condition:
 (any of ($db*))
 }
+
+rule dotnet_binary_file
+{
+meta:
+author = "CYB3RMX"
+description = "Detects possible .NET binary files."
+strings:
+$dot1 = "mscoree.dll" wide ascii
+$dot2 = "_CorExeMain" wide ascii
+$dot3 = "_CorDllMain" wide ascii
+$dot4 = "mscorlib" wide ascii
+$dot5 = ".NETFramework" wide ascii
+condition:
+((2 of ($dot*)) or (all of ($dot*)))
+}
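Review bot: The new rule never checks that the scanned object is a PE file, so any text, config or script that merely mentions two of these strings (e.g. `mscorlib` and `.NETFramework` in a documentation file) will match as a ".NET binary"; anchoring the condition on the DOS header narrows it to the intended targets, e.g. `uint16(0) == 0x5A4D and 2 of ($dot*)`. The `or (all of ($dot*))` half of the condition is redundant, because `all of` is already satisfied whenever `2 of` is, so `2 of ($dot*)` alone expresses the same logic. If `capabilities.yar` already has `import "pe"` at the top (not visible in this hunk), the CLR data directory is a much stronger signal than string presence: `pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].virtual_address != 0`. Consider also noting in `meta` that the string set is indicative rather than conclusive, since these names also appear in non-.NET loaders that host the CLR.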