currently serving 20637 YARA rules and 3650 Sigma rules

New Rules per Day

Newest YARA Rules

This table shows the newest additions to the YARA rule set

Rule | Description | Date
HKTL_PS1_Cmloot_Mar24 | Detects CMLoot, a hacktool to find interesting files stored on (System Center) Configuration Manager (SCCM/CM) SMB shares | 22.04.2024
HKTL_DavRelayUp_Apr24 | Detects DavRelayUp, a universal no-fix local privilege escalation in domain-joined Windows workstations where LDAP signing is not enforced (the default settings) | 22.04.2024
HKTL_SharpVeeamDecryptor_Apr24 | Detects SharpVeeamDecryptor, a hacktool to decrypt Veeam database passwords | 22.04.2024
PUA_ROADtools_Apr24 | Detects ROADTools, a collection of Azure AD/Entra tools for offensive and defensive security purposes | 22.04.2024
MAL_DuneQuixote_Dropper_Apr24 | Detects the DuneQuixote dropper that drops the CR4T implant. It is designed with the primary goal of granting attackers command line execution on the victim's machine | 19.04.2024
MAL_Rawdoor_Dropper_Apr24 | Detects the Rawdoor backdoor dropper related to APT31 | 19.04.2024
SUSP_LNX_Base64_Download_Exec_Apr24 | Detects suspicious base64 encoded shell commands used for downloading and executing further stages | 18.04.2024
SUSP_LNX_Base64_Exec_Apr24 | Detects suspicious base64 encoded shell commands (as seen in Palo Alto CVE-2024-3400 exploitation) | 18.04.2024
MAL_PY_Upstyle_Backdoor_Apr24_2 | Detects the UPSTYLE backdoor written in Python (used in attacks against Palo Alto devices exploiting CVE-2024-3400) | 15.04.2024
MAL_PY_Upstyle_Backdoor_Apr24_1 | Detects the UPSTYLE backdoor written in Python (used in attacks against Palo Alto devices exploiting CVE-2024-3400) | 15.04.2024
MAL_PY_Upstyle_Backdoor_Apr24_3 | Detects the UPSTYLE backdoor written in Python (used in attacks against Palo Alto devices exploiting CVE-2024-3400) | 15.04.2024
SUSP_Bash_Downloading_Payload_Apr24 | Detects characteristics found in a bash script that downloads and executes a payload in /tmp | 15.04.2024
SUSP_PY_Reverse_Shell_Apr24 | Detects characteristics found in a one-liner reverse shell written in Python | 15.04.2024
APT_UTA028_ForensicArtefacts_PaloAlto_CVE_2024_3400_Apr24_1 | Detects forensic artefacts of APT UTA028 as found in a campaign exploiting the Palo Alto CVE-2024-3400 vulnerability | 15.04.2024
SUSP_PY_Import_Statement_Apr24_1 | Detects a suspicious Python import statement and socket usage often found in Python reverse shells | 15.04.2024
SUSP_LNX_Shell_Indicators_Apr24_1 | Detects suspicious shell commands often found in malicious downloader / persistence scripts for Linux | 15.04.2024
SUSP_LNX_Shell_Indicators_Apr24_2 | Detects suspicious shell commands often found in malicious downloader / persistence scripts for Linux | 15.04.2024
SUSP_LNX_NCat_Indicators_Apr24_2 | Detects suspicious Netcat command flag combinations often found in malicious reverse shell / persistence scripts for Linux | 15.04.2024
APT_SUSP_MacOS_APT28_XAgent_Apr24_1 | Detects similarities with XAgent samples for macOS as used by APT28 | 15.04.2024
EXPL_PaloAlto_CVE_2024_3400_Apr24_1 | Detects characteristics of the exploit code used in attacks against Palo Alto GlobalProtect CVE-2024-3400 | 15.04.2024
HKTL_Go_ReverseSSH_Apr24 | Detects a Golang-based SSH server reverse shell | 15.04.2024
MAL_Rawdoor_Backdoor_Apr24 | Detects the Rawdoor backdoor related to APT31 | 15.04.2024
HKTL_NativeDump_Apr24_1 | Detects NativeDump, a tool that dumps LSASS using only native APIs by hand-crafting Minidump files (without MinidumpWriteDump) | 08.04.2024
SUSP_OBFUSC_SH_Indicators_Mar24_1 | Detects characteristics found in an obfuscated script (used in the backdoored XZ package, but could match on others, too) | 06.04.2024
MAL_Latrodectus_Apr24 | Detects Latrodectus, a new variant of the IcedID loader | 05.04.2024
MAL_JS_Downloading_Executing_Payload_Apr24 | Detects JavaScript code that downloads and executes the next stage payload | 05.04.2024
MAL_XClient_Stealer_Apr24 | Detects the XClient stealer that targets social media accounts | 05.04.2024
MAL_ChaiLdr_Apr24 | Detects ChaiLdr, a payload loader that evades AV | 04.04.2024
MAL_RANSOM_Babuk_Apr24 | Detects Babuk ransomware | 04.04.2024
MAL_LeprechaunHvnc_Apr24 | Detects the LeprechaunHvnc loader | 03.04.2024

Successful YARA Rules in Set

This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)

Rule | Average AV Detection Rate | Sample Count
MAL_GuLoader_Shellcode_Oct22_3 | 0.0 | 20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.04 | 180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1 | 0.21 | 14
SUSP_BAT_OBFUSC_Apr23_2 | 0.59 | 64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File | 0.64 | 11
SUSP_PUA_RustDesk_Apr23_1 | 0.68 | 22
SUSP_BAT_PS1_Combo_Jan23_2 | 0.71 | 45
SUSP_JS_OBFUSC_Feb23_2 | 1.04 | 1736
SUSP_WEvtUtil_ClearLogs_Sep22_1 | 1.12 | 43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23 | 1.19 | 21
SUSP_OBFUSC_PY_Loader_Jun23_1 | 1.48 | 21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1 | 2.07 | 14
SUSP_URL_Split_Jun23 | 2.5 | 18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23 | 2.69 | 13
PUA_RuskDesk_Remote_Desktop_Jun23_1 | 2.78 | 18
SUSP_JS_Redirector_Mar23 | 2.81 | 108
SUSP_JS_Executing_Powershell_Apr23 | 3.14 | 274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 3.25 | 16
SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 3.26 | 34
SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3.39 | 64
SUSP_PE_OK_RU_URL_Jun23 | 3.59 | 17
HKTL_Clash_Tunneling_Tool_Aug22_2 | 3.75 | 16
SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 4.0 | 13
SUSP_BAT_OBFUSC_Apr23_1 | 4.0 | 16
SUSP_RANSOM_Note_Aug22 | 4.01 | 171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2 | 4.52 | 67
SUSP_BAT_PS1_Contents_Jan23_1 | 5.11 | 18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1 | 5.33 | 12
SUSP_BAT_OBFUSC_Apr23_4 | 5.35 | 26
SUSP_OBFUSC_BAT_Dec22_1 | 5.84 | 31

Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)

Rule | AVs | Hash (SHA-256)
SUSP_MSIL_NET_ConfuserEx_Module_Encryption_Sep23 | 8 | 7c3ae4d8e72d0f3c0db928ee6e1057186ba70ffaca4564e88b2f2bf9a42a7d98
SUSP_RARSFX_Packed_EXE_with_Microsoft_Copyright | 4 | bdb0d91cfcc1d0bc2fe7572cf6944cb51b7bccb9540d079e61420e4d00096154
SUSP_XOR_Routine_Indicator_Jul22 | 9 | cab84ccd354ff84a60b870ed2d6753594a98734179c7d11e55d882f0a57038ff
HKTL_PELoad_Jan23_7 | 9 | aa010897f7a7bed41051dabb2fecf334c1eefcd903434d0408ef589ebcda372f
SUSP_Encoded_DisableRealtimeMonitoring_Mar20 | 3 | 30f5a82fc1c7bbe4d89678d625e6d94626b6c511459372194a88d268d4c048ee
SUSP_Defense_Evasion_Known_System_UUID_Jun23 | 3 | 30f5a82fc1c7bbe4d89678d625e6d94626b6c511459372194a88d268d4c048ee
SUSP_OBFUSC_PS1_Encoded_PowerShell_Commands_Apr22_1 | 3 | 30f5a82fc1c7bbe4d89678d625e6d94626b6c511459372194a88d268d4c048ee
SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3 | 30f5a82fc1c7bbe4d89678d625e6d94626b6c511459372194a88d268d4c048ee
SUSP_Defender_Exclusion_Aug21 | 3 | 30f5a82fc1c7bbe4d89678d625e6d94626b6c511459372194a88d268d4c048ee
SUSP_B64_Atob_Aug23 | 3 | 30f5a82fc1c7bbe4d89678d625e6d94626b6c511459372194a88d268d4c048ee
Suspicious_Javascript_Running_Interpreter | 3 | 30f5a82fc1c7bbe4d89678d625e6d94626b6c511459372194a88d268d4c048ee
HKTL_PY_Stealer_Blank_Grabber_No23 | 3 | 30f5a82fc1c7bbe4d89678d625e6d94626b6c511459372194a88d268d4c048ee
SUSP_HKTL_CobaltStrike_PS1_Loader_Indicator_Nov23_2 | 3 | 30f5a82fc1c7bbe4d89678d625e6d94626b6c511459372194a88d268d4c048ee
SUSP_PS1_SingleLiner_Jun22_1 | 9 | a222779606d0ced41e7466aa8ac266b9774f96e4f46ddf349d4ce4fa5e0a1cb1
SUSP_OBFUSC_Base64_Hex_Encoded_Apr19 | 4 | 3f714050d91558001e1d57f2649deca611cdbd6b49a287683e88421a010a2792
SUSP_B64_Atob_Aug23 | 4 | 3f714050d91558001e1d57f2649deca611cdbd6b49a287683e88421a010a2792
APT_PlugX_SFX_with_Chinese_Chars | 7 | 49cd719354d80218bdc31d4389bec8b4a9b177b04060d699881a661c707a93c9
MAL_Unknown_Sept19_1 | 14 | 814b28bd42b806ce71ec6db6e0578bf637d85573f53d4133c5a23790204f3f75
SUSP_Credential_Stealer_Indicators_Jul23_1 | 11 | d240e022d8f199878637134579d6f31c99481665c63de3f244053c9c41ef0372
SUSP_Base64_Encoded_C_Powershell | 11 | d240e022d8f199878637134579d6f31c99481665c63de3f244053c9c41ef0372

YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)

Tag | Count
Malware | 6025
Threat Hunting (not subscribable, only in THOR scanner) | 4940
APT | 4817
Hacktools | 4461
Webshells | 2308
Exploits | 617

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set

Rule | Description | Date
Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process | Detects a potentially suspicious child process of the SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094. | 01.04.2024
Certificate-Based Authentication Enabled | Detects when certificate-based authentication has been enabled in an Azure Active Directory tenant. | 26.03.2024
New Root Certificate Authority Added | Detects a newly added root certificate authority in an Azure AD tenant to support certificate-based authentication. | 26.03.2024
Deployment Deleted From Kubernetes Cluster | Detects the removal of a deployment from a Kubernetes cluster. This could indicate disruptive activity aiming to impact business operations. | 26.03.2024
Privileged Container Deployed | Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attack. A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact with and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host. Various versions of "privileged" containers can be specified, e.g. by setting the securityContext.privileged flag in the resource specification, setting non-standard Linux capabilities, or configuring the hostNetwork/hostPID fields. | 26.03.2024
Kubernetes Events Deleted | Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection. | 26.03.2024
Potential Remote Command Execution In Pod Container | Detects attempts to execute remote commands within a Pod's container, e.g. using the "kubectl exec" command. | 26.03.2024
Creation Of Pod In System Namespace | Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods. System pods created by controllers such as Deployments or DaemonSets have random suffixes in their names. Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection. Deployment of such a backdoor container, e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers. | 26.03.2024
Container With A hostPath Mount Created | Detects creation of a container with a hostPath mount. A hostPath volume mounts a directory or a file from the node to the container. Attackers who have permissions to create a new pod in the cluster may create one with a writable hostPath volume and chroot to escape to the underlying node. | 26.03.2024
RBAC Permission Enumeration Attempt | Detects identities attempting to enumerate their Kubernetes RBAC permissions. In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment. In a Kubernetes cluster, this can be achieved by interacting with the API server and querying the SelfSubjectAccessReview API, e.g. via a "kubectl auth can-i --list" command. This enumerates the Role-Based Access Control (RBAC) rules defining the compromised user's authorization. | 26.03.2024
Kubernetes Secrets Enumeration | Detects enumeration of Kubernetes secrets. | 26.03.2024
New Kubernetes Service Account Created | Detects the creation of a new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster. | 26.03.2024
Potential Sidecar Injection Into Running Deployment | Detects attempts to inject a sidecar container into a running deployment. A sidecar container is an additional container within a pod that resides alongside the main container. One way to add containers to running resources like Deployments/DaemonSets/StatefulSets is via a "kubectl patch" operation. By injecting a new container into a legitimate pod, an attacker can run their code and hide their activity instead of running their own separate pod in the cluster. | 26.03.2024
Potential KamiKakaBot Activity - Lure Document Execution | Detects the execution of a Word document via the WinWord Start Menu shortcut. This behavior was observed being used by KamiKakaBot samples in order to initiate the second stage of the infection. | 22.03.2024
Potential KamiKakaBot Activity - Winlogon Shell Persistence | Detects changes to the "Winlogon" registry key where a process sets the value of "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence. | 22.03.2024
Potential KamiKakaBot Activity - Shutdown Schedule Task Creation | Detects the creation of a scheduled task that runs weekly and executes the "shutdown /l /f" command. This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system. | 22.03.2024
CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection | Detects potential exploitation of CVE-2024-1709, an unauthenticated command injection in Progress Kemp LoadMaster. It looks for GET requests to the '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value containing an uncommon character. | 20.03.2024
MaxMpxCt Registry Value Changed | Detects changes to the "MaxMpxCt" registry value. MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note: if the value is set beyond 125, older Windows 9x clients will fail to negotiate. Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic. | 19.03.2024
ETW Session Stopped | This detection triggers every time an ETW session is stopped. Attackers can stop ETW sessions in order to blind security monitoring tooling. | 13.03.2024
New ETW Session Started | This detection triggers every time a new ETW session is started. | 13.03.2024
Critical ETW Session Stopped | This detection triggers every time an important or critical ETW session is stopped. Attackers can stop ETW sessions in order to blind security monitoring tooling. | 13.03.2024
Important ETW Provider Has Been Unregistered | Detects important or critical ETW providers that have been unregistered. Attackers might unregister a certain provider in order to evade defenses or blind security monitoring tooling. | 13.03.2024
UAC Bypass Attempt Via Msdt.EXE | Detects a UAC bypass attempt using the Msdt binary and the Bluetooth "BluetoothDiagnostic.xml" diagnostic package. The Msdt binary is capable of auto-elevation and the "BluetoothDiagnostic" diagnostic package doesn't require admin privileges. This allows a user to call Msdt (32-bit version) with the Bluetooth package, which will automatically start an elevated instance of Msdt and call the "sdiagnhost" binary. This binary will try to load the "BluetoothDiagnosticUtil" DLL, which it will not be able to find, so it defers to loading from any directory in the PATH environment variable. An attacker can hijack one of these locations to insert a malicious version of this DLL and get it loaded by "sdiagnhost". | 13.03.2024
Makecab.EXE Execution With Directive File | Detects the execution of "makecab.exe" with a directive file. Attackers can leverage makecab with a directive file in order to create a ".cab" file while avoiding any mention of the files being compressed, as the ".DDF" file will contain all the information necessary for the compression. | 12.03.2024
Makecab.EXE Execution With An Uncommon Directive File Extension | Detects the execution of "makecab.exe" with a directive file with an uncommon extension. The typical extension for a cab directive is the Diamond Directive File (.DDF). Not using this extension might be a sign of something uncommon or even suspicious worth investigating. | 12.03.2024
IExpress.EXE Binary Proxy Execution Through Diamond.EXE | Detects the execution of a binary named "diamond.exe" through "IExpress.EXE". The IExpress binary in almost all cases will spawn the "makecab" utility in order to create the ".cab" file requested by the user via the ".SED" file. Internally it offers a different mode if the ".SED" file specifies a CompressionMode called "QUANTUM". In this mode it will look for a binary named "diamond.exe". As this binary has been deprecated and is not available in newer versions of Windows, attackers can use this fact in order to execute any binary named "diamond.exe" located in the same directory of execution as IExpress. | 12.03.2024
Potential Remote Code Execution Via Outlook Form | Detects the creation of a new file with a ".DLL" extension in the Outlook Forms folder. This might be an indicator of an attacker using Outlook form persistence or remote code execution as seen in CVE-2024-21378 exploitation. | 12.03.2024
Potentially Suspicious COM DLL Loaded By Outlook.EXE | Detects the load of a DLL located in the Outlook FORMS directory. This could be an indication of potential exploitation of CVE-2024-21378 or potential persistence via Outlook FORMS. | 12.03.2024
HH.EXE Initiated A Network Connection To An Uncommon Destination Port | Detects a network connection initiated by the "hh.exe" process to an uncommon destination port. This could indicate potential process injection or an uncommon communication method. | 12.03.2024
Suspicious COM CLSID Registry Value Set By Outlook.EXE | Detects the creation of a COM CLSID pointing to a DLL file residing in the Outlook Forms directory. This could potentially indicate the installation of a malicious Outlook Form. Investigate further actions executed during this time frame and look for a DLL being dropped to disk and then that same DLL being loaded by the Outlook process. | 12.03.2024

YARA/SIGMA Rule Count

Rule Type | Community Feed | Nextron Private Feed
Yara | 2968 | 17669
Sigma | 3204 | 446

Sigma Rules Per Category (Community)

Type | Count
windows / process_creation | 1206
windows / registry_set | 187
windows / file_event | 182
windows / ps_script | 163
windows / security | 153
linux / process_creation | 108
windows / image_load | 97
webserver | 78
windows / system | 72
macos / process_creation | 56
proxy | 51
linux / auditd | 49
windows / network_connection | 45
azure / activitylogs | 43
windows / registry_event | 38
aws / cloudtrail | 35
azure / auditlogs | 35
windows / ps_module | 32
windows / application | 28
azure / signinlogs | 24
windows / process_access | 23
okta / okta | 22
windows / dns_query | 20
azure / riskdetection | 19
opencanary / application | 18
windows / pipe_created | 18
linux | 17
rpc_firewall / application | 17
gcp / gcp.audit | 16
windows / windefend | 16
bitbucket / audit | 14
m365 / threat_management | 13
windows / create_remote_thread | 12
cisco / aaa | 12
windows / file_delete | 12
kubernetes / application / audit | 10
windows / driver_load | 10
github / audit | 10
windows / codeintegrity-operational | 10
windows / ps_classic_start | 10
windows / create_stream_hash | 9
windows / registry_add | 9
linux / file_event | 9
windows / msexchange-management | 8
dns | 8
antivirus | 7
windows / firewall-as | 7
azure / pim | 7
windows / appxdeployment-server | 7
gcp / google_workspace.admin | 7
windows / bits-client | 7
zeek / smb_files | 7
windows / file_access | 6
windows / registry_delete | 6
jvm / application | 5
windows / dns-client | 5
zeek / dns | 4
zeek / dce_rpc | 4
windows / sysmon | 4
windows / taskscheduler | 4
windows / powershell-classic | 3
windows / ntlm | 3
linux / sshd | 3
windows / wmi_event | 3
zeek / http | 3
linux / network_connection | 3
onelogin / onelogin.events | 2
macos / file_event | 2
apache | 2
qualys | 2
windows / file_change | 2
windows / security-mitigations | 2
spring / application | 2
m365 / audit | 2
linux / syslog | 2
firewall | 2
windows / dns-server | 2
windows / dns-server-analytic | 1
windows | 1
windows / printservice-operational | 1
windows / driver-framework | 1
windows / ps_classic_provider_start | 1
windows / printservice-admin | 1
nginx | 1
windows / lsa-server | 1
windows / wmi | 1
fortios / sslvpnd | 1
netflow | 1
cisco / ldp | 1
cisco / syslog | 1
linux / auth | 1
cisco / bgp | 1
windows / ldap | 1
windows / smbclient-connectivity | 1
linux / cron | 1
windows / process_tampering | 1
django / application | 1
huawei / bgp | 1
windows / appmodel-runtime | 1
windows / openssh | 1
windows / raw_access_thread | 1
linux / guacamole | 1
juniper / bgp | 1
windows / applocker | 1
nodejs / application | 1
linux / clamav | 1
windows / appxpackaging-om | 1
windows / shell-core | 1
python / application | 1
windows / file_executable_detected | 1
windows / capi2 | 1
windows / certificateservicesclient-lifecycle-system | 1
windows / microsoft-servicebus-client | 1
windows / file_rename | 1
velocity / application | 1
linux / sudo | 1
zeek / x509 | 1
windows / smbclient-security | 1
ruby_on_rails / application | 1
m365 / exchange | 1
linux / vsftpd | 1
windows / diagnosis-scripted | 1
windows / sysmon_status | 1
sql / application | 1
m365 / threat_detection | 1
zeek / rdp | 1
windows / terminalservices-localsessionmanager | 1
windows / sysmon_error | 1
database | 1
zeek / kerberos | 1

Sigma Rules Per Category (Nextron Private Feed)

Type | Count
windows / process_creation | 179
windows / ps_script | 52
windows / registry_set | 49
windows / wmi | 29
windows / file_event | 20
windows / image_load | 14
proxy | 11
windows / system | 10
windows / security | 10
windows / kernel-event-tracing | 6
windows / network_connection | 6
windows / ntfs | 5
windows / registry_event | 4
windows / create_remote_thread | 4
windows / ps_module | 4
linux / process_creation | 3
windows / vhd | 3
webserver | 3
windows / application-experience | 3
windows / registry_delete | 3
windows / hyper-v-worker | 3
windows / pipe_created | 3
windows / ps_classic_script | 3
windows / taskscheduler | 2
windows / bits-client | 2
windows / driver_load | 2
windows / kernel-shimengine | 2
macos / process_creation | 1
windows / process_access | 1
windows / file_delete | 1
windows / file_access | 1
windows / registry-setinformation | 1
windows / file_rename | 1
windows / dns_query | 1
windows / codeintegrity-operational | 1
windows / audit-cve | 1
windows / amsi | 1
windows / application | 1

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus works only when scanning with credentials (privileged scan)
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • You can only upload a single .yar file
  • The filesystem scan has to be activated
  • You have to define the target locations
  • The Nessus plugin ID will be 91990
  • Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html