currently serving 23182 YARA rules and 4293 Sigma rules
Newest YARA Rules

This table shows the newest additions to the YARA rule set.

| Rule | Description | Date |
| --- | --- | --- |
| SUSP_LNK_PowerShell_Indicators_Nov25 | Detects an LNK file that runs suspicious PowerShell code | 06.11.2025 |
| SUSP_OBFUSC_LNK_PS1_Indicators_Nov25 | Detects an LNK file that runs suspicious PowerShell code with obfuscated code patterns | 06.11.2025 |
| SUSP_JSP_WebShell_Nov25 | Detects a JSP bash webshell | 04.11.2025 |
| APT_MAL_Kimsuky_Launcher_Nov25 | Detects a launcher written in Go which is used to load next-stage payloads, seen being used by the Kimsuky APT group | 01.11.2025 |
| MAL_HancomAgent_Downloader_Nov25 | Detects the HancomAgent downloader which is used to download and execute next-stage payloads, seen being used by the Kimsuky APT group | 01.11.2025 |
| SUSP_JS_Obfuscation_Oct25_3 | Detects JavaScript obfuscation, seen being used by multiple APTs and malware families | 31.10.2025 |
| HKTL_EDR_Redir_Oct25 | Detects EDR-Redir, a tool used to disable or cripple EDR agents on Windows systems using Bind Filter and the Windows Cloud Filter API | 30.10.2025 |
| MAL_Loader_Oct25 | Detects a loader with in-memory string decryption, VM detection, and command execution capabilities, seen being used by the Loginszip stealer | 30.10.2025 |
| SUSP_MSIX_PsfLauncher_Oct25 | Detects MSIX configuration files that launch PowerShell scripts via the Package Support Framework (PSF) PsfLauncher.exe, often abused by threat actors to bypass application control solutions | 29.10.2025 |
| MAL_JS_VSIX_Glassworm_Oct25 | Detects malicious usage of non-printable Unicode characters which are not displayed in an IDE but are interpreted by JavaScript | 29.10.2025 |
| MAL_JS_VSIX_Glassworm_Oct25_2 | Detects malicious usage of non-printable Unicode characters which are not displayed in an IDE but are interpreted by JavaScript | 29.10.2025 |
| SUSP_JS_NonPrintable_Unicode_Characters_Oct25 | Detects suspicious usage of non-printable Unicode characters interpreted by JavaScript | 29.10.2025 |
| SUSP_JS_Unicode_Decoder_Oct25 | Detects suspicious decoding of non-printable Unicode characters | 29.10.2025 |
| MAL_FakeUpdate_Loader_Oct25 | Detects a fake update loader used to load the Phoenix backdoor, seen being used by the MuddyWater APT | 28.10.2025 |
| MAL_Chromium_Stealer_Oct25 | Detects a Chromium stealer module, seen being used by the MuddyWater APT | 28.10.2025 |
| MAL_Presistence_Module_Oct25 | Detects a persistence module, seen being used by the MuddyWater APT | 28.10.2025 |
| SUSP_Exploit_Indicators_Oct25 | Detects generic exploit indicators in scripts and binaries | 26.10.2025 |
| HKTL_EXPL_SeManageVolume_Privilege_Escalation_Oct25 | Detects attempts to abuse SeManageVolume for privilege escalation by writing a controlled DLL into Printconfig.dll and triggering PrintNotify to obtain SYSTEM | 26.10.2025 |
| HKTL_EXPL_WSUS_Exploitation_POC_Oct25 | Detects a POC for the exploitation of the Windows Server Update Services (WSUS) Remote Code Execution Vulnerability (CVE-2025-59287) | 26.10.2025 |
| HKTL_Obex_EDR_Blocker_Oct25 | Detects Obex, a PoC tool/technique that can be used to prevent unwanted modules (e.g., EDR or monitoring libraries) from being loaded into a newly started process during process initialization or at runtime | 25.10.2025 |
| SUSP_Simple_Loader_Characteristics_Oct25 | Detects suspicious characteristics found in simple loaders | 25.10.2025 |
| EXPL_WSUS_Exploitation_Indicators_Oct25 | Detects indicators related to the exploitation of the Windows Server Update Services (WSUS) Remote Code Execution Vulnerability (CVE-2025-59287) | 25.10.2025 |
| HKTL_DumpGuard_NTLMv1_Extractor_Oct25 | Detects a proof-of-concept tool for extracting NTLMv1 hashes from sessions on modern Windows systems | 24.10.2025 |
Successful YARA Rules in Set

This table shows statistics of the best rules with the lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days).

| Rule | Average AV Detection Rate | Sample Count |
| --- | --- | --- |
Latest YARA Matches with Low AV Detection Rate

This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched).

| Rule | AVs | Hash |
| --- | --- | --- |
| SUSP_EXPL_ShellCode_Loader_Nov22_1 | 13 | 871473e262bfa474bb168a4cd4f15d33797d50e941527e70af35c173d3154660 |
| SUSP_EXPL_ShellCode_Loader_Nov22_1 | 12 | 66422d2e61766fa4be13c2bb766b8712c061706fae2ac922e620acd8c0a20638 |
| SUSP_EXPL_ShellCode_Loader_Nov22_1 | 13 | bafc8b468d73f548afa43a2af92350dad749155f3c36c81b800bed9b01715ccd |
| SUSP_EXPL_ShellCode_Loader_Nov22_1 | 11 | ac201663dc76ba6900d7438f4011df9e033d111302702b8940df14632bf66c96 |
| SUSP_EXPL_ShellCode_Loader_Nov22_1 | 12 | 2469336ab0395b6bc22c2b2d7fd9898e3a414c7f343e129309ce772c02e7d624 |
| SUSP_EXPL_ShellCode_Loader_Nov22_1 | 10 | 3f99d6deef415e7d28ef9795e0e8d9fd63bc24619bf6c7068745568c957815a2 |
| SUSP_EXPL_ShellCode_Loader_Nov22_1 | 11 | ae17dd26d6b2a42386d7dfa47fe8f84abababd94ba393375233cf6a027e9ae3e |
| SUSP_EXPL_ShellCode_Loader_Nov22_1 | 11 | 24d2a47539d508fbbfcccbfb8c75851e76054dea21e1387c6ca6e046371095d1 |
| SUSP_EXPL_ShellCode_Loader_Nov22_1 | 10 | b4444047385d0df57d27aca1994071c807e6e656f8b395645b893c5980bbb1b6 |
| SUSP_EXPL_ShellCode_Loader_Nov22_1 | 11 | 607e7f6efcda529f38723705cf038d2fd13d6f9b1b31159e2ce07dfad6e70838 |
| SUSP_EXPL_ShellCode_Loader_Nov22_1 | 13 | c31d56b9c105aeddccbc81a2c5241e48f2db17c3edebabfbcccec5942c5ad9df |
| SUSP_EXPL_ShellCode_Loader_Nov22_1 | 11 | 321b332157ab1afad409a96fde49a642655d72dd603d7839f639978d017230e6 |
| SUSP_EXPL_ShellCode_Loader_Nov22_1 | 13 | 9d020662748bc3c07f542e1cbd5521c0a30643cad8c7458406ba559a51635a04 |
| SUSP_EXPL_ShellCode_Loader_Nov22_1 | 10 | 49f9b3f040ee9513e32417f7305fb44d4f55839c28b24a2250973a9b65af6342 |
| SUSP_EXPL_ShellCode_Loader_Nov22_1 | 12 | 4401bb955a5272f17af767958322c1af423bf1b251348d73e8f80d6daf67ca00 |
| SUSP_EXPL_ShellCode_Loader_Nov22_1 | 12 | 30b49ad51b15fe58a582578a52eaed6bbd5fb11e09ca94af74c1891f4caa5a3f |
| SUSP_EXPL_ShellCode_Loader_Nov22_1 | 13 | 4a20025a1fb93696be745ebf8a3a648bbfd3db70023395c7357f6befafd27fb2 |
| SUSP_EXPL_ShellCode_Loader_Nov22_1 | 11 | fbe3cb9b835ea8e933a7148a873b4eb0b9844087d0532bde2030c9505bfd7307 |
| SUSP_EXPL_ShellCode_Loader_Nov22_1 | 12 | a2ee7996ca3faa66fa8cdf5a94c3633bf8a052eab1df1c038d7de356425390fe |
YARA Rules Per Category

This list shows the number of YARA rules in the subscribable categories (categories overlap, as a rule can be in 'n' categories).

| Tag | Count |
| --- | --- |
| Malware | 7196 |
| Threat Hunting (not subscribable, only in THOR scanner) | 5649 |
| APT | 5032 |
| Hacktools | 4758 |
| Webshells | 2394 |
| Exploits | 699 |
Newest Sigma Rules

This table shows the newest additions to the Sigma rule set.

| Rule | Description | Date |
| --- | --- | --- |
| Scheduled Task Creation via PowerShell Schedule.Service COM Object | Detects PowerShell execution using the Schedule.Service COM object to create scheduled tasks. There are straightforward methods to create scheduled tasks using built-in Windows tools such as schtasks.exe or PowerShell cmdlets like New-ScheduledTask. However, threat actors may leverage alternative methods such as the Schedule.Service COM object to create scheduled tasks and bypass detection. | 21.10.2025 |
| Suspicious File Write to Webapps Root Directory | Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers. This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts. | 20.10.2025 |
| Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788) | Detects a qlogin.exe command attempting to authenticate as the internal `_+_PublicSharingUser_` using a GUID as the password. This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials. | 20.10.2025 |
| Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790) | Detects the use of qoperation.exe with the -file argument to write a JSP file to the webroot, indicating a webshell drop. This is a post-authentication step corresponding to CVE-2025-57790. | 20.10.2025 |
| Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791) | Detects the use of argument injection in the Commvault qlogin command, potential exploitation of CVE-2025-57791. An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token. | 20.10.2025 |
| ISATAP Router Address Was Set | Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS takeover attack using tools like mitm6. In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic. This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment. | 19.10.2025 |
| AWS Bucket Deleted | Detects the deletion of S3 buckets in AWS CloudTrail logs. Monitoring the deletion of S3 buckets is critical for security and data integrity, as it may indicate potential data loss or unauthorized access attempts. | 19.10.2025 |
| AWS ConsoleLogin Failed Authentication | Detects failed AWS console login attempts due to authentication failures. Monitoring these events is crucial for identifying potential brute-force attacks or unauthorized access attempts to AWS accounts. | 19.10.2025 |
| AWS EnableRegion Command Monitoring | Detects the use of the EnableRegion command in AWS CloudTrail logs. While AWS has 30+ regions, some of them are enabled by default; others must be explicitly enabled in each account separately. There may be situations where security monitoring does not cover some new AWS regions. Monitoring the EnableRegion command is important for identifying potential persistence mechanisms employed by adversaries, as enabling additional regions can facilitate continued access and operations within an AWS environment. | 19.10.2025 |
| AWS VPC Flow Logs Deleted | Detects the deletion of one or more VPC Flow Logs in AWS Elastic Compute Cloud (EC2) through the DeleteFlowLogs API call. Adversaries may delete flow logs to evade detection or remove evidence of network activity, hindering forensic investigations and visibility into malicious operations. | 19.10.2025 |
| Unsigned or Unencrypted SMB Connection to Share Established | Detects SMB server connections to shares without signing or encryption enabled. This could indicate potential lateral movement activity using unsecured SMB shares. | 19.10.2025 |
| AWS Successful Console Login Without MFA | Detects successful AWS console logins that were performed without Multi-Factor Authentication (MFA). This alert can be used to identify potential unauthorized access attempts, as logging in without MFA can indicate compromised credentials or misconfigured security settings. | 18.10.2025 |
| BaaUpdate.exe Suspicious DLL Load | Detects the BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious, publicly writable locations, which could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking. This technique abuses COM classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94), which can launch BaaUpdate.exe, which is vulnerable to COM hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account. | 18.10.2025 |
| Suspicious BitLocker Access Agent Update Utility Execution | Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe), which is not a common parent process for other processes. Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking. | 18.10.2025 |
| Mask System Power Settings Via Systemctl | Detects the use of systemctl mask to disable system power management targets such as suspend, hibernate, or hybrid sleep. Adversaries may mask these targets to prevent a system from entering sleep or shutdown states, ensuring their malicious processes remain active and uninterrupted. This behavior can be associated with persistence or defense evasion, as it impairs normal system power operations to maintain long-term access or avoid termination of malicious activity. | 17.10.2025 |
| Ngrok Reverse Tunnel Without Installation - Linux | Detects the usage of an ngrok reverse tunnel via SSH without installation of ngrok, which could be used to expose internal services to the internet. Adversaries may use ngrok to create reverse tunnels to bypass network restrictions and facilitate lateral movement or data exfiltration. | 15.10.2025 |
| Ngrok Reverse Tunnel Without Installation - Windows | Detects the usage of an ngrok reverse tunnel via SSH without installation of ngrok, which could be used to expose internal services to the internet. Adversaries may use ngrok to create reverse tunnels to bypass network restrictions and facilitate lateral movement or data exfiltration. | 15.10.2025 |
| AWS STS GetCallerIdentity Enumeration Via TruffleHog | Detects the use of TruffleHog for AWS credential validation by identifying GetCallerIdentity API calls where the userAgent indicates TruffleHog. Threat actors leverage TruffleHog to enumerate and validate exposed AWS keys. Successful exploitation allows threat actors to confirm the validity of compromised AWS credentials, facilitating further unauthorized access and actions within the AWS environment. | 12.10.2025 |
| Installation of WSL Kali-Linux | Detects installation of the Kali Linux distribution through Windows Subsystem for Linux (WSL). Attackers may use Kali Linux in WSL to leverage its penetration testing tools and capabilities for malicious purposes. | 10.10.2025 |
| Potential Exploitation of GoAnywhere MFT Vulnerability | Detects suspicious command execution by child processes of the GoAnywhere Managed File Transfer (MFT) application, which may indicate exploitation such as CVE-2025-10035. This behavior is indicative of post-exploitation activity related to CVE-2025-10035, as observed in campaigns by the threat actor Storm-1175. | 07.10.2025 |
| Linux Sudo Chroot Execution | Detects the execution of the 'sudo' command with the '--chroot' option, which is used to change the root directory for command execution. Attackers may use this technique to evade detection and execute commands in a modified environment. This can be part of a privilege escalation strategy, as it allows the execution of commands with elevated privileges in a controlled environment, as seen in CVE-2025-32463. While investigating, look out for unusual or unexpected use of 'sudo --chroot' in conjunction with other commands or scripts, such as execution from temporary directories or by unusual user accounts. | 02.10.2025 |
| Non-Standard Nsswitch.Conf Creation - Potential CVE-2025-32463 Exploitation | Detects the creation of nsswitch.conf files in non-standard directories, which may indicate exploitation of CVE-2025-32463. This vulnerability requires an attacker to create an nsswitch.conf in a directory that will be used during sudo chroot operations. When sudo executes, it loads malicious shared libraries from user-controlled locations within the chroot environment, potentially leading to arbitrary code execution and privilege escalation. | 02.10.2025 |
| RunMRU Registry Key Deletion - Registry | Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the Run dialog. In ClickFix techniques, the phishing lures instruct users to open a Run dialog (Win + R) and execute malicious commands. Adversaries may delete this key to cover their tracks after executing commands. | 25.09.2025 |
| RunMRU Registry Key Deletion | Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog. In ClickFix techniques, the phishing lures instruct users to open a Run dialog (Win + R) and execute malicious commands. Adversaries may delete this key to cover their tracks after executing commands. | 25.09.2025 |
| PowerShell File Discovery Activity in User Directories | Detects PowerShell scripts that enumerate specific files and directories in common user document folders, which may indicate data discovery for exfiltration. | 25.09.2025 |
| PUA - TruffleHog Execution - Linux | Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc., that could be used maliciously. While it is a legitimate tool intended for use in CI pipelines and security assessments, it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information. | 24.09.2025 |
| PUA - TruffleHog Execution | Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc., that could be used maliciously. While it is a legitimate tool intended for use in CI pipelines and security assessments, it was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information. | 24.09.2025 |
| Hacktool - EDR-Freeze Execution | Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and antivirus processes on Windows. EDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process. This technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or antimalware solutions. | 24.09.2025 |
| Shai-Hulud NPM Attack GitHub Activity | Detects GitHub activity associated with the 'Shai-Hulud' NPM supply chain attack. The attack involves malicious NPM packages that use stolen GitHub tokens to create a new branch, inject a malicious workflow file to exfiltrate secrets, and make private repositories public. | 24.09.2025 |
YARA/SIGMA Rule Count

| Rule Type | Community Feed | Nextron Private Feed |
| --- | --- | --- |
| Yara | 2705 | 20477 |
| Sigma | 3472 | 821 |
Sigma Rules Per Category (Community)

| Type | Count |
| --- | --- |
| windows / process_creation | 1303 |
| windows / registry_set | 205 |
| windows / file_event | 204 |
| windows / ps_script | 165 |
| windows / security | 158 |
| linux / process_creation | 125 |
| windows / image_load | 112 |
| webserver | 82 |
| windows / system | 74 |
| macos / process_creation | 68 |
| proxy | 53 |
| linux / auditd | 53 |
| windows / network_connection | 52 |
| aws / cloudtrail | 52 |
| azure / activitylogs | 42 |
| windows / registry_event | 39 |
| azure / auditlogs | 38 |
| windows / ps_module | 33 |
| windows / application | 30 |
| windows / dns_query | 25 |
| azure / signinlogs | 24 |
| windows / process_access | 23 |
| okta / okta | 22 |
| azure / riskdetection | 19 |
| windows / pipe_created | 18 |
| opencanary / application | 18 |
| linux | 17 |
| rpc_firewall / application | 17 |
| windows / windefend | 16 |
| gcp / gcp.audit | 16 |
| bitbucket / audit | 14 |
| github / audit | 14 |
| windows / file_delete | 13 |
| m365 / threat_management | 13 |
| cisco / aaa | 12 |
| windows / create_remote_thread | 12 |
| linux / file_event | 12 |
| kubernetes / application / audit | 10 |
| windows / driver_load | 10 |
| windows / codeintegrity-operational | 10 |
| windows / ps_classic_start | 9 |
| windows / create_stream_hash | 9 |
| dns | 9 |
| windows / registry_add | 9 |
| windows / registry_delete | 9 |
| windows / firewall-as | 8 |
| windows / msexchange-management | 8 |
| azure / pim | 7 |
| windows / appxdeployment-server | 7 |
| windows / file_access | 7 |
| gcp / google_workspace.admin | 7 |
| windows / bits-client | 7 |
| zeek / smb_files | 7 |
| antivirus | 7 |
| windows / dns-client | 6 |
| jvm / application | 5 |
| kubernetes / audit | 5 |
| zeek / dns | 5 |
| zeek / http | 5 |
| linux / network_connection | 5 |
| windows / taskscheduler | 4 |
| windows / iis-configuration | 4 |
| zeek / dce_rpc | 4 |
| windows / sysmon | 4 |
| windows / wmi_event | 3 |
| windows / powershell-classic | 3 |
| windows / ntlm | 3 |
| linux / sshd | 3 |
| m365 / audit | 3 |
| onelogin / onelogin.events | 2 |
| macos / file_event | 2 |
| apache | 2 |
| qualys | 2 |
| firewall | 2 |
| windows / file_change | 2 |
| spring / application | 2 |
| linux / syslog | 2 |
| windows / security-mitigations | 2 |
| windows / dns-server | 2 |
| database | 1 |
| windows / sysmon_status | 1 |
| windows / driver-framework | 1 |
| windows | 1 |
| windows / dns-server-analytic | 1 |
| nginx | 1 |
| windows / printservice-admin | 1 |
| netflow | 1 |
| cisco / bgp | 1 |
| windows / lsa-server | 1 |
| windows / wmi | 1 |
| windows / ps_classic_provider_start | 1 |
| windows / printservice-operational | 1 |
| linux / auth | 1 |
| cisco / ldp | 1 |
| windows / ldap | 1 |
| django / application | 1 |
| fortios / sslvpnd | 1 |
| linux / clamav | 1 |
| nodejs / application | 1 |
| cisco / syslog | 1 |
| linux / guacamole | 1 |
| huawei / bgp | 1 |
| windows / applocker | 1 |
| windows / smbclient-connectivity | 1 |
| cisco / duo | 1 |
| juniper / bgp | 1 |
| windows / appmodel-runtime | 1 |
| windows / openssh | 1 |
| windows / process_tampering | 1 |
| python / application | 1 |
| paloalto / file_event / globalprotect | 1 |
| linux / cron | 1 |
| windows / appxpackaging-om | 1 |
| paloalto / appliance / globalprotect | 1 |
| windows / smbserver-connectivity | 1 |
| windows / raw_access_thread | 1 |
| windows / certificateservicesclient-lifecycle-system | 1 |
| windows / shell-core | 1 |
| velocity / application | 1 |
| linux / sudo | 1 |
| zeek / x509 | 1 |
| windows / capi2 | 1 |
| windows / microsoft-servicebus-client | 1 |
| ruby_on_rails / application | 1 |
| m365 / exchange | 1 |
| windows / file_executable_detected | 1 |
| sql / application | 1 |
| linux / vsftpd | 1 |
| windows / diagnosis-scripted | 1 |
| windows / file_rename | 1 |
| m365 / threat_detection | 1 |
| zeek / rdp | 1 |
| windows / smbclient-security | 1 |
| windows / sysmon_error | 1 |
| zeek / kerberos | 1 |
| windows / terminalservices-localsessionmanager | 1 |
Sigma Rules Per Category (Nextron Private Feed)

| Type | Count |
| --- | --- |
| windows / process_creation | 389 |
| windows / registry_set | 78 |
| windows / ps_script | 75 |
| windows / image_load | 43 |
| windows / file_event | 38 |
| linux / process_creation | 34 |
| windows / wmi | 29 |
| windows / security | 22 |
| proxy | 12 |
| windows / system | 9 |
| windows / network_connection | 8 |
| windows / registry_event | 8 |
| windows / kernel-event-tracing | 6 |
| windows / ps_module | 5 |
| windows / ntfs | 5 |
| windows / sense | 4 |
| windows / pipe_created | 4 |
| windows / taskscheduler | 4 |
| windows / create_remote_thread | 4 |
| windows / registry_delete | 4 |
| windows / ps_classic_script | 3 |
| webserver | 3 |
| windows / vhd | 3 |
| windows / application-experience | 3 |
| windows / driver_load | 3 |
| windows / hyper-v-worker | 3 |
| windows / windefend | 2 |
| windows / process_access | 2 |
| windows / bits-client | 2 |
| windows / codeintegrity-operational | 2 |
| windows / kernel-shimengine | 2 |
| macos / process_creation | 1 |
| windows / firewall-as | 1 |
| windows / application | 1 |
| windows / process-creation | 1 |
| windows / audit-cve | 1 |
| windows / file_access | 1 |
| windows / file_delete | 1 |
| windows / registry-setinformation | 1 |
| linux / file_event | 1 |
| windows / amsi | 1 |
| windows / file_rename | 1 |
| windows / dns_query | 1 |
Tenable Nessus

Requirement: Privileged Scan
- YARA scanning with Nessus works only when scanning with credentials (privileged scan)

YARA Scanning with Nessus
- You can only upload a single .yar file
- The filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
