currently serving 23393 YARA rules and 4343 Sigma rules

New Rules per Day (chart)

Newest YARA Rules

This table shows the newest additions to the YARA rule set (rule name with the date it was added, followed by its description)

MAL_Etoroloro_Malicious_NodePackage_Dec25 (12.12.2025)
  Detects the malicious component of the Node package named Etoroloro
MAL_Ransom_01flip_Dec25 (12.12.2025)
  Detects the ELF variant of 01flip ransomware, written in Rust
MAL_LNX_PeerBlight_Backdoor_Dec25 (11.12.2025)
  Detects the PeerBlight Linux backdoor used in React2Shell exploitation
HKTL_LNX_CowTunnel_Dec25 (11.12.2025)
  Detects CowTunnel, a reverse tunnel tool that leverages xfrpc
MAL_LNX_ZinFoq_Dec25 (11.12.2025)
  Detects the ZinFoq Linux backdoor, written in Go, used in React2Shell exploitation
MAL_Shanya_Packer_Dec25 (10.12.2025)
  Detects the Shanya packer used to pack various malware families
HKTL_EDR_Killer_Driver_Dec25 (10.12.2025)
  Detects a kernel driver used to terminate EDR processes by process ID, seen in use alongside the Shanya packer
MAL_MuddyViper_Backdoor_Dec25 (10.12.2025)
  Detects the MuddyViper backdoor, which uses encrypted C2 channels, extensive file and process control and system discovery to give attackers full remote access to the infected machine while evading detection; seen in use by the MuddyWater APT group
SUSP_LNX_Implant_Indicators_Dec25 (09.12.2025)
  Detects indicators often found in Linux-based implants
SUSP_PS1_Indicators_Dec25_1 (09.12.2025)
  Detects suspicious PowerShell script characteristics indicating process discovery and termination, often found in malicious scripts
CHAR_PS1_Indicators_Dec25_2 (09.12.2025)
  Detects suspicious PowerShell script characteristics indicating process discovery, web requests or service management, often found in malicious scripts
SUSP_LNX_Shell_Indicators_Dec25 (09.12.2025)
  Detects suspicious shell indicators often used in Linux-based threat actor tools
SUSP_LNX_Shell_Crypto_Miner_Indicators_Dec25 (09.12.2025)
  Detects crypto miner indicators often used in malicious Linux scripts
HKTL_PY_Aardwolf_Dec25 (08.12.2025)
  Detects aardwolf, a headless RDP and VNC client for Python with numerous hacking features
MAL_Kharon_Dec25 (08.12.2025)
  Detects Kharon, a Mythic C2 agent
MAL_Discord_Bot_Backdoor_Dec25 (08.12.2025)
  Detects a Discord bot backdoor written in Go that uses the discordgo library to establish C2 communication via the Discord API, enabling remote command execution, file exfiltration and system reconnaissance; seen in use by the UNC5174 APT group
MAL_Duperunner_Dec25 (08.12.2025)
  Detects Duperunner, which downloads payloads from a remote C2 server and injects them into legitimate processes using the classic CreateRemoteThread injection technique
MAL_Weyhro_C2_Payload_Dec25 (08.12.2025)
  Detects the Weyhro C2 payload, which delivers ChaCha20-encrypted in-memory payloads for stealthy post-exploitation, including remote control, file operations and credential theft; it evades detection by unhooking NTDLL and resolving APIs dynamically
MAL_PreyHunter_HelperWatcher_Dec25 (08.12.2025)
  Detects the PreyHunter third-stage helper and watcher module used in an iOS exploit chain, which identifies behavior-monitoring and spyware-enabling hooks prior to full payload deployment
MAL_PreyHunter_JS_ExploitLoader_Dec25 (08.12.2025)
  Detects the JavaScript helper used in the PreyHunter exploit chain to parse Mach-O structures, resolve symbols and assist kernel-level exploitation
MAL_ChromeB_Stealer_Dec25 (07.12.2025)
  Detects the ChromeB stealer
EXPL_SUSP_JS_POC_RSC_Detector_Payloads_Dec25 (06.12.2025)
  Detects RCE indicators from the proof-of-concept code for the React Server Remote Code Execution Vulnerability (CVE-2025-55182) as used in the RSC Detector browser extension; may also match other JavaScript-based PoC code
EXPL_SUSP_JS_Exploitation_Payloads_Dec25 (06.12.2025)
  Detects RCE indicators from exploitation attempts of the React Server Remote Code Execution Vulnerability (CVE-2025-55182) as observed in the wild
EXPL_React_Server_CVE_2025_55182_POC_Dec25 (05.12.2025)
  Detects in-memory webshell indicators from the proof-of-concept code for the React Server Remote Code Execution Vulnerability (CVE-2025-55182)
SUSP_WEBSHELL_LOG_Signatures_Dec25 (05.12.2025)
  Detects indicators of simple webshells that use the same exec/cmd pattern
EXPL_RCE_React_Server_CVE_2025_55182_POC_Dec25 (05.12.2025)
  Detects RCE indicators from the proof-of-concept code for the React Server Remote Code Execution Vulnerability (CVE-2025-55182)
EXPL_RCE_React_Server_Next_JS_CVE_2025_66478_Tracebacks_Dec25 (05.12.2025)
  Detects traceback indicators caused by exploitation of the React Server Remote Code Execution Vulnerability (CVE-2025-55182) in Next.js applications (CVE-2025-66478); can also be triggered by vulnerability scanning
EXPL_RCE_React_Server_Next_JS_CVE_2025_66478_Errors_Dec25 (05.12.2025)
  Detects error messages caused by exploitation of the React Server Remote Code Execution Vulnerability (CVE-2025-55182) in Next.js applications (CVE-2025-66478); can also be triggered by vulnerability scanning
EXPL_SUSP_JS_POC_Dec25 (05.12.2025)
  Detects RCE indicators from the proof-of-concept code for the React Server Remote Code Execution Vulnerability (CVE-2025-55182); may also match other JavaScript-based PoC code
HKTL_SOCKS5_Proxy_Dec25 (03.12.2025)
  Detects a SOCKS5 proxy written in Go, used for covert network tunneling and lateral movement in compromised environments

Successful YARA Rules in Set

This table shows statistics for the rules whose matches have the lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days). The detection rate is given as the number of detecting AV engines, as in the match table below, averaged over the rule's matched samples.

Rule | Average AV detection rate (engines) | Sample count
MAL_GuLoader_Shellcode_Oct22_3 | 0.0 | 20
SUSP_MAL_EXFIL_Stealer_Output_Characteristics_Sep22_1 | 0.04 | 180
SUSP_PY_OBFUSC_Berserker_Indicators_Dec22_1 | 0.21 | 14
SUSP_BAT_OBFUSC_Apr23_2 | 0.59 | 64
SUSP_Encrypted_ZIP_Suspicious_Contents_Jul23_1_File | 0.64 | 11
SUSP_PUA_RustDesk_Apr23_1 | 0.68 | 22
SUSP_BAT_PS1_Combo_Jan23_2 | 0.71 | 45
SUSP_JS_OBFUSC_Feb23_2 | 1.04 | 1736
SUSP_WEvtUtil_ClearLogs_Sep22_1 | 1.12 | 43
SUSP_CryptBase_PE_Info_NOT_Cryptbase_Feb23 | 1.19 | 21
SUSP_OBFUSC_PY_Loader_Jun23_1 | 1.48 | 21
SUSP_Webshell_OBFUSC_Indicators_Aug22_1 | 2.07 | 14
SUSP_URL_Split_Jun23 | 2.5 | 18
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23 | 2.69 | 13
PUA_RuskDesk_Remote_Desktop_Jun23_1 | 2.78 | 18
SUSP_JS_Redirector_Mar23 | 2.81 | 108
SUSP_JS_Executing_Powershell_Apr23 | 3.14 | 274
SUSP_PY_Reverse_Shell_Indicators_Jan23_1 | 3.25 | 16
SUSP_OBFUSC_JS_Execute_Base64_Mar23 | 3.26 | 34
SUSP_Encoded_Registry_Key_Paths_Sep22_1 | 3.39 | 64
SUSP_PE_OK_RU_URL_Jun23 | 3.59 | 17
HKTL_Clash_Tunneling_Tool_Aug22_2 | 3.75 | 16
SUSP_PY_OBFUSC_Hyperion_Aug22_1 | 4.0 | 13
SUSP_BAT_OBFUSC_Apr23_1 | 4.0 | 16
SUSP_RANSOM_Note_Aug22 | 4.01 | 171
SUSP_OBFUSC_JS_Atob_Anomalies_Feb23_2 | 4.52 | 67
SUSP_BAT_PS1_Contents_Jan23_1 | 5.11 | 18
SUSP_OBFUSC_PS1_FormatStrings_Dec22_1 | 5.33 | 12
SUSP_BAT_OBFUSC_Apr23_4 | 5.35 | 26
SUSP_OBFUSC_BAT_Dec22_1 | 5.84 | 31

Latest YARA Matches with Low AV Detection Rate

This table lists the latest matches with low AV detection rates (between 0 and 15 AV engines matched). The same sample hash appears once per matching rule, so one file can account for several rows.

Rule | AVs | Hash (SHA-256)
SUSP_RMM_NAble_Monitoring_Agent | 7 | fc7e87872614d16ec2d5ec1b08e01d39138612f34029bac7ac265705bf29da72
SUSP_MSIL_NET_OBF_ConfuserEx_Constants_Jul23 | 14 | 20edf75d5f8e4365d7b3f4687ddcd9718b31b11ee4f0e5d9172748c0114b71de
SUSP_HKTL_Hacktool_Strings_Oct21_1 | 5 | fff37095496fefd0c780e8da6adeb573c9e4e32b0f0cb655cfae94fb3a2359ba
Sofacy_Jan18_1_PE_Info_Anomaly | 5 | fff37095496fefd0c780e8da6adeb573c9e4e32b0f0cb655cfae94fb3a2359ba
Generic_Exploit_Strings_Oct18 | 5 | fff37095496fefd0c780e8da6adeb573c9e4e32b0f0cb655cfae94fb3a2359ba
SUSP_MinGW_Microsoft_Combo_Jul20_1 | 5 | fff37095496fefd0c780e8da6adeb573c9e4e32b0f0cb655cfae94fb3a2359ba
SUSP_ETW_Patching_Jul22_1 | 5 | fff37095496fefd0c780e8da6adeb573c9e4e32b0f0cb655cfae94fb3a2359ba
SUSP_ShellCode_Variable_May19 | 5 | fff37095496fefd0c780e8da6adeb573c9e4e32b0f0cb655cfae94fb3a2359ba
SUSP_BYPASS_Indicators_Dec22_1 | 5 | fff37095496fefd0c780e8da6adeb573c9e4e32b0f0cb655cfae94fb3a2359ba
PUA_RMM_GetScreen_Dec24 | 4 | 3b5e352e5aa9bef84e5ae7ea884ab0cdc627cbd576e710977bf430435e9391e2
Registry_ADD_Debugger_Backdoor | 14 | f66dbfecfc130ec2f78ea3daa22695f538ab16961c1f7e1bd0589ddf9a26ad17
SUSP_Defender_Disable_AV_Scanning | 14 | f66dbfecfc130ec2f78ea3daa22695f538ab16961c1f7e1bd0589ddf9a26ad17
SUSP_PS1_OBFUSC_IEX_Pattern_Feb22_1 | 9 | 3da0d3c8f9ad3d77343c0abc250e6554ca11b4bdd1349cc1023552250b27be74
SUSP_OBFUSC_PS1_Backtick_Jun22 | 9 | 3da0d3c8f9ad3d77343c0abc250e6554ca11b4bdd1349cc1023552250b27be74
SUSP_ClassID_Pattern_Sep23_1 | 9 | 3da0d3c8f9ad3d77343c0abc250e6554ca11b4bdd1349cc1023552250b27be74
SUSP_OBFUSC_Script_Indicators_Jul25 | 10 | 7b01a62fd3fabd2a201fb159bbddf0bb737836cdf038461df425dd6a5dc5af57
SUSP_Javascript_Obfuscation_NonAscii_Apr25 | 10 | 7b01a62fd3fabd2a201fb159bbddf0bb737836cdf038461df425dd6a5dc5af57
SUSP_LNX_ShellCode_Loader_Jun21_1 | 6 | 9ad5697628f1fbf363d09baa8c9671014770a223033577d726c352241912b1b1
SUSP_LNX_Malware_Indicators_Aug21_1 | 6 | 9ad5697628f1fbf363d09baa8c9671014770a223033577d726c352241912b1b1
SUSP_LNX_ShellCode_Loader_Jun21_1 | 6 | ddf55fa6fe17ade49114163cc3bdfddc50b5af8477b32c3beeb18523ee73d0e4

YARA Rules Per Category

This list shows the number of YARA rules in each subscribable category (the categories overlap, as a rule can belong to several categories)

Tag | Count
Malware | 7305
Threat Hunting (not subscribable, only in the THOR scanner) | 5713
APT | 5041
Hacktools | 4782
Webshells | 2397
Exploits | 710

Newest Sigma Rules

This table shows the newest additions to the Sigma rule set (rule title with the date it was added, followed by its description)

Linux Suspicious Child Process from Node.js - React2Shell (05.12.2025)
  Detects suspicious child processes spawned from Node.js server processes on Linux systems, potentially indicating remote code execution exploitation such as CVE-2025-55182 (React2Shell). The rule specifically looks for exploitation of the vulnerability on Node.js servers where attackers abuse the Node.js child_process module to execute arbitrary system commands. When execSync() or exec() is used, the command line usually contains a shell invocation followed by the suspicious command or script (e.g., /bin/sh -c <malicious-command>). For other methods, the Image field shows the spawned process directly.
Windows Suspicious Child Process from Node.js - React2Shell (05.12.2025)
  Detects suspicious child processes started by Node.js server processes on Windows, which may indicate exploitation of vulnerabilities like CVE-2025-55182 (React2Shell). Attackers can abuse the Node.js child_process module to run system commands or scripts using methods such as spawn(), exec(), execFile(), fork() or execSync(). If execSync() or exec() is used in the exploit, the command line usually shows a shell (e.g., cmd.exe /d /s /c ...) running a suspicious command unless another shell is explicitly invoked. For other methods, the spawned process appears directly in the Image field unless a shell is explicitly used.
Github Self-Hosted Runner Execution (29.11.2025)
  Detects GitHub self-hosted runners executing workflows on local infrastructure, which could be abused for persistence and code execution. Shai-Hulud is an npm supply chain worm targeting CI/CD environments; it installs runners on compromised systems to maintain access after credential theft, leveraging their access to secrets and internal networks.
Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location (27.11.2025)
  Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories. These DLLs export the MiniDumpWriteDump function, which can be abused for credential dumping or, in some cases, for evading EDR/AV detection by suspending processes.
WerFaultSecure Loading DbgCore or DbgHelp - EDR-Freeze (27.11.2025)
  Detects WerFaultSecure.exe loading dbgcore.dll or dbghelp.dll, which export the MiniDumpWriteDump function. MiniDumpWriteDump creates a minidump of a process by suspending all threads in the target process to ensure a consistent memory snapshot. The EDR-Freeze technique abuses WerFaultSecure.exe, running as a Protected Process Light (PPL) at the WinTCB protection level, to suspend EDR/AV processes; by leveraging MiniDumpWriteDump's thread suspension, EDR-Freeze lets malicious activity execute undetected during the suspension period.
AWS GuardDuty Detector Deleted Or Updated (27.11.2025)
  Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of their malicious activities. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. Verify with the user identity that this activity is legitimate.
Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs (27.11.2025)
  Detects suspicious process access to lsass.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace. These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping. While modern tools like Mimikatz have moved to using ntdll.dll, dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.
Renamed Schtasks Execution (27.11.2025)
  Detects the execution of a renamed schtasks.exe binary, a legitimate Windows utility used for scheduling tasks. Scheduling malicious tasks with schtasks.exe is one of the most common persistence techniques. Because it is heavily abused, it is also heavily monitored by security products, so threat actors may rename the schtasks.exe binary to schedule their malicious tasks without being detected.
Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze (27.11.2025)
  Detects process access events where WerFaultSecure.exe accesses MsMpEng.exe with dbgcore.dll or dbghelp.dll in the call trace, indicating a potential EDR-Freeze attempt. The technique leverages WerFaultSecure.exe, running as a Protected Process Light (PPL) at the WinTCB protection level, to call MiniDumpWriteDump and suspend EDR/AV processes, allowing malicious activity to execute undetected during the suspension period.
Grixba Malware Reconnaissance Activity (26.11.2025)
  Detects execution of the Grixba reconnaissance tool based on suspicious command-line parameter combinations. The tool is used by the Play ransomware group for network enumeration, data gathering and event log clearing.
Suspicious FileFix Execution Pattern (24.11.2025)
  Detects suspicious FileFix execution patterns, in which users are tricked into running malicious commands through manipulation of the browser's file upload dialog. The attack typically begins when users visit malicious websites impersonating legitimate services or news platforms, which display fake CAPTCHA challenges or direct instructions to open File Explorer and paste clipboard content. The clipboard content usually contains commands that download and execute malware, such as information stealers.
HackTool - WSASS Execution (23.11.2025)
  Detects execution of WSASS, a tool that dumps LSASS memory on Windows by leveraging Windows Error Reporting's WerFaultSecure.exe to bypass Protected Process Light (PPL) protection.
Atomic MacOS Stealer - Persistence Indicators (22.11.2025)
  Detects creation of persistence artifacts placed by Atomic MacOS Stealer on macOS systems. Recent Atomic MacOS Stealer variants have been observed dropping these to maintain persistent access after compromise.
Atomic MacOS Stealer - FileGrabber Activity (22.11.2025)
  Detects suspicious activity associated with Atomic MacOS Stealer (Amos) campaigns, including execution of FileGrabber and curl-based POST requests used for data exfiltration. The rule identifies either the execution of FileGrabber targeting /tmp or the use of curl to POST sensitive user data (including files such as /tmp/out.zip) to remote servers, both key indicators of Amos infostealer activity.
Unsigned .node File Loaded (22.11.2025)
  Detects the loading of unsigned .node files. .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord and Visual Studio Code. Adversaries may abuse the lack of .node integrity checking to execute arbitrary code inside trusted applications such as Slack. This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.
Windows Default Domain GPO Modification via GPME (22.11.2025)
  Detects the use of the Group Policy Management Editor (GPME) to modify the Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may leverage GPME to make stealthy changes to these default GPOs and deploy malicious GPO configurations across the domain without raising suspicion.
Windows Default Domain GPO Modification (22.11.2025)
  Detects modifications to the Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may modify these default GPOs to deploy malicious configurations across the domain.
Suspicious Filename with Embedded Base64 Commands (22.11.2025)
  Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when the filename is processed by a shell script. Such filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
Suspicious DNS Exfiltration via Command Line (21.11.2025)
  Detects potential data exfiltration using DNS lookups with encoded data, typically used by malicious scripts. The technique may involve encoding data (e.g., with xxd) and sending it via DNS queries (e.g., with nslookup).
Suspicious Child Process Spawned by Node.js (21.11.2025)
  Detects suspicious child processes spawned by Node.js that could indicate compromised npm packages or malicious scripts. Malicious packages often use install/preinstall scripts to execute unauthorized system commands through such child processes. Investigate immediately, as this may indicate package compromise or malicious code execution.
Cisco ASA Exploitation Activity - Proxy (20.11.2025)
  Detects suspicious requests to the Cisco ASA WebVPN in proxy logs associated with exploitation of CVE-2025-20333 and CVE-2025-20362.
Suspicious ClickFix/FileFix Execution Pattern (19.11.2025)
  Detects suspicious execution patterns where users are tricked into running malicious commands via clipboard manipulation, either through the Windows Run dialog (ClickFix) or the File Explorer address bar (FileFix). Attackers use social engineering campaigns such as fake CAPTCHA challenges or urgent alerts to get victims to paste clipboard contents, often executing mshta.exe, powershell.exe or similar commands to infect systems.
DNS Query by Finger Utility (19.11.2025)
  Detects DNS queries made by the finger utility, which threat actors can abuse to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is rarely used in modern Windows environments, its presence alone is suspicious. Investigating such DNS queries can also help identify malicious infrastructure used for command and control (C2) communication.
Network Connection Initiated via Finger.EXE (19.11.2025)
  Detects network connections made by finger.exe, which threat actors can abuse to retrieve remote commands for execution on Windows devices. In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server. Since the finger utility is rarely used in modern Windows environments, its presence alone is suspicious. Investigating such network connections can also help identify malicious infrastructure used by threat actors.
Suspicious Kerberos Ticket Request via CLI (18.11.2025)
  Detects suspicious Kerberos ticket requests made from the command line using the System.IdentityModel.Tokens.KerberosRequestorSecurityToken class. Threat actors may use command-line interfaces to request Kerberos service tickets for service accounts in order to perform offline password cracking (Kerberoasting) or other Kerberos ticket abuse such as silver ticket attacks.
RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class (15.11.2025)
  Detects enabling or disabling of Remote Desktop Protocol (RDP) using alternate methods such as WMIC or PowerShell. In PowerShell one-liners, the SetAllowTSConnections method of the Win32_TerminalServiceSetting class may be used to enable or disable RDP; in WMIC, the rdtoggle alias or the Win32_TerminalServiceSetting class may be used for the same purpose.
Uncommon Svchost Command Line Parameter (14.11.2025)
  Detects instances of svchost.exe running with an unusual or uncommon command-line parameter, by excluding known legitimate or common patterns. This could point at a file masquerading as svchost, process injection, or hollowing of a legitimate svchost instance.
Suspicious Usage of For Loop with Recursive Directory Search in CMD (12.11.2025)
  Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing. This pattern may indicate an attempt to locate and execute system binaries dynamically (for example powershell.exe), a technique sometimes used by attackers to evade detection. This behavior has been observed in various malicious LNK files.
Deletion of RDP Log Files via Command Line (06.11.2025)
  Detects deletion of Remote Desktop Protocol (RDP) log files, which may indicate ransomware or other malicious activity attempting to impede forensic investigation.
Suspicious Space Characters in RunMRU Registry Path - ClickFix (04.11.2025)
  Detects numerous space characters in RunMRU registry entries, which may indicate execution via phishing lures using ClickFix techniques to hide malicious commands in the Windows Run dialog from the naked eye.

YARA/Sigma Rule Count

Rule Type | Community Feed | Nextron Private Feed
YARA | 2716 | 20677
Sigma | 3517 | 826

Sigma Rules Per Category (Community)

Type | Count
windows / process_creation | 1321
windows / registry_set | 214
windows / file_event | 203
windows / ps_script | 165
windows / security | 160
linux / process_creation | 129
windows / image_load | 114
webserver | 82
windows / system | 74
macos / process_creation | 68
aws / cloudtrail | 55
proxy | 54
windows / network_connection | 53
linux / auditd | 53
azure / activitylogs | 42
windows / registry_event | 40
azure / auditlogs | 38
windows / ps_module | 33
windows / application | 31
windows / dns_query | 26
windows / process_access | 25
azure / signinlogs | 24
okta / okta | 22
azure / riskdetection | 19
opencanary / application | 18
windows / pipe_created | 18
rpc_firewall / application | 17
gcp / gcp.audit | 16
windows / windefend | 16
github / audit | 16
linux | 16
bitbucket / audit | 14
linux / file_event | 13
windows / file_delete | 13
m365 / threat_management | 13
cisco / aaa | 12
windows / create_remote_thread | 12
kubernetes / application / audit | 10
windows / codeintegrity-operational | 10
windows / driver_load | 10
windows / registry_delete | 9
windows / ps_classic_start | 9
dns | 9
windows / create_stream_hash | 9
windows / firewall-as | 8
windows / msexchange-management | 8
windows / file_access | 7
azure / pim | 7
windows / bits-client | 7
zeek / smb_files | 7
gcp / google_workspace.admin | 7
antivirus | 7
fortigate / event | 7
windows / appxdeployment-server | 7
windows / dns-client | 6
jvm / application | 5
kubernetes / audit | 5
zeek / dns | 5
linux / network_connection | 5
zeek / http | 5
zeek / dce_rpc | 4
windows / sysmon | 4
windows / iis-configuration | 4
windows / taskscheduler | 4
windows / registry_add | 3
linux / sshd | 3
m365 / audit | 3
macos / file_event | 3
windows / wmi_event | 3
windows / powershell-classic | 3
windows / ntlm | 3
windows / file_change | 2
linux / syslog | 2
windows / security-mitigations | 2
spring / application | 2
windows / dns-server | 2
apache | 2
onelogin / onelogin.events | 2
firewall | 2
cisco / syslog | 1
linux / cron | 1
juniper / bgp | 1
windows / appxpackaging-om | 1
windows / process_tampering | 1
windows / smbclient-connectivity | 1
windows / smbserver-connectivity | 1
paloalto / file_event / globalprotect | 1
linux / vsftpd | 1
windows / capi2 | 1
windows / shell-core | 1
windows / raw_access_thread | 1
nodejs / application | 1
paloalto / appliance / globalprotect | 1
windows / certificateservicesclient-lifecycle-system | 1
zeek / x509 | 1
windows / microsoft-servicebus-client | 1
python / application | 1
windows / diagnosis-scripted | 1
windows / file_executable_detected | 1
m365 / exchange | 1
zeek / rdp | 1
windows / smbclient-security | 1
windows / file_rename | 1
windows / sysmon_error | 1
m365 / threat_detection | 1
zeek / kerberos | 1
windows | 1
windows / sysmon_status | 1
ruby_on_rails / application | 1
windows / driver-framework | 1
windows / terminalservices-localsessionmanager | 1
sql / application | 1
linux / sudo | 1
velocity / application | 1
cisco / duo | 1
cisco / bgp | 1
nginx | 1
windows / dns-server-analytic | 1
windows / ldap | 1
windows / printservice-admin | 1
cisco / ldp | 1
windows / lsa-server | 1
windows / wmi | 1
windows / ps_classic_provider_start | 1
windows / printservice-operational | 1
database | 1
linux / clamav | 1
windows / applocker | 1
linux / auth | 1
linux / guacamole | 1
django / application | 1
fortios / sslvpnd | 1
huawei / bgp | 1
windows / appmodel-runtime | 1
windows / openssh | 1

Sigma Rules Per Category (Nextron Private Feed)

Type | Count
windows / process_creation | 391
windows / registry_set | 78
windows / ps_script | 76
windows / image_load | 43
windows / file_event | 38
linux / process_creation | 36
windows / wmi | 29
windows / security | 22
proxy | 12
windows / system | 9
windows / registry_event | 8
windows / network_connection | 8
windows / kernel-event-tracing | 6
windows / ntfs | 5
windows / ps_module | 5
windows / create_remote_thread | 4
windows / registry_delete | 4
windows / pipe_created | 4
windows / sense | 4
windows / taskscheduler | 4
webserver | 3
windows / vhd | 3
windows / application-experience | 3
windows / driver_load | 3
windows / hyper-v-worker | 3
windows / ps_classic_script | 3
windows / windefend | 2
windows / process_access | 2
windows / bits-client | 2
windows / codeintegrity-operational | 2
windows / kernel-shimengine | 2
windows / amsi | 1
windows / application | 1
windows / process-creation | 1
windows / file_access | 1
windows / registry-setinformation | 1
windows / file_delete | 1
linux / file_event | 1
windows / firewall-as | 1
windows / file_rename | 1
windows / audit-cve | 1
windows / dns_query | 1
macos / process_creation | 1

Tenable Nessus

Requirement: Privileged Scan

  • YARA scanning with Nessus only works in a credentialed (privileged) scan
Tutorial: https://docs.tenable.com/nessus/Content/CredentialedChecksOnWindows.htm

YARA Scanning with Nessus

  • Only a single .yar file can be uploaded
  • The filesystem scan has to be activated
  • The target locations (directories to scan) have to be defined
  • The Nessus plugin ID is 91990
  • Only files with the following extensions are scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls
Tutorial: https://de.tenable.com/blog/threat-hunting-with-yara-and-nessus
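
Because Nessus accepts only one .yar file, a rule set maintained as several files has to be concatenated first, and the concatenated file compiles only if no rule identifier is defined twice and every import statement precedes the rules. The helper below is an added example, not a Tenable or Nextron tool: it assumes plain UTF-8 .yar files without include statements, hoists the imports, and refuses to merge on a duplicate rule name. The sample rules and file names are constructed for the demonstration, not rules from the Valhalla feed.

```python
"""Merge several YARA rule files into the single .yar file Nessus accepts.

Added example, not a Tenable or Nextron tool. Assumes plain UTF-8 .yar files
without `include` statements. Imports are hoisted to the top (YARA requires
them before any rule) and a duplicate rule identifier aborts the merge,
since that is the usual reason a concatenated file fails to compile.
"""
import re
from pathlib import Path

# `rule`, `private rule`, `global rule`, `global private rule` at line start only,
# so a commented-out "// rule x" or a string literal containing "rule" is not counted.
RULE_RE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_][A-Za-z0-9_]*)", re.M)
IMPORT_RE = re.compile(r'^\s*import\s+"([^"]+)"[ \t]*$', re.M)


def merge_yara_sources(sources: dict) -> str:
    """sources maps file name -> file text. Returns the merged rule set text.

    Raises ValueError on a duplicate rule identifier so the problem is caught
    before the upload rather than as a compile error inside the scanner.
    """
    first_seen = {}
    imports = []
    bodies = []
    for name, text in sources.items():
        for ident in RULE_RE.findall(text):
            if ident in first_seen:
                raise ValueError(f"rule {ident!r} in {name} already defined in {first_seen[ident]}")
            first_seen[ident] = name
        for module in IMPORT_RE.findall(text):
            if module not in imports:  # one import per module in the merged file
                imports.append(module)
        body = IMPORT_RE.sub("", text).strip()
        bodies.append(f"// ---- {name} ----\n{body}")
    header = "".join(f'import "{m}"\n' for m in imports)
    return header + ("\n" if header else "") + "\n\n".join(bodies) + "\n"


def rule_names(text: str) -> list:
    """Rule identifiers in definition order, for a quick sanity check of the merged file."""
    return RULE_RE.findall(text)


def merge_yara_files(paths, out_path) -> str:
    """Read the given .yar files, merge them and write the single upload file."""
    sources = {Path(p).name: Path(p).read_text(encoding="utf-8") for p in paths}
    merged = merge_yara_sources(sources)
    Path(out_path).write_text(merged, encoding="utf-8")
    return merged


# Constructed sample rules (not rules from the Valhalla feed); both files import "pe".
SAMPLE_SOURCES = {
    "webshells.yar": (
        'import "pe"\n\n'
        'rule Example_Webshell_Exec_Pattern {\n'
        '  strings:\n    $cmd = "cmd=" ascii\n    $exec = "exec(" ascii\n'
        '  condition:\n    all of them\n}\n'
    ),
    "hacktools.yar": (
        'import "pe"\n\n'
        'private rule Example_Is_PE {\n  condition:\n    uint16(0) == 0x5A4D\n}\n\n'
        'rule Example_Hacktool_String {\n'
        '  strings:\n    $s = "mimikatz" ascii wide\n'
        '  condition:\n    Example_Is_PE and $s\n}\n'
    ),
}

if __name__ == "__main__":
    print(merge_yara_sources(SAMPLE_SOURCES))
```

Run the merged output through the yarac compiler (or a yara dry run) before uploading it; this helper catches duplicate identifiers and import placement, not syntax errors inside individual rules.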

Carbon Black

Tutorial: https://github.com/carbonblack/cb-yara-connector

FireEye EX

Tutorial: https://www.fireeye.com/blog/products-and-services/2018/12/detect-and-block-email-threats-with-custom-yara-rules.html