
currently serving 22003 YARA rules and 3960 Sigma rules
Newest YARA Rules
This table shows the newest additions to the YARA rule set
Rule | Description | Date
HKTL_Spraycannon_Feb25 | Detects Spray Cannon, a multithreaded multiplatform password spraying tool designed for easy use | 17.02.2025
HKTL_Captaincredz_Feb25 | Detects captaincredz, a modular and discreet password-spraying tool | 17.02.2025
HKTL_Ghauri_Feb25 | Detects Ghauri, a cross-platform tool that automates the process of detecting and exploiting SQL injection security flaws | 17.02.2025
MAL_PHISH_Final_Payload_Feb25 | Detects possible final payload of phishing-delivered malware, where embedded shellcode is used to decrypt and execute the payload after user-supplied password input. | 14.02.2025
SUSP_HTML_Small_Redirect_Feb25 | Detects small suspicious HTML files whose purpose is redirecting to a suspicious URL - seen used in phishing attacks | 14.02.2025
SUSP_Sysinternals_Desktops_Anomaly_Feb25 | Detects anomalies in Sysinternals Desktops binaries | 14.02.2025
SUSP_PE_Compromised_Certificate_Feb25 | Detects suspicious PE files signed with a certificate used in a widespread phishing attack in February 2025 | 14.02.2025
MAL_WEBSEHLL_LocalOlive_Feb25 | Detects the LocalOlive webshell, an ASPX-based backdoor written in C# that facilitates command-and-control (C2) communication and enables the deployment of additional utilities on compromised infrastructure. | 13.02.2025
MAL_NET_DCRat_Feb25 | Detects DarkCrystalRAT (DCRat), a .NET-based remote access tool and credential stealer malware used for unauthorized access and data exfiltration. | 13.02.2025
MAL_OBFUSC_JS_Feb25 | Detects an obfuscated JavaScript file that downloads and executes a next-stage payload. This obfuscation was observed in Strela stealer campaigns but may also be used in other threats. | 13.02.2025
APT_MAL_Deuterbear_RAT_Loader_Feb25 | Detects the Deuterbear RAT loader, related to Earth Hundun, which is known for targeting the Asia-Pacific region | 12.02.2025
MAL_BadIIS_Feb25 | Detects an IIS backdoor module that allows red-team operators to keep stealthy persistence on IIS web servers | 11.02.2025
HKTL_NET_Strifle_Feb25 | Detects Stifle, a .NET post-exploitation tool that maps Active Directory certificates to target objects for unauthorized authentication. | 10.02.2025
MAL_RANSOM_GO_Feb25 | Detects a ransomware variant written in Go that exploits Amazon S3 for data exfiltration. | 10.02.2025
APT_SUSP_XEGroup_Forensic_Artefacts_Jan25 | Detects patterns often found in forensic artefacts of the XE Group | 10.02.2025
HKTL_Gen_Pattern_Feb25 | Detects patterns often found in various hack tools. This rule is a generic rule that might generate false positives. A match should be further investigated. | 08.02.2025
HKTL_Gen_Memory_Dumpers_Feb25 | Detects unknown process memory dumpers - a rule covering multiple unknown and custom process memory dumpers | 08.02.2025
SUSP_PUA_MitmProxy_Feb25 | Detects the presence of the MitmProxy tool in combination with WinDivert | 08.02.2025
HKTL_LSASS_Memory_Dumper_Feb25 | Detects unknown LSASS process memory dumpers | 08.02.2025
SUSP_Credential_Dumper_Patterns_Feb25 | Detects strings found in process memory dumpers | 08.02.2025
SUSP_Patterns_Feb25_1 | Detects patterns often found in process memory dumpers | 08.02.2025
HKTL_BOF_String_Reaper_Feb25 | Detects a BOF used to extract strings and credentials from process memory | 08.02.2025
SUSP_PS1_Pattern_Feb25 | Detects PowerShell scripts modifying the PendingFileRenameOperations registry key, commonly used to schedule file renaming or deletion after reboot. | 08.02.2025
MAL_GandCrab_Downloader_Feb25 | Detects a downloader seen being used by GandCrab ransomware | 07.02.2025
Successful YARA Rules in Set
This table shows statistics of the best rules with the lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
Rule | AVs | Hash (SHA-256)
SUSP_BAT_OBFUSC_ENV_Obfuscation_Apr21_1 | 6 | b063ed12605354334eadf253ffd0f5632aae806036db698e41292c1d47a0fba7
SUSP_PS1_Cmdlet_Base64_Encoded_Defender_Exclusion_Apr21_1 | 5 | 649d6f8c177159bca86a136fa8a65c851aebfa0e3ad188c1c5ab723fa5385e91
SUSP_HKTL_LNX_Keywords_SCTEST_Oct19 | 13 | 62669bd66ef637a56f5540cdba426f506151c2e06aa5ccb05c9ae94ac24586ed
SUSP_BAT_Start_Min_Combo_PowerShell_Jul23_1 | 3 | 0674ea0a1fff983583218099085a63f0f42b30566596be53b0148343daa42493
PUA_ConnectWise_ScreenConnect_Mar23 | 1 | 6a91a97a6ff6fc51c5f365d8eb46f30208bad67b43432f4b8fe99f00a47733ca
PUA_ConnectWise_ScreenConnect_Mar23 | 1 | 5f81f49aedf142da24cc3d06a1924125994058fc52bf1c473263d9d822945fa3
PUA_ConnectWise_ScreenConnect_Mar23 | 14 | 7cad91cdfa54a5b69a867080475eb8631ca061de6065726d9eea8f6f2fd5826c
SUSP_OBF_NET_Reactor_JIT_Encryption_Feb25 | 4 | e7bf4beadf637f293e393be45617a69d12733a0f2b1f9b4e83a5a6bdfc166d5e
SUSP_AMSI_Bypass_Indicator_Nov22_1 | 2 | 553845cac2cb324b9612fec9daf79845e4ed2789b6b5981f753a4d5492df8c44
SUSP_PE_Discord_Attachment_Oct21_1 | 4 | bb32953bb3786f304d77f53da0ca6158497f9ecedd2849c285271ff94d265939
PUA_ConnectWise_ScreenConnect_Mar23 | 3 | aa8a3d7267678667f08c1caa1f042010e2bf0c539b4cc0ac6d76cc2c4ff22413
PUA_ConnectWise_ScreenConnect_Mar23 | 1 | 08260a91568b307ecd40cc302c5abb4fe7fcf2649474b5e31570f11f0f110a57
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap, as a rule can be in 'n' categories)
Tag | Count
Malware | 6635
Threat Hunting (not subscribable, only in THOR scanner) | 5257
APT | 4922
Hacktools | 4641
Webshells | 2354
Exploits | 654
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
Rule | Description | Date
ExecutionContext Reflection Abuse | Detects attempts to abuse PowerShell `$ExecutionContext` and variable drives to access the runtime environment via reflection methods (`Get-ChildItem`, `Get-Item`, `.Name-*like`). Such techniques are commonly used in obfuscated payloads to dynamically resolve and execute commands while evading detection. This behavior is associated with defense evasion tactics and fileless malware execution. | 14.02.2025
PS ExecutionContext Reflection Abuse | Detects attempts to abuse PowerShell `$ExecutionContext` and variable drives to access the runtime environment via reflection methods (`Get-ChildItem`, `Get-Item`, `.Name-*like`). Such techniques are commonly used in obfuscated payloads to dynamically resolve and execute commands while evading detection. This behavior is associated with defense evasion tactics and fileless malware execution. | 14.02.2025
Windows Defender Reconnaissance - PowerShell | Detects attempts to gather detailed information about Windows Defender settings and status using Defender-related commands. This behavior may indicate that an attacker is trying to assess the system's security configuration to identify potential weaknesses. Adversaries often perform reconnaissance to enumerate the system's security policies, configurations, and defenses. By understanding the current security posture, attackers can tailor their exploitation strategies to bypass defenses and achieve their objectives. | 13.02.2025
Suspicious Use of WMIC for Windows Defender Exclusion | Detects the usage of WMIC to modify Windows Defender's exclusion list. This behavior is potentially suspicious because legitimate administrators typically use PowerShell, the Windows Defender UI, or other authorized methods to configure exclusions. Using WMIC in this way could be an indication of an attempt to bypass security controls or evade detection. | 13.02.2025
Recon Windows Defender Settings via Registry | Detects attempts to read Windows Defender settings directly via the registry. Such activity may indicate reconnaissance efforts by malware or attackers to understand and potentially disable security measures. | 13.02.2025
Suspicious WMIC Usage for Windows Defender Recon | Identifies usage of the WMIC utility for Windows Defender reconnaissance. Attackers might leverage WMIC to collect data on Windows Defender settings and status to understand the security measures and defenses present. Although there are direct methods to obtain this information, using WMIC for this purpose is considered suspicious. | 13.02.2025
Windows Defender Services Reconnaissance | Detects the execution of the `sc.exe` utility used to query the status of security services such as Windows Defender. Adversaries might use this technique to check the status of these security services while enumerating the target system. | 13.02.2025
Windows Defender Reconnaissance | Detects reconnaissance attempts to query Windows Defender settings and status using PowerShell commands. This can be indicative of reconnaissance activities performed by an attacker to understand the security posture of the system. Adversaries often perform reconnaissance to enumerate the system's security policies, configurations, and defenses. By understanding the current security posture, attackers can tailor their exploitation strategies to bypass defenses and achieve their objectives. | 13.02.2025
Suspicious Curl Usage with SOCKS Proxy or TOR | Detects curl usage to access a SOCKS proxy or TOR. Normal users rarely use these proxies or onion services, making this activity potentially suspicious. Adversaries may exploit the curl utility to access their malicious domains, either to upload collected information or download potentially malicious software. | 13.02.2025
Suspicious Defender Exclusions | Detects suspicious exclusions in Windows Defender for files or processes located in potentially suspicious locations. | 13.02.2025
Wsmprovhost Suspicious Image Load | Detects potentially suspicious image load events by the wsmprovhost.exe process. This could be an indicator of Windows Remote Management (WinRM) loading a new plugin that could be potentially malicious. | 12.02.2025
Suspicious File Creation with Unicode Space Characters | Detects when files are created with filenames or file paths containing Unicode characters from U+2000 to U+200A. These Unicode space characters can be used to obfuscate file paths, making them appear as regular spaces while actually being different Unicode characters. Attackers often use these space characters for path/file obfuscation to evade security detections. | 12.02.2025
CrashControl DedicatedDumpFile Abuse | Detects abuse of DedicatedDumpFile, which can destroy any file before boot. For this to happen, CrashDumpEnabled must have a non-zero value, so that a dump is triggered upon system reboot and redirected to the path specified in DedicatedDumpFile. | 11.02.2025
Possible Path Obfuscation Using Unicode Space Characters | Detects the usage of Unicode space characters ranging from U+2000 to U+200A, such as En Quad, Em Quad, En Space, Em Space and so on, in file paths. These Unicode space characters can be used to obfuscate file paths, making them appear as regular spaces while actually being different Unicode characters. Attackers could abuse this technique to bypass security detections that do not account for these special characters. | 11.02.2025
Atexec Execution Pattern - Scheduled Task Creation | Detects the scheduled task creation pattern seen during atexec execution. Atexec is a tool in the Impacket suite that allows attackers to execute commands on remote systems. Typically, Atexec creates a scheduled task on the target system to execute the command. | 07.02.2025
Possible Atexec Execution Pattern - Remote Share Access | Detects access to the ADMIN$ share for the .tmp file to be deleted. This is a possible pattern of Atexec execution where the .tmp file is deleted after the command execution. | 07.02.2025
HackTool - Potential Impacket Atexec Execution | Detects the use of Impacket's atexec tool. Atexec, included in the Impacket suite, enables attackers to execute commands on remote systems. | 07.02.2025
CLI WDAC Policy Creation From Suspicious Location | Detects creation of a Windows Defender Application Control (WDAC) policy from a suspicious location | 07.02.2025
PS WDAC Policy Creation From Suspicious Location | Detects creation of a Windows Defender Application Control (WDAC) policy from a suspicious location | 07.02.2025
HackTool - Potential Impacket Smbexec Execution | Detects the use of Impacket's smbexec tool. Smbexec, included in the Impacket suite, enables attackers to execute programs remotely. Similar to PsExec, but it leverages the SMB protocol to retrieve command outputs. | 06.02.2025
Possible Smbexec Execution Pattern | Detects reading and deleting the temporary output file (__output) via UNC path. This is a possible pattern of Smbexec execution where the output file is read and deleted after the command execution. | 06.02.2025
Smbexec Installed As Service - Security | Detects the installation of Impacket's smbexec service on a target system. When smbexec is executed, it creates a new service with specific patterns. | 06.02.2025
Hex Encoded Executable Creation | Detects creation of a hex-encoded executable piece by piece using the command line. | 04.02.2025
Suspicious Child Processes of SSH | Detects suspicious child processes of SSH, which may indicate malicious activity. Adversaries might use SSH.exe for indirect proxy execution of malicious code or programs in order to bypass detection. | 04.02.2025
Wuauclt Accessing LSASS Memory | Detects wuauclt (Windows Update Agent) requesting access to LSASS memory via suspicious access masks. This is typical for credential dumping. | 29.01.2025
Suspicious Folder Permissions Modifications | Detects a suspicious folder's permissions being modified or tampered with. | 28.01.2025
Suspicious Binaries and Scripts in Public Folder | Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity. | 23.01.2025
Klist Utility Execution | Detects the execution of the klist utility, which can be used to enumerate Kerberos tickets and may indicate reconnaissance activity. | 22.01.2025
Potential Deelevator64.DLL Sideloading | Detects potential DLL sideloading of "deelevator64.dll" | 20.01.2025
YARA/SIGMA Rule Count
Rule Type | Community Feed | Nextron Private Feed
Yara | 3216 | 18787
Sigma | 3354 | 606
Sigma Rules Per Category (Community)
Type | Count
windows / process_creation | 1251
windows / registry_set | 202
windows / file_event | 193
windows / ps_script | 165
windows / security | 156
linux / process_creation | 119
windows / image_load | 105
webserver | 78
windows / system | 72
macos / process_creation | 65
windows / network_connection | 52
proxy | 52
linux / auditd | 48
aws / cloudtrail | 46
azure / activitylogs | 43
windows / registry_event | 38
azure / auditlogs | 38
windows / ps_module | 33
windows / application | 29
azure / signinlogs | 24
okta / okta | 22
windows / dns_query | 22
windows / process_access | 22
azure / riskdetection | 19
windows / pipe_created | 18
opencanary / application | 18
linux | 17
rpc_firewall / application | 17
windows / windefend | 16
gcp / gcp.audit | 16
bitbucket / audit | 14
m365 / threat_management | 13
windows / create_remote_thread | 13
windows / file_delete | 13
github / audit | 13
cisco / aaa | 12
windows / codeintegrity-operational | 10
kubernetes / application / audit | 10
windows / driver_load | 10
windows / ps_classic_start | 9
windows / create_stream_hash | 9
windows / registry_add | 9
linux / file_event | 9
windows / firewall-as | 8
dns | 8
windows / msexchange-management | 8
antivirus | 7
azure / pim | 7
windows / appxdeployment-server | 7
gcp / google_workspace.admin | 7
windows / bits-client | 7
zeek / smb_files | 7
windows / registry_delete | 7
windows / dns-client | 6
windows / file_access | 6
linux / network_connection | 5
jvm / application | 5
kubernetes / audit | 5
zeek / dns | 4
windows / sysmon | 4
windows / taskscheduler | 4
windows / iis-configuration | 4
zeek / dce_rpc | 4
m365 / audit | 3
zeek / http | 3
windows / wmi_event | 3
windows / powershell-classic | 3
windows / ntlm | 3
linux / sshd | 3
linux / syslog | 2
windows / dns-server | 2
onelogin / onelogin.events | 2
macos / file_event | 2
apache | 2
qualys | 2
firewall | 2
windows / file_change | 2
spring / application | 2
windows / security-mitigations | 2
velocity / application | 1
windows / certificateservicesclient-lifecycle-system | 1
windows / microsoft-servicebus-client | 1
windows / file_executable_detected | 1
ruby_on_rails / application | 1
m365 / exchange | 1
linux / sudo | 1
zeek / x509 | 1
sql / application | 1
linux / vsftpd | 1
windows / diagnosis-scripted | 1
windows / smbclient-security | 1
windows / file_rename | 1
windows / sysmon_status | 1
m365 / threat_detection | 1
zeek / rdp | 1
windows / sysmon_error | 1
zeek / kerberos | 1
windows / terminalservices-localsessionmanager | 1
database | 1
windows / dns-server-analytic | 1
windows / driver-framework | 1
windows | 1
windows / printservice-operational | 1
nginx | 1
windows / printservice-admin | 1
netflow | 1
cisco / ldp | 1
windows / lsa-server | 1
windows / wmi | 1
windows / ps_classic_provider_start | 1
fortios / sslvpnd | 1
linux / auth | 1
cisco / bgp | 1
windows / ldap | 1
django / application | 1
cisco / syslog | 1
linux / cron | 1
nodejs / application | 1
windows / smbclient-connectivity | 1
linux / guacamole | 1
huawei / bgp | 1
windows / appmodel-runtime | 1
paloalto / file_event / globalprotect | 1
cisco / duo | 1
linux / clamav | 1
juniper / bgp | 1
windows / applocker | 1
windows / openssh | 1
windows / process_tampering | 1
python / application | 1
paloalto / appliance / globalprotect | 1
windows / appxpackaging-om | 1
windows / raw_access_thread | 1
windows / shell-core | 1
windows / capi2 | 1
Sigma Rules Per Category (Nextron Private Feed)
Type | Count
windows / process_creation | 269
windows / registry_set | 65
windows / ps_script | 64
windows / wmi | 29
windows / image_load | 26
windows / file_event | 25
windows / security | 15
proxy | 12
linux / process_creation | 11
windows / network_connection | 7
windows / system | 7
windows / registry_event | 7
windows / kernel-event-tracing | 6
windows / ntfs | 5
windows / ps_module | 5
windows / pipe_created | 4
windows / sense | 4
windows / create_remote_thread | 4
windows / hyper-v-worker | 3
windows / ps_classic_script | 3
windows / taskscheduler | 3
webserver | 3
windows / vhd | 3
windows / application-experience | 3
windows / registry_delete | 3
windows / kernel-shimengine | 2
windows / process_access | 2
windows / driver_load | 2
windows / bits-client | 2
windows / codeintegrity-operational | 1
windows / dns_query | 1
windows / firewall-as | 1
windows / file_delete | 1
windows / file_rename | 1
macos / process_creation | 1
windows / amsi | 1
windows / windefend | 1
windows / application | 1
windows / audit-cve | 1
windows / file_access | 1
windows / registry-setinformation | 1
Tenable Nessus
Requirement: Privileged Scan
- YARA scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- The filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls