
currently serving 22845 YARA rules and 4217 Sigma rules
New Rules per Day (chart)
Newest YARA Rules
This table shows the newest additions to the YARA rule set
| Rule | Description | Date |
|---|---|---|
| EXPL_RAR_Archive_With_Path_Traversal_Aug25 | Detects RAR archives abused for path traversal, as in CVE-2025-8088 and CVE-2025-6218 | 11.08.2025 |
| MAL_PY_PyLangGhost_Auto_Module_Aug25 | Detects a Python module of PyLangGhost that collects configuration data from cryptocurrency browser extensions and login artifacts, including credentials and cookies, from Google Chrome | 08.08.2025 |
| MAL_PY_PyLangGhost_Nvidia_Module_Aug25 | Detects a Python module of PyLangGhost that establishes persistence and continuously listens for new instructions from the C2 server. It also supports standalone execution with specific command-line arguments, enabling it to immediately perform actions such as stealing cookies or login data | 08.08.2025 |
| MAL_PY_PyLangGhost_Command_Module_Aug25 | Detects a Python module of PyLangGhost that acts as a dispatcher, interpreting both malware logic and C2 communications and executing instructions accordingly | 08.08.2025 |
| MAL_PY_PyLangGhost_Util_Module_Aug25 | Detects a Python module of PyLangGhost that compresses files in memory, extracts .tar.gz files from memory to disk, and validates routes to prevent path traversal | 08.08.2025 |
| SUSP_Scheduled_Task_Java_JAR_Aug25 | Detects scheduled tasks that execute Java JAR files, which is suspicious but not necessarily malicious | 07.08.2025 |
| SUSP_JAVA_Loader_Indicators_Aug25 | Detects indicators of a Java loader used in phishing campaigns | 07.08.2025 |
| MAL_JAVA_Loader_Final_Jar_Aug25 | Detects a final Java loader JAR file used in phishing campaigns | 07.08.2025 |
| SUSP_JAVA_Class_Allatori_Obfuscator_Aug25 | Detects a relatively small Java class file obfuscated by Allatori Obfuscator | 07.08.2025 |
| MAL_SoupDealer_Aug25_1 | Detects an obfuscation function used by SoupDealer, a stealthy Java loader used in phishing campaigns targeting Turkey; also matches other malware that uses the same method | 07.08.2025 |
| SUSP_SoupDealer_Aug25_2 | Detects an obfuscation function used by SoupDealer, a stealthy Java loader used in phishing campaigns targeting Turkey; also matches other malware that uses the same method | 07.08.2025 |
| MAL_SoupDealer_Final_Payload_Aug25 | Detects SoupDealer, a stealthy Java loader used in phishing campaigns targeting Turkey | 07.08.2025 |
| HKTL_EDR_BamboozlEDR_Aug25 | Detects BamboozlEDR, a tool used to bypass or blind ETW monitoring solutions | 07.08.2025 |
| HKTL_EDR_BamboozlEDR_Aug25_1 | Detects BamboozlEDR, a tool used to bypass or blind ETW monitoring solutions | 07.08.2025 |
| SUSP_PS1_Dropper_Indicators_Aug25 | Detects indicators of PowerShell dropper scripts that download and execute malicious payloads | 06.08.2025 |
| MAL_SharpHostInfo_Aug25 | Detects SharpHostInfo, which collects host and domain information in Windows environments | 05.08.2025 |
| MAL_StormDNS_Aug25 | Detects StormDNS, a DNS shell used by Storm-260 to receive and execute commands from a C2 | 05.08.2025 |
| SUSP_HKTL_ELF_Nim_Indicators_Aug25 | Detects Nim ELF binaries with specific hacktool indicators | 04.08.2025 |
| SUSP_HKTL_Nim_Indicators_Aug25 | Detects Nim binaries with specific hacktool indicators | 04.08.2025 |
| SUSP_Nim_Indicators_Aug25 | Detects Nim binaries with specific indicators | 04.08.2025 |
| HKTL_Rust_C2_Malefic_Aug25 | Detects a specific proof-of-concept for remote mapping injection that uses shared memory and cross-process mapping to inject and execute code. This rule targets the unmodified POC and doesn't cover obfuscated or alternative implementations | 04.08.2025 |
| HKTL_CrossProcMapping_POC_Aug25 | Detects a specific proof-of-concept for remote mapping injection that uses shared memory and cross-process mapping to inject and execute code. This rule targets the unmodified POC and doesn't cover obfuscated or alternative implementations | 04.08.2025 |
| SUSP_Implant_Indicators_Aug25 | Detects indicators found in a set of implants | 04.08.2025 |
Successful YARA Rules in Set
This table shows statistics of the best rules with lowest AV detection rates (rules created in the last 12 months, matches of the last 14 days)
| Rule | Average AV Detection Rate | Sample Count |
|---|---|---|
Latest YARA Matches with Low AV Detection Rate
This table lists the last matches with low AV detection rates (between 0 and 15 AV engines matched)
| Rule | AVs | Hash |
|---|---|---|
| HKTL_PS1_Base64_Encoded_Shell_Indicators_Feb22_1 | 1 | cb1bd453b86c33b362f82ef1bd19370eb366e022a2911ec3bd1be5b0a3e62c9f |
| MAL_BAT_OBFUSC_BOM_Override_Apr25 | 11 | ec69483a59ab4d9f4ffe025d4a48a027fcafd4cc7c5c12463a7c1305413e0fe4 |
| EXPL_Office_TemplateInjection_Aug19 | 4 | fcdba6b998a3bfbfb280fac5a487bdb596cd92901468236b9d9d296ecbc54df8 |
YARA Rules Per Category
This list shows the number of YARA rules in the subscribable categories (categories overlap as a rule can be in 'n' categories)
| Tag | Count |
|---|---|
| Malware | 7041 |
| Threat Hunting (not subscribable, only in THOR scanner) | 5514 |
| APT | 5008 |
| Hacktools | 4727 |
| Webshells | 2388 |
| Exploits | 683 |
Newest Sigma Rules
This table shows the newest additions to the Sigma rule set
| Rule | Description | Date |
|---|---|---|
| Windows MFA Tool Uninstallation via WMI | Detects the uninstallation of a Windows Multi-Factor Authentication (MFA) tool such as Duo Authentication for Windows Logon through Windows Management Instrumentation (WMI). These MFA tools enhance security by requiring additional verification during the login process, so threat actors may attempt to uninstall them to bypass MFA. | 01.08.2025 |
| Password Set to Never Expire via WMI | Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration. | 30.07.2025 |
| SharePoint CVE-2025-53770 ToolShell Exploitation Commandline | Detects potential SharePoint exploitation (CVE-2025-53770) using ToolShell. This rule looks for suspicious command lines that may indicate the use of ToolShell to exploit SharePoint vulnerabilities. The detection is based on known exploitation patterns, such as the presence of specific paths and commands related to SharePoint installations. | 24.07.2025 |
| Suspicious File Write to SharePoint Layouts Directory | Detects suspicious file writes to the SharePoint layouts directory, which could indicate webshell activity or post-exploitation. This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770. | 24.07.2025 |
| Suspicious File Created in Outlook Temporary Directory | Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code. | 22.07.2025 |
| Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create | Detects the creation of files such as spinstall0.aspx, which may indicate successful exploitation of CVE-2025-53770. CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution. | 21.07.2025 |
| SharePoint ToolShell CVE-2025-53770 Exploitation - Web IIS | Detects access to vulnerable SharePoint components potentially being exploited via CVE-2025-53770, based on IIS web server logs. CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution. | 21.07.2025 |
| Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators | Detects potential exploitation of CVE-2025-53770 by identifying indicators such as suspicious command lines observed in post-exploitation activity. CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution. | 21.07.2025 |
| Potential SSH Tunnel Persistence Install Using A Scheduled Task | Detects the creation of new scheduled tasks via the command line using schtasks.exe. This rule detects task creations that call OpenSSH, which may indicate the creation of a reverse SSH tunnel to the attacker's server. | 14.07.2025 |
| Delete Defender Scan ShellEx Context Menu Registry Key | Detects deletion of the registry key that adds the 'Scan with Defender' option to the context menu. Attackers may use this to make it harder for users to scan suspicious files. | 11.07.2025 |
| Windows Defender Threat Severity Default Action Modified | Detects modifications or creations of Windows Defender's default threat action settings based on severity to 'allow' or take 'no action'. This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level, allowing malicious software to run unimpeded. An attacker might use this technique to bypass defenses before executing payloads. | 11.07.2025 |
| PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction' | Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9'). This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level. An attacker might use this technique via the command line to bypass defenses before executing payloads. | 11.07.2025 |
| ADExplorer Writing Complete AD Snapshot Into .dat File | Detects the dual-use tool ADExplorer writing a complete AD snapshot into a .dat file. Attackers can use this to extract data for BloodHound, usernames for password spraying, or metadata for social engineering. The snapshot doesn't contain password hashes, but there have been cases where administrators put passwords in the comment field. | 09.07.2025 |
| Failed Logon from Known Bad Hostname | Detects failed RDP logon attempts or network share access from a system using a known bad hostname. This hostname is probably part of a golden image attackers use for their attacks. | 09.07.2025 |
| Windows Defender Context Menu Removed | Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys. This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives. Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product. | 09.07.2025 |
| Logon from Known Bad Hostname | Detects a successful RDP logon or network share access from a system using a known bad hostname. This hostname is probably part of a golden image attackers use for their attacks. | 09.07.2025 |
| Disabling Windows Defender WMI Autologger Session via Reg.exe | Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events. By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique. | 09.07.2025 |
| FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse | Detects commonly used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could indicate that a user is being targeted by the FileFix technique. | 05.07.2025 |
| HackTool - Doppelanger LSASS Dumper Execution | Detects the execution of the Doppelanger hacktool, which is used to dump LSASS memory via process cloning while evading common detection methods. | 01.07.2025 |
| HackTool - HollowReaper Execution | Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealthy payload execution. It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries. | 01.07.2025 |
| FileFix - Suspicious Child Process from Browser File Upload Abuse | Detects potentially suspicious subprocesses such as LOLBINs spawned by web browsers. This activity could be associated with the "FileFix" social engineering technique, where users are tricked into launching the file explorer via a browser-based phishing page and pasting malicious commands into the address bar. The technique abuses clipboard manipulation and disguises command execution as benign file path access, resulting in covert execution of system utilities. | 26.06.2025 |
| Potential Notepad++ CVE-2025-49144 Exploitation | Detects potential exploitation of CVE-2025-49144, a local privilege escalation vulnerability in Notepad++ installers (v8.8.1 and prior) where the installer calls regsvr32.exe without specifying the full path. This allows an attacker to execute arbitrary code with elevated privileges by placing a malicious regsvr32.exe alongside the legitimate Notepad++ installer. The vulnerability is triggered when the installer attempts to register the NppShell.dll file, which is a component of Notepad++. | 26.06.2025 |
| Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing | Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073. | 20.06.2025 |
| Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation | Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob matching the pattern "1UWhRCAAAAA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to attacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073. Please investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised. | 20.06.2025 |
| Suspicious DNS Query Indicating Kerberos Coercion via DNS Object SPN Spoofing - Network | Detects DNS queries containing patterns associated with Kerberos coercion attacks via DNS object spoofing. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073. | 20.06.2025 |
| Attempts of Kerberos Coercion Via DNS SPN Spoofing | Detects the presence of the "UWhRC....AAYBAAAA" pattern in the command line. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests, as in CVE-2025-33073. If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records, or a check for the presence of such records through the `nslookup` command. | 20.06.2025 |
| Suspicious Conhost Remote Share Execution | Detects suspicious conhost.exe execution with a remote share path, which may indicate an attempt to execute code from a remote location. Threat actors may use this technique to execute malicious payloads hosted on remote shares, often leveraging the conhost process for proxy execution of commands or scripts while evading detection. This is commonly seen in the execution of LNK files sent via phishing emails or other means, with the aim of gaining an initial foothold on the target system and executing secondary payloads from remote shares. | 19.06.2025 |
| Suspicious Command Execution from Remote Share | Detects execution of potentially malicious files from remote shares using the command prompt, which may indicate an attempt to execute code from a remote location. Threat actors may use this technique to execute malicious payloads hosted on remote shares. This is commonly seen in the execution of malicious LNK files sent via phishing emails or other means, with the aim of gaining an initial foothold on the target system and executing secondary payloads from remote shares. | 19.06.2025 |
| SystemRoot Environment Variable Hijacking | Detects potential environment variable hijacking of the `SystemRoot` or `windir` variables. Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. | 17.06.2025 |
| Potential Service Environment Variable Tampering | Detects modifications to service environment variables in the Windows registry that could indicate an attempt to tamper with system environment variables. This technique is often used for privilege escalation or persistence by modifying the `SystemRoot` or `windir` variables to point to malicious locations. | 17.06.2025 |
YARA/SIGMA Rule Count
| Rule Type | Community Feed | Nextron Private Feed |
|---|---|---|
| Yara | 2692 | 20153 |
| Sigma | 3420 | 797 |
Sigma Rules Per Category (Community)
| Type | Count |
|---|---|
| windows / process_creation | 1279 |
| windows / registry_set | 203 |
| windows / file_event | 199 |
| windows / ps_script | 165 |
| windows / security | 158 |
| linux / process_creation | 120 |
| windows / image_load | 110 |
| webserver | 82 |
| windows / system | 73 |
| macos / process_creation | 67 |
| linux / auditd | 53 |
| windows / network_connection | 52 |
| proxy | 52 |
| aws / cloudtrail | 46 |
| azure / activitylogs | 43 |
| windows / registry_event | 39 |
| azure / auditlogs | 38 |
| windows / ps_module | 33 |
| windows / application | 30 |
| windows / dns_query | 25 |
| azure / signinlogs | 24 |
| windows / process_access | 23 |
| okta / okta | 22 |
| azure / riskdetection | 19 |
| windows / pipe_created | 18 |
| opencanary / application | 18 |
| linux | 17 |
| rpc_firewall / application | 17 |
| windows / windefend | 16 |
| gcp / gcp.audit | 16 |
| bitbucket / audit | 14 |
| m365 / threat_management | 13 |
| windows / file_delete | 13 |
| github / audit | 13 |
| cisco / aaa | 12 |
| windows / create_remote_thread | 12 |
| windows / codeintegrity-operational | 10 |
| kubernetes / application / audit | 10 |
| windows / driver_load | 10 |
| windows / ps_classic_start | 9 |
| windows / create_stream_hash | 9 |
| dns | 9 |
| windows / registry_add | 9 |
| linux / file_event | 9 |
| windows / firewall-as | 8 |
| windows / msexchange-management | 8 |
| windows / registry_delete | 8 |
| zeek / smb_files | 7 |
| antivirus | 7 |
| azure / pim | 7 |
| windows / appxdeployment-server | 7 |
| windows / file_access | 7 |
| gcp / google_workspace.admin | 7 |
| windows / bits-client | 7 |
| windows / dns-client | 6 |
| zeek / http | 5 |
| linux / network_connection | 5 |
| jvm / application | 5 |
| kubernetes / audit | 5 |
| zeek / dns | 5 |
| windows / sysmon | 4 |
| windows / taskscheduler | 4 |
| windows / iis-configuration | 4 |
| zeek / dce_rpc | 4 |
| m365 / audit | 3 |
| windows / wmi_event | 3 |
| windows / powershell-classic | 3 |
| windows / ntlm | 3 |
| linux / sshd | 3 |
| linux / syslog | 2 |
| windows / dns-server | 2 |
| onelogin / onelogin.events | 2 |
| macos / file_event | 2 |
| apache | 2 |
| qualys | 2 |
| windows / security-mitigations | 2 |
| windows / file_change | 2 |
| spring / application | 2 |
| firewall | 2 |
| velocity / application | 1 |
| windows / certificateservicesclient-lifecycle-system | 1 |
| windows / microsoft-servicebus-client | 1 |
| ruby_on_rails / application | 1 |
| m365 / exchange | 1 |
| linux / sudo | 1 |
| zeek / x509 | 1 |
| windows / file_executable_detected | 1 |
| sql / application | 1 |
| linux / vsftpd | 1 |
| windows / diagnosis-scripted | 1 |
| windows / smbclient-security | 1 |
| windows / file_rename | 1 |
| windows / sysmon_status | 1 |
| m365 / threat_detection | 1 |
| zeek / rdp | 1 |
| windows / sysmon_error | 1 |
| zeek / kerberos | 1 |
| windows / terminalservices-localsessionmanager | 1 |
| database | 1 |
| windows / dns-server-analytic | 1 |
| windows / driver-framework | 1 |
| windows | 1 |
| windows / printservice-admin | 1 |
| nginx | 1 |
| windows / ps_classic_provider_start | 1 |
| windows / printservice-operational | 1 |
| netflow | 1 |
| cisco / ldp | 1 |
| windows / wmi | 1 |
| fortios / sslvpnd | 1 |
| linux / auth | 1 |
| cisco / bgp | 1 |
| windows / lsa-server | 1 |
| django / application | 1 |
| cisco / syslog | 1 |
| linux / cron | 1 |
| nodejs / application | 1 |
| windows / smbclient-connectivity | 1 |
| linux / guacamole | 1 |
| huawei / bgp | 1 |
| windows / appmodel-runtime | 1 |
| windows / ldap | 1 |
| windows / process_tampering | 1 |
| paloalto / file_event / globalprotect | 1 |
| cisco / duo | 1 |
| linux / clamav | 1 |
| juniper / bgp | 1 |
| windows / applocker | 1 |
| windows / openssh | 1 |
| python / application | 1 |
| paloalto / appliance / globalprotect | 1 |
| windows / appxpackaging-om | 1 |
| windows / raw_access_thread | 1 |
| windows / capi2 | 1 |
| windows / shell-core | 1 |
Sigma Rules Per Category (Nextron Private Feed)
| Type | Count |
|---|---|
| windows / process_creation | 373 |
| windows / registry_set | 75 |
| windows / ps_script | 73 |
| windows / image_load | 42 |
| windows / file_event | 38 |
| linux / process_creation | 33 |
| windows / wmi | 29 |
| windows / security | 22 |
| proxy | 12 |
| windows / system | 9 |
| windows / network_connection | 8 |
| windows / registry_event | 8 |
| windows / kernel-event-tracing | 6 |
| windows / ntfs | 5 |
| windows / ps_module | 5 |
| windows / pipe_created | 4 |
| windows / sense | 4 |
| windows / taskscheduler | 4 |
| windows / create_remote_thread | 4 |
| windows / registry_delete | 4 |
| windows / hyper-v-worker | 3 |
| windows / ps_classic_script | 3 |
| windows / vhd | 3 |
| webserver | 3 |
| windows / application-experience | 3 |
| windows / driver_load | 3 |
| windows / kernel-shimengine | 2 |
| windows / windefend | 2 |
| windows / process_access | 2 |
| windows / bits-client | 2 |
| windows / codeintegrity-operational | 2 |
| windows / file_access | 1 |
| linux / file_event | 1 |
| windows / dns_query | 1 |
| windows / firewall-as | 1 |
| windows / file_rename | 1 |
| windows / amsi | 1 |
| windows / file_delete | 1 |
| macos / process_creation | 1 |
| windows / audit-cve | 1 |
| windows / application | 1 |
| windows / registry-setinformation | 1 |
Tenable Nessus
Requirement: Privileged Scan
- YARA Scanning with Nessus works only when scanning with credentials (privileged scan)
YARA Scanning with Nessus
- You can only upload a single .yar file
- Filesystem scan has to be activated
- You have to define the target locations
- The Nessus plugin ID will be 91990
- Only files with the following extensions can be scanned: .application, .asp, .aspx, .bat, .chm, .class, .cmd, .com, .cp, .csh, .dl, .doc, .docx, .drv, .exe, .gadget, .hta, .inf, .ins, .inx, .isu, .jar, .job, .jpeg, .jpg, .js, .jse, .jsp, .lnk, .msc, .msi, .msp, .mst, .paf, .pdf, .php, .pif, .ppt, .pptx, .ps1, .ps1xm, .ps2, .ps2xm, .psc1, .psc2, .reg, .rgs, .scf, .scr, .sct, .shb, .shs, .swf, .sys, .u3p, .vb, .vbe, .vbs, .vbscript, .ws, .wsf, .xls, .xls